ROP Chains on Mac OS X x64
Who am I?
Rahul Sasi, Security Researcher @ iSIGHT Partners. Member, Garage4Hackers.
Garage 4 Hackers: information security professionals from Fortune 500 companies, security research and consulting firms from all across the world.
• Security Firms • Consulting Firms • Research Firms • Law Enforcement
http://www.Garage4Hackers.com
x64 Intro
x64 Instructions
x64 Debugging Tools
x64 Reversing Tools
x64 Programming
x64 Shellcode
Mac / BSD System Architecture
What's new in Mac OS X 10.6
Mac Protection Mechanisms
Snow Leopard
DEP
ROP with dyld
Examples:
x64 supported processors: AMD x86-64 (AMD64).
Extension to 32-bit x86: x64 "long mode"
Can address up to 64 bits (16 EB) of virtual memory* (implementations of the time use 48-bit virtual addresses, i.e. 256 TB)
Can address up to 52 bits (4 PB) of physical memory
64-bit general purpose registers: RAX, RBX, ...
8 new GP registers (R8-R15)
8 new 128-bit XMM registers (XMM8-XMM15)
New 64-bit instructions: cdqe, lodsq, stosq, etc.
Ability to reference data relative to the instruction pointer (RIP-relative addressing)
Long mode
64-bit flat (linear) addressing
Segment base is always 0 except for FS and GS
Stack (SS), Code (CS) and Data (DS) are always in the same segment
Default address size is 64 bits
Default operand size is 32 bits
64-bit operands (RAX, RBX, ...) are specified with a "REX prefix" in the opcode encoding
64-bit instruction pointer (RIP)
64-bit stack pointer (RSP)
x64 registers
32-bit registers extended to 64 bits: eax → rax, ebx → rbx, esp → rsp, ...
8 additional 64-bit registers: r8, r9, r10, ... r15
8 additional 128-bit XMM (SSE) registers: xmm8, xmm9, ... xmm15, used for vector and floating point arithmetic
System V x64 ABI
Used by Linux, BSD, Mac and others. Totally different from the Microsoft x64 ABI, and also totally different from GCC's 32-bit x86 Linux ABI (which passes arguments on the stack).
The calling convention uses many registers: 6 registers for integer arguments, 8 registers for float/double arguments.
Some registers are considered volatile (caller-saved) and can change across function calls; others must be preserved by the callee.
Example: 6 registers for integer parameters: RDI, RSI, RDX, RCX, R8, R9. 8 registers for float/double/vector parameters: XMM0-XMM7.
Example:
int func1(int a, float b, int c)
rax = func1(rdi, xmm0, rsi)
Integer and floating point parameters are assigned from separate register sequences, so c lands in the second integer register (rsi) even though it is the third parameter, and the integer result comes back in rax.
For system calls the syscall number has to be passed in register rax. The arguments follow the same register order as function calls, with one exception: the syscall instruction clobbers rcx (it stores the return address there) and r11, so the kernel takes the 4th argument in r10 instead of rcx.
rdi - used to pass the 1st argument to functions
rsi - used to pass the 2nd argument to functions
rdx - used to pass the 3rd argument to functions
rcx - used to pass the 4th argument to functions (r10 for syscalls)
r8 - used to pass the 5th argument to functions
r9 - used to pass the 6th argument to functions
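The register assignment above can be checked directly by writing the callee by hand. The following is an added example, not code from the slides: four tiny functions written in top-level assembly whose names (sysv_fourth_arg, sysv_sixth_arg, sysv_int_after_float, sysv_second_double) are my own. Each one simply moves the register where the System V ABI is supposed to have placed a given parameter into the return register, so a wrong assumption about the convention shows up as a wrong return value. It needs GCC or clang on x86-64 (Linux, BSD or macOS; the macOS symbol underscore is handled); on other architectures the #else branch is a plain-C stand-in that compiles but demonstrates nothing about registers.

```c
/* Added example, not from the slides: probe the System V x64 argument
 * registers with hand-written assembly. Function names are my own. */
#include <stdio.h>

#if defined(__x86_64__)
/* Mach-O (macOS) C symbols carry a leading underscore; ELF symbols do not. */
#if defined(__APPLE__)
#define SYM(name) "_" #name
#else
#define SYM(name) #name
#endif

__asm__(
    ".text\n"
    ".globl " SYM(sysv_fourth_arg) "\n"
    SYM(sysv_fourth_arg) ":\n"
    "    movq %rcx, %rax\n"     /* 4th integer argument arrives in rcx        */
    "    ret\n"
    ".globl " SYM(sysv_sixth_arg) "\n"
    SYM(sysv_sixth_arg) ":\n"
    "    movq %r9, %rax\n"      /* 6th integer argument arrives in r9         */
    "    ret\n"
    ".globl " SYM(sysv_int_after_float) "\n"
    SYM(sysv_int_after_float) ":\n"
    "    movslq %esi, %rax\n"   /* func1(int a, float b, int c): c is in esi,  */
    "    ret\n"                 /* not edx, because b went to xmm0            */
    ".globl " SYM(sysv_second_double) "\n"
    SYM(sysv_second_double) ":\n"
    "    movsd %xmm1, %xmm0\n"  /* 2nd double is xmm1; the result goes in xmm0 */
    "    ret\n"
);

long   sysv_fourth_arg(long a, long b, long c, long d, long e, long f);
long   sysv_sixth_arg(long a, long b, long c, long d, long e, long f);
long   sysv_int_after_float(int a, float b, int c);
double sysv_second_double(double a, double b);

#else
/* Not x86-64: plain C stand-ins so the file still builds. They return the
 * same values but say nothing about which register carried them. */
long sysv_fourth_arg(long a, long b, long c, long d, long e, long f)
{ (void)a; (void)b; (void)c; (void)e; (void)f; return d; }
long sysv_sixth_arg(long a, long b, long c, long d, long e, long f)
{ (void)a; (void)b; (void)c; (void)d; (void)e; return f; }
long sysv_int_after_float(int a, float b, int c)
{ (void)a; (void)b; return c; }
double sysv_second_double(double a, double b)
{ (void)a; return b; }
#endif

int main(void)
{
    printf("4th int arg (rcx):           %ld\n", sysv_fourth_arg(1, 2, 3, 4, 5, 6));
    printf("6th int arg (r9):            %ld\n", sysv_sixth_arg(1, 2, 3, 4, 5, 6));
    printf("int c after float b (esi):   %ld\n", sysv_int_after_float(7, 1.5f, 9));
    printf("2nd double (xmm1):           %g\n", sysv_second_double(1.0, 2.5));
    return 0;
}
```

Swapping %rcx for %rdx in sysv_fourth_arg, or %esi for %edx in sysv_int_after_float, is the quickest way to see the convention bite: the functions then return the neighbouring argument instead of the one requested, which is exactly the kind of off-by-one-register mistake that makes a hand-built x64 shellcode or ROP chain call the right function with the wrong arguments.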
x86 (32-bit): how it was done.
x64: how it is done.
How it rolls in x64
Hints to start with
Look here for the Mac system call numbers:
/usr/include/sys/syscall.h
Mac OS X (like BSD) splits the system call numbers into several different "classes".
The upper-order bits of the syscall number represent the class of the system call; the class sits in the top byte of the 32-bit number (class << 24). In the case of write and exit the class is SYSCALL_CLASS_UNIX, so the upper-order bits are 2.
Thus every Unix system call number is (0x2000000 + unix syscall #): write (4 in syscall.h) becomes 0x2000004 and exit (1) becomes 0x2000001. Loading the bare BSD number into rax, as 32-bit shellcode does with the int 0x80 convention, selects the wrong class and the call fails.
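The following is an added example, not code from the slides: it lays out a ROP chain that performs write(1, msg, len) followed by exit(0) through the Mac OS X x64 syscall convention (syscall number in rax, arguments in rdi, rsi, rdx), then runs the chain through a small simulator so the register state at each syscall can be inspected without a target process. The gadget addresses (0x7fff5fc010xx) and the message address are invented; on a real target the gadgets would come from dyld or another unrandomized image, and the message would already have to sit at a known address. The chain layout and the syscall-number composition are the real thing.

```c
/* Added example, not from the slides: build and simulate a write+exit ROP
 * chain for Mac OS X x64. Gadget and message addresses are hypothetical. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* XNU syscall numbering: class in the top byte, BSD number in the low bits. */
#define SYSCALL_CLASS_UNIX  2
#define SYSCALL_CLASS_SHIFT 24
#define BSD_SYSCALL(n) (((uint64_t)SYSCALL_CLASS_UNIX << SYSCALL_CLASS_SHIFT) | (uint64_t)(n))
#define SYS_exit  1   /* numbers from /usr/include/sys/syscall.h */
#define SYS_write 4

enum gadget { G_POP_RAX, G_POP_RDI, G_POP_RSI, G_POP_RDX, G_SYSCALL, G_COUNT };

/* Hypothetical gadget addresses; every gadget ends in "ret". */
static const uint64_t gadget_addr[G_COUNT] = {
    [G_POP_RAX] = 0x7fff5fc01000ULL,  /* pop rax ; ret */
    [G_POP_RDI] = 0x7fff5fc01010ULL,  /* pop rdi ; ret */
    [G_POP_RSI] = 0x7fff5fc01020ULL,  /* pop rsi ; ret */
    [G_POP_RDX] = 0x7fff5fc01030ULL,  /* pop rdx ; ret */
    [G_SYSCALL] = 0x7fff5fc01040ULL,  /* syscall ; ret */
};

struct regs  { uint64_t rax, rdi, rsi, rdx; };
struct trace { struct regs call[4]; int ncalls; };

/* Lay out the chain: a pop gadget is always followed by the qword it loads,
 * so rsp walks forward one slot per ret and one slot per pop. */
size_t build_write_exit_chain(uint64_t *chain, uint64_t msg_addr, uint64_t msg_len)
{
    size_t n = 0;
    chain[n++] = gadget_addr[G_POP_RDI]; chain[n++] = 1;                      /* fd = stdout  */
    chain[n++] = gadget_addr[G_POP_RSI]; chain[n++] = msg_addr;               /* buf          */
    chain[n++] = gadget_addr[G_POP_RDX]; chain[n++] = msg_len;                /* nbyte        */
    chain[n++] = gadget_addr[G_POP_RAX]; chain[n++] = BSD_SYSCALL(SYS_write); /* 0x2000004    */
    chain[n++] = gadget_addr[G_SYSCALL];
    chain[n++] = gadget_addr[G_POP_RDI]; chain[n++] = 0;                      /* exit status  */
    chain[n++] = gadget_addr[G_POP_RAX]; chain[n++] = BSD_SYSCALL(SYS_exit);  /* 0x2000001    */
    chain[n++] = gadget_addr[G_SYSCALL];
    return n;
}

static int gadget_at(uint64_t addr)
{
    for (int g = 0; g < G_COUNT; g++)
        if (gadget_addr[g] == addr) return g;
    return -1;
}

/* Execute the chain as the CPU would once a ret lands on chain[0]: each ret
 * consumes one qword as the next rip, each pop consumes one qword into a
 * register. Returns 0 when the exit syscall is reached, -1 on a crash. */
int run_chain(const uint64_t *chain, size_t n, struct trace *t)
{
    struct regs r = {0, 0, 0, 0};
    size_t rsp = 0;
    memset(t, 0, sizeof *t);
    while (rsp < n) {
        int g = gadget_at(chain[rsp++]);            /* ret -> next gadget            */
        if (g == -1) return -1;                     /* rip left the gadget set       */
        if (g != G_SYSCALL && rsp >= n) return -1;  /* pop would read past the chain */
        switch (g) {
        case G_POP_RAX: r.rax = chain[rsp++]; break;
        case G_POP_RDI: r.rdi = chain[rsp++]; break;
        case G_POP_RSI: r.rsi = chain[rsp++]; break;
        case G_POP_RDX: r.rdx = chain[rsp++]; break;
        case G_SYSCALL:
            if (t->ncalls < 4) t->call[t->ncalls] = r;
            t->ncalls++;
            if (r.rax == BSD_SYSCALL(SYS_exit)) return 0;  /* process is gone */
            r.rax = 0;  /* model success; a real syscall also clobbers rcx and r11 */
            break;
        }
    }
    return -1;  /* fell off the end: the real rsp now points at whatever follows */
}

int main(void)
{
    uint64_t chain[32];
    struct trace t;
    size_t n = build_write_exit_chain(chain, 0x7fff5fbff800ULL, 12);  /* made-up msg address */
    printf("chain (%zu qwords):\n", n);
    for (size_t i = 0; i < n; i++)
        printf("  [%2zu] 0x%016llx\n", i, (unsigned long long)chain[i]);
    if (run_chain(chain, n, &t) == 0)
        for (int i = 0; i < t.ncalls; i++)
            printf("syscall rax=0x%llx rdi=%llu rsi=0x%llx rdx=%llu\n",
                   (unsigned long long)t.call[i].rax, (unsigned long long)t.call[i].rdi,
                   (unsigned long long)t.call[i].rsi, (unsigned long long)t.call[i].rdx);
    return 0;
}
```

Two details carry over to a real chain: the syscall number must be loaded last-but-one (any pop rax after it would overwrite 0x2000004), and a "syscall ; ret" gadget is only usable as a mid-chain step because the instruction clobbers rcx and r11, so nothing that relies on those registers may follow it without reloading them.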
Debugging | Reversing Tools
Quick Shellcode
Demo
Original Sources
http://thexploit.com/tag/assembly/
http://thexploit.com/secdev/51-byte-x86_64-os-x-null-free-shellcode/
http://lolcathost.org/b/introx86.pdf
http://gdtr.wordpress.com/2011/07/23/universal-rop-shellcode-for-os-x-x64/
http://reverse.put.as/wp-content/uploads/2011/06/breaking_mac_osx.ppt