Commit 06a4850f authored by Sophie Brun

Merge tag 'upstream/0.3'

Upstream version 0.3
parents 769be519 8dba5609
-----------------------------------------------
peepdf 0.3 r235, 2014-06-09
-----------------------------------------------
* New features:
- Added descriptive titles for the vulns found
- Added detection of CVE-2013-2729 (Adobe Reader BMP/RLE heap corruption)
- Added support for more than one script block in objects containing Javascript (e.g. XFA objects)
- Updated colorama to version 3.1 (2014-04-19)
- Added detection of CVE-2013-3346 (ToolButton Use-After-Free)
- Added command "js_vars" to show the variables defined in the Javascript context and their content
- Added command "js_jjdecode" to decode Javascript code using the jjencode algorithm (Thanks to Nahuel Riva @crackinglandia)
- Added static detection for CVE-2010-0188
- Added detection for CoolType.dll SING uniqueName vulnerability (CVE-2010-2883). Better late than never ;p
- Added new command "vtcheck" to check for detection on VirusTotal (API key included)
- Added option to avoid automatic Javascript analysis (useful with endless loops)
- Added PyV8 as Javascript engine and removed Spidermonkey (Windows issues).
* Fixes:
- Fixed bug when encrypting/decrypting hexadecimal objects (Thanks to Timo Hirvonen for the feedback)
- Fixed silly bug related to abbreviated PDF Filters
- Fixed bug related to the GNU readline function not handling correctly colorized prompts
- Fixed log_output function, it was storing the previous command output instead of the current one
- Fixed bug in PDFStream to show the stream content when the stream dictionary is empty (Thanks to Nahuel Riva)
- Fixed Issue 12, related to bad JS code parsing due to HTML entities in the XFA form (Thanks to robomotic)
- Fixed Issue 10 related to bad error handling in the PDFFile.decrypt() method
- Fixed Issue 9, related to an uncaught exception when PyV8 is not installed
- Fixed bug in do_metadata() when objects contain /Metadata but they are not really Metadata objects
* Others
- Removed the old redirection method using the "set" command, it is useless now with the shell-like redirection (>, >>, $>, $>>)
* Known issues
- It exists a problem related to the readline module in Mac OS X (it uses editline instead of GNU readline), not handling correctly colorized prompts.
-----------------------------------------------
peepdf Black Hat Vegas (0.2 r156), 2012-07-25
-----------------------------------------------
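Review bot: The "vtcheck" entry ("API key included") ships a shared VirusTotal API key with the tool, which is worth flagging in the changelog and README rather than leaving implicit. A key embedded in a public code base is a single credential shared by every user, so it is subject to the public-API rate limit for everyone at once and can be revoked at any time; and every "vtcheck" sends the MD5 of the analysed sample to a third party, which matters when the PDF comes from an engagement under NDA. Suggest documenting that the command contacts VirusTotal, that the bundled key can be overridden with the user's own, and that the lookup is opt-in rather than part of the automatic analysis.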
......
......@@ -3,7 +3,7 @@
# http://peepdf.eternal-todo.com
# By Jose Miguel Esparza <jesparza AT eternal-todo.com>
#
# Copyright (C) 2012 Jose Miguel Esparza
# Copyright (C) 2011-2014 Jose Miguel Esparza
#
# This file is part of peepdf.
#
......@@ -25,7 +25,7 @@
Module with some misc functions
'''
import os,re,htmlentitydefs
import os, re, htmlentitydefs, json, urllib, urllib2
def clearScreen():
'''
......@@ -413,4 +413,27 @@ def unescapeString(string):
else:
unescapedValue += string[i]
i += 1
return unescapedValue
\ No newline at end of file
return unescapedValue
def vtcheck(md5, vtKey):
'''
Function to check a hash on VirusTotal and get the report summary
@param md5: The MD5 to check (hexdigest)
@param vtKey: The VirusTotal API key needed to perform the request
@return: A dictionary with the result of the request
'''
vtUrl = 'https://www.virustotal.com/vtapi/v2/file/report'
parameters = {'resource':md5,'apikey':vtKey}
try:
data = urllib.urlencode(parameters)
req = urllib2.Request(vtUrl, data)
response = urllib2.urlopen(req)
jsonResponse = response.read()
except:
return (-1, 'The request to VirusTotal has not been successful')
try:
jsonDict = json.loads(jsonResponse)
except:
return (-1, 'An error has occurred while parsing the JSON response from VirusTotal')
return (0, jsonDict)
\ No newline at end of file
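Review bot: The two bare `except:` clauses (around `urllib2.urlopen` and `json.loads`) swallow everything, including `KeyboardInterrupt` and `SystemExit`, so a user who hits Ctrl-C while the request is pending gets the generic "has not been successful" tuple instead of the interrupt; narrow them to `except (urllib2.URLError, urllib2.HTTPError, IOError):` and `except ValueError:` respectively. `urllib2.urlopen(req)` is also called without a `timeout`, so a stalled connection to virustotal.com blocks the interactive shell indefinitely; pass `urllib2.urlopen(req, timeout=...)` with a sane value. Two smaller points: the docstring says the function returns a dictionary, but it actually returns a `(status, payload)` tuple where `payload` is either an error string or the parsed JSON, so callers must check the first element, and the docstring should say so; and note that `urllib2` in Python versions before 2.7.9 does not verify the server certificate, so on older interpreters the HTTPS URL does not by itself protect the API key in transit. The file still ends without a trailing newline.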
......@@ -6,9 +6,9 @@ http://twitter.com/peepdf
** Dependencies **
- In order to analyse Javascript code "python-spidermonkey" is needed:
- In order to analyse Javascript code "PyV8" is needed:
http://code.google.com/p/python-spidermonkey
http://code.google.com/p/pyv8/
- The "sctest" command is a wrapper of "sctest" (libemu). Besides libemu pylibemu is used and must be installed:
......
Pending tasks:
- User manual
- Add detection of more exploits/vulns
- Documentation of methods in PDFCore.py
- Add the rest of supported stream filters (better testing of existent)
- Automatic analysis of embedded PDF files
- Add AES to the encryption implementation
- Improve the automatic Javascript analysis, getting code from other parts of the documents (getAnnots, etc)
- GUI
- ActionScript analysis?
\ No newline at end of file
- ...
\ No newline at end of file
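Review bot: The hunk replaces "- ActionScript analysis?" with "- ..." without recording whether that item was implemented or dropped; if it is no longer planned, say so in the changelog rather than leaving a placeholder bullet. The file is also still written without a trailing newline, which is why both sides of the hunk carry the "No newline at end of file" marker.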
......@@ -3,7 +3,7 @@
# http://peepdf.eternal-todo.com
# By Jose Miguel Esparza <jesparza AT eternal-todo.com>
#
# Copyright (C) 2012 Jose Miguel Esparza
# Copyright (C) 2012-2014 Jose Miguel Esparza
#
# This file is part of peepdf.
#
......
This diff is collapsed.
......@@ -3,7 +3,7 @@
# http://peepdf.eternal-todo.com
# By Jose Miguel Esparza <jesparza AT eternal-todo.com>
#
# Copyright (C) 2012 Jose Miguel Esparza
# Copyright (C) 2012-2014 Jose Miguel Esparza
#
# This file is part of peepdf.
#
......
......@@ -7,7 +7,7 @@
<!ELEMENT date ( #PCDATA ) >
<!ELEMENT basic ( filename, md5, sha1, sha256, size, version, binary, linearized, encrypted, updates, num_objects, num_streams, comments, errors ) >
<!ELEMENT basic ( filename, md5, sha1, sha256, size, detection, pdf_version, binary, linearized, encrypted, updates, num_objects, num_streams, comments, errors ) >
<!ELEMENT filename ( #PCDATA ) >
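Review bot: Renaming `version` to `pdf_version` and inserting `detection` into the `basic` content model is a breaking change to the XML report schema, so any consumer validating reports against the previous DTD will reject the new output; a bump in the DTD version or a note in the changelog would help. Also, `detection` is declared as a required child of `basic` even though both of its own children (`rate?`, `report_link?`) are optional, so a report generated without a VirusTotal lookup must still emit an empty `<detection/>` element to stay valid; if that is not intended, declare it as `detection?`.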
......@@ -19,6 +19,12 @@
<!ELEMENT size ( #PCDATA ) >
<!ELEMENT detection ( rate?, report_link? ) >
<!ELEMENT rate ( #PCDATA ) >
<!ELEMENT report_link ( #PCDATA ) >
<!ELEMENT pdf_version ( #PCDATA ) >
<!ELEMENT binary EMPTY >
......@@ -51,7 +57,7 @@
<!ELEMENT advanced ( version* ) >
<!ELEMENT version ( catalog , info , objects , streams , js_objects, suspicious_elements , suspicious_urls ) >
<!ELEMENT version ( catalog, info, objects, streams ,js_objects, suspicious_elements, suspicious_urls ) >
<!ATTLIST version num NMTOKEN #REQUIRED >
<!ATTLIST version type ( original | update ) #REQUIRED >
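Review bot: This whitespace-only change to the `version` content model moves the stray space to the wrong side of the comma, producing `streams ,js_objects`; make it `streams, js_objects` so the list is consistently formatted.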
......