PoC or GTFO, Volume 2
Page 26
From the documentation (footnote 17):
onDisclose — A required method that is called to determine whether the host application is permitted to send messages to the document. This allows the PDF document author to control the conditions under which messaging can occur for security reasons. [...] The method is passed two parameters cURL and cDocumentURL [...]. If the method returns true, the host container is permitted to post messages to the message handler.
For our purposes we need a function reference that, when called, returns true—or a ‘truth-y’ value (this is JavaScript, after all!). To save characters, how about a Date constructor?
In the end, the shortened JavaScript payload is just:
Phew! The whole embedding HTML page can now use object.postMessage to deliver the second stage PDF JavaScript code. We’re looking forward to Adobe Reader supporting ES5 arrow functions as that will shorten the payload even more.
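The documentation quoted above makes onDisclose the document author's only gate on which host pages may post messages into the PDF, so it is worth seeing what a restrictive handler looks like next to the minimal one the text describes. The following is an added example, not code from the article or from @insertScript's PoC; the allowlisted origin and the helper names are assumptions. It is written in ES3-style JavaScript to match Acrobat's engine but runs unchanged under Node.js.

```javascript
// Added example (not from the PoC||GTFO article): a strict onDisclose handler
// of the kind a document author would write, beside the permissive shortcut
// the text describes. ES3-style so it would fit Acrobat's engine; also runs
// under Node.js.

// Hypothetical allowlist of host-page origins permitted to post messages.
var ALLOWED_ORIGINS = ["https://example.test"];

// Extract "scheme://host[:port]" from a URL, lower-cased; null if unparsable.
function originOf(url) {
  if (typeof url !== "string") return null;
  var m = /^([a-z][a-z0-9+.\-]*):\/\/([^\/?#]+)/i.exec(url);
  if (!m) return null;
  return (m[1] + "://" + m[2]).toLowerCase();
}

// Strict handler: permit messaging only when the embedding page's origin
// (cURL) is on the allowlist. Port and scheme must match exactly, so
// "https://example.test:8443" is not accepted. cDocumentURL (the PDF's own
// URL) is received but not used in this check.
function onDiscloseStrict(cURL, cDocumentURL) {
  var o = originOf(cURL);
  if (o === null) return false;
  for (var i = 0; i < ALLOWED_ORIGINS.length; i++) {
    if (ALLOWED_ORIGINS[i] === o) return true;
  }
  return false;
}

// The shortcut from the text: the contract only asks for a callable that
// returns a truthy value. Date() invoked as a plain function ignores its
// arguments and returns a date string, which is truthy, so it admits every
// host page.
var onDisclosePermissive = Date;

// Mirror the host's decision: coerce the handler's result to a boolean.
function isPermitted(handler, cURL, cDocumentURL) {
  return !!handler(cURL, cDocumentURL);
}
```

The strict form compares whole origins rather than testing for a substring, which is the usual mistake in such checks; a host page at a different port or scheme is rejected.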
The XDP

In his PoC (footnote 18), @insertScript proposed the following payload for the XDP with a hardcoded URL (some wrapping XDP structure has been removed here and below for simplicity):