Vulnerability Development mailing list archives

Re: Mac OS X shellcode and SIGTRAP


From: Dino Dai Zovi <ddz () theta44 org>
Date: Sat, 24 May 2003 18:05:18 -0600

David,

The SIGTRAP you get is to notify the debugger that a new process was started, so you can usually safely continue through it.

You are having a problem because you inserted your stuff before the 'bnel' instruction. The xor./bnel combo is what actually moves the pc into the lr register. Without that, the value in r31 that you use is bogus. So when you run it from the command line, you are getting a segfault because you are trying to write to an illegal address. Somehow, when you run it in GDB, the value that just happens to be in r31 at the time does not cause an illegal access in the 'stbx' instruction. If you move the 'bnel' back up to after the 'xor.', you will have a valid value you can use in there.

Also, don't bother fixing up the 'sc' instruction. The unused bits in it are ignored, so there is no need to set them back to nulls. It also does no good right now because the data cache and instruction cache on the PowerPC are separate. So the processor is executing the unmodified 'sc' instruction from the cache, not the one that you modified (which will be stored in the data cache and written through to main memory). You will need to put in an 'icbi' instruction to invalidate the instruction cache block that contains the 'sc' instruction for the processor to execute the modified instruction. But, that is a pain, and unnecessary, so just don't bother.

Best of luck and have fun with my shellcode,

-Dino

--
         Dino Dai Zovi / ddz () theta44 org / www.theta44.org
      "Bein' Crazy is the least of my worries." - Jack Kerouac
         C439 2B06 D8D2 A2D8 1ABB  0A55 A61D 9057 63F5 9B1F
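The two points in the reply (the xor./bnel/mflr idiom that lands the PC in a register, and the fact that the reserved bits of 'sc' are ignored so there is no need to restore them) can be checked on the raw instruction words. The following is an added example written for this archive page; it is not Dino's shellcode and not the poster's byte stream. The four-word fragment is constructed from the standard 32-bit PowerPC encodings of the instructions named in the reply (the choice of r31 as the scratch register and the 0x44ffff02 filler for 'sc' are assumptions of this example), and it doubles as the null-byte audit a shellcode author would run before deciding whether a fixup is needed at all.

```c
/* Added example (not Dino's shellcode): a NUL-byte audit and a decoder for
 * the PowerPC "get PC" idiom discussed above. Encodings are the standard
 * 32-bit PowerPC ones; the fragment itself is constructed for this page. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed fragment: the xor./bnel/mflr idiom followed by a syscall.
 * Assumption: this stands in for the poster's byte stream; it is not it. */
static const uint32_t fragment[] = {
    0x7FFFFA79u, /* xor.  r31,r31,r31  zero r31 and set CR0[EQ]             */
    0x4082FFFDu, /* bnel  -4           not taken (EQ set), but LK=1 sets LR */
    0x7FE802A6u, /* mflr  r31          r31 = address of this mflr           */
    0x44FFFF02u, /* sc                 reserved bits filled to avoid NULs   */
};
#define FRAGMENT_WORDS (sizeof fragment / sizeof fragment[0])

/* Same fragment with the canonical sc encoding, which carries two NUL bytes. */
static const uint32_t fragment_plain_sc[] = {
    0x7FFFFA79u, 0x4082FFFDu, 0x7FE802A6u, 0x44000002u,
};

/* Mac OS X on PowerPC is big-endian: the byte stream is MSB first. */
static uint8_t byte_of(uint32_t w, int i) { return (uint8_t)(w >> (8 * (3 - i))); }

/* Number of NUL bytes in the serialized instruction stream. */
size_t count_nul_bytes(const uint32_t *words, size_t n) {
    size_t nuls = 0;
    for (size_t i = 0; i < n; i++)
        for (int b = 0; b < 4; b++)
            if (byte_of(words[i], b) == 0) nuls++;
    return nuls;
}

/* Index of the first word containing a NUL byte, or -1 if there is none. */
int first_nul_word(const uint32_t *words, size_t n) {
    for (size_t i = 0; i < n; i++)
        for (int b = 0; b < 4; b++)
            if (byte_of(words[i], b) == 0) return (int)i;
    return -1;
}

/* sc is primary opcode 17 with bit 30 set; the remaining bits are reserved
 * and ignored, which is why filling them is harmless and undoing it pointless. */
int is_sc(uint32_t w) { return (w & 0xFC000002u) == 0x44000002u; }

/* mflr rD is mfspr rD,8 (primary opcode 31, XO 339); rD may be any register. */
int is_mflr(uint32_t w) { return (w & 0xFC1FFFFFu) == 0x7C0802A6u; }

/* B-form conditional branch (primary opcode 16): displacement and link bit. */
int is_bform_branch(uint32_t w) { return (w >> 26) == 16u; }
int branch_sets_lr(uint32_t w) { return (w & 1u) != 0; }
int32_t branch_displacement(uint32_t w) {
    int32_t bd = (int32_t)((w >> 2) & 0x3FFFu);  /* 14-bit BD field */
    if (bd & 0x2000) bd -= 0x4000;               /* sign-extend */
    return bd * 4;                                /* BD counts words */
}

/* Index of the instruction whose address the idiom leaves in LR: the word
 * after the first link-setting B-form branch, provided that word is an mflr.
 * Returns -1 when the idiom is absent or broken. */
int get_pc_target(const uint32_t *words, size_t n) {
    for (size_t i = 0; i + 1 < n; i++)
        if (is_bform_branch(words[i]) && branch_sets_lr(words[i]))
            return is_mflr(words[i + 1]) ? (int)(i + 1) : -1;
    return -1;
}

int main(void) {
    printf("NUL bytes in fragment: %zu (first word: %d)\n",
           count_nul_bytes(fragment, FRAGMENT_WORDS),
           first_nul_word(fragment, FRAGMENT_WORDS));
    printf("NUL bytes with plain sc: %zu (first word: %d)\n",
           count_nul_bytes(fragment_plain_sc, 4),
           first_nul_word(fragment_plain_sc, 4));
    printf("bnel displacement %d, sets LR: %d\n",
           branch_displacement(fragment[1]), branch_sets_lr(fragment[1]));
    printf("LR holds the address of word %d\n",
           get_pc_target(fragment, FRAGMENT_WORDS));
    return 0;
}
```

The backwards 'bnel -4' (0x4082ffff plus the link bit) is used here rather than a forward branch to the next word because a +4 displacement would encode as 0x40820005 and reintroduce a NUL; the branch is never taken since the preceding xor. leaves CR0[EQ] set, and LR is written either way. The audit reports no NULs for the filled 'sc' and two for the canonical 0x44000002, which is the only reason the filler exists; since is_sc() accepts both words, nothing needs to be written back into the instruction stream, and the separate instruction cache the reply mentions never becomes an issue.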

