Informative Information for the Uninformed
With the introduction of Mac OS X, Apple has been viewed with mixed feelings by the security community. On one hand, the BSD core offers the familiar Unix security model that security veterans already understand. On the other, the number of proprietary extensions, the amount of network-enabled software, and the growing mass of advisories give some cause for concern. Exploiting buffer overflows, format strings, and other memory-corruption vulnerabilities on Mac OS X is a bit different from what most exploit developers are familiar with. The incoherent instruction cache, combined with the RISC fixed-length instruction set, raises the bar for exploit and payload developers.
On September 12, 2003, B-r00t published a paper titled "Smashing the Mac for Fun and Profit". B-r00t's paper covered the basics of Mac OS X shellcode development and built on the PowerPC work by LSD, Palante, and Ghandi. This paper is an attempt to extend, rather than replace, the material already available on writing shellcode for the Mac OS X operating system. The first section covers the fundamentals of the PowerPC architecture and what you need to know to start writing shellcode. The second section focuses on avoiding NULL bytes and other restricted characters through careful use of the PowerPC instruction set. The third section investigates some of the unique behavior of the Mac OS X platform and introduces some useful techniques.