Thread: PDFinjector

  1. #1
    Just burned his ISO
    Join Date
    Mar 2008
    Posts
    10

    Default PDFinjector

    I just wrote this script. It's available at code . google . com / p / pdfinjector/
    It injects the Collab getIcon exploit into any non-password protected PDFs.

    You can check out the video here.
    bit.ly / 10KxOD

    I'm thinking of integrating it with some MITM tools for pdf on the fly replacement either via iframe or normal link replacement or integrating some email sending functions into the script.

    I have only tested this in BT4 and Windows XP. Let me know if this doesn't work for you. Thanks

  2. #2
    Junior Member loop4me's Avatar
    Join Date
    Mar 2008
    Posts
    54

    Default

    Hi keith55,
    I tried the script with the -in option instead of -url, which I saw in your video, and I get

    Traceback (most recent call last):
    File "pdfinjector7.py", line 20, in <module>
    options, remainder = getopt.getopt(sys.argv[1:], 'vo', ['verbose','in=','url=','output='])
    File "/usr/lib/python2.5/getopt.py", line 91, in getopt
    opts, args = do_shorts(opts, args[0][1:], shortopts, args[1:])
    File "/usr/lib/python2.5/getopt.py", line 191, in do_shorts
    if short_has_arg(opt, shortopts):
    File "/usr/lib/python2.5/getopt.py", line 207, in short_has_arg
    raise GetoptError('option -%s not recognized' % opt, opt)
    getopt.GetoptError: option -i not recognized

    And it's -in, not -i (getopt.GetoptError: option -i not recognized), that I put.
    Maybe I'm making some mistake here, or is there something else that should be installed to get this script to work?
    The script sounds interesting, so you didn't have a problem running it on BT4?

  3. #3
    Just burned his ISO
    Join Date
    Mar 2008
    Posts
    10

    Default PDFinjector

    Hi Loop4me,

    I just updated the script. The new version is 0.8. You can download it at code . google. com/p/pdfinjector

    To use a local file, you can use the command
    pdfinjector7.py --in test1.pdf -o out.pdf

    To use a file from a website, you can use the command
    pdfinjector7.py --url=theatlanticgateway.ca/test.pdf -o out.pdf

    Let me know if it doesn't work for you.
    If you have any feedback about any extra features you need, do let me know. Thanks

    Quote Originally Posted by loop4me View Post
    Hi keith55,
    I tried the script with the -in option instead of -url, which I saw in your video, and I get

    Traceback (most recent call last):
    File "pdfinjector7.py", line 20, in <module>
    options, remainder = getopt.getopt(sys.argv[1:], 'vo', ['verbose','in=','url=','output='])
    File "/usr/lib/python2.5/getopt.py", line 91, in getopt
    opts, args = do_shorts(opts, args[0][1:], shortopts, args[1:])
    File "/usr/lib/python2.5/getopt.py", line 191, in do_shorts
    if short_has_arg(opt, shortopts):
    File "/usr/lib/python2.5/getopt.py", line 207, in short_has_arg
    raise GetoptError('option -%s not recognized' % opt, opt)
    getopt.GetoptError: option -i not recognized

    And it's -in, not -i (getopt.GetoptError: option -i not recognized), that I put.
    Maybe I'm making some mistake here, or is there something else that should be installed to get this script to work?
    The script sounds interesting, so you didn't have a problem running it on BT4?

  4. #4
    Junior Member loop4me's Avatar
    Join Date
    Mar 2008
    Posts
    54

    Default

    Ok keith55,
    I'm gonna download the new version and let you know as soon as possible how it works.

  5. #5
    Junior Member loop4me's Avatar
    Join Date
    Mar 2008
    Posts
    54

    Default

    Sir keith55,

    First of all I wanna thank you for this great script. I had a problem running it, but I realized it's just a small issue and I managed to run it with big success!

    So, the problem was that the ("-o") output arg was already declared in the script, I think, as 'out.pdf' (output_filename = 'out.pdf'), and when I run it like this it gives me:

    ~python pdfinjector8.py --in Kevin.pdf -o out.pdf
    [*] pdfinjector.py 0.8 [-url][-js][-in][-o|--output]
    --url=url address Website to download pdf file from
    --in=filename Input filename
    -o | --output Output filename
    [*] Mail bug reports and suggestions to <keith.lee2012@gmail.com>.
    [*] Processing ......Traceback (most recent call last):
    File "pdfinjector8.py", line 298, in <module>
    fp = open(output_filename,"wb")
    IOError: [Errno 2] No such file or directory: ''
    But if I leave out "-o out.pdf" (or whatever I wanna call the new PDF), the script works perfectly and gives me out.pdf with the injected code.

    [*] Javascript has been injected into pdf. Please check out.pdf
    OK, the big deal for me is that this pdfinjector's injected code was triggered by Adobe Reader 9.0. And I get a bind shell with no problem, testing it on an XP box.

    This script is a must-have weapon.
    Keep up the good work!

  6. #6
    Just burned his ISO
    Join Date
    Mar 2008
    Posts
    10

    Default

    Hi Loop4me

    I just wrote something similar for excel files.
    Check it out if you are interested. Thanks
    forums.remote-exploit.org/programming/27112-xlsinjector.html

  7. #7
    Just burned his ISO
    Join Date
    Feb 2009
    Posts
    11

    Default

    keith555,
    Nice job ... but I do have a question for you.
    A complete injected PDF run would look something like this:

    python pdfinjector8.py --url=ht tp://blabla.com/bla.pdf --output=out1.pdf
    pdfinjector.py 0.8 [-url][-js]....
    Mail bug report ...
    Downloading file: ht tp://blabla....
    ..
    ..
    ..
    100%[====>]100kb
    Processing ...
    Javascript has been injected into pdf. Please check out1.pdf.

    Looks good up to here. I copied 'out1.pdf' to my other OS in VMware (WinXP) with a NAT connection through the host system (Vista). So I just double-clicked 'out1.pdf' and did a netstat -an. It seems like there is no TCP port 4444 opening. Does your script only set up on port 4444?

  8. #8
    Just burned his ISO
    Join Date
    Mar 2008
    Posts
    10

    Default PDFInjector

    Hi Detail-Pls

    I have used the Metasploit shell payload and it's fixed to port 4444 at the moment. I have plans to add in reverse bind shell, meterpreter shell and custom ports when I can find the time.

    Thanks for your suggestion.

    Can you double-check that you are using one of the versions of Adobe Acrobat Reader below?
    Adobe Acrobat Reader 7.1.1/8.1.3/9.1?


    Quote Originally Posted by Detail-Pls View Post
    keith555,
    Nice job ... but I do have a question for you.
    A complete injected PDF run would look something like this:

    python pdfinjector8.py --url=ht tp://blabla.com/bla.pdf --output=out1.pdf
    pdfinjector.py 0.8 [-url][-js]....
    Mail bug report ...
    Downloading file: ht tp://blabla....
    ..
    ..
    ..
    100%[====>]100kb
    Processing ...
    Javascript has been injected into pdf. Please check out1.pdf.

    Looks good up to here. I copied 'out1.pdf' to my other OS in VMware (WinXP) with a NAT connection through the host system (Vista). So I just double-clicked 'out1.pdf' and did a netstat -an. It seems like there is no TCP port 4444 opening. Does your script only set up on port 4444?

  9. #9
    Just burned his ISO
    Join Date
    Feb 2009
    Posts
    11

    Default

    I use the vuln. Adobe Acrobat Reader v9.0. The latest version that patches the vuln. is v9.1. I'll double-check what the problem is.

  10. #10
    Just burned his ISO
    Join Date
    Feb 2010
    Posts
    1

    Default

    code . google . com / p / pdfinjector /
    Forbidden
    Your client does not have permission to get URL /p/pdfinjector/ from this server.

    If you have the pdfinjector.py code, please upload it to another place. I need pdfinjector.py.
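
For defenders triaging PDFs of the kind this thread describes (JavaScript added to an existing PDF, using the Collab getIcon call named in post #1), the sketch below counts active-content markers in the raw file and in Flate-compressed streams. It is an added example, not code from the thread or from the pdfinjector project; the function names, the indicator list and both sample files are constructed for illustration.

```python
import re
import zlib

# Tokens worth flagging: active-content PDF names plus the API named in this thread.
INDICATORS = [b"/JavaScript", b"/JS", b"/OpenAction", b"/AA", b"Collab.getIcon"]
_HEX_NAME = re.compile(rb"#([0-9A-Fa-f]{2})")
_STREAM = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.DOTALL)

def _normalize(data):
    """Undo #xx escapes in PDF names, so /J#61vaScript reads as /JavaScript."""
    return _HEX_NAME.sub(lambda m: bytes([int(m.group(1), 16)]), data)

def _inflated_streams(data):
    """Yield the inflated body of every stream that decodes as zlib (FlateDecode)."""
    for m in _STREAM.finditer(data):
        try:
            yield zlib.decompressobj().decompress(m.group(1))
        except zlib.error:
            continue  # other filter or encrypted stream: not inspected here

def scan_pdf(data):
    """Return {indicator: count} over the raw bytes and all inflated streams."""
    views = [_normalize(data)] + [_normalize(s) for s in _inflated_streams(data)]
    hits = {}
    for token in INDICATORS:
        # A name token must end at a delimiter, so /JS does not match /JSFoo.
        tail = rb"(?![A-Za-z0-9])" if token.startswith(b"/") else rb""
        pattern = re.compile(re.escape(token) + tail)
        count = sum(len(pattern.findall(view)) for view in views)
        if count:
            hits[token.decode()] = count
    return hits

def is_suspicious(data):
    """Flag the thread's API name, or script that runs automatically on open."""
    hits = scan_pdf(data)
    return "Collab.getIcon" in hits or ("/JS" in hits and "/OpenAction" in hits)

def constructed_samples():
    """Build two constructed test inputs; the script body is inert comment text."""
    body = zlib.compress(b"// constructed marker only: Collab.getIcon")
    flagged = (b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /OpenAction 2 0 R >>\nendobj\n"
               b"2 0 obj\n<< /S /J#61vaScript /JS 3 0 R >>\nendobj\n"
               b"3 0 obj\n<< /Filter /FlateDecode >>\nstream\n" + body +
               b"\nendstream\nendobj\n%%EOF\n")
    clean = b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n%%EOF\n"
    return flagged, clean
```

A hit is a triage signal rather than a verdict: encrypted files, streams using other filters and obfuscated script text are not covered by this string match.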
