#!/usr/bin/perl # Jeremy Brown [0xjbrown41@gmail.com/jbrownsec.blogspot.com] # PDF FUZZER -- TAKE IT TO THE HEAD # :) HAVE FUN :) use PDF::Create; use Getopt::Std; @overflow = ('A' x 8200, 'A' x 11000, 'A' x 110000, 'A' x 550000, 'A' x 1100000, 'A' x 2200000, 'A' x 12000000, "\0x99" x 1200, "//AAAA" x 250, "\\AAAA" x 250); @fmtstring = ("%n%n%n%n%n", "%p%p%p%p%p", "%s%s%s%s%s", "%d%d%d%d%d", "%x%x%x%x%x", "%s%p%x%d", "%.1024d", "%.1025d", "%.2048d", "%.2049d", "%.4096d", "%.4097d", "%99999999999s", "%08x", "%%20n", "%%20p", "%%20s", "%%20d", "%%20x", "%#0123456x%08x%x%s%p%d%n%o%u%c%h%l%q%j%z%Z%t%i%e%g%f%a%C%S%08x%%", "\0xCD" x 50, "\0xCB" x 50); @numbers = ("0", "-0", "1", "-1", "32767", "-32768", "2147483647", "-2147483647", "2147483648", "-2147483648", "4294967294", "4294967295", "4294967296", "357913942", "-357913942", "536870912", "-536870912", "1.79769313486231E+308", "3.39519326559384E-313", "99999999999", "-99999999999", "0x100", "0x1000", "0x3fffffff", "0x7ffffffe", "0x7fffffff", "0x80000000", "0xffff", "0xfffffffe", "0xfffffff", "0xffffffff", "0x10000", "0x100000", "0x99999999", "65535", "65536", "65537", "16777215", "16777216", "16777217", "-268435455"); @miscbugs = ("test|touch /tmp/ZfZ-PWNED|test", "test`touch /tmp/ZfZ-PWNED`test", "test'touch /tmp/ZfZ-PWNED'test", "test;touch /tmp/ZfZ-PWNED;test", "test&&touch /tmp/ZfZ-PWNED&&test", "test|C:/WINDOWS/system32/calc.exe|test", "test`C:/WINDOWS/system32/calc.exe`test", "test'C:/WINDOWS/system32/calc.exe'test", "test;C:/WINDOWS/system32/calc.exe;test", "/bin/sh", "C:/WINDOWS/system32/calc.exe", "%0xa", "%u000"); getopts('t:o:', \%opts); $target = $opts{'t'}; $pdfdoc = $opts{'o'}; if(!defined($target) || !defined($pdfdoc)) { print "\n pdfUZZ - PDF Fuzzer"; print "\nJeremy Brown [0xjbrown41@gmail.com/http://jbrownsec.blogspot.com]"; print "\n Usage: $0 -t -o \n\n"; exit(0); } print "\n pdfUZZ - PDF Fuzzer"; print "\nJeremy Brown [0xjbrown41@gmail.com/http://jbrownsec.blogspot.com]\n"; print "\nFUZZING '$target' with '$pdfdoc' [STAGE->1(Version)]"; print "\n"; foreach(@numbers) { $fuzz = $_; $pdf = new PDF::Create('filename' => $pdfdoc, 'Version' => $fuzz, 'Author' => 'pdfUZZ', 'Title' => 'pdfUZZ', 'CreationDate' => [localtime], 'Subject' => 'pdfUZZ', 'Keywords' => 'pdfUZZ'); $main = $pdf->new_page('MediaBox' => $pdf->get_page_size('A4')); $pdf->close; system $target $pdfdoc; } print "FUZZING '$target' with '$pdfdoc' [STAGE->2(Author)]"; print "\n"; foreach(@overflow) { $fuzz = $_; $pdf = new PDF::Create('filename' => $pdfdoc, 'Version' => 1.2, 'Author' => $fuzz, 'Title' => 'pdfUZZ', 'CreationDate' => [localtime], 'Subject' => 'pdfUZZ', 'Keywords' => 'pdfUZZ'); $main = $pdf->new_page('MediaBox' => $pdf->get_page_size('A4')); $pdf->close; system $target $pdfdoc; } foreach(@fmtstring) { $fuzz = $_; $pdf = new PDF::Create('filename' => $pdfdoc, 'Version' => 1.2, 'Author' => $fuzz, 'Title' => 'pdfUZZ', 'CreationDate' => [localtime], 'Subject' => 'pdfUZZ', 'Keywords' => 'pdfUZZ'); $main = $pdf->new_page('MediaBox' => $pdf->get_page_size('A4')); $pdf->close; system $target $pdfdoc; } foreach(@miscbugs) { $fuzz = $_; $pdf = new PDF::Create('filename' => $pdfdoc, 'Version' => 1.2, 'Author' => $fuzz, 'Title' => 'pdfUZZ', 'CreationDate' => [localtime], 'Subject' => 'pdfUZZ', 'Keywords' => 'pdfUZZ'); $main = $pdf->new_page('MediaBox' => $pdf->get_page_size('A4')); $pdf->close; system $target $pdfdoc; } print "FUZZING '$target' with '$pdfdoc' [STAGE->3(Title)]"; print "\n"; foreach(@overflow) { $fuzz = $_; $pdf = new PDF::Create('filename' => $pdfdoc, 'Version' => 1.2, 'Author' => 'pdfUZZ', 'Title' => $fuzz, 'CreationDate' => [localtime], 'Subject' => 'pdfUZZ', 'Keywords' => 'pdfUZZ'); $main = $pdf->new_page('MediaBox' => $pdf->get_page_size('A4')); $pdf->close; system $target $pdfdoc; } foreach(@fmtstring) { $fuzz = $_; $pdf = new PDF::Create('filename' => $pdfdoc, 'Version' => 1.2, 'Author' => 'pdfUZZ', 'Title' => $fuzz, 'CreationDate' => [localtime], 'Subject' => 'pdfUZZ', 'Keywords' => 'pdfUZZ'); $main = $pdf->new_page('MediaBox' => $pdf->get_page_size('A4')); $pdf->close; system $target $pdfdoc; } foreach(@miscbugs) { $fuzz = $_; $pdf = new PDF::Create('filename' => $pdfdoc, 'Version' => 1.2, 'Author' => 'pdfUZZ', 'Title' => $fuzz, 'CreationDate' => [localtime], 'Subject' => 'pdfUZZ', 'Keywords' => 'pdfUZZ'); $main = $pdf->new_page('MediaBox' => $pdf->get_page_size('A4')); $pdf->close; system $target $pdfdoc; } print "FUZZING '$target' with '$pdfdoc' [STAGE->4(page_size)]"; print "\n"; foreach(@numbers) { $fuzz = $_; $pdf = new PDF::Create('filename' => $pdfdoc, 'Version' => 1.2, 'Author' => 'pdfUZZ', 'Title' => 'pdfUZZ', 'CreationDate' => [localtime], 'Subject' => 'pdfUZZ', 'Keywords' => 'pdfUZZ'); $main = $pdf->new_page('MediaBox' => [$fuzz, $fuzz, $fuzz, $fuzz]); $pdf->close; system $target $pdfdoc; } print "FUZZING '$target' with '$pdfdoc' [STAGE->5(Subject)]"; print "\n"; foreach(@overflow) { $fuzz = $_; $pdf = new PDF::Create('filename' => $pdfdoc, 'Version' => 1.2, 'Author' => 'pdfUZZ', 'Title' => 'pdfUZZ', 'CreationDate' => [localtime], 'Subject' => $fuzz, 'Keywords' => 'pdfUZZ'); $main = $pdf->new_page('MediaBox' => $pdf->get_page_size('A4')); $pdf->close; system $target $pdfdoc; } foreach(@fmtstring) { $fuzz = $_; $pdf = new PDF::Create('filename' => $pdfdoc, 'Version' => 1.2, 'Author' => $fuzz, 'Title' => 'pdfUZZ', 'CreationDate' => [localtime], 'Subject' => $fuzz, 'Keywords' => 'pdfUZZ'); $main = $pdf->new_page('MediaBox' => $pdf->get_page_size('A4')); $pdf->close; system $target $pdfdoc; } foreach(@miscbugs) { $fuzz = $_; $pdf = new PDF::Create('filename' => $pdfdoc, 'Version' => 1.2, 'Author' => $fuzz, 'Title' => 'pdfUZZ', 'CreationDate' => [localtime], 'Subject' => $fuzz, 'Keywords' => 'pdfUZZ'); $main = $pdf->new_page('MediaBox' => $pdf->get_page_size('A4')); $pdf->close; system $target $pdfdoc; } print "FUZZING '$target' with '$pdfdoc' [STAGE->6(Keywords)]"; print "\n"; foreach(@overflow) { $fuzz = $_; $pdf = new PDF::Create('filename' => $pdfdoc, 'Version' => 1.2, 'Author' => 'pdfUZZ', 'Title' => 'pdfUZZ', 'CreationDate' => [localtime], 'Subject' => 'pdfUZZ', 'Keywords' => $fuzz); $main = $pdf->new_page('MediaBox' => $pdf->get_page_size('A4')); $pdf->close; system $target $pdfdoc; } foreach(@fmtstring) { $fuzz = $_; $pdf = new PDF::Create('filename' => $pdfdoc, 'Version' => 1.2, 'Author' => $fuzz, 'Title' => 'pdfUZZ', 'CreationDate' => [localtime], 'Subject' => 'pdfUZZ', 'Keywords' => $fuzz); $main = $pdf->new_page('MediaBox' => $pdf->get_page_size('A4')); $pdf->close; system $target $pdfdoc; } foreach(@miscbugs) { $fuzz = $_; $pdf = new PDF::Create('filename' => $pdfdoc, 'Version' => 1.2, 'Author' => $fuzz, 'Title' => 'pdfUZZ', 'CreationDate' => [localtime], 'Subject' => 'pdfUZZ', 'Keywords' => $fuzz); $main = $pdf->new_page('MediaBox' => $pdf->get_page_size('A4')); $pdf->close; system $target $pdfdoc; } print "\nFUZZING '$target' with '$pdfdoc' [STAGE->7(font/Subtype)]"; print "\n"; foreach(@overflow) { $fuzz = $_; $pdf = new PDF::Create('filename' => $pdfdoc, 'Version' => 1.2, 'Author' => 'pdfUZZ', 'Title' => 'pdfUZZ', 'CreationDate' => [localtime], 'Subject' => 'pdfUZZ', 'Keywords' => 'pdfUZZ'); $main = $pdf->new_page('MediaBox' => $pdf->get_page_size('A4')); $page = $main->new_page; $ffont = $pdf->font('Subtype' => $fuzz, 'Encoding' => 'WinAnsiEncoding', 'BaseFont' => 'Times-Roman'); $page->string($ffont, 20, 300, 300, "pdfUZZ"); $pdf->close; system $target $pdfdoc; } foreach(@fmtstring) { $fuzz = $_; $pdf = new PDF::Create('filename' => $pdfdoc, 'Version' => 1.2, 'Author' => 'pdfUZZ', 'Title' => 'pdfUZZ', 'CreationDate' => [localtime], 'Subject' => 'pdfUZZ', 'Keywords' => 'pdfUZZ'); $main = $pdf->new_page('MediaBox' => $pdf->get_page_size('A4')); $page = $main->new_page; $ffont = $pdf->font('Subtype' => $fuzz, 'Encoding' => 'WinAnsiEncoding', 'BaseFont' => 'Times-Roman'); $page->string($ffont, 20, 300, 300, "pdfUZZ"); $pdf->close; system $target $pdfdoc; } foreach(@miscbugs) { $fuzz = $_; $pdf = new PDF::Create('filename' => $pdfdoc, 'Version' => 1.2, 'Author' => 'pdfUZZ', 'Title' => 'pdfUZZ', 'CreationDate' => [localtime], 'Subject' => 'pdfUZZ', 'Keywords' => 'pdfUZZ'); $main = $pdf->new_page('MediaBox' => $pdf->get_page_size('A4')); $page = $main->new_page; $ffont = $pdf->font('Subtype' => $fuzz, 'Encoding' => 'WinAnsiEncoding', 'BaseFont' => 'Times-Roman'); $page->string($ffont, 20, 300, 300, "pdfUZZ"); $pdf->close; system $target $pdfdoc; } print "FUZZING '$target' with '$pdfdoc' [STAGE->8(font/Encoding)]"; print "\n"; foreach(@overflow) { $fuzz = $_; $pdf = new PDF::Create('filename' => $pdfdoc, 'Version' => 1.2, 'Author' => 'pdfUZZ', 'Title' => 'pdfUZZ', 'CreationDate' => [localtime], 'Subject' => 'pdfUZZ', 'Keywords' => 'pdfUZZ'); $main = $pdf->new_page('MediaBox' => $pdf->get_page_size('A4')); $page = $main->new_page; $ffont = $pdf->font('Subtype' => 'Type1', 'Encoding' => $fuzz, 'BaseFont' => 'Times-Roman'); $page->string($ffont, 20, 300, 300, "pdfUZZ"); $pdf->close; system $target $pdfdoc; } foreach(@fmtstring) { $fuzz = $_; $pdf = new PDF::Create('filename' => $pdfdoc, 'Version' => 1.2, 'Author' => 'pdfUZZ', 'Title' => 'pdfUZZ', 'CreationDate' => [localtime], 'Subject' => 'pdfUZZ', 'Keywords' => 'pdfUZZ'); $main = $pdf->new_page('MediaBox' => $pdf->get_page_size('A4')); $page = $main->new_page; $ffont = $pdf->font('Subtype' => 'Type1', 'Encoding' => $fuzz, 'BaseFont' => 'Times-Roman'); $page->string($ffont, 20, 300, 300, "pdfUZZ"); $pdf->close; system $target $pdfdoc; } foreach(@miscbugs) { $fuzz = $_; $pdf = new PDF::Create('filename' => $pdfdoc, 'Version' => 1.2, 'Author' => 'pdfUZZ', 'Title' => 'pdfUZZ', 'CreationDate' => [localtime], 'Subject' => 'pdfUZZ', 'Keywords' => 'pdfUZZ'); $main = $pdf->new_page('MediaBox' => $pdf->get_page_size('A4')); $page = $main->new_page; $ffont = $pdf->font('Subtype' => 'Type1', 'Encoding' => $fuzz, 'BaseFont' => 'Times-Roman'); $page->string($ffont, 20, 300, 300, "pdfUZZ"); $pdf->close; system $target $pdfdoc; } print "FUZZING '$target' with '$pdfdoc' [STAGE->9(font/BaseFont)]"; print "\n"; foreach(@overflow) { $fuzz = $_; $pdf = new PDF::Create('filename' => $pdfdoc, 'Version' => 1.2, 'Author' => 'pdfUZZ', 'Title' => 'pdfUZZ', 'CreationDate' => [localtime], 'Subject' => 'pdfUZZ', 'Keywords' => 'pdfUZZ'); $main = $pdf->new_page('MediaBox' => $pdf->get_page_size('A4')); $page = $main->new_page; $ffont = $pdf->font('Subtype' => 'Type1', 'Encoding' => 'WinAnsiEncoding', 'BaseFont' => $fuzz); $page->string($ffont, 20, 300, 300, "pdfUZZ"); $pdf->close; system $target $pdfdoc; } foreach(@fmtstring) { $fuzz = $_; $pdf = new PDF::Create('filename' => $pdfdoc, 'Version' => 1.2, 'Author' => 'pdfUZZ', 'Title' => 'pdfUZZ', 'CreationDate' => [localtime], 'Subject' => 'pdfUZZ', 'Keywords' => 'pdfUZZ'); $main = $pdf->new_page('MediaBox' => $pdf->get_page_size('A4')); $page = $main->new_page; $ffont = $pdf->font('Subtype' => 'Type1', 'Encoding' => 'WinAnsiEncoding', 'BaseFont' => $fuzz); $page->string($ffont, 20, 300, 300, "pdfUZZ"); $pdf->close; system $target $pdfdoc; } foreach(@miscbugs) { $fuzz = $_; $pdf = new PDF::Create('filename' => $pdfdoc, 'Version' => 1.2, 'Author' => 'pdfUZZ', 'Title' => 'pdfUZZ', 'CreationDate' => [localtime], 'Subject' => 'pdfUZZ', 'Keywords' => 'pdfUZZ'); $main = $pdf->new_page('MediaBox' => $pdf->get_page_size('A4')); $page = $main->new_page; $ffont = $pdf->font('Subtype' => 'Type1', 'Encoding' => 'WinAnsiEncoding', 'BaseFont' => $fuzz); $page->string($ffont, 20, 300, 300, "pdfUZZ"); $pdf->close; system $target $pdfdoc; } print "\nFUZZING '$target' with '$pdfdoc' [STAGE->10(string/z+x+y)]"; print "\n"; foreach(@numbers) { $fuzz = $_; $pdf = new PDF::Create('filename' => $pdfdoc, 'Version' => 1.2, 'Author' => 'pdfUZZ', 'Title' => 'pdfUZZ', 'CreationDate' => [localtime], 'Subject' => 'pdfUZZ', 'Keywords' => 'pdfUZZ'); $main = $pdf->new_page('MediaBox' => $pdf->get_page_size('A4')); $page = $main->new_page; $ffont = $pdf->font('Subtype' => 'Type1', 'Encoding' => 'WinAnsiEncoding', 'BaseFont' => 'Times-Roman'); $page->string($ffont, $fuzz, $fuzz, $fuzz, "pdfUZZ"); $pdf->close; system $target $pdfdoc; } print "FUZZING '$target' with '$pdfdoc' [STAGE->11(string/text)]"; print "\n"; foreach(@overflow) { $fuzz = $_; $pdf = new PDF::Create('filename' => $pdfdoc, 'Version' => 1.2, 'Author' => 'pdfUZZ', 'Title' => 'pdfUZZ', 'CreationDate' => [localtime], 'Subject' => 'pdfUZZ', 'Keywords' => 'pdfUZZ'); $main = $pdf->new_page('MediaBox' => $pdf->get_page_size('A4')); $page = $main->new_page; $ffont = $pdf->font('Subtype' => 'Type1', 'Encoding' => 'WinAnsiEncoding', 'BaseFont' => 'Times-Roman'); $page->string($ffont, 20, 300, 300, $fuzz); $pdf->close; system $target $pdfdoc; } foreach(@fmtstring) { $fuzz = $_; $pdf = new PDF::Create('filename' => $pdfdoc, 'Version' => 1.2, 'Author' => 'pdfUZZ', 'Title' => 'pdfUZZ', 'CreationDate' => [localtime], 'Subject' => 'pdfUZZ', 'Keywords' => 'pdfUZZ'); $main = $pdf->new_page('MediaBox' => $pdf->get_page_size('A4')); $page = $main->new_page; $ffont = $pdf->font('Subtype' => 'Type1', 'Encoding' => 'WinAnsiEncoding', 'BaseFont' => 'Times-Roman'); $page->string($ffont, 20, 300, 300, $fuzz); $pdf->close; system $target $pdfdoc; } foreach(@miscbugs) { $fuzz = $_; $pdf = new PDF::Create('filename' => $pdfdoc, 'Version' => 1.2, 'Author' => 'pdfUZZ', 'Title' => 'pdfUZZ', 'CreationDate' => [localtime], 'Subject' => 'pdfUZZ', 'Keywords' => 'pdfUZZ'); $main = $pdf->new_page('MediaBox' => $pdf->get_page_size('A4')); $page = $main->new_page; $ffont = $pdf->font('Subtype' => 'Type1', 'Encoding' => 'WinAnsiEncoding', 'BaseFont' => 'Times-Roman'); $page->string($ffont, 20, 300, 300, $fuzz); $pdf->close; system $target $pdfdoc; } exit;