Informative Information for the Uninformed
The Mac OS X user community tends to have one thing in common: they keep their systems up to date. The Apple Software Update service, once enabled, is very insistent about installing new software releases as they become available. The result is that nearly every Mac OS X system runs exactly the same binaries, and system libraries are usually mapped at exactly the same virtual address in every process. In this sense, Mac OS X is starting to resemble the Windows platform.
If all processes on all Mac OS X systems map the same libraries at the same virtual addresses, Windows-style shellcode becomes possible. Assuming you can find the right argument-setting code in a shared library, return-to-library payloads also become much more feasible, since library addresses can be used directly as return addresses, much as Windows exploits often return into a loaded DLL. Some useful addresses are listed below:
The following NULL-free example calls the __sys_icache_invalidate commpage function to flush 1040 bytes of the instruction cache, starting at the address of the payload itself:
;;
;; Flush the instruction cache in 32 bytes
;;
main:
_main:
    xor.    r5, r5, r5                  ;; r5 = 0; also sets CR0[EQ], so the bnel below is not taken
    bnel    main                        ;; not taken, but the link bit still loads LR with the next address
    mflr    r3                          ;; r3 = address of this instruction (start address for the flush)
    ;; flush 1040 bytes starting after the branch
    li      r4, 1024+16
    ;; 0xffff8520 is __sys_icache_invalidate()
    addis   r8, r5, hi16(0xffff8520)    ;; r8 = 0xffff0000 (r5 is zero, so no NULL bytes in the encoding)
    ori     r8, r8, lo16(0xffff8520)    ;; r8 = 0xffff8520
    mtctr   r8
    bctrl                               ;; __sys_icache_invalidate(r3, r4)
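As an added defensive example (not code from the article), the scanner below flags the pattern the listing relies on: a register built up from immediates to the fixed commpage address 0xffff8520 and then used as the target of mtctr/bctrl. It assumes big-endian PPC32 code, knows only the one commpage entry the page names, and uses the page's own eight instructions, hand-assembled, as its constructed sample.

```python
import struct

# Commpage entry point named on the page (the commpage lives at a fixed high
# address, so code reaching it must load the constant from immediates).
COMMPAGE_ENTRIES = {0xFFFF8520: "__sys_icache_invalidate"}
BCTRL = 0x4E800421

def _sext16(imm):
    return imm - 0x10000 if imm & 0x8000 else imm

def scan_ppc_commpage_calls(blob):
    """Walk big-endian PPC32 words and report indirect calls (mtctr + bctrl)
    whose target register was built from immediates to a known commpage
    address. Returns [(byte_offset_of_bctrl, address, symbol), ...]."""
    regs = {}        # register -> value known from immediates (None = unknown)
    pending = None   # (mtctr offset, address) waiting for a bctrl
    hits = []
    for off in range(0, len(blob) - len(blob) % 4, 4):
        w = struct.unpack(">I", blob[off:off + 4])[0]
        op, rd, ra, rb = w >> 26, (w >> 21) & 0x1F, (w >> 16) & 0x1F, (w >> 11) & 0x1F
        imm, xo = w & 0xFFFF, (w >> 1) & 0x3FF
        if op in (14, 15):                                 # addi/li, addis/lis
            base = 0 if ra == 0 else regs.get(ra)
            add = _sext16(imm) if op == 14 else imm << 16
            regs[rd] = None if base is None else (base + add) & 0xFFFFFFFF
        elif op == 24:                                     # ori rA, rS, UIMM
            regs[ra] = None if regs.get(rd) is None else regs[rd] | imm
        elif op == 31 and xo == 316 and rd == ra == rb:    # xor rX, rX, rX zeroes rX
            regs[ra] = 0
        elif op == 31 and xo == 467:                       # mtspr
            spr = ((w >> 16) & 0x1F) | (((w >> 11) & 0x1F) << 5)
            if spr == 9:                                   # CTR
                target = regs.get(rd)
                pending = (off, target) if target in COMMPAGE_ENTRIES else None
        elif w == BCTRL and pending is not None:
            hits.append((off, pending[1], COMMPAGE_ENTRIES[pending[1]]))
            pending = None
    return hits

# Constructed sample: the page's listing assembled by hand (big-endian).
SAMPLE = bytes.fromhex(
    "7CA52A79" "4082FFFD" "7C6802A6" "38800410"    # xor. / bnel / mflr / li
    "3D05FFFF" "61088520" "7D0903A6" "4E800421"    # addis / ori / mtctr / bctrl
)

if __name__ == "__main__":
    for off, addr, sym in scan_ppc_commpage_calls(SAMPLE):
        print(f"offset {off}: bctrl to {addr:#010x} ({sym})")
```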