ROP Chains on Mac Osx x64 Bit

Who am I ?

Rahul SasiSecurity Researcher @ iSIGHT Partners .Member Garage4Hackers.

Garage 4 HackersInformation Security professionals from Fortune 500, Security research and Consulting firms from all across the world.

•Security Firms•Consulting Firms•Research Firms•Law Enforcements

http://www.Garage4Hackers.com

X64 Intro

X64 Instruction

X64 Debugging Tools

X64 Reversing Tools

X64 Programing

X64 Shell Codes

Mac / BSD System Arc

What's new in mac 10.6

Mac Protection Mechanism

Snow Leopard

DEP

ROP with dyld

Examples :

X64 Supported Processors. AMDX86-64AMD64

Extension to 32 bit x86 - x64 “long mode”Can address up to 64 bits (16EB) of virtual memory*Can address up to 52 bits (4PB) of physical memory

64 bit general purpose registers - RAX, RBX, ...8 new GP registers (R8-R15)8 new 128 bit XMM registers (XMM8-XMM15) New 64 bit

instructions: cdqe, lodsq, stosq, etcNew 64 bit instructions: cdqe, lodsq, stosq, etcAbility to reference data relative to instruction pointer

(rip)

Long mode64 bit flat (linear) addressingSegment base is always 0 except for FS and GS Stack (SS),

Code (CS), Data (DS) always in the samesegment Default address size is 64 bitsDefault operand size is 32 bits

64 bit operands (RAX, RBX, ...) are specified with “REX prefix” in the opcode encoding

64 bit instruction pointer (RIP)64 bit stack pointer (RSP)

x64 registers

32 bit registers extended to 64 bitseax → rax ebx → rbx esp → rsp

8 additional 64 bit registersr8, r9, r10, ... r15

8 additional 128 bit XMM (SSE) registersxmm8, xmm9, ... xmm15Used for vector and floating point arithmetic

X64 Registers

Registers

X64 Registers

System V x64 ABI

Used by Linux, BSD, Mac, others Totally different than MS x64 ABIAlso totally different than GCC's x86 Linux ABI

Calling convention uses many registers:6 registers for integer arguments 8 registers for float/double arguments

Some registers considered volatile and can change across function calls, others must be saved by the callee

Example 6 registers for integer parameters

RDI, RSI, RDX, RCX, R8, R9 8 registers for float/double/vector parameters

XMM0-XMM7

Examples!int func1(int a, float b, int c)

rax func1(rdi, xmm0, rsi)

The number of the syscall has to be passed in register rax.

rdi - used to pass 1st argument to functions rsi - used to pass 2nd argument to functions rdx - used to pass 3rd argument to functions rcx - used to pass 4th argument to functions r8 - used to pass 5th argument to functions r9 - used to pass 6th argument to functions

X32 How it did stuffs.

X64 Bit How stuffs are done.

How it rolls in x64

Hints to Start withLook here for mac System Call address

/usr/include/sys/syscall.h

Mac OS X or likely BSD has split up the system call numbers into several different “classes.”

The upper order bits of the syscall number represent the class of the system call, in the case of write and exit, it’s SYSCALL_CLASS_UNIX and hence the upper order bits are 2!

Thus, every Unix system call will be (0×2000000 + unix syscall #).

Debugging |Reversing Tools

Quick Shell Code

Demo

Original Sources http://thexploit.com/tag/assembly/http://thexploit.com/secdev/51-byte-x86_64-os-x-null-fr

ee-shellcode/

http://lolcathost.org/b/introx86.pdfhttp://gdtr.wordpress.com/2011/07/23/universal-rop-she

llcode-for-os-x-x64/

http://reverse.put.as/wp-content/uploads/2011/06/breaking_mac_osx.ppt