Didier Stevens

Wednesday 29 April 2015

pdf-parser: A Method To Manipulate PDFs Part 2

Filed under: My Software,PDF — Didier Stevens @ 0:00

I provide 2 days of Hacking PDF training at HITB Amsterdam. This is one of the methods I teach.

Maarten Van Horenbeeck posted a diary entry (July 2008) explaining how scripts and data are stored in PDF documents (using streams), and demonstrated a Perl script to decompress streams. A couple of months before, I had started developing my pdf-parser tool, and Maarten’s diary entry motivated me to continue adding features to pdf-parser.

Extracting and decompressing a stream (for example containing a JavaScript script) is easy with pdf-parser. You select the object that contains the stream (example object 5: -o 5) and you “filter” the content of the stream (-f ). The command is:

pdf-parser.py –o 5 –f sample.pdf

In PDF jargon, streams are compressed using filters. You have all kinds of filters, for example ZLIB DEFLATE, but also lossy compressions like JPEG. pdf-parser supports a couple of filters, but not all, because the implementation of some of them (mostly the lossy ones) differs between vendors and PDF applications.


A recent article published by Virus Bulletin on JavaScript stored inside a lossy stream gave me the opportunity to implement a method I had worked out manually.

The problem: you need to decompress a stream and you have no decompression algorithm.

The solution: you use the PDF application to decompress the stream.

The method: you create a new PDF document with the stream as embedded file, and then save the embedded file using the PDF application.

The detailed method: when you need to decompress a stream for which you have no decompressor (or no decompressor identical to the target application), you create a new PDF document into which you include the object with the stream as an embedded file. PDF documents support embedded files. For example, if you have a PDF document explaining a financial method, you can include a spreadsheet in the PDF document as an embedded file. The embedded file is stored as an object with a stream, and the compression can be any method supported by the PDF application. Crafting this PDF document with embedded file manually requires many manipulations and calculations, and is thus a very good candidate for automation.

Figure: this PDF embeds a file called vbanner2.jpg

With pdf-parser, you can use this method as follows:

  1. Create a Python program that generates the PDF document with embedded file. Use pdf-parser like this (in this example, the data stream you want to decompress is in object 5 of PDF file sample.pdf): pdf-parser.py –generateembedded 5 sample.pdf > embedded.py
  2. Execute the Python program to create the PDF file: embedded.py embedded.pdf
  3. Open the created PDF file embedded.pdf with the target application (Adobe Reader for the Virus Bulletin example), and save the embedded file to disk
  4. The saved file contains the decompressed stream

You can find my PDF tools here.

Remark: the generated Python program requires my module mPDF.py, which can also be found on my PDF tools page.

Remark 2: don’t use this method when the stream contains an exploit for the decompressor.

Monday 27 April 2015

Update: virustotal-search Version 0.1.2 Daily Quota Handling and CVEs

Filed under: My Software,Update — Didier Stevens @ 0:00

This new version op virustotal-search adds a bunch of options to manage the local database, and 2 features I want to highlight here:

1) If you exceed your daily quota, virustotal-search will now do a clean stop. You can use option -w (waitquota) to instruct virustotal-search to wait until your daily quota is reset, and then continue. The quota reset is tested by doing a query every hour.

2) A new column was added to the CSV output: CVEs. virustotal-search will extract CVE numbers from AV detection signatures and report them in column CVEs.

And I also worked together with VirusTotal so that you get a proper error message when you submit an invalid search request (for example MD5 hash prefixed with $).

virustotal-search_V0_1_2.zip (https)
MD5: 62C8031738E6E20FEC38337010496DF6
SHA256: 317AF862A62CF78FC58604EDB77AA3C00EC1543D2337EC634749C25CC5E4908C

Thursday 23 April 2015

MS15-034: PoC Excel Video

Filed under: Hacking,Vulnerabilities — Didier Stevens @ 19:31

Since I like to hack with Excel, I made a PoC for MS15-034 in VBA/Excel.

PS: If you want to see my videos as soon as they are published, subscribe to my video blog videos.DidierStevens.com or YouTube Channel.

Here’s the video:

Friday 17 April 2015

MS15-034 Detection: Some Observations

Filed under: Networking,Vulnerabilities — Didier Stevens @ 9:15

Several detection rules (SNORT, F5, …) are being published these days to detect exploitation of vulnerability MS15-034.

If you are making or modifying such detection rules, I want to share some observations with you.

MS15-034 can be exploited with a GET request with a specially crafted Range header.

Here is the example we’ll use: Range: bytes=2-18446744073709551615

Referring to RFC 2616 section 14.35.1, you can see that this is not the only way to specify a range. Here is the BNF:

ranges-specifier = byte-ranges-specifier
byte-ranges-specifier = bytes-unit “=” byte-range-set
byte-range-set  = 1#( byte-range-spec | suffix-byte-range-spec )
byte-range-spec = first-byte-pos “-” [last-byte-pos]
first-byte-pos  = 1*DIGIT
last-byte-pos   = 1*DIGIT

suffix-byte-range-spec = “-” suffix-length
suffix-length = 1*DIGIT

First of all, whitespace is allowed. So Range: bytes = 2 – 18446744073709551615 is valid (and also caused a BSOD on my test machine).

Second, numbers can have leading zeroes. So Range: bytes=2-018446744073709551615 is valid (and also caused a BSOD on my test machine).

Third, multiple ranges are allowed. So Range: bytes=2-3,4-18446744073709551615 is valid (this did not cause a BSOD on my test machine).

If you are using rules that don’t detect these cases properly, then attackers can easily evade detection. One space character could be all it takes to evade detection. If the rule looks for string “-18446744073709551615”, then using string “- 18446744073709551615” in the attack (extra space character added) will evade detection.

Thursday 16 April 2015

pdf-parser: A Method To Manipulate PDFs Part 1

Filed under: My Software,PDF,Update — Didier Stevens @ 0:00

I provide 2 days of Hacking PDF training at HITB Amsterdam. This is one of the methods I teach.

Sometimes when I analyze PDF documents (benign or malicious), I want to reduce the PDF to its essential objects. But when one removes objects in a PDF, indexes need to be updated and references updated/removed. To automate this process as much as possible, I updated my pdf-parser program to generate a Python program that in turn, generates the original PDF.

Thus when I want to make changes to the PDF (like removing objects), I generate its corresponding Python program, and then I edit this Python program.

I do this simply with option -g.


Then you can edit the Python program, and when you run it, it will generate a new PDF file.

You can also use option -g together with option -f to filter the streams before they are inserted in the Python program. This gives you the decompressed streams in the Python program, opening them up to editing.

In this example, without option -f the Python statement for the stream object is:

oPDF.stream(5, 0, 'x\x9cs\nQ\xd0w3T02Q\x08IS040P0\x07\xe2\x90\x14\x05\r\x8f\xd4\x9c\x9c|\x85\xf0\xfc\xa2\x9c\x14M\x85\x90,\x05\xd7\x10\x00\xdfn\x0b!', '<<\r\n /Length %d\r\n /Filter /FlateDecode\r\n>>')

And with option -f, it becomes:

oPDF.stream2(5, 0, 'BT /F1 24 Tf 100 700 Td (Hello World) Tj ET', '', 'f')

The generated Python program relies on my mPDF library found in my PDF make tools.

pdf-parser_V0_6_2.zip (https)
MD5: D6717F1CA6B9DA2392E63F0DABF590DD
SHA256: 4DC0136062E9A5B6D84C74696005531609BD0299887B70DDFFAA19115BF2E746

Wednesday 15 April 2015

PDF Password Cracking With John The Ripper

Filed under: Encryption,PDF — Didier Stevens @ 0:00

I have a video showing how to use oclHashcat to crack PDF passwords, but I was also asked how to do this with John The Ripper on Windows.

It’s not difficult.

Download the latest jumbo edition john-the-ripper-v1.8.0-jumbo-1-win-32.7z from the custom builds page.

Decompress this version.

Download the previous jumbo edition John the Ripper 1.7.9-jumbo-5 (Windows binaries, ZIP, 3845 KB).

Extract file cyggcc_s-1.dll from the previous jumbo edition, and copy it to folder John-the-Ripper-v1.8.0-jumbo-1-Win-32\run.

Generate the hash for the password protected PDF file (I’m using my ex020.pdf exercise file) and store it in a file (pdf2john.py is a Python program, so you need to have Python installed):

John-the-Ripper-v1.8.0-jumbo-1-Win-32\run\pdf2john.py ex020.pdf > ex020.hash

Start John The Ripper:

John-the-Ripper-v1.8.0-jumbo-1-Win-32\run\john.exe ex020.hash

Loaded 1 password hash (PDF [MD5 SHA2 RC4/AES 32/32])
Will run 8 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
secret           (ex020.pdf)
1g 0:00:00:00 DONE 2/3 (2015-03-29 22:39) 10.20g/s 125071p/s 125071c/s 125071C/s
Use the "--show" option to display all of the cracked passwords reliably
Session completed

By starting John The Ripper without any options, it will first run in single crack mode and then in wordlist mode until it finds the password (secret).

But you can also provide your own wordlists (with option –wordlist) and use rules (option –rules) or work in incremental mode (–incremental).

Monday 13 April 2015

Update: oledump.py Version 0.0.14

Filed under: My Software,Update — Didier Stevens @ 0:00

A new version of oledump (small bugfix and updated plugins).

oledump_V0_0_14.zip (https)
SHA256: 7EEF509D84F7185C299A17882D3BD71481B7B1E41654F463F58492455FBDBD11

Wednesday 8 April 2015

Quickpost: Maldocs: VBA And Pastebin

Filed under: Malware — Didier Stevens @ 20:24

Since a day or two I’m seeing yet another trick used by malware authors in their VBA macros.

The sample I’m looking at is 26B857A0A57B89166584CBB7167CAA19.

The VBA macro downloads base64 encoded scripts from Pastebin:



The scripts are delimited by HTML-like tags like <text10>. Tags that start with stext are scripts for Windows XP systems, and tags that start with text are for Windows Vista and later. This difference is for Powershell: on XP, VBS scripts are executed, and on more recent systems, Powershell scripts are executed.

The URL of the payload comes from another Pastebin entry:


Correct: that trojan is hosted on Dropbox.

Quickpost info

Blog at WordPress.com.