Mac osx 64_rop_chains
Download as PPTX, PDF
2 likes1,332 views
This document provides an overview of 64-bit (x64) architecture and programming on Mac OS X. It discusses x64 registers, instructions, debugging and reversing tools, system calls, and examples of return-oriented programming (ROP) shells on Mac OS X. Code examples demonstrate x64 calling conventions and passing arguments in registers. The document aims to introduce security researchers and hackers to key concepts for working with x64 binaries on Mac OS X.
Mac osx 64_rop_chains
- 1. ROP Chains on Mac Osx x64 Bit
- 2. Who am I ? Rahul Sasi Security Researcher @ iSIGHT Partners . Member Garage4Hackers.
- 3. Garage 4 Hackers Information Security professionals from Fortune 500, Security research and Consulting firms from all across the world. Security Firms Consulting Firms Research Firms Law Enforcements http://www.Garage4Hackers.com
- 4. X64 Intro X64 Instruction X64 Debugging Tools X64 Reversing Tools X64 Programing X64 Shell Codes
- 5. Mac / BSD System Arc What's new in mac 10.6 Mac Protection Mechanism Snow Leopard DEP ROP with dyld Examples :
- 7. Extension to 32 bit x86 - x64 long mode Can address up to 64 bits (16EB) of virtual memory* Can address up to 52 bits (4PB) of physical memory 64 bit general purpose registers - RAX, RBX, ... 8 new GP registers (R8-R15) 8 new 128 bit XMM registers (XMM8-XMM15) New 64 bit instructions: cdqe, lodsq, stosq, etc New 64 bit instructions: cdqe, lodsq, stosq, etc Ability to reference data relative to instruction pointer (rip)
- 8. Long mode 64 bit flat (linear) addressing Segment base is always 0 except for FS and GS Stack (SS), Code (CS), Data (DS) always in the same segment Default address size is 64 bits Default operand size is 32 bits 64 bit operands (RAX, RBX, ...) are specified with REX prefix in the opcode encoding 64 bit instruction pointer (RIP) 64 bit stack pointer (RSP)
- 9. x64 registers 32 bit registers extended to 64 bits eax rax ebx rbx esp rsp 8 additional 64 bit registers r8, r9, r10, ... r15 8 additional 128 bit XMM (SSE) registers xmm8, xmm9, ... xmm15 Used for vector and floating point arithmetic
- 10. X64 Registers
- 11. Registers
- 12. X64 Registers
- 13. System V x64 ABI Used by Linux, BSD, Mac, others Totally different than MS x64 ABI Also totally different than GCC's x86 Linux ABI Calling convention uses many registers: 6 registers for integer arguments 8 registers for float/double arguments Some registers considered volatile and can change across function calls, others must be saved by the callee
- 14. Example 6 registers for integer parameters RDI, RSI, RDX, RCX, R8, R9 8 registers for float/double/vector parameters XMM0-XMM7 Examples! int func1(int a, float b, int c) rax func1(rdi, xmm0, rsi)
- 15. The number of the syscall has to be passed in register rax. rdi - used to pass 1st argument to functions rsi - used to pass 2nd argument to functions rdx - used to pass 3rd argument to functions rcx - used to pass 4th argument to functions r8 - used to pass 5th argument to functions r9 - used to pass 6th argument to functions
- 16. X32 How it did stuffs.
- 17. X64 Bit How stuffs are done.
- 18. How it rolls in x64
- 19. Hints to Start with Look here for mac System Call address /usr/include/sys/syscall.h Mac OS X or likely BSD has split up the system call numbers into several different classes. The upper order bits of the syscall number represent the class of the system call, in the case of write and exit, its SYSCALL_CLASS_UNIX and hence the upper order bits are 2! Thus, every Unix system call will be (02000000 + unix syscall #).
- 22. Original Sources http://thexploit.com/tag/assembly/ http://thexploit.com/secdev/51-byte-x86_64-os-x-null- free-shellcode/ http://lolcathost.org/b/introx86.pdf http://gdtr.wordpress.com/2011/07/23/universal-rop- shellcode-for-os-x-x64/ http://reverse.put.as/wp- content/uploads/2011/06/breaking_mac_osx.ppt