Skip to content

Instantly share code, notes, and snippets.

@metaparanoid
Created March 6, 2014 00:00
Show Gist options
  • Save metaparanoid/9379376 to your computer and use it in GitHub Desktop.
Save metaparanoid/9379376 to your computer and use it in GitHub Desktop.
oDesk Team shared library exploit POC

oDesk Team shared library exploit POC

oDesk Team for contractors has some really nice features:

  • Keystroke logging
  • Watching the user's screen
  • Viewing the user's webcam

This simple hack notifies user before screenshot is taken. Yup. Get paid for watching porn.

    // libx11/src/GetIFocus.c
    int
    XGetInputFocus(
        register Display *dpy,
        Window *focus,
        int *revert_to)
    {
        // alert + delay
        system("mplayer ~/alert.mp3");

        xGetInputFocusReply rep;
        register xReq *req;
        ...
    }
$ LD_PRELOAD=/freshly/compiled/libX11.so odeskteam-qt4

Secure UNIX Programming FAQ

Reverse Engineering with LD_PRELOAD

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment