As promised, I’m releasing a couple of my PDF tools as a warm-up to my ISSA Belgium and OWASP Belgium talk.
After having manually created some PDF test files (just using a text editor), I stepped up to the next level and wrote a quick-and-dirty Python module to generate PDF documents by assembling fundamental PDF elements.
My mPDF.py module contains a class with methods to create headers, indirect objects, stream objects, trailers and XREFs. One of the programs I wrote based on this module is make-pdf-javascript.py. This Python program allows me to create a simple PDF document with embedded JavaScript that will execute upon opening of the PDF document. Program details and download here.
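For the receiving side, a triage sketch that counts the same fundamental elements (header, indirect objects, streams, XREF, trailer) and flags names that make JavaScript run on open. This is an added example, not code from mPDF.py or make-pdf-javascript.py; the function names and the sample bytes are assumptions made for illustration.

```python
import re

# A PDF name is '/' plus regular characters; '#xx' is a hex escape, so
# /J#61vaScript and /JavaScript are the same name to a PDF reader.
NAME_RE = re.compile(rb"/((?:[^\x00\t\n\x0c\r ()<>\[\]{}/%#]|#[0-9A-Fa-f]{2})+)")
HEX_RE = re.compile(rb"#([0-9A-Fa-f]{2})")
WATCHED = ("OpenAction", "AA", "JS", "JavaScript")  # auto-run actions and script

def decode_name(raw: bytes) -> str:
    """Undo #xx escapes before comparing a name."""
    return HEX_RE.sub(lambda m: bytes([int(m.group(1), 16)]), raw).decode("latin-1")

def triage(pdf: bytes) -> dict:
    """Count structural elements and watched names in raw PDF bytes.
    Plain byte scan: nothing inside compressed streams is inspected."""
    report = {
        "header": pdf.startswith(b"%PDF-"),
        "obj": len(re.findall(rb"\b\d+\s+\d+\s+obj\b", pdf)),
        "stream": len(re.findall(rb"\bstream\r?\n", pdf)),
        "xref": len(re.findall(rb"\bxref\b", pdf)),
        "trailer": len(re.findall(rb"\btrailer\b", pdf)),
        "names": dict.fromkeys(WATCHED, 0),
        "obfuscated": [],
    }
    for m in NAME_RE.finditer(pdf):
        name = decode_name(m.group(1))
        if name in report["names"]:
            report["names"][name] += 1
            if b"#" in m.group(1):  # escaped spelling of a watched name
                report["obfuscated"].append(m.group(0).decode("latin-1"))
    return report

def runs_script_on_open(report: dict) -> bool:
    """True when an automatic action and a script name are both present."""
    n = report["names"]
    return (n["OpenAction"] + n["AA"] > 0) and (n["JS"] + n["JavaScript"] > 0)

# Constructed sample (structure only, not a complete valid file): a catalog
# with /OpenAction pointing at a JavaScript action whose /S name is escaped.
SAMPLE = (b"%PDF-1.1\n"
          b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >>\nendobj\n"
          b"3 0 obj\n<< /Type /Action /S /J#61vaScript /JS (app.alert(1);) >>\nendobj\n"
          b"xref\n0 4\ntrailer\n<< /Root 1 0 R >>\nstartxref\n0\n%%EOF\n")

if __name__ == "__main__":
    r = triage(SAMPLE)
    print(r, runs_script_on_open(r))
```

A hit means the file deserves closer inspection, not that it is malicious; names hidden inside compressed object streams are missed by this byte scan.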
An example: to create a PDF document exploiting the util.printf Adobe Reader vulnerability in its simplest form (e.g. no shellcode and no heap spray), issue the following command:
Here it crashes Adobe Reader 8.1.2 on Windows XP SP2:
[…] To conclude, never trust PDF files! Run your PDF viewer in a sandbox, scan the received PDF (not using regular AV, which only uses signature-based detection – obfuscation is too easy) and finally, disable execution of JavaScript. Read Didier’s presentation here. […]
Pingback by /dev/random » Blog Archive » ISSA/OWASP Belgian Chapter Meeting — Monday 17 November 2008 @ 22:51