
pdfcrack's Introduction

Code and documentation are copyright 2006-2008 Henning Norén

Parts of pdfcrack.c and md5.c are derived/copied/inspired from
xpdf/poppler and are copyright 1995-2006 Glyph & Cog, LLC.

The PDF data structures, operators, and specification are
copyright 1985-2006 Adobe Systems Inc.


Project page: http://sourceforge.net/projects/pdfcrack/


pdfcrack is a simple tool for recovering passwords from PDF documents.
It should be able to handle all PDFs that use the standard security handler,
but the PDF-parsing routines are a bit of a quick hack, so you might stumble
across some PDFs that the parser needs to be fixed to handle.

Type 'make' (or 'gmake' if you have BSD make as default) to build the program.
You will need GNU Make and a recent version of GCC installed, but there
are no external dependencies on libraries.
For best optimization on your platform, add the appropriate -march switch to
the CFLAGS option in the Makefile. Look into the GCC manual
(http://gcc.gnu.org/onlinedocs/) if you are unsure.

The program is distributed under GPL version 2 (or later).

Features available in this release (check TODO for features that might come):
* Both owner- and user-passwords with the Standard Security Handler, rev 2 & 3.
* Search by wordlist
* Search by bruteforcing with specific charset
* Optimized search for owner-password when user-password is known (or empty)
* Extremely simple permutations of passwords (makes first letter uppercase)

- currently only useful for bruteforcing with charsets:
* Auto-save when interrupted (Ctrl-C or send SIGINT to the process)
* Loading saved state

- currently only for bruteforcing with charsets:
* Minimum length of password to start at
* Maximum length of password to try


Sort your wordlist by length for best performance. Almost all passwords in
PDFs are in ISO Latin 1, so use the correct character encoding in your
terminal and/or wordlist when using special characters.

This tool cannot decrypt a password-protected PDF.
Look up the pdftk toolkit, which can do that once you know the password.


pdfcrack's Issues

NULL Pointer Dereference In md5.c

Crash sample
PDF: 1.5
R: 7
V: 2
P: -4
L: 128
MetaData: 1
FileID(16): 40 45 164 14 12 208 211 176 75 95 181 243 43 87 176 235
Filter(8tandard
O: 67 18 169 93 105 229 5 30 147 205 95 39 254 231 128 183 53 50 203 15 249 145 88 232 187 182 200 179 103 148 103 120
U: 183 202 255 185 154 118 28 228 136 106 178 230 238 94 29 35 40 191 78 94 78 117 138 65 100 0 78 86 255 250 1 8
User: 1
UserPw: 0
Permutate: 0

PM: 2
MaxPWL: 5
Charset(14): 32332fffsfsrfe
 12 9 1 7 1 -1 -1 -1 -1 -1 -1 -1 -1 -1 -1 -1 -1 -1 -1 -1 -1 -1 -1 -1 -1 -1 -1 -1 -1 -1 -1 -1

downloadLink: null.sav

Crash State

We see it executes at 0x0

Reasons

Where md5_50_init will not be executed, so md5_50_variant is NULL

Which ends with a NULL Pointer Dereference ...

NULL Pointer Reference in pdfcrack.c:747

NULL Pointer Reference 2

sample download:
null3.sav

crash State

Reasons

We clearly see len == 0, so e->s_handler hasn't been malloced any space; it is NULL.

Next it attempts to write '\0' in e->s_handler, so crash!

-n switch not working

When I try pdfcrack with -n='x' it still tries passwords with less characters than 'x':

pdfcrack -f 001_00327_20180831_1.pdf -n=10 -c 0123456789

PDF version 1.6
Security Handler: Standard
V: 2
R: 3
P: -1324
Length: 128
Encrypted Metadata: True
FileID: 0b3a986298241ea763283d74ab520988
U: 0a76cdde4d42bb2266b40c3b0fa9020d00000000000000000000000000000000
O: 95f61a8f94076be08abda5b58d2e12979dced56b94624b158db047cb2367bebe
Average Speed: 51047.3 w/s. Current Word: '638909'
Average Speed: 50945.8 w/s. Current Word: '1578290'
Average Speed: 51060.8 w/s. Current Word: '8699491'

If this works correctly the "Current Word" should be 10 characters or more?

Thank you.

stack-buffer-overflow in runCrackRev3 > md5

Memory access overflows 'enckey' variable

version: pdfcrack-0.16
compiler options: clang

output:
Loaded state for forasgmt.sav
PDF version 1.4
Security Handler: Strd
O:
V: 2
R: 1
P: -3
Length: 176
Encrypted Metadata: True
FileID: 66d36a30a97e0f16f39955c6221e0c2a
U: 3b64a47ae69c81add269ec98ad14615991f1dd59d88e5b6e5e0a7954217a8f78
O: 43c9dc2870a984994bc1265a57c7f8ada724fa891e652bb0654f50170f72f5ee
Segmentation fault (core dumped)

crash link:
https://raw.githubusercontent.com/hoohoo-b/poc/master/input.sav

trigger command:
./pdfcrack -l input.sav

ASAN output:
[screenshot: ss 2017-11-15 at 3 08 42 pm]
[screenshot: ss 2017-11-15 at 3 07 29 pm]

NULL Pointer Reference in pdfcrack.c:425

sample .sav
PDF: 1.5
R: 1
V: 2
P: -4
L: 128
MetaData: 1
FileID(16): 40 45 164 14 12 208 211 176 75 95 181 243 43 87 176 235
Filter(8tandard
O: 67 18 169 93 105 229 5 30 147 205 95 39 254 231 128 183 53 50 203 15 249 145 88 232 187 182 200 179 103 148 103 120
U: 183 202 255 185 154 118 28 228 136 106 178 230 238 94 29 35 40 191 78 94 78 117 138 65 100 0 78 86 255 250 1 8
User: 1
UserPw: 0
Permutate: 0

PM: 2
MaxPWL: 5
Charset(14): 32332fffsfsrfe
 12 9 1 7 1 -1 -1 -1 -1 -1 -1 -1 -1 -1 -1 -1 -1 -1 -1 -1 -1 -1 -1 -1 -1 -1 -1 -1 -1 -1 -1 -1

downloadLink
null2.sav

Crash State

We see, there is an attempt to read from NULL.

Reasons

We see when memcmp(test, recv3TestKey, SIZE); recv3TestKey is NULL
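
The crash reports above all load a saved-state file whose fields are then used unchecked (R: 7, R: 1, Length: 176, a handler name with len == 0). The C below is an added example, not pdfcrack's own code, showing the load-time checks that reject such values before any handler or buffer is selected. The names validate_params and parse_filter, the 16-byte key buffer, the 64-byte name cap and the "Filter(<len>): <name>" line format (inferred from the samples' "FileID(16): ..." pattern) are assumptions.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_KEY_BITS 128   /* assumption: the key buffer holds 16 bytes */
#define MAX_NAME_LEN 64    /* assumption: sane cap for a handler name */

/* Accept only the revisions the README lists as supported (2 and 3) and key
 * lengths that fit the assumed 16-byte key buffer. Returns 0 if usable. */
int validate_params(int revision, int key_bits)
{
    if (revision != 2 && revision != 3)
        return -1;   /* e.g. "R: 7" or "R: 1" from the crash samples */
    if (key_bits < 40 || key_bits > MAX_KEY_BITS || key_bits % 8 != 0)
        return -1;   /* e.g. "Length: 176" would need 22 key bytes */
    return 0;
}

/* Parse a "Filter(<len>): <name>" line (hypothetical format, see lead-in).
 * Returns a malloc'd, NUL-terminated name, or NULL if the line is malformed. */
char *parse_filter(const char *line)
{
    size_t len = 0;
    int off = 0;
    char *name;
    /* %n is stored only if "):" matched, so "Filter(8tandard" leaves off == 0 */
    if (sscanf(line, "Filter(%zu): %n", &len, &off) != 1 || off == 0)
        return NULL;
    if (len == 0 || len > MAX_NAME_LEN || strlen(line + off) < len)
        return NULL;   /* no zero-length allocation, no read past the line */
    name = malloc(len + 1);
    if (name == NULL)
        return NULL;
    memcpy(name, line + off, len);
    name[len] = '\0';
    return name;
}

int main(void)
{
    /* Constructed inputs modelled on the values in the reports above */
    char *ok = parse_filter("Filter(8): Standard");
    printf("R=7 L=128 -> %d\n", validate_params(7, 128));
    printf("R=1 L=176 -> %d\n", validate_params(1, 176));
    printf("R=3 L=128 -> %d\n", validate_params(3, 128));
    printf("valid name -> %s\n", ok ? ok : "rejected");
    free(ok);
    return 0;
}
```

A loader that calls checks like these and aborts on failure never reaches the code paths that dereference an unset function pointer or an unallocated string.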
