Didier Stevens

Monday 27 February 2012

Teensy PDF Dropper Part 2

Filed under: Hacking,My Software,PDF — Didier Stevens @ 0:00

Last year I showed how to use a Teensy micro-controller to drop a PDF file with embedded executable. But I was limited to a file of a few kilobytes, because of the Arduino programming language I used for the Teensy.

In this post, I’m using WinAVR and I’m only limited by the amount of flash memory on my Teensy++.

First we use a new version of my PDF tools to create a PDF file with embedded file:

Filter i is exactly like filter h (ASCIIHexDecode), except that the lines of hex code are wrapped at 512 hex digits, making them digestible to our C compiler.

Another new feature of my make PDF tools is Python 3 support.

Here is a sample of our C code showing how to embed each line of the pure-ASCII PDF document as strings:

Macro PSTR makes that the string is stored in flash memory. The embedded executable is 57KB large, but still only takes half of the flash memory of my Teensy++.

After programming my Teensy++, I can fire up Notepad and let my Teensy++ type out the PDF document:

You can download my example for the WinAVR compiler here:

avr-teensy-pdf-dropper_V0_0_0_1.zip (https)
MD5: EA14100A1BEDA4614D1AE9DE0F71B747
SHA256: 2C9A5DF1831B564D82548C72F1050737BCF17E5A25DCDC41D7FA4EA446A8FDED

5 Comments »

  1. Is not easier to use your teensy+ as a usb storage?, then you just should to execute a copy command to drop your executable in the harddrive

    Comment by TheSur — Tuesday 28 February 2012 @ 10:57

  2. @TheSur Yes, but you missed the start of my first post:

    Pentesters need to drop files on targets. If a box is not connected to the Internet, and doesn’t accept removable storage, they need to come up with some tricks.

    Comment by Didier Stevens — Tuesday 28 February 2012 @ 11:33

  3. Ah great!, now I got the point of doing that. Good idea 🙂

    Comment by TheSur — Tuesday 28 February 2012 @ 11:55

  4. Does `copy con:` still work?

    Comment by bluelip — Friday 2 March 2012 @ 21:19

  5. […] already used a Teensy to send a CONTROL keypress every 10 seconds. This came in handy to keep machines from going to […]

    Pingback by Quickpost: Infinite Control For Bash Bunny | Didier Stevens — Saturday 8 April 2017 @ 11:25


RSS feed for comments on this post. TrackBack URI

Leave a Reply (comments are moderated)

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Blog at WordPress.com.