Filling Adobe’s heap …

February 15, 2010

Follow feliam on Twitter
This post is about how to fill the Adobe Readers Heap. We’ll summarize and put in practice 3 ways of filling Adobe Reader memory. The idea is that when Adobe finnish parsing our PDF we could be pretty sure that at some fixed address there will be controled data. We’re not going to do any fancy feng-shui or heap massage, the idea of this is just to show 3 practical known ways for filling the Reader process memory. Can we fill it?

Read the rest of this entry »

OK! Let’s reinvent the wheel and make a minimal pdf file containing javascript.

As stated in the PDF3200:12.6 specification we can put ACTIONS into pdf files. There are many type of actions like an action to jump to some part of the document(PDF3200:12.6.4.2, “Go-To Actions”) or to play a sound (PDF3200:12.6.4.8, “Sound Actions”) but also and maybe more interesting from the insecurity point of view… to execute javascript. That is PDF3200:12.6.4.16, “JavaScript Actions”.  (For a complete list of actions check 12.6.4 Action Types in the PDF3200)

Actions may be triggered by several ways (PDF3200:12.6.3 Trigger Events). Most of the visible objects of a pdf could be related to a trigger dictionary and execute actions when the mouse passes the area, on clicks, onload… etc.

The catalog dictionary also has a way to add this kind of trigger dictionaries. Basically we can use the /AA tag or the /Openaction tag in the root catalog to describe an action that will be executed when the doc is opened.

We can also put an /AA triggering dictionary to the 1st page or something alike, but lets got step by step in the most common (and detectable) way, the catalog OpenAction.
Read the rest of this entry »

Follow

Get every new post delivered to your Inbox.