Oct
10
2009
Origami – PDF exploitation framework
Posted by security in Exploit Framework / PenTestingorigami is a Ruby framework designed to parse, analyze, and forge PDF documents. This is NOT a PDF rendering library. It aims at providing a scripting tool to generate and analyze malicious PDF files. As well, it can be used to create on-the-fly customized PDFs, or to inject (evil) code into already existing documents.
Features
- Create PDF documents from scratch.
- Parse existing documents, modify them and recompile them.
- Explore documents at the object level, going deep into the document structure, uncompressing PDF object streams and desobfuscating names and strings.
- High-level operations, such as encryption/decryption, signature, file attachments…
- A GTK interface to quickly browse into the document contents.
Quick look
# Create a simple PDF document. contents = ContentStream.newcontents.write 'I AM EMPTY',=> 350, :y => 750, :rendering => PS::Text::Rendering::STROKE, :size => 15PDF.new.append_page(Page.new.setContents(contents)).saveas('empty.pdf')
# Read a PDF document and add an action.pdf = PDF.read("foo.pdf")pdf.onDocumentOpen Action::URI.new('http://google.com')pdf.saveas('bar.pdf')
# Return an array of objects whose name begins with 'JS'pdf.ls(/^JS/) # Return an array of objects containing '/bin/sh'pdf.grep('/bin/sh') # Add a JS script to execute on first page.pdf.pages.first.onOpen Action::JavaScript.new('app.alert("Hello");') # Attach an embedded file to a documentpdf.attach_file('other_doc.pdf')
Full scripts
We provide some scripts helping to perform common actions on PDF files. Feel free to send us your own scripts at origami(at)security-labs.org.
- detectjs.rb: search for all JavaScript objects.
- embed.rb: add an attachment to a PDF file.
- create-jspdf.rb: add a JavaScript to a PDF file, executed when the document is opened.
- moebius.rb: transform a PDF to a moebius strip.
- encrypt.rb: encrypt a PDF file.
More to come on next releases…
Entries (RSS)