In the packing PDFs blog entry I mentioned that I created a tool for creating the documents I later released. At the time I decided that releasing the tool would not be in the best interest of everyone else, but then I thought of metasploit and the other tools making their rounds in various companies. They typically have a working exploit shortly after a new vulnerability is exposed, making everyone wiser or at least pushing them to be more secure. Some may argue that this aids the attackers, but that debate is for another day and one I care not to hear.
With that said, and for the sake of progression, I am releasing the tool (heavy_pint) on Github and writing this entry to demonstrate how you can use the tool along with BigHands to constantly pull down new files, pack them and build a directory of malicious PDFs that you can use for research or testing. Having this tool in the public domain should give analysts the ability to recognize if and when it is being used for malicious purposes. Having the source code means we can identify files generated using this tool and therefore combat the problem.
Heavy Pint Introductions
As stated before, this tool has a few working templates that can be used without any adjustments (minus the exploit choice and shellcode replacement) including an invoice and a live pull from a popular news source RSS feed. These files are documented and mentioned in the Github readme and will not be talked about in detail within this post.
The part of the library we are concerned with for this entry is “drop_packed.php”. This file is a bit of a hack. It assumes your “good” PDF files are stored in the project-local directory “baby_crawler”, and the packed results are written to “packed_docs”. If you take a look at the drop_packed file you will see that portions of the code are commented out, which makes it a bit easier to understand. The main problem with auto generation is that FPDF occasionally hits fatal errors. A fatal error in PHP stops all further processing, so our shutdown handler removes the problem file; when the script is called again it will run through without issue.
Building the Setup
Aside from directory changes or removing hardcoded values, you should be fine to dump your existing set of “good” PDFs in the proper directory and then run the caller.sh script. Oh, but you don’t have a lot of good PDFs? That is alright, we can use BigHands to pull down some. I recently updated this project to pull down files more efficiently and output them to a directory of our choice.
Do a git clone on the project and head over to the directory. I didn’t bother removing my caller script, so you should see the shell script that can automate the calling of the tool. If you would rather run the tool just once, you can use this command:
python bighands.py -t pdf -a 100 -r -o "/your/output/directory/"
Google tries to sense abuse, so you may end up with nothing if you let it run too long or pound on the Google servers; keep that in mind when running for extended periods of time. The best bet is to pick a reasonable batch size, have it run every few minutes and just collect your files. Using this you should be able to pull down a couple hundred PDF files without too much issue or effort.
Assuming your files are located in “baby_crawler”, you can just run both caller.sh scripts and you will be in auto-packing heaven. Obviously this whole project could be a lot cleaner, but it does work like it should and outputs working PDF files.
Issues to Note
- Be smart when using this. I am not responsible for any successful exploiting of systems of which you have no business being on.
- FPDI offers a paid version of their parser that is capable of parsing through /ObjStms and therefore allowing you to pack PDF files past version 1.5 (very useful).
- Exploits have not been fully tested, but did result in a crash on corresponding vulnerable reader versions.
- This tool is intended for research and learning for those interested in malicious PDF files.
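As an added example (not code from heavy_pint, BigHands or FPDI), here is a small Python triage script an analyst can run over a collected directory such as “baby_crawler” or “packed_docs”: it reports each file’s header version and whether it uses /ObjStm object streams, which is what decides whether the free FPDI parser can handle the file. The directory name, the “free_parser_ok” heuristic and the sample bytes in the test are assumptions for illustration.

```python
import os
import re

# Constructed example, not part of heavy_pint or BigHands.
# Object streams (/ObjStm) arrived with PDF 1.5; the note above says the
# free FPDI parser cannot read them, so only files at or below 1.5 that
# contain no object streams can be packed without the paid parser.
HEADER_RE = re.compile(rb"%PDF-(\d)\.(\d)")
OBJSTM_RE = re.compile(rb"/Type\s*/ObjStm")


def triage_pdf(data: bytes) -> dict:
    """Return header version, /ObjStm count and a free-parser compatibility flag."""
    # The %PDF-x.y header is expected within the first 1024 bytes of the file.
    m = HEADER_RE.search(data[:1024])
    if m is None:
        return {"is_pdf": False, "version": None, "objstm": 0, "free_parser_ok": False}
    version = (int(m.group(1)), int(m.group(2)))
    objstm = len(OBJSTM_RE.findall(data))
    return {
        "is_pdf": True,
        "version": version,
        "objstm": objstm,
        # Heuristic (assumption): header version only; a /Version entry in the
        # catalog can raise the effective version, so treat this as a first pass.
        "free_parser_ok": version <= (1, 5) and objstm == 0,
    }


def triage_directory(path: str) -> dict:
    """Triage every .pdf in a directory and return {filename: triage result}."""
    results = {}
    for name in sorted(os.listdir(path)):
        if not name.lower().endswith(".pdf"):
            continue
        with open(os.path.join(path, name), "rb") as fh:
            results[name] = triage_pdf(fh.read())
    return results


if __name__ == "__main__":
    import sys

    target = sys.argv[1] if len(sys.argv) > 1 else "baby_crawler"
    for name, info in triage_directory(target).items():
        print(name, info)
```

Files flagged with `free_parser_ok` False are the ones the free toolchain would have skipped or choked on, so they are worth a second look when you are sorting a corpus.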