Using this tool, you can create malicious PDF documents using known JavaScript exploits. These files can then be used in research and testing to further improve how PDF analysis is done. Releasing this library also means that it is on the radar of tools that may be used by attackers to generate their documents. Knowing this, the security community can be more prepared and spend more time handling this issue rather than avoiding it.
- drop_invoice.php - uses the forms, lists and other information to produce an invoice packed with exploits
  - details need to be cleaned up
- drop_news.php - uses RSS to produce PDF files with current news information packed with exploits
  - pulls several articles on generation, but can be adjusted to fit needs
- drop_packed.php - takes in a directory of "good" PDF files and packs them with exploits
  - run from the command line using ./caller.sh
  - rips through the directory for files and tries to pack them
  - deletes files after attempting to pack, but could be adjusted to track progress
Part of the main libraries or used in the creation process. It is messy, but it is best just to leave it alone unless you do plenty of testing.
- JavaScript is obfuscated using random variables
- Version is taken into account so that exploits are not fired if the reader is not vulnerable
- Files are encrypted using RC4
- Streams are dorked by adding a corrupt GZIP stream to the JavaScript object
- Metadata is left blank in versions
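
For analysts testing against files like these, the traits in the list above can be checked statically. The following is an added example, not part of this library: `triage`, `unescape_names` and `build_sample` are hypothetical names, the sample bytes are constructed and carry no exploit, and it assumes the corrupt stream shows up as a `/FlateDecode` stream that fails to inflate.

```python
import re
import zlib

OBJ = re.compile(rb"\d+\s+\d+\s+obj\b(.*?)\bendobj", re.S)
STREAM = re.compile(rb"(.*?)stream\r?\n(.*?)\r?\nendstream", re.S)
# A standard Info key followed by a non-empty literal "(" or hex "<" string.
INFO_VALUE = re.compile(rb"/(Title|Author|Creator|Producer)\s*(\((?!\))|<(?![<>]))")

def unescape_names(raw: bytes) -> bytes:
    """Decode #xx escapes so /J#61vaScript reads as /JavaScript."""
    return re.sub(rb"#([0-9A-Fa-f]{2})", lambda m: bytes([int(m[1], 16)]), raw)

def triage(pdf: bytes) -> dict:
    """Flag the traits listed above in one PDF; a heuristic, not a parser."""
    heads = [unescape_names(OBJ.sub(b"", pdf))]  # header, xref, trailer
    flate = []  # raw bodies of /FlateDecode streams
    for body in OBJ.findall(pdf):
        m = STREAM.match(body)
        heads.append(unescape_names(m[1] if m else body))
        if m and b"/FlateDecode" in heads[-1]:
            flate.append(m[2])
    names = b"\n".join(heads)
    encrypted = b"/Encrypt" in names
    broken = 0
    for raw in flate:
        inflater = zlib.decompressobj()
        try:
            inflater.decompress(raw)
            broken += not inflater.eof  # truncated stream never reaches EOF
        except zlib.error:
            broken += 1  # corrupt header or deflate data
    return {
        "javascript": bool(re.search(rb"/(JavaScript|JS)\b", names)),
        "encrypted": encrypted,
        # Encrypted streams are ciphertext until decrypted, so skip the check.
        "broken_flate_streams": None if encrypted else broken,
        "blank_metadata": not INFO_VALUE.search(names),
    }

def build_sample(encrypt: bool = False) -> bytes:
    """Constructed, harmless PDF-like bytes (not a complete PDF)."""
    good = zlib.compress(b"BT (hello) Tj ET")
    return (b"%PDF-1.4\n"
            b"1 0 obj\n<< /S /J#61vaScript /JS 3 0 R >>\nendobj\n"
            b"2 0 obj\n<< /Filter /FlateDecode >>\nstream\n" + good + b"\nendstream\nendobj\n"
            b"3 0 obj\n<< /Filter /FlateDecode >>\nstream\n\xff\xffnot-deflate\nendstream\nendobj\n"
            b"4 0 obj\n<< /Title () /Author () >>\nendobj\n"
            b"trailer\n<< /Root 1 0 R /Info 4 0 R"
            + (b" /Encrypt 5 0 R" if encrypt else b"") + b" >>\n%%EOF\n")
```

Each trait is weak on its own; it is the combination of JavaScript, encryption or a broken stream, and empty metadata that makes a file worth a closer look.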