‘PDFuzzer – PDF File Standard Fuzzer’
Summary
”
Credit:
‘The information has been provided by Jeremy Brown.
To keep updated with the tool visit the project’s homepage at: http://jbrownsec.blogspot.com/2008/11/introducing-pdf-fuzzing.html‘
Details
‘Tool source:
#!/usr/bin/perl
# Jeremy Brown [0xjbrown41@gmail.com/jbrownsec.blogspot.com]
# PDF FUZZER — TAKE IT TO THE HEAD
# 🙂 HAVE FUN 🙂
use PDF::Create;
use Getopt::Std;
@overflow = (‘A’ x 8200, ‘A’ x 11000, ‘A’ x 110000, ‘A’ x 550000, ‘A’ x 1100000, ‘A’ x 2200000, ‘A’ x 12000000, ‘�x99’ x 1200, ‘//AAAA’ x 250, ‘\AAAA’ x 250);
@fmtstring = (‘%n%n%n%n%n’, ‘%p%p%p%p%p’, ‘%s%s%s%s%s’, ‘%d%d%d%d%d’, ‘%x%x%x%x%x’,
‘%s%p%x%d’, ‘%.1024d’, ‘%.1025d’, ‘%.2048d’, ‘%.2049d’, ‘%.4096d’, ‘%.4097d’,
‘%99999999999s’, ‘%08x’, ‘%%20n’, ‘%%20p’, ‘%%20s’, ‘%%20d’, ‘%%20x’,
‘%#0123456x%08x%x%s%p%d%n%o%u%c%h%l%q%j%z%Z%t%i%e%g%f%a%C%S%08x%%’, ‘�xCD’ x 50, ‘�xCB’ x 50);
@numbers = (‘0’, ‘-0’, ‘1’, ‘-1’, ‘32767’, ‘-32768’, ‘2147483647’, ‘-2147483647’, ‘2147483648’, ‘-2147483648’,
‘4294967294’, ‘4294967295’, ‘4294967296’, ‘357913942’, ‘-357913942’, ‘536870912’, ‘-536870912’,
‘1.79769313486231E+308’, ‘3.39519326559384E-313’, ‘99999999999’, ‘-99999999999’, ‘0x100’, ‘0x1000’,
‘0x3fffffff’, ‘0x7ffffffe’, ‘0x7fffffff’, ‘0x80000000’, ‘0xffff’, ‘0xfffffffe’, ‘0xfffffff’, ‘0xffffffff’,
‘0x10000’, ‘0x100000’, ‘0x99999999’, ‘65535’, ‘65536’, ‘65537’, ‘16777215’, ‘16777216’, ‘16777217’, ‘-268435455’);
@miscbugs = (‘test|touch /tmp/ZfZ-PWNED|test’, ‘test`touch /tmp/ZfZ-PWNED`test’, ‘test’touch /tmp/ZfZ-PWNED’test’, ‘test;touch /tmp/ZfZ-PWNED;test’,
‘test&&touch /tmp/ZfZ-PWNED&&test’, ‘test|C:/WINDOWS/system32/calc.exe|test’, ‘test`C:/WINDOWS/system32/calc.exe`test’,
‘test’C:/WINDOWS/system32/calc.exe’test’, ‘test;C:/WINDOWS/system32/calc.exe;test’, ‘/bin/sh’, ‘C:/WINDOWS/system32/calc.exe’, ‘%0xa’, ‘%u000’);
getopts(‘t:o:’, %opts);
$target = $opts{‘t’};
$pdfdoc = $opts{‘o’};
if(!defined($target) || !defined($pdfdoc))
{
print ‘n pdfUZZ – PDF Fuzzer’;
print ‘nJeremy Brown [0xjbrown41@gmail.com/http://jbrownsec.blogspot.com]’;
print ‘n Usage: $0 -t <targetapp> -o <output.pdf>nn’;
exit(0);
}
print ‘n pdfUZZ – PDF Fuzzer’;
print ‘nJeremy Brown [0xjbrown41@gmail.com/http://jbrownsec.blogspot.com]n’;
print ‘nFUZZING ‘$target’ with ‘$pdfdoc’ [STAGE->1(Version)]’;
print ‘n’;
foreach(@numbers) { $fuzz = $_;
$pdf = new PDF::Create(‘filename’ => $pdfdoc,
‘Version’ => $fuzz,
‘Author’ => ‘pdfUZZ’,
‘Title’ => ‘pdfUZZ’,
‘CreationDate’ => [localtime],
‘Subject’ => ‘pdfUZZ’,
‘Keywords’ => ‘pdfUZZ’);
$main = $pdf->new_page(‘MediaBox’ => $pdf->get_page_size(‘A4’));
$pdf->close;
system $target $pdfdoc; }
print ‘FUZZING ‘$target’ with ‘$pdfdoc’ [STAGE->2(Author)]’;
print ‘n’;
foreach(@overflow) { $fuzz = $_;
$pdf = new PDF::Create(‘filename’ => $pdfdoc,
‘Version’ => 1.2,
‘Author’ => $fuzz,
‘Title’ => ‘pdfUZZ’,
‘CreationDate’ => [localtime],
‘Subject’ => ‘pdfUZZ’,
‘Keywords’ => ‘pdfUZZ’);
$main = $pdf->new_page(‘MediaBox’ => $pdf->get_page_size(‘A4’));
$pdf->close;
system $target $pdfdoc; }
foreach(@fmtstring) { $fuzz = $_;
$pdf = new PDF::Create(‘filename’ => $pdfdoc,
‘Version’ => 1.2,
‘Author’ => $fuzz,
‘Title’ => ‘pdfUZZ’,
‘CreationDate’ => [localtime],
‘Subject’ => ‘pdfUZZ’,
‘Keywords’ => ‘pdfUZZ’);
$main = $pdf->new_page(‘MediaBox’ => $pdf->get_page_size(‘A4’));
$pdf->close;
system $target $pdfdoc; }
foreach(@miscbugs) { $fuzz = $_;
$pdf = new PDF::Create(‘filename’ => $pdfdoc,
‘Version’ => 1.2,
‘Author’ => $fuzz,
‘Title’ => ‘pdfUZZ’,
‘CreationDate’ => [localtime],
‘Subject’ => ‘pdfUZZ’,
‘Keywords’ => ‘pdfUZZ’);
$main = $pdf->new_page(‘MediaBox’ => $pdf->get_page_size(‘A4’));
$pdf->close;
system $target $pdfdoc; }
print ‘FUZZING ‘$target’ with ‘$pdfdoc’ [STAGE->3(Title)]’;
print ‘n’;
foreach(@overflow) { $fuzz = $_;
$pdf = new PDF::Create(‘filename’ => $pdfdoc,
‘Version’ => 1.2,
‘Author’ => ‘pdfUZZ’,
‘Title’ => $fuzz,
‘CreationDate’ => [localtime],
‘Subject’ => ‘pdfUZZ’,
‘Keywords’ => ‘pdfUZZ’);
$main = $pdf->new_page(‘MediaBox’ => $pdf->get_page_size(‘A4’));
$pdf->close;
system $target $pdfdoc; }
foreach(@fmtstring) { $fuzz = $_;
$pdf = new PDF::Create(‘filename’ => $pdfdoc,
‘Version’ => 1.2,
‘Author’ => ‘pdfUZZ’,
‘Title’ => $fuzz,
‘CreationDate’ => [localtime],
‘Subject’ => ‘pdfUZZ’,
‘Keywords’ => ‘pdfUZZ’);
$main = $pdf->new_page(‘MediaBox’ => $pdf->get_page_size(‘A4’));
$pdf->close;
system $target $pdfdoc; }
foreach(@miscbugs) { $fuzz = $_;
$pdf = new PDF::Create(‘filename’ => $pdfdoc,
‘Version’ => 1.2,
‘Author’ => ‘pdfUZZ’,
‘Title’ => $fuzz,
‘CreationDate’ => [localtime],
‘Subject’ => ‘pdfUZZ’,
‘Keywords’ => ‘pdfUZZ’);
$main = $pdf->new_page(‘MediaBox’ => $pdf->get_page_size(‘A4’));
$pdf->close;
system $target $pdfdoc; }
print ‘FUZZING ‘$target’ with ‘$pdfdoc’ [STAGE->4(page_size)]’;
print ‘n’;
foreach(@numbers) { $fuzz = $_;
$pdf = new PDF::Create(‘filename’ => $pdfdoc,
‘Version’ => 1.2,
‘Author’ => ‘pdfUZZ’,
‘Title’ => ‘pdfUZZ’,
‘CreationDate’ => [localtime],
‘Subject’ => ‘pdfUZZ’,
‘Keywords’ => ‘pdfUZZ’);
$main = $pdf->new_page(‘MediaBox’ => [$fuzz, $fuzz, $fuzz, $fuzz]);
$pdf->close;
system $target $pdfdoc; }
print ‘FUZZING ‘$target’ with ‘$pdfdoc’ [STAGE->5(Subject)]’;
print ‘n’;
foreach(@overflow) { $fuzz = $_;
$pdf = new PDF::Create(‘filename’ => $pdfdoc,
‘Version’ => 1.2,
‘Author’ => ‘pdfUZZ’,
‘Title’ => ‘pdfUZZ’,
‘CreationDate’ => [localtime],
‘Subject’ => $fuzz,
‘Keywords’ => ‘pdfUZZ’);
$main = $pdf->new_page(‘MediaBox’ => $pdf->get_page_size(‘A4’));
$pdf->close;
system $target $pdfdoc; }
foreach(@fmtstring) { $fuzz = $_;
$pdf = new PDF::Create(‘filename’ => $pdfdoc,
‘Version’ => 1.2,
‘Author’ => $fuzz,
‘Title’ => ‘pdfUZZ’,
‘CreationDate’ => [localtime],
‘Subject’ => $fuzz,
‘Keywords’ => ‘pdfUZZ’);
$main = $pdf->new_page(‘MediaBox’ => $pdf->get_page_size(‘A4’));
$pdf->close;
system $target $pdfdoc; }
foreach(@miscbugs) { $fuzz = $_;
$pdf = new PDF::Create(‘filename’ => $pdfdoc,
‘Version’ => 1.2,
‘Author’ => $fuzz,
‘Title’ => ‘pdfUZZ’,
‘CreationDate’ => [localtime],
‘Subject’ => $fuzz,
‘Keywords’ => ‘pdfUZZ’);
$main = $pdf->new_page(‘MediaBox’ => $pdf->get_page_size(‘A4’));
$pdf->close;
system $target $pdfdoc; }
print ‘FUZZING ‘$target’ with ‘$pdfdoc’ [STAGE->6(Keywords)]’;
print ‘n’;
foreach(@overflow) { $fuzz = $_;
$pdf = new PDF::Create(‘filename’ => $pdfdoc,
‘Version’ => 1.2,
‘Author’ => ‘pdfUZZ’,
‘Title’ => ‘pdfUZZ’,
‘CreationDate’ => [localtime],
‘Subject’ => ‘pdfUZZ’,
‘Keywords’ => $fuzz);
$main = $pdf->new_page(‘MediaBox’ => $pdf->get_page_size(‘A4’));
$pdf->close;
system $target $pdfdoc; }
foreach(@fmtstring) { $fuzz = $_;
$pdf = new PDF::Create(‘filename’ => $pdfdoc,
‘Version’ => 1.2,
‘Author’ => $fuzz,
‘Title’ => ‘pdfUZZ’,
‘CreationDate’ => [localtime],
‘Subject’ => ‘pdfUZZ’,
‘Keywords’ => $fuzz);
$main = $pdf->new_page(‘MediaBox’ => $pdf->get_page_size(‘A4’));
$pdf->close;
system $target $pdfdoc; }
foreach(@miscbugs) { $fuzz = $_;
$pdf = new PDF::Create(‘filename’ => $pdfdoc,
‘Version’ => 1.2,
‘Author’ => $fuzz,
‘Title’ => ‘pdfUZZ’,
‘CreationDate’ => [localtime],
‘Subject’ => ‘pdfUZZ’,
‘Keywords’ => $fuzz);
$main = $pdf->new_page(‘MediaBox’ => $pdf->get_page_size(‘A4’));
$pdf->close;
system $target $pdfdoc; }
print ‘nFUZZING ‘$target’ with ‘$pdfdoc’ [STAGE->7(font/Subtype)]’;
print ‘n’;
foreach(@overflow) { $fuzz = $_;
$pdf = new PDF::Create(‘filename’ => $pdfdoc,
‘Version’ => 1.2,
‘Author’ => ‘pdfUZZ’,
‘Title’ => ‘pdfUZZ’,
‘CreationDate’ => [localtime],
‘Subject’ => ‘pdfUZZ’,
‘Keywords’ => ‘pdfUZZ’);
$main = $pdf->new_page(‘MediaBox’ => $pdf->get_page_size(‘A4’));
$page = $main->new_page;
$ffont = $pdf->font(‘Subtype’ => $fuzz,
‘Encoding’ => ‘WinAnsiEncoding’,
‘BaseFont’ => ‘Times-Roman’);
$page->string($ffont, 20, 300, 300, ‘pdfUZZ’);
$pdf->close;
system $target $pdfdoc; }
foreach(@fmtstring) { $fuzz = $_;
$pdf = new PDF::Create(‘filename’ => $pdfdoc,
‘Version’ => 1.2,
‘Author’ => ‘pdfUZZ’,
‘Title’ => ‘pdfUZZ’,
‘CreationDate’ => [localtime],
‘Subject’ => ‘pdfUZZ’,
‘Keywords’ => ‘pdfUZZ’);
$main = $pdf->new_page(‘MediaBox’ => $pdf->get_page_size(‘A4’));
$page = $main->new_page;
$ffont = $pdf->font(‘Subtype’ => $fuzz,
‘Encoding’ => ‘WinAnsiEncoding’,
‘BaseFont’ => ‘Times-Roman’);
$page->string($ffont, 20, 300, 300, ‘pdfUZZ’);
$pdf->close;
system $target $pdfdoc; }
foreach(@miscbugs) { $fuzz = $_;
$pdf = new PDF::Create(‘filename’ => $pdfdoc,
‘Version’ => 1.2,
‘Author’ => ‘pdfUZZ’,
‘Title’ => ‘pdfUZZ’,
‘CreationDate’ => [localtime],
‘Subject’ => ‘pdfUZZ’,
‘Keywords’ => ‘pdfUZZ’);
$main = $pdf->new_page(‘MediaBox’ => $pdf->get_page_size(‘A4’));
$page = $main->new_page;
$ffont = $pdf->font(‘Subtype’ => $fuzz,
‘Encoding’ => ‘WinAnsiEncoding’,
‘BaseFont’ => ‘Times-Roman’);
$page->string($ffont, 20, 300, 300, ‘pdfUZZ’);
$pdf->close;
system $target $pdfdoc; }
print ‘FUZZING ‘$target’ with ‘$pdfdoc’ [STAGE->8(font/Encoding)]’;
print ‘n’;
foreach(@overflow) { $fuzz = $_;
$pdf = new PDF::Create(‘filename’ => $pdfdoc,
‘Version’ => 1.2,
‘Author’ => ‘pdfUZZ’,
‘Title’ => ‘pdfUZZ’,
‘CreationDate’ => [localtime],
‘Subject’ => ‘pdfUZZ’,
‘Keywords’ => ‘pdfUZZ’);
$main = $pdf->new_page(‘MediaBox’ => $pdf->get_page_size(‘A4’));
$page = $main->new_page;
$ffont = $pdf->font(‘Subtype’ => ‘Type1’,
‘Encoding’ => $fuzz,
‘BaseFont’ => ‘Times-Roman’);
$page->string($ffont, 20, 300, 300, ‘pdfUZZ’);
$pdf->close;
system $target $pdfdoc; }
foreach(@fmtstring) { $fuzz = $_;
$pdf = new PDF::Create(‘filename’ => $pdfdoc,
‘Version’ => 1.2,
‘Author’ => ‘pdfUZZ’,
‘Title’ => ‘pdfUZZ’,
‘CreationDate’ => [localtime],
‘Subject’ => ‘pdfUZZ’,
‘Keywords’ => ‘pdfUZZ’);
$main = $pdf->new_page(‘MediaBox’ => $pdf->get_page_size(‘A4’));
$page = $main->new_page;
$ffont = $pdf->font(‘Subtype’ => ‘Type1’,
‘Encoding’ => $fuzz,
‘BaseFont’ => ‘Times-Roman’);
$page->string($ffont, 20, 300, 300, ‘pdfUZZ’);
$pdf->close;
system $target $pdfdoc; }
foreach(@miscbugs) { $fuzz = $_;
$pdf = new PDF::Create(‘filename’ => $pdfdoc,
‘Version’ => 1.2,
‘Author’ => ‘pdfUZZ’,
‘Title’ => ‘pdfUZZ’,
‘CreationDate’ => [localtime],
‘Subject’ => ‘pdfUZZ’,
‘Keywords’ => ‘pdfUZZ’);
$main = $pdf->new_page(‘MediaBox’ => $pdf->get_page_size(‘A4’));
$page = $main->new_page;
$ffont = $pdf->font(‘Subtype’ => ‘Type1’,
‘Encoding’ => $fuzz,
‘BaseFont’ => ‘Times-Roman’);
$page->string($ffont, 20, 300, 300, ‘pdfUZZ’);
$pdf->close;
system $target $pdfdoc; }
print ‘FUZZING ‘$target’ with ‘$pdfdoc’ [STAGE->9(font/BaseFont)]’;
print ‘n’;
foreach(@overflow) { $fuzz = $_;
$pdf = new PDF::Create(‘filename’ => $pdfdoc,
‘Version’ => 1.2,
‘Author’ => ‘pdfUZZ’,
‘Title’ => ‘pdfUZZ’,
‘CreationDate’ => [localtime],
‘Subject’ => ‘pdfUZZ’,
‘Keywords’ => ‘pdfUZZ’);
$main = $pdf->new_page(‘MediaBox’ => $pdf->get_page_size(‘A4’));
$page = $main->new_page;
$ffont = $pdf->font(‘Subtype’ => ‘Type1’,
‘Encoding’ => ‘WinAnsiEncoding’,
‘BaseFont’ => $fuzz);
$page->string($ffont, 20, 300, 300, ‘pdfUZZ’);
$pdf->close;
system $target $pdfdoc; }
foreach(@fmtstring) { $fuzz = $_;
$pdf = new PDF::Create(‘filename’ => $pdfdoc,
‘Version’ => 1.2,
‘Author’ => ‘pdfUZZ’,
‘Title’ => ‘pdfUZZ’,
‘CreationDate’ => [localtime],
‘Subject’ => ‘pdfUZZ’,
‘Keywords’ => ‘pdfUZZ’);
$main = $pdf->new_page(‘MediaBox’ => $pdf->get_page_size(‘A4’));
$page = $main->new_page;
$ffont = $pdf->font(‘Subtype’ => ‘Type1’,
‘Encoding’ => ‘WinAnsiEncoding’,
‘BaseFont’ => $fuzz);
$page->string($ffont, 20, 300, 300, ‘pdfUZZ’);
$pdf->close;
system $target $pdfdoc; }
foreach(@miscbugs) { $fuzz = $_;
$pdf = new PDF::Create(‘filename’ => $pdfdoc,
‘Version’ => 1.2,
‘Author’ => ‘pdfUZZ’,
‘Title’ => ‘pdfUZZ’,
‘CreationDate’ => [localtime],
‘Subject’ => ‘pdfUZZ’,
‘Keywords’ => ‘pdfUZZ’);
$main = $pdf->new_page(‘MediaBox’ => $pdf->get_page_size(‘A4’));
$page = $main->new_page;
$ffont = $pdf->font(‘Subtype’ => ‘Type1’,
‘Encoding’ => ‘WinAnsiEncoding’,
‘BaseFont’ => $fuzz);
$page->string($ffont, 20, 300, 300, ‘pdfUZZ’);
$pdf->close;
system $target $pdfdoc; }
print ‘nFUZZING ‘$target’ with ‘$pdfdoc’ [STAGE->10(string/z+x+y)]’;
print ‘n’;
foreach(@numbers) { $fuzz = $_;
$pdf = new PDF::Create(‘filename’ => $pdfdoc,
‘Version’ => 1.2,
‘Author’ => ‘pdfUZZ’,
‘Title’ => ‘pdfUZZ’,
‘CreationDate’ => [localtime],
‘Subject’ => ‘pdfUZZ’,
‘Keywords’ => ‘pdfUZZ’);
$main = $pdf->new_page(‘MediaBox’ => $pdf->get_page_size(‘A4’));
$page = $main->new_page;
$ffont = $pdf->font(‘Subtype’ => ‘Type1’,
‘Encoding’ => ‘WinAnsiEncoding’,
‘BaseFont’ => ‘Times-Roman’);
$page->string($ffont, $fuzz, $fuzz, $fuzz, ‘pdfUZZ’);
$pdf->close;
system $target $pdfdoc; }
print ‘FUZZING ‘$target’ with ‘$pdfdoc’ [STAGE->11(string/text)]’;
print ‘n’;
foreach(@overflow) { $fuzz = $_;
$pdf = new PDF::Create(‘filename’ => $pdfdoc,
‘Version’ => 1.2,
‘Author’ => ‘pdfUZZ’,
‘Title’ => ‘pdfUZZ’,
‘CreationDate’ => [localtime],
‘Subject’ => ‘pdfUZZ’,
‘Keywords’ => ‘pdfUZZ’);
$main = $pdf->new_page(‘MediaBox’ => $pdf->get_page_size(‘A4’));
$page = $main->new_page;
$ffont = $pdf->font(‘Subtype’ => ‘Type1’,
‘Encoding’ => ‘WinAnsiEncoding’,
‘BaseFont’ => ‘Times-Roman’);
$page->string($ffont, 20, 300, 300, $fuzz);
$pdf->close;
system $target $pdfdoc; }
foreach(@fmtstring) { $fuzz = $_;
$pdf = new PDF::Create(‘filename’ => $pdfdoc,
‘Version’ => 1.2,
‘Author’ => ‘pdfUZZ’,
‘Title’ => ‘pdfUZZ’,
‘CreationDate’ => [localtime],
‘Subject’ => ‘pdfUZZ’,
‘Keywords’ => ‘pdfUZZ’);
$main = $pdf->new_page(‘MediaBox’ => $pdf->get_page_size(‘A4’));
$page = $main->new_page;
$ffont = $pdf->font(‘Subtype’ => ‘Type1’,
‘Encoding’ => ‘WinAnsiEncoding’,
‘BaseFont’ => ‘Times-Roman’);
$page->string($ffont, 20, 300, 300, $fuzz);
$pdf->close;
system $target $pdfdoc; }
foreach(@miscbugs) { $fuzz = $_;
$pdf = new PDF::Create(‘filename’ => $pdfdoc,
‘Version’ => 1.2,
‘Author’ => ‘pdfUZZ’,
‘Title’ => ‘pdfUZZ’,
‘CreationDate’ => [localtime],
‘Subject’ => ‘pdfUZZ’,
‘Keywords’ => ‘pdfUZZ’);
$main = $pdf->new_page(‘MediaBox’ => $pdf->get_page_size(‘A4’));
$page = $main->new_page;
$ffont = $pdf->font(‘Subtype’ => ‘Type1’,
‘Encoding’ => ‘WinAnsiEncoding’,
‘BaseFont’ => ‘Times-Roman’);
$page->string($ffont, 20, 300, 300, $fuzz);
$pdf->close;
system $target $pdfdoc; }
exit;’