The serious bug I found in Foxit PDF Reader permits arbitrary files to be written with arbitrary content, like this:
https://cevans-app.appspot.com/static/pdfjs.html?js=createDataObject('c:/autoexec.bat','echo hi mom')
Files can be overwritten as well as created.
I did some hackery on the generated PDF and managed to squeeze a full valid PDF, including simple JS payload, into 136 characters. This means I can tweet the full PoC PDF, which I will do shortly :) Here it is for completeness: