go run launchdaemon_hijacking.go
Created
May 9, 2021 14:07
-
-
Save bradleyjkemp/b099abb85648bd8497af404f70487b88 to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
package main | |
import ( | |
"fmt" | |
"os" | |
"path/filepath" | |
"golang.org/x/sys/unix" | |
"howett.net/plist" | |
) | |
var searchPaths = []string{ | |
"/Library/LaunchAgents", | |
"/Library/LaunchDaemons", | |
} | |
type launchAgentDaemon struct { | |
Program string `plist:"Program"` | |
ProgramArguments []string `plist:"ProgramArguments"` | |
} | |
func main() { | |
for _, path := range searchPaths { | |
filepath.Walk(path, func(path string, info os.FileInfo, err error) error { | |
switch { | |
case err != nil: | |
return err | |
case info.IsDir(): | |
return nil | |
} | |
file, err := os.Open(path) | |
if err != nil { | |
return err | |
} | |
launch := launchAgentDaemon{} | |
if err := plist.NewDecoder(file).Decode(&launch); err != nil { | |
return err | |
} | |
binaryPath := launch.Program | |
if binaryPath == "" { | |
binaryPath = launch.ProgramArguments[0] | |
} | |
if unix.Access(binaryPath, unix.W_OK) == nil { | |
fmt.Printf("%s launches a vulnerable binary as root! The target binary (%s) is writeable by current user\n", path, binaryPath) | |
} | |
if unix.Access(filepath.Dir(binaryPath), unix.W_OK) == nil { | |
fmt.Printf("%s launches a vulnerable binary as root! The target binary is in a writeable directory (%s)\n", path, filepath.Dir(binaryPath)) | |
} | |
return nil | |
}) | |
} | |
} |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment