https://github.com/exfil0/weaponizing-cve-2024-4367

cve-2024-4367 spyware weaponized

README

# WEAPONIZING-CVE-2024-4367
CVE-2024-4367 is a critical vulnerability (CVSS 9.8) in PDF.js, allowing arbitrary JavaScript code execution due to insufficient type checks on the FontMatrix object within PDF files.

# CVE-2024-4367 Exploit Wizard: User Guide

| **CVE IDENTIFIER** | **CVE-2024-4367** |
|--------------------|-------------------|
| **SEVERITY** | Critical (CVSS Score: 9.8) |
| **VULNERABILITY** | Arbitrary JavaScript code execution in PDF.js due to insufficient type checks on FontMatrix object |
| **EXPLOITATION** | Maliciously crafted PDF files can execute JavaScript in the victim’s browser, leading to data theft, XSS, or RCE. |

---

## 1. Environment Setup

### Prerequisites

1. **Operating System**:
   - A Debian/Ubuntu-based Linux distribution or equivalent, with administrative privileges.
   - Ensure Python 3.x is installed (`python3 --version`).

2. **Script Setup**:
   - Save the exploit script in a directory of your choice (e.g., `~/cve-2024-4367/`) with the filename `cve_2024_4367_exploit_wizard.py`.

3. **Template PDF**:
   - Place a benign PDF file named `template.pdf` in the same directory. This file serves as the base for the malicious PDF.

4. **Social Engineering Toolkit (SET)**:
   - Install SET:
     ```bash
     sudo apt-get update
     sudo apt-get install set
     ```
   - Verify the installation with:
     ```bash
     which setoolkit
     ```

---

## 2. Running the Exploit Wizard

### Step 1: Make the Script Executable (Optional)

Grant executable permissions to the script:
```bash
chmod +x cve_2024_4367_exploit_wizard.py
```

### Step 2: Execute the Script

Run the script using either method below:
```bash
./cve_2024_4367_exploit_wizard.py
```
**or**
```bash
python3 cve_2024_4367_exploit_wizard.py
```

### Step 3: Follow On-Screen Prompts

The script will guide you through the attack process step-by-step.

---

## 3. Step-by-Step Wizard Workflow

### **Step 1: Verify and Install Dependencies**

- The script automatically checks for:
  - **PyPDF2**: required for manipulating PDFs.
  - **SET**: used for phishing campaigns.
- Missing dependencies are installed automatically (or the script prompts for manual installation).

### **Step 2: Create a Malicious PDF**

- The script injects a JavaScript payload into the `/FontMatrix` field of the `template.pdf`.
- The output, `malicious.pdf`, will be saved in the same directory.
- Success or failure will be displayed.

### **Step 3: Manage Campaign Targets**

- Add target emails (or identifiers) interactively.
- Type each target email one by one.
- Finalize the list by typing `done`.

### **Step 4: Launch Social Engineering Toolkit (SET)**

- The script integrates with SET to deliver the malicious PDF via phishing.
- Follow SET’s prompts to configure the campaign:
  - Set up email templates.
  - Attach `malicious.pdf`.
- Exit SET to return to the wizard.

### **Step 5: Host Malicious PDF**

- The script launches an HTTP server at `http://localhost:8080`.
- `malicious.pdf` is accessible for download.
- Data exfiltrated by the payload (e.g., `document.cookie`) will be logged in the script’s console.

---

## 4. Testing the Exploit

### **Validate in a Controlled Environment**

1. Open `malicious.pdf` in a vulnerable version of PDF.js or a sandboxed VM.
2. Monitor server logs to confirm payload execution and data exfiltration.

### **Observe Exfiltration Logs**

- Data (e.g., cookies) submitted by the payload will be logged as:
```
[+] Data exfiltrated: session_id=abcd1234; auth_token=xyz987
```

### **Modify Payload for Additional Tests**

- Customize the payload for actions like keylogging or redirection.
- Test your environment’s ability to detect or mitigate these threats.

---

## 5. Cleanup and Post-Execution Tasks

### Stop the Local Server

Terminate the HTTP server using `Ctrl+C` in the terminal.

### Secure Malicious Assets

- Delete or securely store `malicious.pdf` to prevent accidental misuse.
- Safely archive any logs or campaign data.

### Reset Test Environment

- If using a virtual machine, revert to a clean snapshot.
- Ensure no malicious artifacts remain on the system.

---

## 6. Important Notes and Legal Disclaimer

### **For Authorized Use Only**

- This script and guide are intended for **educational purposes** and **authorized penetration testing** within controlled environments.
- Unauthorized use is illegal and may result in severe legal consequences.
- Always obtain explicit permission before conducting any exploit tests.

### **Securing Your Systems**

1. **Update PDF.js**:
   - Ensure the latest version of PDF.js is installed to patch CVE-2024-4367.

2. **Restrict JavaScript in PDFs**:
   - Disable JavaScript execution in PDF viewers whenever possible.

3. **Implement Endpoint Protection**:
   - Use robust endpoint detection and response tools.

4. **Educate Users**:
   - Train employees to recognize phishing attempts and avoid opening unverified PDFs.
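A defender-side check that fits both the "test your environment's ability to detect" step in section 4 and the mitigation list above, added here as an example and not part of the wizard's own code: the PDF specification defines `/FontMatrix` as an array of six numbers, so a scanner can flag any font dictionary whose matrix holds anything else, which is exactly the malformed input this CVE depends on. The PDF fragments below are constructed for the self-check; the scanner also inflates FlateDecode streams so fonts packed into object streams are inspected, but it is a byte-level heuristic, not a full PDF parser.

```python
import re
import zlib

# /FontMatrix followed by its array; DOTALL lets the array span line breaks.
FONTMATRIX_RE = re.compile(rb"/FontMatrix\s*\[(.*?)\]", re.DOTALL)
# A PDF numeric object: optional sign, digits, optional fraction.
NUMBER_RE = re.compile(rb"^[+-]?(\d+\.?\d*|\.\d+)$")
# Stream bodies; those that inflate with zlib are scanned in decompressed form too.
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.DOTALL)


def font_matrix_findings(pdf_bytes: bytes) -> list:
    """Return (array_body, reason) for every /FontMatrix that is not exactly
    six numeric tokens. Heuristic byte-level scan, not a full PDF parser."""
    chunks = [pdf_bytes]
    for m in STREAM_RE.finditer(pdf_bytes):
        try:
            chunks.append(zlib.decompress(m.group(1)))
        except zlib.error:
            pass  # not Flate data (or damaged); the raw bytes are scanned anyway
    findings = []
    for chunk in chunks:
        for m in FONTMATRIX_RE.finditer(chunk):
            body = m.group(1)
            tokens = body.split()
            if len(tokens) != 6:
                findings.append((body, f"expected 6 entries, found {len(tokens)}"))
            elif not all(NUMBER_RE.match(t) for t in tokens):
                findings.append((body, "non-numeric entry"))
    return findings


# Constructed PDF fragments (not files from the page) for a quick self-check.
BENIGN = b"%PDF-1.4\n1 0 obj << /Type /Font /Subtype /Type1 /FontMatrix [0.001 0 0 0.001 0 0] >> endobj\n%%EOF"
SUSPECT = b"%PDF-1.4\n1 0 obj << /Type /Font /FontMatrix [0.001 0 0 0.001 0 (not-a-number)] >> endobj\n%%EOF"


def compressed_pdf(inner: bytes) -> bytes:
    """Wrap a font dictionary in a FlateDecode object stream, as a PDF writer would."""
    data = zlib.compress(inner)
    return (b"%PDF-1.5\n2 0 obj << /Type /ObjStm /Filter /FlateDecode /Length "
            + str(len(data)).encode() + b" >>\nstream\n" + data + b"\nendstream\nendobj\n%%EOF")


if __name__ == "__main__":
    for name, doc in [("benign", BENIGN), ("suspect", SUSPECT),
                      ("suspect-in-objstm", compressed_pdf(SUSPECT))]:
        print(name, font_matrix_findings(doc) or "clean")
```

Run it against a mail-gateway quarantine or a sample directory by replacing the constructed fragments with `open(path, "rb").read()`; any finding is worth a closer look even in viewers that are already patched.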

---

By following this guide responsibly, you can effectively simulate real-world attack scenarios and bolster your cybersecurity defenses.