How does pdf exploit work
The cross-reference table lists 6 objects. The first entry, with byte offset 0x0 and the generation number, is always present and is not used. The remaining objects are described by the lines that follow. The first used object is located at byte offset 17 and has generation number 0. The cross-reference table is clear and gives exactly the information we need: there are 6 used objects at different byte offsets in the body of the PDF document, and that body is encrypted and obfuscated.
The last line terminates the PDF file. We must keep in mind that PDF documents can apply several filters to compress or encode individual objects, which makes them unreadable as plain text, and that decoding them requires tooling; several tools exist for exactly that purpose. We must also keep in mind that Adobe PDF Reader relies on some open source software components for certain features.
However, the jsunpack-n JavaScript unpacker ships a tool named pdf. The pdf. Whenever the above command is run, we get the following output, which prints every object in the PDF document.
The first part of the output presents the attributes of each object. The outlines object has ID 2. OpenAction specifies the destination that shall be displayed when the document is opened. It is true that there are some people out there who want to use powerful tools like these in order to harm other people, compromise devices or spread malicious software.
Obviously, if you are aiming to use our tool for these reasons, we want to keep you away, and let you know that you will face serious legal repercussions. XeroSploit offers products for cybersecurity enthusiasts, as well as serious companies that want to make sure their cyber defenses are up to date and their systems bulletproof against malicious attacks.
After a few checks, this zone could be good news. By reading the metasploit module, it is visible that the data important for the exploitation is written at offset 0x11c of the TTF file. Why this byte correction? In short, it might be possible to manipulate bytes of the TTF file between bytes and , which is both before the significant shellcode bytes and inside the antivirus detection zone, thus without "damaging" the exploit or having to dive into the assembly in order to modify it.
And finally, the following was simpler than foreseen: by going back to a PDF that held the new obfuscated JavaScript in stream 12, and by making a new round with the chunker. Actually, the first file produced, as soon as offset , does its job like a charm!
Curiosity urges us to check what exactly the script overwrote: we won't go any further in parsing the TTF header to find out precisely what these bytes are, given that the goal is reached and that it is now possible to obtain successful exploitation and code execution despite the workstation's antivirus.
It was possible to combine already known signature isolation techniques with tools able to properly parse the targeted file format, in order to achieve antivirus bypass. The general approach was as follows. This methodology can be extended to other file formats, given access to tools able to extract the structures and data that make up those formats. While antivirus products remain useful for blocking most malicious code, they are generally effective only against code that is already known.
Moreover, we have just seen that it is relatively easy to make a previously flagged file undetectable without altering its operation. Therefore, the defense in depth principle is necessary in order to limit the potential damage from malicious code making its way into the heart of internal networks. Furthermore, detection of a malicious presence must not be limited to virus detection, but should take into account suspicious behaviour in every part of the information system.
September 12, by Florent Poulain.
Preparation. The exploit used here is generated by the metasploit module "adobe cooltype sing", exploiting CVE in an old version of a PDF reader, and is of course detected by most antivirus products.
Identifying where the signatures are. Once the file is opened, peepdf gives a few interesting statistics.