PDF_stream_inflater
bobby
September 26th, 2008, 06:12
http://sourceforge.net/project/showfiles.php?group_id=203466
I've made this tool because PDF exploits (JavaScript inside PDF) are mostly hidden inside compressed streams.
It will find and decompress zlib compressed streams. A new file per stream found will be created, where every such file will contain the decompressed stream content.
Hope you will find it useful.
I've made it in 3 hours (including doing research about streams in PDF files), so it may have some glitches and bugs. Please report your findings and/or suggestions.
I have tested it on PDF files created by a couple of tools, as there are some differences in created files between tools (different EOL, EOL after token identifier etc.).
dELTA
September 29th, 2008, 13:01
Looks great, thanks for sharing.
CRCETL:
http://www.woodmann.com/collaborative/tools/PDF_Streams_Inflater
5aLIVE
September 29th, 2008, 14:27
Thank you for sharing your work. What compiler do you recommend to view/compile the .dpr file?
bobby
September 29th, 2008, 14:33
dpr is Delphi Project File, so you'll need Delphi.
Eventually, you can try to compile it with Lazarus/FreePascal, but I do not know if the ZlibEx will compile with FreePascal without modifications. FreePascal comes with a zlib library, so you can probably modify my code for that library.
joren
October 2nd, 2008, 19:07
Very useful tool, especially with the rise in abuse.
Thanks bobby!
evaluator
October 3rd, 2008, 02:17
1. maybe it is DEFLATER!?
2. how about deflating anything inside PDF!?
bobby
October 3rd, 2008, 09:44
Deflate is a compression algorithm, inflate is the reverse process:
http://en.wikipedia.org/wiki/DEFLATE
It does inflate anything it finds as a valid zlib stream.
@joren
You are welcome

evaluator
October 4th, 2008, 08:04
jaa, so until now i knew inversed
binjo
October 10th, 2008, 04:06
hi, all
I found it's really simple if you know what's the key point
Bobby, thanks for your malzilla and PDF_streams_inflater
Code:
#!/usr/bin/env python3
# -*- coding: utf-8 -*-
# xxx_pdf.py
# Binjo @ 2008-10-10 16:41:08
#-------------------------------------------------------------------------------
import sys, zlib

def main():
    """Print the inflated content of every FlateDecode stream in the PDF named by argv[1]."""
    fh = open( sys.argv[1], 'rb' )
    xx = fh.read()
    fh.close()

    while True:
        # find the next /FlateDecode filter name and continue after it
        pos = xx.find( b'FlateDecode' )
        if pos == -1: break
        xx = xx[pos+12:]
        # skip "stream" plus one EOL byte, cut at the next "endstream"
        sop = xx.find( b'stream' )
        yy = xx[sop+7:xx.find(b'endstream')]
        print("\nhoooooooooooooo \n%s" % zlib.decompress(yy).decode('latin-1'))
#-------------------------------------------------------------------------------
if __name__ == '__main__':
    main()
#-------------------------------------------------------------------------------
# EOF
bobby
October 10th, 2008, 05:55
@binjo
Hi,
Yup, that's the point (like in your code), but there is also a minor problem that you need to take care of - it may happen that there are extra bytes between "stream" and the actual stream beginning (LF, CR or both). You should take care of them. Same thing at the end of the stream, before "endstream".
Zlib will not decompress if you have these extra bytes at the beginning of the stream.
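Added example, not part of any post in this thread and not the code of either tool: one way to handle the EOL bytes described above when locating and inflating streams, in Python 3. The names `inflate_streams`, `MAX_OUTPUT`, `STREAM_START` and the sample bytes are assumptions constructed for illustration; the output cap is an added safeguard for hostile files.

```python
import re
import zlib

MAX_OUTPUT = 16 * 1024 * 1024  # assumed cap against decompression bombs

# "stream" keyword (not "endstream") followed by CRLF, CR or LF.
STREAM_START = re.compile(rb"(?<!end)stream(\r\n|\r|\n)")


def inflate_streams(pdf_bytes, max_output=MAX_OUTPUT):
    """Return (offset, data, error) for every stream; data is None on failure."""
    results, pos = [], 0
    while True:
        m = STREAM_START.search(pdf_bytes, pos)
        if m is None:
            break
        # Heuristic end marker, as in the thread; /Length is not consulted.
        end = pdf_bytes.find(b"endstream", m.end())
        if end == -1:
            break
        pos = end + len(b"endstream")
        raw = pdf_bytes[m.end():end]
        d = zlib.decompressobj()
        try:
            data = d.decompress(raw, max_output)
        except zlib.error as exc:
            results.append((m.start(), None, str(exc)))
            continue
        if d.eof:
            # EOL bytes before "endstream" land in d.unused_data and are ignored.
            results.append((m.start(), data, None))
        elif len(data) >= max_output:
            results.append((m.start(), None, "output limit reached"))
        else:
            results.append((m.start(), None, "truncated stream"))
    return results


# Constructed sample: CRLF-delimited stream, LF-delimited stream, non-zlib stream.
JS = b"/* constructed sample script */"
SAMPLE = (
    b"%PDF-1.4\n1 0 obj\n<< /Filter /FlateDecode >>\nstream\r\n"
    + zlib.compress(JS) + b"\r\nendstream\nendobj\n"
    b"2 0 obj\n<< /Filter /FlateDecode >>\nstream\n"
    + zlib.compress(b"second") + b"\nendstream\nendobj\n"
    b"3 0 obj\n<< >>\nstream\nnot zlib data\nendstream\nendobj\n"
)

if __name__ == "__main__":
    for offset, data, error in inflate_streams(SAMPLE):
        print(offset, data if error is None else "error: " + error)
```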
binjo
October 10th, 2008, 06:41
hi, bobby
Thanks for pointing that out.
It seems Python's zlib module has taken care of those extra bytes, coz it just works and decrypts the right thing. :P
However I do encounter some errors, it can't decrypt correctly, throws some error. And your tool can't handle it either.

I don't have time to figure out what's going wrong though... Maybe next Monday I'll upload one piece of sample.
bobby
November 18th, 2008, 12:02
Hi to all.
I apologize a lot, but a serious bug has been found in PDF_streams_inflater.
If you use it, please delete and download the bugfix version from the same URL.
bobby
November 22nd, 2008, 15:57
Does anyone need a Linux version?
I will not upload it to sourceforge (code license issues), but I can upload it here if needed.
aeon
November 23rd, 2008, 11:18
file does not seem to be available on sourceforge servers, can anybody reup?
bobby
November 23rd, 2008, 11:21
Yes, you can download it from my old site:
http://www.mc-antivirus-test.com/modules/PDdownloads/singlefile.php?cid=6&lid=25
bobby
November 26th, 2008, 14:48
We now have Windows, Linux and Mac versions.
You can download them from http://www.mc-antivirus-test.com