![Page 1: PDF ATTACK - Black Hat · PDF filePDF ATTACK Jose Miguel Esparza @EternalTodo •Jose Miguel Esparza ... –Included in REMnux and BackTrack / Kali Linux peepdf . peepdf](https://reader031.vdocuments.us/reader031/viewer/2022030512/5abcf1217f8b9a441d8ea3cc/html5/thumbnails/1.jpg)
PDF ATTACK
A Journey from the Exploit Kit to the Shellcode
Jose Miguel Esparza @EternalTodo
Who am I
• Jose Miguel Esparza
• Senior Cybercrime Analyst at Fox-IT InTELL
  – Malware, botnets, C&Cs, exploit kits, …
• Security researcher at home ;p
  – PDF, NFC, …
• http://eternal-todo.com
• @EternalTodo on Twitter
Agenda
• A Journey from the Exploit Kit to the Shellcode
  – Exploit kits: the source of evil
  – PDF basics
  – Some basic peepdf commands
  – Analyzing PDF exploits
    • Extracting and analyzing shellcodes
  – Obfuscation of PDF files
Requirements
• Linux distribution
  – libemu / pylibemu
  – V8 / PyV8
• Latest peepdf version
  – Check it out from the repository, or update!
Exploit Kits: the source of evil
• The most effective way to infect a computer
• Effective and fresh exploits
  – IE
  – Java
  – Flash
  – …
• 6 to 7 exploits per kit on average
Exploit Kits: the source of evil
(image only)
Exploit Kits: the source of evil
(screenshot; exploit names legible in it: Java 7u11, Java Byte Verify, Java CMM, Java < 7u17)
Exploit Kits: the source of evil
• Most used nowadays
  – Magnitude (TopExp)
  – Neutrino
  – Infinity (Goon / RedKit v2)
  – Ramayana (DotkaChef)
  – Fiesta
  – Styx
  – Nuclear
  – …
Source: KahuSecurity
Exploit Kits: the source of evil
• Infection steps
  – Visit an injected website / click a spam link
  – Redirection (maybe more than one)
  – Obfuscated JavaScript
  – Plugin detection
  – Trying exploits
  – Done!
Exploit Kits: the source of evil
• Traffic Distribution Systems (TDS)
  – Country-specific attacks
  – TDS + exploit kits = WIN!
Exploit Kits: the source of evil
• Analyzing exploit kits
  – The kits try to avoid researchers:
    • Filtering by User-Agent and/or Referer
    • Blocking IPs
    • One-time infections
    • Country filters
Exploit Kits: the source of evil
• Analyzing obfuscated JavaScript code
  – The “easy” way
    • Automatic tools
      – Online services
        » Wepawet
        » JSUNPACK
      – Low-interaction honeyclient
        » Thug
    • You can miss some info
Exploit Kits: the source of evil
• Analyzing obfuscated JavaScript code
  – The traditional way
    • Executing the different stages of the JS code
      – Beautify the code
      – Look for the eval function
        » s/eval/print/
      – Hook the eval function with a JavaScript engine
    • Look for exploits / shellcodes
    • Nothing is missed
Exploit Kits: the source of evil
• Analyzing obfuscated JavaScript code
  – The traditional way
    • Let’s play ;)
PDF basics
• PDF format?
• PDF structure?
• Objects?
• Filters?
PDF basics
• Structure of a PDF file
  – Header
  – Body
  – Cross reference table
  – Trailer
PDF basics
• Body
  – Sequence of objects
  – Object types
    • Boolean: true false
    • Numbers: 123 -98 4. -.002 123.6
    • Strings: (hola) <686f6c61>
      – 68 (h) 6f (o) 6c (l) 61 (a)
    • Names: /Type /Filter
    • Dictionaries: << /Type /Catalog /Root 1 0 R >>
    • Arrays: [ 1.0 (test) <</Length 273>> ]
    • Streams
PDF basics
(image only)
PDF basics
• Object types
  – Indirect objects
    • Reference: “object_id generation_number R”
PDF basics
• Tree structure built from the references
• Root node
  – /Catalog
• If an element isn’t on the downward path from the /Catalog, it DOES NOT EXIST as far as the reader is concerned
PDF basics
• You can use just a text editor!!
peepdf
“peepdf sounds like the Swiss army knife of PDF security apps”
http://peepdf.eternal-todo.com
peepdf
• Characteristics
  – Python
  – Command line
  – Interactive console (colorized)
  – Included in REMnux and BackTrack / Kali Linux
http://peepdf.eternal-todo.com
peepdf
(image only)
http://peepdf.eternal-todo.com
peepdf
• Characteristics
  – Command file option
    • Batch / automation
  – XML output
  – Easily updated from the repository
http://peepdf.eternal-todo.com
peepdf
• Why peepdf?
  – Support for:
    • Encryption
    • Object streams (compressed objects)
    • The most used filters
    • FlateDecode / LZWDecode parameters (/DecodeParms)
  – JavaScript analysis
  – Shellcode emulation
peepdf
• Why peepdf?
  – Shows suspicious elements
  – Shows potential vulnerabilities
  – Powerful interactive console
  – Easy extraction of objects / JS code / shellcode
  – PDF obfuscation
  – Alive project!!
peepdf
• Recent commits
  – s/Spidermonkey/PyV8/g
peepdf
• Recent commits
  – vtcheck
peepdf
• Recent commits
  – js_vars
  – js_jjdecode
peepdf
• Commands
  – Console
    • help
    • log
    • open
    • reset
    • quit
    • exit
peepdf
• Commands
  – Showing information
    • Whole document
      – info
      – tree
      – offsets
      – hash
      – bytes
      – metadata
      – changelog
      – save_version
      – errors
peepdf
• Commands
  – Showing information
    • Objects
      – object
      – rawobject
      – stream
      – rawstream
      – references
      – hash
peepdf
• Commands
  – Extracting information
    • Output redirection is possible
      – set
        » set output file path_to_my_file
        » set output variable myVar
peepdf
• Commands
  – Extracting information
    • Shell-style redirection is easier ;)
      – To files
        » stream 6 > stream6_file
        » js_code 12 >> pdf_js_code_file
      – To variables
        » js_unescape variable myVar $> unescaped_sh
        » rawstream 5 $>> all_my_rawstreams_var
peepdf
• Commands
  – JavaScript functions
    • js_code
    • js_eval
    • js_analyse
    • js_unescape
    • js_join
peepdf
• Commands
  – Shellcode emulation
    • sctest
      – pylibemu: libemu wrapper for Python
peepdf
• Commands
  – Modification / creation
    • modify
    • filters
    • decode
    • encode
    • encode_strings
    • embed
    • encrypt
    • malformed_output
    • create
    • save
peepdf
• Commands
  – Misc
    • set
    • search
    • show
    • xor
    • xor_search
Analyzing PDF exploits
• How to identify malicious files
  – Suspicious elements
    • /Action
    • /OpenAction
    • /AA
    • /AcroForm
    • /Names
    • /JavaScript
    • /EmbeddedFile
    • Known vulnerabilities
Analyzing PDF exploits
• Most used vulnerabilities in PDF exploits
  – LibTIFF (TIFF images, CVE-2010-0188)
  – Collab.collectEmailInfo (CVE-2007-5659)
  – Collab.getIcon (CVE-2009-0927)
  – Doc.media.newPlayer (CVE-2009-4324)
  – …
Analyzing PDF exploits
• How to identify malicious files
  – Obfuscation
    • Strange encoding in objects
    • Encryption
    • Malformed objects
    • Embedded PDFs
    • JavaScript
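The points above (indirect references and the tree hanging from the /Catalog, the suspicious names, and code hidden by #xx name escapes or octal string escapes) in one runnable form. This is an added example written for this page, not code from the slides or from peepdf: it uses only the Python standard library, assumes a direct /Length on every stream, and the PDF it scans is constructed inline.

```python
import re
import zlib

OBJ_RE = re.compile(rb'(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj', re.S)   # enough for well-formed objects
REF_RE = re.compile(rb'(\d+)\s+(\d+)\s+R\b')
NAME_RE = re.compile(rb'/((?:[^\s/<>\[\]{}()%#]|#[0-9A-Fa-f]{2})+)')
SUSPICIOUS = (b'/Action', b'/OpenAction', b'/AA', b'/AcroForm', b'/Names',
              b'/JavaScript', b'/EmbeddedFile', b'/JS')  # the slide's list plus /JS, which holds the code

def normalize_names(data):
    """Resolve #xx escapes inside names so /J#61vaScript reads /JavaScript."""
    unhex = lambda m: bytes([int(m.group(1), 16)])
    return NAME_RE.sub(lambda m: b'/' + re.sub(rb'#([0-9A-Fa-f]{2})', unhex, m.group(1)), data)

def exact(data, name):
    """Exact name match, so /AA does not fire on /AAx."""
    return re.search(re.escape(name) + rb'(?![A-Za-z0-9])', data) is not None

def read_literal(data, i):
    """Body of the literal string opening at data[i]; parentheses nest and '\\' escapes, so track depth."""
    depth, j = 0, i
    while j < len(data):
        c = data[j:j + 1]
        if c == b'\\':
            j += 1                       # skip the escaped byte
        else:
            depth += (c == b'(') - (c == b')')
            if depth == 0:
                return data[i + 1:j]
        j += 1
    raise ValueError('unterminated literal string')

def decode_literal(body):
    """Undo \\ooo octal escapes (the \\143\\172 trick) and escaped delimiters such as \\( and \\)."""
    octal = lambda m: bytes([int(m.group(1), 8) & 0xFF]) if m.group(1)[:1] in b'01234567' else m.group(1)
    return re.sub(rb'\\([0-7]{1,3}|.)', octal, body, flags=re.S)

def parse_objects(pdf):
    """Object number -> {'dict': normalised dictionary, 'stream': raw bytes or None}."""
    objs = {}
    for m in OBJ_RE.finditer(pdf):
        num, body, stream = int(m.group(1)), m.group(3), None
        stm = re.search(rb'(?<!end)stream\r?\n', body)
        if stm:  # direct /Length assumed; an indirect /Length is itself a small red flag
            length = int(re.search(rb'/Length\s+(\d+)', body).group(1))
            stream, body = body[stm.end():stm.end() + length], body[:stm.start()]
        objs[num] = {'dict': normalize_names(body), 'stream': stream}
    return objs

def reachable(objs, root):
    """Follow 'N G R' references down from the /Catalog; whatever is never visited is not in the tree."""
    seen, todo = set(), [root]
    while todo:
        n = todo.pop()
        if n in seen or n not in objs:
            continue
        seen.add(n)
        todo.extend(int(num) for num, _ in REF_RE.findall(objs[n]['dict']))
    return seen

def extract_js(objs, num):
    """The /JS value as bytes: literal string, hex string, or a referenced (maybe Flate) stream; else None."""
    d = objs[num]['dict']
    m = re.search(rb'/JS(?![A-Za-z0-9])\s*', d)
    i = m.end() if m else len(d)         # no /JS: every branch below misses and we fall through
    if d[i:i + 1] == b'(':
        return decode_literal(read_literal(d, i))
    if d[i:i + 1] == b'<':
        return bytes.fromhex(d[i + 1:d.index(b'>', i)].decode())
    ref = REF_RE.match(d, i)
    if ref and int(ref.group(1)) in objs:
        target = objs[int(ref.group(1))]
        data = target['stream'] or b''
        return zlib.decompress(data) if exact(target['dict'], b'/FlateDecode') else data
    return None

def scan(pdf):
    """Unreachable objects, suspicious names per object, and every piece of JavaScript found."""
    objs = parse_objects(pdf)
    root = re.search(rb'trailer.*?/Root\s+(\d+)\s+\d+\s+R', pdf, re.S)
    live = reachable(objs, int(root.group(1))) if root else set()
    suspicious = {n: [s.decode() for s in SUSPICIOUS if exact(o['dict'], s)] for n, o in objs.items()}
    javascript = {n: extract_js(objs, n) for n in objs}
    return {'unreachable': sorted(set(objs) - live),
            'suspicious': {n: h for n, h in suspicious.items() if h},
            'javascript': {n: j for n, j in javascript.items() if j is not None}}

def build_sample():
    """Constructed for this example (no xref table; the scanner does not need one): /OpenAction -> object 4,
    whose /S name is #-escaped and whose code lives in Flate stream 6; object 5 holds octal-escaped code
    that nothing references."""
    js = zlib.compress(b'app.alert("reachable");')
    return (b'%PDF-1.5\n1 0 obj\n<< /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >>\nendobj\n'
            b'2 0 obj\n<< /Type /Pages /Kids [3 0 R] /Count 1 >>\nendobj\n'
            b'3 0 obj\n<< /Type /Page /Parent 2 0 R >>\nendobj\n'
            b'4 0 obj\n<< /Type /Action /S /J#61vaScript /JS 6 0 R >>\nendobj\n'
            b'5 0 obj\n<< /Type /Action /S /JavaScript '
            b'/JS (\\141pp.alert\\(1\\); var s = unescape\\("%u9090"\\);) >>\nendobj\n'
            + b'6 0 obj\n<< /Length %d /Filter /FlateDecode >>\nstream\n' % len(js)
            + js + b'\nendstream\nendobj\ntrailer\n<< /Root 1 0 R >>\n%%EOF\n')
```

Run `scan(build_sample())`: object 5 comes back as unreachable even though it carries a /JavaScript action, which is exactly the "does not exist for the reader" point from the PDF basics slide, while object 4 is flagged despite its escaped /S name and its code is recovered from the compressed stream. On a real sample the unreachable list is still worth reading: orphaned objects are leftovers from the generator, or decoys.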
Analyzing PDF exploits
• How to identify malicious files
  – Patterns
    • One page without content
    • Big objects
    • Gaps between objects (offsets)
    • Strange structure
    • Characteristic strings
      – Metadata
      – Tool names
Analyzing PDF exploits
• How to identify malicious files
  – Malformed documents
    • Headers
    • Object tags
Analyzing real exploits
• Practicing all the theory
• Not a sample exploit, a real one
• Extracting the interesting parts
• Extracting the shellcode
• Analyzing the shellcode
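The last two steps in runnable form, as an added example that is not from the slides or from peepdf: it decodes the string an exploit passes to JavaScript's unescape() into raw bytes (what the js_unescape command does), locates the NOP sled, and brute-forces a single-byte XOR key to recover an encoded URL (what xor_search is for). The shellcode is constructed inline and is not real shellcode; the URL, the key 0x5A and the opcode bytes are placeholders.

```python
import re

def js_unescape(s):
    """Decode JavaScript unescape() notation into raw bytes: %uXXXX is a UTF-16 code
    unit stored low byte first, %XX is one byte, anything else is taken literally."""
    out, i = bytearray(), 0
    while i < len(s):
        if s.startswith('%u', i) and re.fullmatch(r'[0-9A-Fa-f]{4}', s[i + 2:i + 6]):
            v = int(s[i + 2:i + 6], 16)
            out += bytes([v & 0xFF, v >> 8])
            i += 6
        elif s[i] == '%' and re.fullmatch(r'[0-9A-Fa-f]{2}', s[i + 1:i + 3]):
            out.append(int(s[i + 1:i + 3], 16))
            i += 3
        else:
            out.append(ord(s[i]) & 0xFF)
            i += 1
    return bytes(out)

def find_sled(sc, nop=0x90, min_len=8):
    """(offset, length) of the longest NOP run, or (None, 0); the code proper starts right after it."""
    best, start = (None, 0), None
    for i, b in enumerate(sc + b'\x00'):   # the sentinel closes a run that reaches the end
        if b == nop:
            start = i if start is None else start
        elif start is not None:
            best = max(best, (start, i - start), key=lambda t: t[1])
            start = None
    return best if best[1] >= min_len else (None, 0)

def xor_search(blob, needle):
    """(key, offset) for every single-byte XOR key under which `needle` appears; key 0 is the plain case."""
    hits = []
    for key in range(256):
        off = bytes(b ^ key for b in blob).find(needle)
        if off != -1:
            hits.append((key, off))
    return hits

def analyze(js_string):
    """Bytes out of the unescape() string, where the sled is, and any XOR-hidden URL."""
    sc = js_unescape(js_string)
    urls = []
    for key, off in xor_search(sc, b'http://'):
        decoded = bytes(b ^ key for b in sc[off:])
        urls.append((key, decoded.split(b'\x00', 1)[0].decode('ascii', 'replace')))
    return {'size': len(sc), 'sled': find_sled(sc), 'urls': urls}

def build_sample_js_string():
    """Constructed stand-in for what an exploit passes to unescape(): a 16-byte NOP sled,
    a few illustrative opcode bytes, then a download URL XOR-encoded with 0x5A. Not real shellcode."""
    key, url = 0x5A, b'http://example.invalid/payload.exe\x00'
    sc = b'\x90' * 16 + b'\xe8\x00\x00\x00\x00\x5b' + bytes(c ^ key for c in url)
    sc += b'\x00' * (len(sc) % 2)          # %u notation needs an even byte count
    return ''.join('%%u%02x%02x' % (sc[i + 1], sc[i]) for i in range(0, len(sc), 2))
```

The byte order is the detail that bites: `%u9090` is symmetric, but `%u00e8` must come out as `e8 00`, which is why the decoder emits the low byte first. Once the bytes are out, the same blob can be handed to libemu (peepdf's sctest) for emulation; the XOR pass here is the quick check for the download URL that most droppers carry.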
Analyzing real exploits
• Playing with real exploits
Using peepdf as a library
• Some developments based on peepdf
  – SWF Mastah (Brandon Dixon)
PDF obfuscation
• Remove characteristic strings
• Split up the JavaScript code (/Names)
• If the code is in:
  – Strings: octal encoding (\143\172)
  – Streams: filters (not the usual ones, with parameters)
• Compress (object streams)
• Encrypt (default password, so the reader opens it without prompting)
• Malform (endobj, header)
• Nest PDFs
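The string-level tricks from this slide applied to one JavaScript action, as an added example that is not from the slides or from peepdf. It writes the same action five ways (plain, octal string, hex string, #-escaped names, and inside a Flate-compressed object stream) and runs a naive byte-signature check over each to show what a grep-style detector misses. The action dictionary and the JavaScript are constructed for the example; the object numbers 4 and 7 are arbitrary.

```python
import zlib

JS = b'app.alert("hello");'      # constructed stand-in for the real code

def octal_string(s):
    """Literal string with every byte as a \\ooo escape: (\\141\\160\\160...) still reads "app..." to the viewer."""
    return b'(' + b''.join(b'\\%03o' % c for c in s) + b')'

def hex_string(s):
    """Hex string form <6170702e...>, equally valid as a /JS value."""
    return b'<' + s.hex().encode() + b'>'

def escaped_name(name):
    """Every character of a name as #xx: /JavaScript becomes /#4a#61#76#61#53#63#72#69#70#74."""
    return b'/' + b''.join(b'#%02x' % c for c in name[1:])

def action(s_name, js_name, value):
    return b'<< /Type /Action /S ' + s_name + b' ' + js_name + b' ' + value + b' >>'

def object_stream(num, obj, stm_num):
    """Put a whole object inside a Flate-compressed /ObjStm, so even its names leave the plain bytes."""
    header = b'%d 0 ' % num                           # "object number, offset" pairs come first
    data = zlib.compress(header + obj)
    return (b'%d 0 obj\n<< /Type /ObjStm /N 1 /First %d /Length %d /Filter /FlateDecode >>\nstream\n'
            % (stm_num, len(header), len(data))) + data + b'\nendstream\nendobj\n'

def unpack_object_stream(objstm):
    """Inflate the /ObjStm body to show the original object is intact inside it."""
    data = objstm.split(b'stream\n', 1)[1].rsplit(b'\nendstream', 1)[0]
    return zlib.decompress(data)

def variants(js=JS):
    """The same JavaScript action written five ways."""
    plain = action(b'/JavaScript', b'/JS', b'(' + js + b')')
    return {'plain': plain,
            'octal_string': action(b'/JavaScript', b'/JS', octal_string(js)),
            'hex_string': action(b'/JavaScript', b'/JS', hex_string(js)),
            'escaped_names': action(escaped_name(b'/JavaScript'), escaped_name(b'/JS'), b'(' + js + b')'),
            'object_stream': object_stream(4, plain, 7)}

def naive_grep(data):
    """What a byte-level signature check sees in each variant."""
    return [sig for sig in (b'/JavaScript', b'/JS', b'app.alert') if sig in data]
```

Every variant is the same action to a conforming reader, yet only the plain one trips all three signatures and the object-stream one trips none. That is the reason an analyzer has to decode names, strings, filters and object streams before it looks for anything, which is what peepdf's parsing support is for.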
THANKS!!
Jose Miguel Esparza
jesparza AT eternal-todo.com
http://eternal-todo.com
@EternalTodo