akde/infosec

Information security is ultimately about managing risk


This is how a PDF document looks with JavaScript execution. Note that with /OpenAction 6 0 R in the catalog (object 6), this action is executed as soon as the document is opened, without any user interaction.

%PDF-1.6
1 0 obj
<< /Type /Catalog
   /Pages 2 0 R
   /OpenAction 6 0 R
>>
endobj
2 0 obj
<< /Type /Pages
   /Kids [3 0 R]
   /Count 1
>>
endobj
3 0 obj
<< /Type /Page
   /Parent 2 0 R
   /MediaBox [0 0 595 842]
   /Contents 4 0 R
   /Resources << /Font << /F1 5 0 R >> >>
>>
endobj
4 0 obj
<< /Length 43 >>
stream
BT
/F1 20 Tf
100 700 Td
(Hello World) Tj
ET
endstream
endobj
5 0 obj
<< /Type /Font
   /Subtype /Type1
   /BaseFont /Helvetica
>>
endobj
6 0 obj
<< /S /JavaScript
   /JS (app.alert("Hello");)
>>
endobj
xref
0 7
0000000000 65535 f 
0000000009 00000 n 
0000000082 00000 n 
0000000145 00000 n 
0000000283 00000 n 
0000000376 00000 n 
0000000452 00000 n 
trailer
<< /Size 7
   /Root 1 0 R
>>
startxref
517
%%EOF
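To see why /OpenAction plus /JavaScript is the combination to look for, here is a minimal pdfid-style triage scanner. It is an added example, not code from the original page or from any of the tools it names. It counts the PDF name keywords that signal an automatic trigger (/OpenAction, /AA) and executable content (/JavaScript, /JS, /Launch, /EmbeddedFile), and it inflates FlateDecode streams first, so a JavaScript action hidden in a compressed object stream (/ObjStm) is still counted even though a plain grep would miss it. The three sample PDFs are constructed inline as fragments (no xref table), which is enough for the scanner but not meant for a viewer.

```python
"""Minimal pdfid-style triage: count trigger/payload keywords in a PDF,
including inside FlateDecode streams. Added example; samples are constructed."""
import re
import zlib

KEYWORDS = (b"/OpenAction", b"/AA", b"/JavaScript", b"/JS",
            b"/Launch", b"/EmbeddedFile", b"/ObjStm")

# Stream bodies: the "stream" keyword (but not the one inside "endstream") up to "endstream".
STREAM_RE = re.compile(rb"(?<!end)stream\r?\n(.*?)\r?\nendstream", re.S)


def inflated_streams(data):
    """Yield the decoded body of every /FlateDecode stream in the file."""
    for m in STREAM_RE.finditer(data):
        # The stream dictionary sits between the last "N G obj" and the stream keyword.
        head = data[data.rfind(b" obj", 0, m.start()):m.start()]
        if b"/FlateDecode" not in head:
            continue
        try:
            yield zlib.decompress(m.group(1))
        except zlib.error:
            pass  # truncated or multi-filter stream: nothing readable here


def scan(data):
    """Return {keyword: count} over the raw bytes plus all inflated streams."""
    views = [data, *inflated_streams(data)]
    counts = {}
    for kw in KEYWORDS:
        # A PDF name ends at whitespace or a delimiter, so /JS must not also match /JSX.
        pat = re.compile(re.escape(kw) + rb"(?![A-Za-z0-9])")
        counts[kw.decode()] = sum(len(pat.findall(v)) for v in views)
    return counts


def is_suspicious(counts):
    """Classic malicious pattern: an automatic trigger combined with script or launch ability."""
    trigger = counts["/OpenAction"] + counts["/AA"]
    payload = counts["/JavaScript"] + counts["/JS"] + counts["/Launch"]
    return trigger > 0 and payload > 0


# Constructed sample 1: the catalog and JavaScript action from the page, uncompressed.
SAMPLE_PLAIN = (b"%PDF-1.6\n"
                b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R /OpenAction 6 0 R >>\nendobj\n"
                b"6 0 obj\n<< /S /JavaScript /JS (app.alert(\"Hello\");) >>\nendobj\n"
                b"trailer\n<< /Root 1 0 R >>\n%%EOF\n")

# Constructed sample 2: nothing runs automatically, so it must not be flagged.
SAMPLE_BENIGN = (b"%PDF-1.6\n"
                 b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
                 b"trailer\n<< /Root 1 0 R >>\n%%EOF\n")


def build_compressed_sample():
    """Constructed sample 3: the same action object packed into a FlateDecode
    object stream (/Type /ObjStm), so grep for /JavaScript on the raw file finds nothing."""
    inner = b"<< /S /JavaScript /JS (app.alert(\"Hello\");) >>"
    packed = zlib.compress(b"6 0 " + inner)  # ObjStm header "objnum offset", then the object
    return (b"%PDF-1.6\n"
            b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R /OpenAction 6 0 R >>\nendobj\n"
            b"8 0 obj\n<< /Type /ObjStm /N 1 /First 4 /Filter /FlateDecode /Length "
            + str(len(packed)).encode() + b" >>\nstream\n" + packed + b"\nendstream\nendobj\n"
            b"trailer\n<< /Root 1 0 R >>\n%%EOF\n")


if __name__ == "__main__":
    for name, pdf in (("plain", SAMPLE_PLAIN), ("benign", SAMPLE_BENIGN),
                      ("compressed", build_compressed_sample())):
        c = scan(pdf)
        print(f"{name:10s} suspicious={is_suspicious(c)} "
              f"grep-visible /JavaScript={pdf.count(b'/JavaScript')} counts={c}")
```

The compressed sample is the reason the analysis section below says to decompress first: on its raw bytes only /OpenAction and /ObjStm are visible, and the verdict comes from the inflated stream.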

Another way to create a malicious PDF:

  1. Prepare / download a trustworthy-looking PDF.
  2. Use exploit/windows/fileformat/adobe_utilprintf to create a PDF with a shell listener.
  3. Open a listener.
  4. Get the victim to open the file.

Analyse a PDF file

If a PDF file is compressed, decompress it first:

pdftk input.pdf output output.pdf uncompress

Get details with pdfinfo:

pdfinfo file.pdf

Get info with pdf-parser.py:

  1. Get general info:
    pdf-parser.py file.pdf
    pdf-parser 2020-12-15-upload.pdf | grep /Creator
  2. At an object (e.g. obj 10 0) there could be binary files attached which do not show up in the output. If you see something like a checksum or an indication that a file could be embedded in this object, dump the object's stream to a file:
    pdf-parser.py -o 10 -d out file.pdf

Check for embedded streams, variant with pdfdetach. (If the file is compressed, try it with both the compressed and the decompressed version!)

  1. Use pdfdetach -list $file to get the embedded files.
  2. Extract one with pdfdetach -save $streamId $file

Check for embedded streams, variant with base64dump. (If the file is compressed, try it with both versions!)

  1. Check streams:
    base64dump.py -e bc file.pdf
  2. Extract stream 1 into a file:
    base64dump.py -e bx -s 1 -d file.pdf > stream1.exe_

Check for embedded… files with binwalk; there may be files embedded that are not stored as a stream. (If the file is compressed, try it with both versions!)

  1. Check for embedded files:
    binwalk file.pdf
  2. Extract files:
    binwalk --dd '.*' file.pdf
    Now the current directory has subdirectories with the extracted files.
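The three extraction variants above all carve attachments out of the file; the following added example (not the page's tooling, and not pdfdetach, base64dump or binwalk) does the same with only the Python standard library so the mechanics are visible: it finds /Type /EmbeddedFile streams, inflates FlateDecode ones, compares the declared /Params /Size with the real size (a mismatch is worth noting), hashes each attachment and checks its magic number. The sample PDF with two attachments is constructed inline as a fragment (no xref table), which is sufficient for the carver.

```python
"""Carve /EmbeddedFile streams out of a PDF and triage them.
Added example; the sample document is constructed below."""
import hashlib
import re
import zlib

# "N G obj << dict >> stream ... endstream". The tempered dot keeps the
# dictionary match from running across an "endobj" into the next object.
OBJ_STREAM_RE = re.compile(
    rb"(\d+)\s+\d+\s+obj\s*<<((?:(?!endobj).)*?)>>\s*stream\r?\n(.*?)\r?\nendstream", re.S)


def looks_executable(content):
    """Magic-number check for file types an attachment should rarely be."""
    return content[:2] == b"MZ" or content[:4] == b"\x7fELF"


def extract_embedded_files(data):
    """Return one record per embedded file: object number, sizes, hash, magic verdict, content."""
    found = []
    for m in OBJ_STREAM_RE.finditer(data):
        objnum, head, raw = int(m.group(1)), m.group(2), m.group(3)
        if b"/EmbeddedFile" not in head:
            continue
        content = zlib.decompress(raw) if b"/FlateDecode" in head else raw
        size_m = re.search(rb"/Size\s+(\d+)", head)   # /Params << /Size N >>
        declared = int(size_m.group(1)) if size_m else None
        found.append({
            "obj": objnum,
            "declared_size": declared,
            "actual_size": len(content),
            "size_mismatch": declared is not None and declared != len(content),
            "sha256": hashlib.sha256(content).hexdigest(),
            "executable": looks_executable(content),
            "content": content,
        })
    return found


def build_sample():
    """Constructed: one FlateDecode attachment with a fake PE header and a
    correct /Size, one plain attachment whose declared /Size is wrong."""
    exe_like = b"MZ\x90\x00" + b"constructed fake PE stub, not a real program"
    packed = zlib.compress(exe_like)
    note = b"just a text note"
    return (b"%PDF-1.6\n"
            b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
            b"10 0 obj\n<< /Type /EmbeddedFile /Filter /FlateDecode"
            b" /Params << /Size " + str(len(exe_like)).encode() + b" >>"
            b" /Length " + str(len(packed)).encode() + b" >>\nstream\n"
            + packed + b"\nendstream\nendobj\n"
            b"11 0 obj\n<< /Type /EmbeddedFile /Params << /Size 999 >>"
            b" /Length " + str(len(note)).encode() + b" >>\nstream\n"
            + note + b"\nendstream\nendobj\n"
            b"trailer\n<< /Root 1 0 R >>\n%%EOF\n")


if __name__ == "__main__":
    for rec in extract_embedded_files(build_sample()):
        # Write each attachment out with a neutral extension, like stream1.exe_ above.
        with open(f"attachment_obj{rec['obj']}.bin_", "wb") as fh:
            fh.write(rec["content"])
        print({k: v for k, v in rec.items() if k != "content"})
```

Like the tools above, this only sees attachments stored as /EmbeddedFile streams; data hidden elsewhere in the file is what the binwalk step is for.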

Get the PDF source (pdftosrc extracts the embedded source only from PDFs written by pdfTeX; for other files use pdf-parser.py as above):

pdftosrc file.pdf

Injection in PDF files

Include other files via annotation: See https://github.com/mpdf/mpdf/issues/356
