Re: Mac OS X shellcode and SIGTRAP
From: Dino Dai Zovi (ddz_at_theta44.org)
Date: Sat, 24 May 2003 18:05:18 -0600
To: firstname.lastname@example.org
The SIGTRAP you get is to notify the debugger that a new process was
started, so you can usually safely continue through it.
You are having a problem because you inserted your stuff before the
'bnel' instruction. The xor./bnel combo is what actually moves the pc
into the lr register. Without that, the value in r31 that you use is
bogus. So when you run it from the command line, you are getting a
segfault because you are trying to write to an illegal address.
Somehow, when you run it in GDB, the value that just happens to be in r31
at the time does not cause an illegal access in the 'stbx' instruction.
If you move the 'bnel' back up to after the 'xor.', you will have a
valid value you can use in there.
Also, don't bother fixing up the 'sc' instruction. The unused bits in
it are ignored, so there is no need to set them back to nulls. It also
does no good right now because the data cache and instruction cache on
the PowerPC are separate. So the processor is executing the unmodified
'sc' instruction from the cache, not the one that you modified (which
will be stored in the data cache and written through to main memory).
You will need to put in an 'icbi' instruction to invalidate the
instruction cache block that contains the 'sc' instruction for the
processor to execute the modified instruction. But, that is a pain,
and unnecessary, so just don't bother.
Best of luck and have fun with my shellcode,
-- 
Dino Dai Zovi / email@example.com / www.theta44.org
"Bein' Crazy is the least of my worries." - Jack Kerouac
C439 2B06 D8D2 A2D8 1ABB 0A55 A61D 9057 63F5 9B1F
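As an added illustration of the two points made in the reply above (this is not Dino's shellcode and not code from the thread), the fragment below shows the ordering that makes the xor./bnel trick work and the cache-maintenance sequence that would be needed if a patched instruction had to actually execute. Apple/Darwin PowerPC `as` syntax is assumed; the register choices (r5, r6, r31) and the patch offset of 32 are illustrative, not taken from the original shellcode.

```asm
; Added example, not part of the original message or of Dino Dai Zovi's shellcode.
; Darwin PowerPC as syntax assumed; registers and the offset 32 are illustrative.

        xor.    r5, r5, r5          ; r5 = 0 and cr0[EQ] = 1, so the bnel below is NOT taken
        bnel    here                ; ...but a conditional branch with LK=1 still loads LR with
                                    ; the address of the following instruction, taken or not
here:   mflr    r31                 ; r31 = address of 'here': a real, executable address
                                    ; anything that uses r31 as a base must come AFTER this line

        ; Patch a byte inside the shellcode body relative to 'here', e.g. to restore a
        ; byte that was substituted to keep the encoded shellcode free of NULs.
        li      r6, 32              ; illustrative offset of the byte to patch
        stbx    r5, r31, r6         ; the store lands in the data cache / memory, not the I-cache

        ; Only needed if the patched word has to be EXECUTED afterwards (the reply above
        ; says to skip this for the 'sc' instruction):
        dcbst   r31, r6             ; push the dirty data-cache line to memory
        sync                        ; wait for the store to complete
        icbi    r31, r6             ; invalidate the stale instruction-cache line at r31+r6
        isync                       ; discard any already-fetched instructions
```

With the `bnel` placed before `mflr`, r31 is valid no matter where the shellcode was loaded; with it placed after, r31 holds whatever was in LR when the shellcode started, which is why the same code can appear to work under GDB and crash outside it. The `dcbst`/`sync`/`icbi`/`isync` sequence is the standard PowerPC recipe for making self-modified code visible to instruction fetch; without it the processor keeps executing the copy it already has in the instruction cache.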