By Chris Gates, CISSP, GCIH, C|EH, CPTS

It should be obvious to everyone that the bad guys are moving away from network level attacks and moving toward social engineering coupled with client-side attacks. In fact, this is the focus of the next ChicagoCon in May, where I will be presenting this exact topic live. Penetration testers need to be able to help an organization detect and respond to client-side attacks, and what better way to do that than to do a little client side exploitation during your pentests.

A new mixin has been added to the Metasploit Framework that allows the penetration tester to create and output the files that contain the exploit code instead of just serving up the exploit on a web page.  This increases the attack surface by allowing the pentester to perform their Open Source Intelligence (OSINT) gathering to collect email addresses for the target domain. We then take those addresses and actually send the exploit to the victim as an attachment in the email versus a link to a website.  Your mileage may very on the effectiveness of that technique, but in my experience people seem to be more apt to open attachments of "normal" or "non-malicious" type like .pdf and .html rather than clicking on links. Some example formats that can be used with the fileformat mixin are .pdf, .html, .cab, .m3u, .xpm,  as well as others.


**This isn't to say that some fileformat exploits can't be delivered via the web.  You can easily link to www.evil.com/evil.pdf, but some lend themselves to easier exploitation if you can get the file into a user's inbox. So let's take a quick look at how this can be accomplished.

Is it possible for metasploit to tie this to a current PDF?  In other words, can I use a pdf I have and add this exploit onto it?  At least, where would I start looking for that information?