How to extract streams and shellcodes from a PDF, the easy way |
Maybe it was not evident enough or not well documented, but until the moment there was a way of extracting streams, Javascript code, shellcodes and any type of information shown in the console output. What it's true is that it was not very straightforward. To extract something it was needed to set the especial variable "output" to a file or variable in order to store the console output in that new destination. For this to be accomplished we used the set command and after this the reset command to restore the original value of "output".
PPDF> set output file myFile
PPDF> rawstream 2
78 da dd 53 cb 6e c2 30 10 bc f7 2b 22 df c9 36 |x..S.n.0...+"..6|
39 54 15 72 c2 ad 3f 40 39 57 c6 5e 07 43 fc 50 |9T.r..?@9W.^.C.P|
6c 1e fd fb 6e 4a 02 04 54 a9 67 2c 59 9e 9d f5 |l...nJ..T.g,Y...|
8e 77 56 32 5f 9c 6c 9b 1d b0 8b c6 bb 8a 15 f9 |.wV2_.l.........|
2b cb d0 49 af 8c 6b 2a b6 fa fc 98 bd b3 45 fd |+..I..k*......E.|
92 d1 e2 27 15 e6 b4 33 aa 70 b1 47 15 db a4 14 |...'...3.p.G....|
e6 00 2e e6 42 f9 35 e6 d2 5b a0 04 b0 73 09 15 |....B.5..[...s..|
a1 aa 77 22 08 0e 04 46 4e 7a a7 4d 43 3a 92 84 |..w"...FNz.MC:..|
2e 22 c7 e3 31 b7 46 76 3e 7a 9d 72 df 35 10 e5 |."..1.Fv>z.r.5..|
06 ad 80 93 34 50 e6 6f 57 51 92 08 1d 46 74 e9 |....4P.oWQ...Ft.|
ca f4 9c d2 b7 31 31 83 af ba e0 30 c2 e9 05 bd |.....11....0....|
55 bb 36 8a ad f6 2a fc 1e 61 ab e8 5a ad 39 fc |U.6...*..a..Z.9.|
95 9a 0a 18 97 b0 13 32 99 03 f6 af dc 86 b7 ad |.......2........|
c1 a4 37 0a a7 ed 73 38 8f e4 12 27 b4 a1 15 09 |..7...s8...'....|
69 46 4a 0b fd bf 31 69 ad a2 98 8d a5 50 ea c9 |iFJ...1i.....P..|
c4 e2 7e ad 7d 67 33 27 2c 56 ac 87 05 cb 5a f1 |..~.}g3',V....Z.|
ed f7 a9 62 69 4d d8 4b d1 52 0a dd d7 6a c9 a6 |...biM.K.R...j..|
93 15 0d 2e 31 dd 59 ba 27 39 0c 6f 5c 6d 8d cd |....1.Y.'9.o\m..|
3c 18 2b 9e c5 59 f1 60 ad 7c 16 6b e5 f0 ef 61 |<.+..Y.`.|.k...a|
f8 f8 f5 0f a2 a0 3b 6d 0a |......;m.| PPDF> reset output PPDF> exit
$ hexdump -C myFile
00000000 78 da dd 53 cb 6e c2 30 10 bc f7 2b 22 df c9 36 |x..S.n.0...+"..6|
00000010 39 54 15 72 c2 ad 3f 40 39 57 c6 5e 07 43 fc 50 |9T.r..?@9W.^.C.P|
00000020 6c 1e fd fb 6e 4a 02 04 54 a9 67 2c 59 9e 9d f5 |l...nJ..T.g,Y...|
00000030 8e 77 56 32 5f 9c 6c 9b 1d b0 8b c6 bb 8a 15 f9 |.wV2_.l.........|
00000040 2b cb d0 49 af 8c 6b 2a b6 fa fc 98 bd b3 45 fd |+..I..k*......E.|
00000050 92 d1 e2 27 15 e6 b4 33 aa 70 b1 47 15 db a4 14 |...'...3.p.G....|
00000060 e6 00 2e e6 42 f9 35 e6 d2 5b a0 04 b0 73 09 15 |....B.5..[...s..|
00000070 a1 aa 77 22 08 0e 04 46 4e 7a a7 4d 43 3a 92 84 |..w"...FNz.MC:..|
00000080 2e 22 c7 e3 31 b7 46 76 3e 7a 9d 72 df 35 10 e5 |."..1.Fv>z.r.5..|
00000090 06 ad 80 93 34 50 e6 6f 57 51 92 08 1d 46 74 e9 |....4P.oWQ...Ft.|
000000a0 ca f4 9c d2 b7 31 31 83 af ba e0 30 c2 e9 05 bd |.....11....0....|
000000b0 55 bb 36 8a ad f6 2a fc 1e 61 ab e8 5a ad 39 fc |U.6...*..a..Z.9.|
000000c0 95 9a 0a 18 97 b0 13 32 99 03 f6 af dc 86 b7 ad |.......2........|
000000d0 c1 a4 37 0a a7 ed 73 38 8f e4 12 27 b4 a1 15 09 |..7...s8...'....|
000000e0 69 46 4a 0b fd bf 31 69 ad a2 98 8d a5 50 ea c9 |iFJ...1i.....P..|
000000f0 c4 e2 7e ad 7d 67 33 27 2c 56 ac 87 05 cb 5a f1 |..~.}g3',V....Z.|
00000100 ed f7 a9 62 69 4d d8 4b d1 52 0a dd d7 6a c9 a6 |...biM.K.R...j..|
00000110 93 15 0d 2e 31 dd 59 ba 27 39 0c 6f 5c 6d 8d cd |....1.Y.'9.o\m..|
00000120 3c 18 2b 9e c5 59 f1 60 ad 7c 16 6b e5 f0 ef 61 |<.+..Y.`.|.k...a|
00000130 f8 f8 f5 0f a2 a0 3b 6d 0a |......;m.|
These were the steps to extract something until now. But as some people have told me that it's not very easy or evident (thanks to them!!) I have implemented an easy way to do it, like simple redirections in a command shell.
PPDF> rawstream 2 > myFile
PPDF> exit
$ hexdump -C myFile
00000000 78 da dd 53 cb 6e c2 30 10 bc f7 2b 22 df c9 36 |x..S.n.0...+"..6|
00000010 39 54 15 72 c2 ad 3f 40 39 57 c6 5e 07 43 fc 50 |9T.r..?@9W.^.C.P|
00000020 6c 1e fd fb 6e 4a 02 04 54 a9 67 2c 59 9e 9d f5 |l...nJ..T.g,Y...|
00000030 8e 77 56 32 5f 9c 6c 9b 1d b0 8b c6 bb 8a 15 f9 |.wV2_.l.........|
00000040 2b cb d0 49 af 8c 6b 2a b6 fa fc 98 bd b3 45 fd |+..I..k*......E.|
00000050 92 d1 e2 27 15 e6 b4 33 aa 70 b1 47 15 db a4 14 |...'...3.p.G....|
00000060 e6 00 2e e6 42 f9 35 e6 d2 5b a0 04 b0 73 09 15 |....B.5..[...s..|
00000070 a1 aa 77 22 08 0e 04 46 4e 7a a7 4d 43 3a 92 84 |..w"...FNz.MC:..|
00000080 2e 22 c7 e3 31 b7 46 76 3e 7a 9d 72 df 35 10 e5 |."..1.Fv>z.r.5..|
00000090 06 ad 80 93 34 50 e6 6f 57 51 92 08 1d 46 74 e9 |....4P.oWQ...Ft.|
000000a0 ca f4 9c d2 b7 31 31 83 af ba e0 30 c2 e9 05 bd |.....11....0....|
000000b0 55 bb 36 8a ad f6 2a fc 1e 61 ab e8 5a ad 39 fc |U.6...*..a..Z.9.|
000000c0 95 9a 0a 18 97 b0 13 32 99 03 f6 af dc 86 b7 ad |.......2........|
000000d0 c1 a4 37 0a a7 ed 73 38 8f e4 12 27 b4 a1 15 09 |..7...s8...'....|
000000e0 69 46 4a 0b fd bf 31 69 ad a2 98 8d a5 50 ea c9 |iFJ...1i.....P..|
000000f0 c4 e2 7e ad 7d 67 33 27 2c 56 ac 87 05 cb 5a f1 |..~.}g3',V....Z.|
00000100 ed f7 a9 62 69 4d d8 4b d1 52 0a dd d7 6a c9 a6 |...biM.K.R...j..|
00000110 93 15 0d 2e 31 dd 59 ba 27 39 0c 6f 5c 6d 8d cd |....1.Y.'9.o\m..|
00000120 3c 18 2b 9e c5 59 f1 60 ad 7c 16 6b e5 f0 ef 61 |<.+..Y.`.|.k...a|
00000130 f8 f8 f5 0f a2 a0 3b 6d 0a |......;m.|
It is also possible to use the ">>" symbol to add content to the file instead of creating a new file. If we want to store the content in a variable to modify or use it with other commands then we will use "$>" and "$>>":
PPDF> js_code 12
var QqLE0KzZO2jD="%";var kStZXWbb2V="uC0";var B1ZfvWohAn="DA";var qoFNry7D0FoG="%uF";
var p9ZU1ERAy="424";var VJGMaYtcjK4y="%";var SfixjpV="u";var OfoEOMzYq="C92";
var XKxfBjqmCo52="BF5";var Ol7Qtlr="B%u";var hFZMJbrF="D";var shbtpJm2b="289";
var jD7lLhabX="%u";var GzG5duMDXuP="C5";var APOqakYJgq="F%";var nXSIeR0="1%";
var wqpaywVhBl="B83";var uWMLzqlbLiFv="%";var DIJqup3ic="C%";var IaJR3m5="u1";
var CItywfyy8hCc="%uE";var GPZk7EGZbO3h="F30";var GnEBVKbT="%u";var BjwCWEV="u";
var KR2kgUh="BC%";var HHX0Sfe1p="u";var pJROvwQC="52C";var dyPiUK6OO0="%";
var scOB04BIQmq="48A";var Ma4Stjk4Qa0V="B0";var jaG1FTBk8ds="8%u";var EVBnE1eW="0";
var jqEeQWFDCh="9";var RoCLyOpG5="%u";var XMuK7Be="DD5";var WcUwtNu="F%";
var Gu7HEFLPprCD="u";var THw7pkxc13l="0";var VGOex11gd="5%";var x6mobyr="u84";
var AdmOc0b="F";var DUog0Ur2m1="9%";var t9vz1vz3="2";var y6Xi3c4EUko="8";
var duCZyR8g="E";var Gwu9FWc7="%uF";var h3bkDnQFEXB="84";var SxkZfOFeDA2o="D";
...
PPDF> js_code 12 $> myJS
PPDF> js_analyse variable myJS $> sh
PPDF> show sh
da c0 d9 74 24 f4 2b c9 5b bf 89 d2 2f c5 b1 5e |...t$.+.[.../..^|
83 eb fc 31 7b 13 03 f2 c1 cd 30 ef f6 4b f1 dc |...1{.....0..K..|
3f 0d bc 1e c1 52 8a 54 58 b0 09 83 5f dd 05 ac |?....R.TX..._...|
9f e2 aa 1e f9 84 d2 5d 04 8e 4d f8 6e 76 9f 23 |.......]..M.nv.#|
05 9b 49 56 12 8e 50 c9 49 ef 70 03 c8 fd 99 54 |..IV..P.I.p....T|
f2 98 08 48 12 25 56 0e ce 81 ea 64 9a e2 3b b0 |...H.%V....d..;.|
71 5b 59 22 64 c8 ad 35 48 64 6d d4 d8 b9 57 3c |q[Y"d..5Hdm...W<|
85 a4 84 3b 49 17 f2 7c bb c3 e9 5d 01 71 57 29 |...;I..|...].qW)|
02 1c 30 03 a2 df d3 c2 51 ff 51 7e 0f a7 21 e5 |..0.....Q.Q~..!.|
2a 0f c0 80 d1 ea f6 d1 f7 64 ed 4a 6f 6a 58 87 |*........d.JojX.|
12 4b 2b ae b4 d5 55 2a 98 71 ae 85 40 b4 54 da |.K+...U*.q..@.T.|
9f 09 64 44 5f f8 2e ed f9 62 34 52 70 5b 96 75 |..dD_....b4Rp[.u|
23 7d c5 e6 32 d1 0c 2f 5e 58 96 bd 1a 51 51 0b |#}..2../^X...QQ.|
c2 5b d7 d5 96 fe dd 11 1f 02 83 3c fa 66 dd 42 |.[.........<.f.B|
62 01 b4 e3 5c fb 03 dc 96 9a 5d 87 3a 26 ab 8d |b...\.....].:&..|
5d 66 42 d8 c4 b8 f8 70 51 70 1f dd 8e 1a d7 16 |]fB....pQp......|
81 11 81 e3 dd 66 7c 88 96 cc d8 34 28 ae bd ae |.....f|....4(...|
ac 0e bd c3 f8 44 c8 e1 23 67 c8 fe 28 72 d9 99 |.....D..#g..(r..|
0f 7f f3 53 4f 6a e1 9f 64 b6 0a b4 79 b3 06 bc |..SOj..d...y...|
69 a4 01 d9 a0 d5 45 05 dd ea 50 2c c2 f2 55 a3 |i.....E...P,..U.|
36 05 7e c7 31 1b 18 e2 34 1c e6 d9 49 26 f2 19 |6.~.1...4...I&..|
42 39 dd 40 79 51 2b 86 74 51 4d aa b2 4b b3 c4 |B9.@yQ+.tQM..K..|
ab 83 b9 de cc 91 8f e8 f2 9a e5 e8 d5 c2 6e 64 |..............nd|
92 84 54 ab 75 13 c8 c1 e0 b9 66 40 dd 5e 18 e7 |..T.u.....f@.^..|
0e d0 97 96 7f 7d 2d 2c e5 af bd a4 95 2f |....}-,...../|
This new feature is included in the last SVN package and it will be of course included in the next release I hope to publish in one month, more or less. Both methods will be included but I think the latter is much easier to extract information from the interactive console. If you have more suggestions and comments let me know, I'm waiting for them! ;)
