Nicely laid out programs. Plenty of study materials. I can call if I need assistance. Lots of guidance to keep you on track. It was helpful to have all this as I was pursuing multiple security certifications. I self study normally so getting guidance like this is comforting that I know I have a plan to follow to study for my exams especially not knowing what materials you might need to review for the exam. I took one of their boot camps because I wanted to speed things up and get things done.
Impressive instructors. Lots of available materials. There are videos and plenty of practice questions. They point out where to go to get the best of breed study materials as well. Instructors seem to have very impressive backgrounds and to be knowledgeable.
That's a bit of a stretch to take an exam of that magnitude right after studying new material. They do give you access to their materials as soon as you pay for the camp, so that was nice; I just wish I had more time to go through it all before the camp.
Table Of Contents. Description Foxit Reader v9. Vulnerable Application Foxit Reader v9. Start Foxit Reader then open pdf from Foxit's Menu. Error Messages.
There are two types of numbers in a PDF document: integer and real. An integer consists of one or more digits, optionally preceded by a plus or minus sign. An example of integer objects may be seen below: The real value can be represented with one or more digits, with an optional sign and a leading, trailing or embedded decimal point (a period).
An example of real numbers can be seen below: There is a limitation of the length of the name element, which may be only bytes long. When writing a name, a slash must be used to introduce it; the slash is not part of the name but is a prefix indicating that what follows is a sequence of characters representing the name.
If we want to use whitespace or any other special character as part of the name, it must be encoded with two-digit hexadecimal notation. Figure 6: PDF names source. Strings in a PDF document are represented as a series of bytes surrounded by parentheses or angle brackets, but can be a maximum of bytes long. Any character may be represented by its ASCII representation, or alternatively with octal or hexadecimal representations.
Octal representation requires the character to be written in the form \ddd, where ddd is an octal number. An example of representing a string embedded in parentheses can be seen below: We can also use special well-known characters when representing a string. Those are: \n for new line, \r for carriage return, \t for horizontal tabulator, \b for backspace, \f for form feed, \( for left parenthesis, \) for right parenthesis and \\ for backslash.
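The name and string encodings described above, as an added example that is not part of the original article: a small decoder that normalises name tokens and both string forms so they can be compared byte-for-byte during analysis. The function names and the sample tokens are constructed for illustration.

```python
import re

def decode_name(token: bytes) -> bytes:
    """Decode a PDF name token: drop the leading '/', expand #xx hex escapes."""
    if not token.startswith(b"/"):
        raise ValueError("a name must start with '/'")
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), token[1:])

# Single-character escapes allowed after a backslash in a literal string.
_SIMPLE = {b"n": b"\n", b"r": b"\r", b"t": b"\t", b"b": b"\b", b"f": b"\f",
           b"(": b"(", b")": b")", b"\\": b"\\"}

def decode_literal_string(token: bytes) -> bytes:
    """Decode a (parenthesised) string: backslash escapes and \\ddd octal codes."""
    if not (token.startswith(b"(") and token.endswith(b")")):
        raise ValueError("expected a (literal) string")
    body, out, i = token[1:-1], bytearray(), 0
    while i < len(body):
        ch = body[i:i + 1]
        if ch != b"\\":                      # ordinary byte, copy through
            out += ch
            i += 1
            continue
        nxt = body[i + 1:i + 2]
        octal = re.match(rb"[0-7]{1,3}", body[i + 1:i + 4])
        if octal:                            # \d, \dd or \ddd
            out.append(int(octal.group(), 8) & 0xFF)
            i += 1 + len(octal.group())
        else:                                # known escape, else drop the backslash
            out += _SIMPLE.get(nxt, nxt)
            i += 2
    return bytes(out)

def decode_hex_string(token: bytes) -> bytes:
    """Decode a <hex> string; whitespace is ignored, odd length is padded with 0."""
    digits = re.sub(rb"\s", b"", token[1:-1])
    if len(digits) % 2:
        digits += b"0"
    return bytes.fromhex(digits.decode("ascii"))

if __name__ == "__main__":
    # Constructed tokens: two spellings of one name, and two spellings of one string.
    print(decode_name(b"/T#79pe") == decode_name(b"/Type"))
    print(decode_literal_string(rb"(He\154lo)"), decode_hex_string(b"<48 656C6C6F>"))
```

Comparing decoded values rather than raw tokens matters when searching a document for a particular key, because the same name can be written with or without hexadecimal escapes.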
Arrays in PDF documents are represented as a sequence of PDF objects, which may be of different types and enclosed in square brackets. This is why an array in a PDF document can hold any object types, like numbers, strings, dictionaries and even other arrays. An array may also have zero elements. An array is presented with a square bracket. An example of an array is presented below: The key must be the name object, whereas the value can be any object, including another dictionary.
The maximum number of entries in a dictionary is entries. A stream object is represented by a sequence of bytes and may be unlimited in length, which is why images and other big data blocks are usually represented as streams.
A stream object is represented by a dictionary object followed by the keywords stream followed by newline and endstream.
The stream dictionary specifies the exact number of bytes of the stream. After the data there should be a newline and the endstream keyword. Common keywords used in all stream dictionaries are the following (note that the Length entry is mandatory): The stream data in the object stream will contain N pairs of integers, where the first integer represents the object number and the second integer represents the offset in the decoded stream of that object.
The First entry in the dictionary identifies the first object in the object stream. In PDF 1. Each cross-reference stream contains the information equivalent to the cross-reference table and trailer.
First of all, we must know that any object in a PDF document can be labeled as an indirect object. This gives the object a unique object identifier, which other objects can use to reference the indirect object. By declaring an object an indirect object, we are able to use it in the PDF document cross-reference table and reuse it by any page, dictionary and so on in the document. Since every indirect object has its own entry in the cross-reference table, the indirect objects may be accessed very quickly.
The object identifier of the indirect object consists of two parts; the first part is an object number of the current indirect object. The second part is the generation number, which is set to zero for all objects in a newly-created file. This number is later incremented when the objects are updated. We can refer to the indirect objects with indirect reference, which consists of the object number, the generation number and the keyword R.
To reference the above indirect object, we must write something like below: Most of the objects in a PDF document are dictionaries.
Page objects are connected together and form a page tree, which is declared with an indirect reference in the document catalog. The whole structure of the PDF document can be represented with the picture below [1]: Figure 7: Structure of the PDF document source. In the picture above, we can see that the document catalog contains references to the page tree, outline hierarchy, article threads, named destinations and interactive form.
From the picture above, we can see that the Document Catalog is the root of the objects in the PDF document.
It also contains the information that declares how the document will be displayed on the screen. The entries in the document catalog are as follows: The reader can take a look at our sources for details.
An example of the document catalog is presented below: 1 0 obj. The pages of the document are accessed through the page tree, which defines all the pages in the PDF document. When we open the malicious PDF document in a vulnerable Adobe PDF Reader, a new meterpreter session should be opened, as can be seen in the picture below:
We can then use the newly created session to interact with the compromised computer. The exploit works and gives us the meterpreter session that we want, so why should we care about the details of how this is done? For example, the Header of the PDF document is presented in the picture below: And the bytes are at the beginning of the file, because applications normally read the first few bytes of the file to determine if they can handle the specific file and open it. Then there is the Body PDF section that is presented in the picture below:
The # character followed by two characters is a single character represented in hexadecimal notation. In the picture above we also have one encrypted stream, which is non-recognizable right now. In line 29 that stream is terminated by the endstream and on line 30 with endobj keywords. What follows is the Xref table, which we can see in the following picture:
The cross-reference table uses 6 objects. The first object with an offset 0x0 and the generation number is always present and is not used. The other objects are represented by the following lines. The first used object is located at the byte offset 17 and contains the generation number 0. The cross-reference table is clear and provides just the information that we need: there are 6 used objects with different byte offsets usually present in the body of the PDF document which is encrypted and obfuscated.
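The cross-reference layout described above, as an added example that is not part of the original article: a parser for a classic xref table that also checks each in-use offset really lands on the matching "N G obj" header, a useful sanity check when triaging a suspicious file. The sample PDF is constructed inline, and the function names are chosen for illustration.

```python
import re

def build_sample():
    """Constructed sample: a tiny PDF whose xref offsets are computed, not copied."""
    objs = [b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n",
            b"2 0 obj\n<< /Type /Pages /Kids [] /Count 0 >>\nendobj\n"]
    body, offsets = b"%PDF-1.4\n", []
    for obj in objs:
        offsets.append(len(body))
        body += obj
    xref_at = len(body)
    body += b"xref\n0 3\n0000000000 65535 f \n"      # entry 0: head of the free list
    body += b"".join(b"%010d 00000 n \n" % off for off in offsets)
    body += b"trailer\n<< /Size 3 /Root 1 0 R >>\nstartxref\n%d\n%%%%EOF\n" % xref_at
    return body

ENTRY = re.compile(rb"(\d{10}) (\d{5}) ([nf])")

def parse_xref(data):
    """Return [(obj_num, offset, generation, in_use)] for the last classic xref table."""
    found = re.findall(rb"startxref\s+(\d+)\s+%%EOF", data)
    if not found:
        raise ValueError("no startxref pointer")
    pos = int(found[-1])
    if data[pos:pos + 4] != b"xref":          # e.g. a cross-reference stream instead
        raise ValueError("startxref does not point at a classic xref table")
    entries, num = [], 0
    for line in data[pos:].split(b"trailer")[0].splitlines()[1:]:
        m = ENTRY.match(line)
        if m:
            entries.append((num, int(m.group(1)), int(m.group(2)), m.group(3) == b"n"))
            num += 1
        elif line.strip():                    # subsection header: "first count"
            num = int(line.split()[0])
    return entries

def check_offsets(data):
    """List in-use entries whose offset does not land on 'N G obj'."""
    bad = []
    for num, off, gen, in_use in parse_xref(data):
        marker = b"%d %d obj" % (num, gen)
        if in_use and data[off:off + len(marker)] != marker:
            bad.append((num, off))
    return bad

if __name__ == "__main__":
    pdf = build_sample()
    for entry in parse_xref(pdf):
        print(entry)
    print("mismatched:", check_offsets(pdf))
```

Files that keep their cross-reference data in a cross-reference stream raise ValueError here, since only the plain-text table form is handled.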