Finally cleaned up and published my hacky "toolchain" for running custom code on vulnerable Verifone POS devices, enjoy:

Hey cool, my PDF.js exploit made it to this list, thanks!

RT @netspooky: Ange just casually playing Tetris in a PDF

RT @angealbertini: We played with JavaScript in PDFs: API difference, text or hex literals or indirect objects. Triggers on document openin…

@Reelix I guess it was the inevitable next step so we had the same idea ;) Their execution is much neater though!

RT @linguinelabs: You know I had to do it Bad Apple but it's a PDF

@linguinelabs Love it!

I couldn't resist.

I got nerdsniped ;) In the end it was not too difficult, Emscripten really is magical. Source here:

@gzaloprgm Hah! Good catch, fixed ;)

The PDF is in plaintext but for a more readable version see here: Some more disclaimers: this only works (AFAIK) in desktop browsers, and even then it is a bit glitchy. The Tetris implementation could also use some work but it shows the concept :)

RT @alexjplaskett:

Credits to @b0n0b0__ and @g_dellimmagine for helping find and PoC these buffer overflows :)

RT @evilsocket: Attacking UNIX Systems via CUPS, Part I

@ben221199 Ah grappig. Als je serieuze dingen in die richting wil doen, dan alvast sterkte ;) Het is een hoop bureaucratie en je werkt met protocollen uit de jaren '80. Wel weer leuk vanuit een security oogpunt!