Skip to content

Instantly share code, notes, and snippets.

@bradleyjkemp
Created May 9, 2021 14:07
Show Gist options
  • Save bradleyjkemp/b099abb85648bd8497af404f70487b88 to your computer and use it in GitHub Desktop.
Save bradleyjkemp/b099abb85648bd8497af404f70487b88 to your computer and use it in GitHub Desktop.
package main
import (
"fmt"
"os"
"path/filepath"
"golang.org/x/sys/unix"
"howett.net/plist"
)
var searchPaths = []string{
"/Library/LaunchAgents",
"/Library/LaunchDaemons",
}
type launchAgentDaemon struct {
Program string `plist:"Program"`
ProgramArguments []string `plist:"ProgramArguments"`
}
func main() {
for _, path := range searchPaths {
filepath.Walk(path, func(path string, info os.FileInfo, err error) error {
switch {
case err != nil:
return err
case info.IsDir():
return nil
}
file, err := os.Open(path)
if err != nil {
return err
}
launch := launchAgentDaemon{}
if err := plist.NewDecoder(file).Decode(&launch); err != nil {
return err
}
binaryPath := launch.Program
if binaryPath == "" {
binaryPath = launch.ProgramArguments[0]
}
if unix.Access(binaryPath, unix.W_OK) == nil {
fmt.Printf("%s launches a vulnerable binary as root! The target binary (%s) is writeable by current user\n", path, binaryPath)
}
if unix.Access(filepath.Dir(binaryPath), unix.W_OK) == nil {
fmt.Printf("%s launches a vulnerable binary as root! The target binary is in a writeable directory (%s)\n", path, filepath.Dir(binaryPath))
}
return nil
})
}
}

Usage

go run launchdaemon_hijacking.go
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment