@metaparanoid
Created March 6, 2014 00:00
oDesk Team shared library exploit POC

oDesk Team for contractors has some really nice features:

  • Keystroke logging
  • Watching the user's screen
  • Viewing the user's webcam

This simple hack notifies the user before a screenshot is taken. Yup. Get paid for watching porn.

    // libx11/src/GetIFocus.c
    int
    XGetInputFocus(
        register Display *dpy,
        Window *focus,
        int *revert_to)
    {
        // alert + delay
        system("mplayer ~/alert.mp3");

        xGetInputFocusReply rep;
        register xReq *req;
        ...
    }

    $ LD_PRELOAD=/freshly/compiled/libX11.so odeskteam-qt4
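
A tripwire a monitoring client or host auditor could use against the preload shown above, as an added example that is not part of the original gist: it scans text in `/proc/<pid>/maps` format and counts `libX11.so` mappings loaded from outside the system library directories. The trusted directory list, the sample maps text (including the `/usr/bin/` location of the client) and the function names are assumptions constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Directories treated as trusted: an assumption, adjust per distribution. */
static const char *const TRUSTED_DIRS[] = {
    "/lib/", "/lib64/", "/usr/lib/", "/usr/lib64/", NULL };

/* Constructed sample in /proc/<pid>/maps format (not captured from a real host). */
static const char SAMPLE_MAPS[] =
    "00400000-0040b000 r-xp 00000000 08:01 1311 /usr/bin/odeskteam-qt4\n"
    "01a3c000-01a5d000 rw-p 00000000 00:00 0 [heap]\n"
    "7f10a0000000-7f10a0135000 r-xp 00000000 08:01 9001 /freshly/compiled/libX11.so\n"
    "7f10a0334000-7f10a0339000 rw-p 00134000 08:01 9001 /freshly/compiled/libX11.so\n"
    "7f10a1000000-7f10a11bb000 r-xp 00000000 08:01 2210 /usr/lib/x86_64-linux-gnu/libc-2.19.so\n";

static int path_is_trusted(const char *path)
{
    if (strstr(path, "/../"))           /* refuse traversal out of a trusted dir */
        return 0;
    for (int i = 0; TRUSTED_DIRS[i]; i++)
        if (strncmp(path, TRUSTED_DIRS[i], strlen(TRUSTED_DIRS[i])) == 0)
            return 1;
    return 0;
}

/* Count mappings whose file name starts with `lib` and whose path is untrusted. */
int count_untrusted_mappings(const char *maps, const char *lib)
{
    int hits = 0;
    while (*maps) {
        size_t len = strcspn(maps, "\n");
        char line[512];
        size_t n = len < sizeof line - 1 ? len : sizeof line - 1;
        memcpy(line, maps, n);
        line[n] = '\0';
        char *path = strchr(line, '/');  /* only the pathname field contains '/' */
        if (path) {
            const char *base = strrchr(path, '/') + 1;
            if (strncmp(base, lib, strlen(lib)) == 0 && !path_is_trusted(path))
                hits++;
        }
        maps += len + (maps[len] == '\n');
    }
    return hits;
}

int main(void)
{
    printf("untrusted libX11 mappings: %d\n",
           count_untrusted_mappings(SAMPLE_MAPS, "libX11.so"));
    return 0;
}
```

On a live host, feed it the contents of `/proc/<pid>/maps` for the client process. A check that runs inside the preloaded process can itself be hooked, so a clean result is weak evidence and the check is better run from a separate auditing process.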

Secure UNIX Programming FAQ

Reverse Engineering with LD_PRELOAD