Chapter 9
Exploit Payloads
In the exploit examples so far, you haven’t really done anything interesting after you have obtained code execution. The executable payloads in your exploits typically only issued a breakpoint trap to verify that you had obtained execution. In this chapter, you will see how to make your exploits do something more interesting.
The executable code found in exploits has traditionally been called shellcode because it typically executed an operating-system shell for the attacker. These days, however, many exploit payloads are much more complicated, with their own remote system call execution, library injection, or scripting languages. In addition, on platforms such as the iPhone, there typically is no shell to execute. For that reason, it makes more sense to refer to exploit payloads by that name and use shellcode to refer only to payloads that give a shell to the remote attacker.
In this chapter we will show how to write exploit payloads for Mac OS X on both PowerPC and Intel x86, ranging from simple shellcode payloads for local exploits to more complicated payloads for remote exploits that dynamically execute arbitrary machine code fragments and inject Mach-O bundles into the running process. This chapter is very heavy on PowerPC and x86 assembly as well as low-level C code, so familiarity with these languages is important.
Mac OS X Exploit Payload Development
Exploit payloads are standalone machine code fragments meant to be injected into a running process and ...