Uninformed: Informative Information for the Uninformed

Vol 1» 2005.May


Shared Libraries

The Mac OS X user community tends to have one thing in common: they keep their systems up to date. The Apple Software Update service, once enabled, is very insistent about installing new software releases as they become available. The result is that nearly every single Mac OS X system has the exact same binaries. System libraries are often loaded at the exact same virtual address across all applications. In this sense, Mac OS X is starting to resemble the Windows platform.

If all processes on all Mac OS X systems have the same virtual addresses for the same libraries, Windows-style shellcode starts to become possible. Assuming you can find the right argument-setting code in a shared library, return-to-library payloads also become much more feasible. These libraries can be used as return addresses, similar to how Windows exploits often return back to a loaded DLL. Some useful addresses are listed below:

  • 0x90000000: The base address of the system library (libSystem.B.dylib); most of the function locations are static across all versions of OS X.
  • 0xffff8000: The base address of the "common" page. A number of useful functions and instructions can be found here. These functions include __memcpy, __sys_dcache_flush, __sys_icache_invalidate, and __bcopy.

The following NULL-free example uses the __sys_icache_invalidate function to flush 1040 bytes from the instruction cache, starting at the address of the payload:

;;
;; Flush the instruction cache in 32 bytes (eight 4-byte instructions)
;;
main:
_main:
;; r5 = 0; the record form (xor.) also sets CR0[EQ], so the bnel below is not taken
xor.    r5, r5, r5
;; not taken, but a bcl form still loads LR with the address of the next instruction
bnel    main
;; r3 = address of this instruction: the start of the range to flush
mflr    r3

;; flush 1040 bytes starting after the branch
li      r4, 1024+16

;; 0xffff8520 is __sys_icache_invalidate(); built from two immediates on top of r5 (zero)
addis   r8, r5, hi16(0xffff8520)
ori     r8, r8, lo16(0xffff8520)
mtctr   r8
bctrl
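Seen from the detection side, the listing above has two properties worth checking mechanically: it contains no 0x00 byte, and it calls a hard-coded absolute address assembled from immediates. The following added Python example (not part of the original article) decodes the eight big-endian words the listing assembles to, confirms the NULL-free property, and reports the call target that the addis/ori/mtctr sequence materialises; the hex words are hand-encoded for this example, and the tracker assumes the addis base register is zero, as r5 is here.

```python
import struct

# Constructed sample: the eight big-endian PowerPC words the listing above
# assembles to, hand-encoded for this example (not the article's own output).
SAMPLE = bytes.fromhex(
    "7ca52a79"   # xor.  r5,r5,r5
    "4082fffd"   # bnel  main   (not taken, LR still set)
    "7c6802a6"   # mflr  r3
    "38800410"   # li    r4,1040
    "3d05ffff"   # addis r8,r5,0xffff
    "61088520"   # ori   r8,r8,0x8520
    "7d0903a6"   # mtctr r8
    "4e800421"   # bctrl
)

COMMPAGE_BASE = 0xFFFF8000   # start of the "common" page listed above
SPR_CTR = 0x120              # mtspr field encoding of CTR (spr 9)
XO_MTSPR = 467               # extended opcode of mtspr under primary opcode 31


def has_null_byte(blob):
    """True if the code contains a 0x00 byte (the page's NULL-free property fails)."""
    return b"\x00" in blob


def is_commpage(addr):
    """True if a 32-bit address falls inside the commpage range."""
    return COMMPAGE_BASE <= addr <= 0xFFFFFFFF


def find_absolute_calls(blob):
    """Scan big-endian PPC words for addis/ori pairs that build a 32-bit constant
    and a later mtctr of that register.  Returns [(mtctr_offset, target), ...].
    Deliberately simple: only immediates are tracked, the addis base register is
    assumed to be zero, and other writes to the register are not modelled."""
    consts = {}                     # register -> value built from immediates
    hits = []
    for i, (w,) in enumerate(struct.iter_unpack(">I", blob)):
        op = w >> 26
        rd, ra, imm = (w >> 21) & 0x1F, (w >> 16) & 0x1F, w & 0xFFFF
        if op == 15:                                     # addis rD, rA, SIMM
            consts[rd] = imm << 16
        elif op == 24 and rd == ra and ra in consts:     # ori rA, rS, UIMM (rS in rD slot)
            consts[ra] |= imm
        elif op == 31 and (w >> 1) & 0x3FF == XO_MTSPR and (w >> 11) & 0x3FF == SPR_CTR:
            if rd in consts:                             # mtctr rS (rS in rD slot)
                hits.append((i * 4, consts[rd]))
    return hits
```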