Due to the recent advances in exploitation techniques it became really important to put flash every were we can.


In this post we are going to show how to add a swf(Flash) file to a PDF file using our miniPDF.py lib.

Flash support is relatively new in PDF and come into the scene primary for doing the PDF portable collection thing and such. We’ll follow the steps described in Adobe® Supplement to the ISO 32000 , so you probably need to grab it and keep it close to you. In the case you’ve missed the previous posts here you have a copy of the miniPDF.py so you can take a quick look. We are going to use that lib mainly as we did in earlier posts and start adding PDF objects until… –FLASH!– we end up with a one paged PDF with a running embedded SWF. OK, so lets start…
Read the rest of this entry »

This post is about hiding an evil PDF into a saint PDF. The objective is to embed a pdf into another pdf, and make the reader parse the embedded one without user intervention. If we manage to do this we’ll be able to ‘filter’ the embedded file and hide it through some pdf encoding filters (flatedecode, crypt, etc), that way making it invisible from the outside. And at last, as we’ll be using miniPDF.py, we’ll pass everything through the (unfinished) obfuscated version of the miniPDF.py lib, here.

Read the rest of this entry »

OK! Let’s reinvent the wheel and make a minimal pdf file containing javascript.

As stated in the PDF3200:12.6 specification we can put ACTIONS into pdf files. There are many type of actions like an action to jump to some part of the document(PDF3200:, “Go-To Actions”) or to play a sound (PDF3200:, “Sound Actions”) but also and maybe more interesting from the insecurity point of view… to execute javascript. That is PDF3200:, “JavaScript Actions”.  (For a complete list of actions check 12.6.4 Action Types in the PDF3200)

Actions may be triggered by several ways (PDF3200:12.6.3 Trigger Events). Most of the visible objects of a pdf could be related to a trigger dictionary and execute actions when the mouse passes the area, on clicks, onload… etc.

The catalog dictionary also has a way to add this kind of trigger dictionaries. Basically we can use the /AA tag or the /Openaction tag in the root catalog to describe an action that will be executed when the doc is opened.

We can also put an /AA triggering dictionary to the 1st page or something alike, but lets got step by step in the most common (and detectable) way, the catalog OpenAction.
Read the rest of this entry »

Last year I coded a mini PDF rendering library from scratch. Mostly as a way to go through all PDF spec and learn something about it. Nowadays you’ll find other probably better options for managing PDF programatically like pyPDF or PDF::Writer. Anyway mine is here. (Also presented at uCon in Feb 2009.  Slides here)
Read the rest of this entry »