Exploiting in ‘OS X’ City.

Hey hey. How are you ppl?
I’ve been working a lot with OS X lately. It looks very similar to any other Unix-like OS, but of course it has its own quirks.

Basically I’m writing this post to have some kind of sticky note for the things I’ve discovered, read on some blog or seen in some presentation. So I’ll keep this post ‘in progress’, adding the stuff that I think will be useful for developing reliable exploits.

I will cover the last two major versions of OS X, 10.4.x (Tiger) and 10.5.x (Leopard):

* Tiger (10.4.x) – i386

  - Static binary image base
  - Non-randomized stack
  - Non-executable stack
  - Non-randomized heap base
  - Executable heap
  - No library randomization

* Leopard (10.5.x) – i386

  - Randomized binary image base
  - Static stack addresses
  - Non-executable stack
  - Library randomization (poor, maybe bruteforceable)
  - Static heap base
  - Executable heap

Also, I’ve found that some binaries (like QuickTime) are compiled with ProPolice (that is, with the -fstack-protector-all gcc flag). And it seems to be very well implemented, so this sucks if you were trying to do some ret smashing… will have to see what we can do just with the local variables 😀
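To make the ProPolice point concrete, here is an added example (mine, not from the original post or from Apple’s toolchain) that models by hand what -fstack-protector-all does for you: a guard word is stored right after the local buffer in the prologue and checked before return. A copy that trusts the caller’s length and runs past the buffer has to overwrite the guard, so the check turns silent corruption into a detected failure; the hardened variant bounds the copy by the destination instead. The frame is modelled as a byte array and the guard value is fixed, both purely so the demo stays within defined behaviour and runs anywhere (the real protector uses a per-process random value and aborts via __stack_chk_fail). The function names and the sample inputs are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BUF_LEN   16u
#define FRAME_LEN (BUF_LEN + sizeof(uint32_t))   /* buffer followed by the guard word */

/* Fixed for the demo; the real stack protector picks a random value per process. */
static const uint32_t GUARD_VALUE = 0xDEADBEEFu;

enum copy_result {
    COPY_OK = 0,            /* copy stayed inside the buffer, guard intact */
    COPY_GUARD_SMASHED = 1, /* overflow reached the guard: what __stack_chk_fail would abort on */
    COPY_TRUNCATED = 2      /* hardened variant cut the input to fit */
};

/* Model of the unsafe pattern: the copy length comes from the caller, not
 * from the destination size. The guard sits at frame[BUF_LEN] and is checked
 * afterwards, as the protector does in the function epilogue. The write is
 * capped at FRAME_LEN only so the model itself never leaves the array. */
int unsafe_copy_guarded(const unsigned char *src, size_t src_len) {
    unsigned char frame[FRAME_LEN];

    memcpy(frame + BUF_LEN, &GUARD_VALUE, sizeof GUARD_VALUE);   /* prologue: store guard */

    size_t n = src_len < FRAME_LEN ? src_len : FRAME_LEN;
    memcpy(frame, src, n);                                        /* the unbounded copy */

    uint32_t seen;
    memcpy(&seen, frame + BUF_LEN, sizeof seen);                  /* epilogue: check guard */
    /* Note the limit of the mechanism: only writes that reach the guard are
     * caught. A write that stays below it is not, which is why ProPolice also
     * reorders locals so char arrays sit closest to the guard. */
    return seen == GUARD_VALUE ? COPY_OK : COPY_GUARD_SMASHED;
}

/* Hardened pattern: bound the copy by the destination, not the source. */
int safe_copy(const unsigned char *src, size_t src_len) {
    unsigned char buf[BUF_LEN];
    size_t n = src_len < BUF_LEN ? src_len : BUF_LEN;
    memcpy(buf, src, n);
    return n == src_len ? COPY_OK : COPY_TRUNCATED;
}

/* Constructed sample inputs: one that fits and one that is four bytes too long. */
static const unsigned char SAMPLE_FITS[16] = "AAAAAAAAAAAAAAAA";
static const unsigned char SAMPLE_LONG[20] = "BBBBBBBBBBBBBBBBBBBB";

int main(void) {
    printf("16 bytes into 16-byte buffer, guarded: %d\n",
           unsafe_copy_guarded(SAMPLE_FITS, sizeof SAMPLE_FITS));   /* 0: COPY_OK */
    printf("20 bytes into 16-byte buffer, guarded: %d\n",
           unsafe_copy_guarded(SAMPLE_LONG, sizeof SAMPLE_LONG));   /* 1: COPY_GUARD_SMASHED */
    printf("20 bytes into 16-byte buffer, bounded: %d\n",
           safe_copy(SAMPLE_LONG, sizeof SAMPLE_LONG));             /* 2: COPY_TRUNCATED */
    return 0;
}
```

The takeaway for the Leopard/Tiger lists above: a guarded return address is only one piece; the same overflow still corrupts whatever locals sit between the buffer and the guard, so bounding the copy by the destination (safe_copy) is the actual fix and the protector is the safety net.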

~ by aLS -- on July 27, 2008.
