Weaponize PDF with java script

When it comes to phishing documents its 99% of the time Microsoft office documents, since it is so versatile with what you can do. Because of that people often neglect security measures for PDF documents. To be fair, since PDF documents wont allow an attacker to implement handy VBS script which opens a shell in an instant, it is a bit harder to use PDF for phishing purposes. However, one way to do so is by injecting java script into the PDF document.

1) Create a Microsoft word document and tailor its content just as you like. Afterwards export the document as PDF. Alternatively you can just pick any other already existing PDF document.

1. Create a word document and export it as PDF.

Open up the PDF document with a text editor of your choice. The PDF document usually consists of the following four parts.

Header: This is the first line of a PDF document and specifies the version number. To inject java script we do not need to edit anything here.

Body: This is where all the objects of the document are stored. The first line of the body is usually right next to the header and starts with “1 0 obj” to create the first object inside the PDF. Objects contain all the information within the PDF document aswell as the java script that we are going to add. The last line of the body contains “endobj” while the line after that usually starts the cross reference table (xref).

2. End of Body (red) with object numbers 24 and 25. Start of xref (green).

Cross reference table (xref): The table starts with the line that contains “xref” and it contains the references to all the objects in the document. Since we are going to add objects inside the body of the document to inject java script we need to edit the object number of the reference table later on. In figure 2 we can see that the document contains 25 objects inside the body at the moment, therefore the cross-reference table gets numbered as 26.

Trailer: This specifies how the application reading the PDF document is able to find the cross-reference table and other objects. The trailer also contains the total amount of all objects, which is why we need to edit the trailer aswell after adding java script.  Usually the trailer starts right behind the cross-reference table with the line “trailer” as shown in figure 3.

3. Shift between xref (green) and trailer (blue).

2) Now its time to inject java script into the document. Therefor we add three objects at the end of the PDF body, right before the cross-reference table. Keep in mind that the new objects have to be consecutively numbered. We also have to edit the object number inside the reference table accordingly as shown in figure 3.

4. Body (red). New objects inside body (orange). Reference table (green). Edited amount of objects (purple).

The first and the second object are for initialization of the java script and each of them references the next object. The third object contains the actual java script.

3) Since two out of the three new objects are already referencing each other we need to create only one new reference for the first object that we have added so that the object that contains the java script gets executed. To do this we need to edit the root (first) object which is usually at the beginning of the document. The root object begins with “1 0 obj” and contains various information about the document. Within the object we need to add the string “/Names X 0 R”, where X is the number of our first of three added objects, which in our case is 26.

5. Adding “/Names 26 0 R ” to the root object to reference our first added block.

4) The last step is to edit the trailer of the document. The trailer is at the end of the document as figure 3 already showed and contains the total amount of objects within the document. Sometimes there are two trailers. To reduce the risk of failures it is recommended to edit both of them, even though editing just the last one usually works aswell. Since the reference table is our last object inside the document and it is numbered as 29, we have to edit the trailer accordingly as shown in figure 6. For comparison, see the original trailer in figure 3.

6. Reference table (green). Trailer (blue). Editing size of the document with the new total amount of objects (orange).

After saving everything we are ready to test if everything is working as intended. When we open the document with an Adobe Acrobat Reader we see that the java script gets executed right away, asking for username and password.

7. The injected java script asks for a username.
8. Afterwards the java script asks for the corresponding password.

After entering a username and password, the java script tries to sent the data to the web server stored inside the source code. With default configuration the Acrobat Reader will display a security warning as shown in figure 9.

9. Acrobat security warning when any connection to an external resource happens.

If the user accepts the risk, the username and password will be sent to the web server of the attacker.

10. Using a web server for username and password exfiltration.

Alternatively an attacker can inject any other action that java script is capable of executing. For example to trick a user into downloading and executing a binary.

 

Countermeasures:

1) Make sure that all applications that you provide for viewing PDF documents within your environment do not allow the execution of java script.

11. Deactivate java script for Acrobat Reader.

2) Make sure that all applications that you provide for viewing PDF documents within your environment have restricted access or no access at all to the internet and other non-PDF documents.

12. Restrict access to the internet and all non-PDF attachments.

Malware/Phishing: Stealing Firefox Login-Information

Malicious E-Mails are very common these days. It is easy to place code inside an Office document that downloads and executes arbitrary files or even give initials access over a PowerShell reverse TCP connection (for further information about this topic take a look at the new Tool-List for Phishing). But what if you face a dedicated environment where running arbitrary executable files is not an option due to some sort of application white-/blacklisting? One security flaw that could exist in such an environment is the lack of restrain on how Firefox handles credentials. If you can steal login information off a target you might be able to login on some by that target frequently used Web-Applications for further information gathering or placing an implant. Or if you get lucky, that target allows some sort of remote connection (Remote Desktop Services or VPN for example) without a multi factor authentication.

To steal Login-Information that is stored/saved within Firefox you need three files: Logins.json, key4.db and cert9.db. All three files are stored in the %appdata%\Mozilla\Firefox\profiles folder inside the current user profile (for Windows). The goal is to read the content of that files, Base64 encode it and send it off to a HTTP-Server on the Internet. Once the data has been exfiltrated it is possible to recover all three files by decoding them and then access their content with a tool called Firefox Decrypt.

1. First we need to set up a rogue HTTP-Server that receives the exfiltrated data (LINK – PW: offensive).

1. Rogue Python HTTP-Server

 

2. The next step is to create a PowerShell script that reads the all three files, Base64 encodes the content and then sends each file inside the body of a POST-Method to our HTTP-Server (LINK – PW: offensive).

2. PowerShell script for data exfiltration

 

3. To use the PowerShell script inside an Office document we have to make some adjustments. First we rewrite the script into one line of code by deleting all line breaks and using semicolons. Then we save the whole code block in a variable which we execute at the end of the script with an Invoke-Command -ScriptBlock method (LINK – PW: offensive).

3. Rewriting the PowerShell script as a single line of code.

 

4. We then embed that code inside an Office document, preferably as Base64 encoded payload. To encode the payload as Base64 the following command can be used:
cat payload.txt | iconv -t UTF-16LE | base64 -w0

4. Payload inside Office document

 

5. Once the phishing script has been successfully executed the HTTP-Server receives the encoded data and stores it inside a new folder.

5. Incoming data handled by the HTTP-Server

 

6. Now all the received files can be decoded. Make sure to decode all three files per profile.

6. Decoding the logins.json file

 

7. The last step is to use the Firefox Decrypt tool to recover the stored login information.

7. Getting the clear text Login-Information

If the target made use of a master password to protect the stored information you could try to recover the passwords with a dictionary attack or credential stuffing.

Countermeasures:
-Do not save passwords with Firefox or use a really strong master password to protect them.
-Use execution policies, PowerShell code signing and Trust Center settings to prevent Office documents from executing arbitrary code.

Disclaimer:
-This post is for educational purposes only.
-Using these techniques outside of test environments is prosecutable and thereby prohibited.
-All (PowerShell-)code has been uploaded to VirusTotal before publishing.

Results VirusTotal.com for OriginalPowerShell.ps1

 

 

Results VirusTotal.com for OneLinerPowerShell.ps1