/calling_printf_osx.c
Created Nov 24, 2016
| #include <string.h> | |
| #include <stdlib.h> | |
| #include <unistd.h> | |
| #include <mach-o/dyld.h> | |
| #include <mach-o/nlist.h> | |
| #include <mach-o/dyld_images.h> | |
| #include <mach/mach_vm.h> | |
| /* Dyld is the OSX Dynamic Linker | |
| * /usr/include//mach-o/loader.h | |
| * | |
| * Tested on OSX 10.10.5 (Yosemite) | |
| * and macOS 10.12.1 (Sierra) | |
| * | |
| * build with: | |
| * gcc -D KERNEL_VERSION=$(uname -r | cut -d. -f1) call_printf.c | |
| * | |
| */ | |
| // Dyld shared cache structures | |
| typedef struct { | |
| char magic[16]; | |
| uint32_t mappingOffset; | |
| uint32_t mappingCount; | |
| uint32_t imagesOffset; | |
| uint32_t imagesCount; | |
| uint64_t dyldBaseAddress; | |
| uint64_t codeSignatureOffset; | |
| uint64_t codeSignatureSize; | |
| uint64_t slideInfoOffset; | |
| uint64_t slideInfoSize; | |
| uint64_t localSymbolsOffset; | |
| uint64_t localSymbolsSize; | |
| char uuid[16]; | |
| #if KERNEL_VERSION >= 16 | |
| // New addition for macOS Sierra | |
| char sierra_reserved[0x30]; | |
| #endif | |
| } dyld_cache_header; | |
| typedef struct { | |
| uint64_t address; | |
| uint64_t size; | |
| uint64_t file_offset; | |
| uint32_t max_prot; | |
| uint32_t init_prot; | |
| } shared_file_mapping_np; | |
| static char *find_libc_and_cache_base(char *program_name, char **cache_rx_base) | |
| { | |
| // Get DYLD task infos | |
| struct task_dyld_info dyld_info; | |
| mach_msg_type_number_t count = TASK_DYLD_INFO_COUNT; | |
| kern_return_t ret; | |
| ret = task_info(mach_task_self_, | |
| TASK_DYLD_INFO, | |
| (task_info_t)&dyld_info, | |
| &count); | |
| if (ret != KERN_SUCCESS) { | |
| return NULL; | |
| } | |
| // Get image array's size and address | |
| mach_vm_address_t image_infos = dyld_info.all_image_info_addr; | |
| struct dyld_all_image_infos *infos = (struct dyld_all_image_infos *)image_infos; | |
| uint32_t image_count = infos->infoArrayCount; | |
| struct dyld_image_info *image_array = infos->infoArray; | |
| // Find libsystem_c.dylib among them | |
| struct dyld_image_info *image; | |
| char *libc = NULL; | |
| char *first_lib = NULL; | |
| for (int i = 0; i < image_count; ++i) { | |
| image = image_array + i; | |
| // Find libsystem_c.dylib's load address | |
| if (strstr(image->imageFilePath, "libsystem_c.dylib")) { | |
| libc = (char*)image->imageLoadAddress; | |
| //printf("libc base @ %p\n", libc); | |
| #if KERNEL_VERSION >= 16 | |
| // Thanks Sierra | |
| *cache_rx_base = (char*)infos->sharedCacheBaseAddress; | |
| return libc; | |
| #endif | |
| } | |
| // Look for first dynamic library | |
| if (!strstr(image->imageFilePath, program_name)) { | |
| char *load_addr = (char*)image->imageLoadAddress; | |
| if (!first_lib || first_lib > load_addr) { | |
| first_lib = load_addr; | |
| } | |
| } | |
| } | |
| // find beginning of RX mapping | |
| // this method sucks | |
| while (memcmp(first_lib, "dyld_v1 x86_64h", 16)) { | |
| --first_lib; | |
| } | |
| *cache_rx_base = first_lib; | |
| return libc; | |
| } | |
| static char *find_printf(char *libc, char *shared_cache_rx_base) | |
| { | |
| struct mach_header_64 *libc_header = (struct mach_header_64 *)libc; | |
| uint32_t ncmds = libc_header->ncmds; | |
| struct symtab_command *symcmd = NULL; | |
| struct segment_command_64 *cmd; | |
| cmd = (struct segment_command_64*)(libc + sizeof(struct mach_header_64)); | |
| // Get symtab and dysymtab | |
| for (uint32_t i = 0; i < ncmds; ++i) { | |
| if (cmd->cmd == LC_SYMTAB) { | |
| symcmd = (struct symtab_command*)cmd; | |
| break; | |
| } | |
| cmd = (struct segment_command_64*)((char *)cmd + cmd->cmdsize); | |
| } | |
| dyld_cache_header *h = (dyld_cache_header*) shared_cache_rx_base; | |
| shared_file_mapping_np *mapping = (void*)(h + 1); | |
| /* | |
| * DYLD SHARED CACHE MAPPINGS* | |
| * =========================== | |
| * | |
| * (*): Without ASLR slide | |
| * | |
| * ## OSX Yosemite | |
| * | |
| * ---------------------- 0x7fff70000000 | |
| * | | | |
| * | | | |
| * | | | |
| * | | | |
| * | RW- | | |
| * | | | |
| * | | | |
| * | | | |
| * |----------------------| 0x7fff70000000 + [RW-].size | |
| * | Junk | | |
| * |----------------------| 0x7fff80000000 | |
| * | Cache Header | | |
| * |----------------------| | |
| * | | | |
| * | R-X | | |
| * | | | |
| * | ... | | |
| * | libsystem_c.dylib | | |
| * | ... | | |
| * | | | |
| * | | | |
| * |----------------------| 0x7fff80000000 + [R-X].size | |
| * | | | |
| * | | | |
| * | | | |
| * | R-- | | |
| * | | | |
| * | | | |
| * | | | |
| * | | | |
| * ---------------------- 0x7fff80000000 + [R-X].size + [R--].size | |
| * | |
| * cache.base = [R-X].address + [R-X].size - [R--].offset | |
| * | |
| * | |
| * | |
| * ## macOS Sierra | |
| * | |
| * Memory mapping follows file layout, so nothing strange to | |
| * take into account. The only thing to take into account is | |
| * presence of junk between each mapping, so offsets have to be | |
| * handled cleverly. | |
| * | |
| */ | |
| char *shared_cache_base = shared_cache_rx_base; | |
| size_t rx_size; | |
| size_t rw_size; | |
| uint64_t rx_addr; | |
| uint64_t ro_addr; | |
| off_t ro_off; | |
| for (int i = 0; i < h->mappingCount; ++i) { | |
| if (mapping[i].init_prot & VM_PROT_EXECUTE) { | |
| // Get size and address of [R-X] mapping | |
| rx_size = mapping[i].size; | |
| rx_addr = mapping[i].address; | |
| } else if (mapping[i].init_prot & VM_PROT_WRITE) { | |
| // Get size of [RW-] mapping | |
| rw_size = mapping[i].size; | |
| } else if (mapping[i].init_prot == VM_PROT_READ) { | |
| // Get file offset of [R--] mapping | |
| ro_off = mapping[i].file_offset; | |
| ro_addr = mapping[i].address; | |
| } | |
| } | |
| // Can be determined by dyld_all_image_info->sharedCacheSlide but meh. | |
| uint64_t aslr_slide = (uint64_t)shared_cache_rx_base - rx_addr; | |
| /* | |
| * Previously 'shared_cache_base + symcmd->XXXX', but since there is some | |
| * gap between each mapping, it would only work on Yosemite out of luck and | |
| * segfault in Sierra. Uglier, but it works on both versions. | |
| */ | |
| char *shared_cache_ro = (char*)(ro_addr + aslr_slide); | |
| uint64_t stroff_from_ro = symcmd->stroff - rx_size - rw_size; | |
| uint64_t symoff_from_ro = symcmd->symoff - rx_size - rw_size; | |
| struct nlist_64 *symtab; | |
| char *strtab = shared_cache_ro + stroff_from_ro; | |
| symtab = (struct nlist_64 *)(shared_cache_ro + symoff_from_ro); | |
| for(uint32_t i = 0; i < symcmd->nsyms; ++i){ | |
| uint32_t strtab_off = symtab[i].n_un.n_strx; | |
| uint64_t func = symtab[i].n_value; | |
| if(strcmp(&strtab[strtab_off], "_printf") == 0) { | |
| return (char*)(func + aslr_slide); | |
| } | |
| } | |
| return NULL; | |
| } | |
| int main (int argc, char *argv[]) | |
| { | |
| char *shared_cache_rx_base = NULL; | |
| char *libc = find_libc_and_cache_base(argv[0], &shared_cache_rx_base); | |
| if (!libc) { | |
| //printf("libsystem_c not found - aborting\n"); | |
| return 1; | |
| } | |
| if (!shared_cache_rx_base) { | |
| //printf("shared cache base not found - aborting\n"); | |
| return 1; | |
| } | |
| char *printf_addr = find_printf(libc, shared_cache_rx_base); | |
| if (!printf_addr) { | |
| //printf("printf not found - aborting\n"); | |
| return 1; | |
| } | |
| void (*print)(const char *fmt, ...) = (void *)printf_addr; | |
| print("Gotcha\n"); | |
| return 0; | |
| } |
This comment has been minimized.
Show comment
Hide comment
This comment has been minimized.
Show comment
Hide comment
Siguza
commented
Jun 19, 2017
|
FWIW you can get the |
This comment has been minimized.
Show comment
Hide comment
This comment has been minimized.
Show comment
Hide comment
P1kachu
Jul 2, 2017
Oh indeed. But that would have defeated the "don't use syscalls" rule ;) (that I already broke once actually)
|
Oh indeed. But that would have defeated the "don't use syscalls" rule ;) (that I already broke once actually) |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
FWIW you can get the
cache_rx_baseeven pre-Sierra the same way dyld gets it: