OSX Shellcode
Shellcode can be generated directly from the command line, or you can work through the interactive shell menu.
Command line
The following features are available:
[!] system('command_to_execute')
[+] osx_x86/system/none
[!] chmod('file_to_perm','perm_number')
[+] osx_x86/chmod/none
To use the command-line feature:
python zsc.py -p osx_x86/chmod/none "test.txt~~~6"
OWASP ZSC has a module for generating OSX x86 shellcode. This module is still in development and was created by Akash Trehan (Codemaxx). We encourage you to try it and submit any issues through the GitHub issues. To see the available options, press tab twice and the ZSC command line will show them. To select one, type the command.
Example
zsc/shellcode>
download generate search shell_storm_list
zsc/shellcode> generate
zsc/shellcode/generate>
For OSX we have the following modules:
zsc/shellcode/generate> osx_x86
zsc/shellcode/generate/osx_x86> chmod exec system
Special Options
Every shellcode generation option can output assembly code, shellcode, and a C source file with the shellcode inserted that you can compile into an executable:
Output assembly code?(y or n)>
Output shellcode to screen?(y or n)>
Shellcode output to a .c file?(y or n)>
When you use the option to generate a C file and want to compile it, keep in mind that for it to build properly and run on a 64-bit machine, you need the following command:
gcc -o shell shell.c -m32
An example of how to compile has also been added to the generated C files.
Chmod
One command you can use to change the user's file permissions and generate shellcode for this is the 'chmod' command. To select it, just type chmod; to obtain the sub-menu, press tab twice.
zsc/shellcode/generate/osx_x86/chmod> file_to_perm&&perm_number
file_to_perm> secret.pdf
perm_number> 6
[+] file_to_perm set to "secret.pdf"
[+] perm_number set to "6"
[+] none
[+] enter encode type
zsc/shellcode/generate/osx_x86/chmod/encode_type> none
Output assembly code?(y or n)> y
[+] Generated shellcode is:
\x31\xc0\x50\x68\x90\x90\x65\x74\x5b\xc1\xeb\x10\x53\x68\x73\x65\x63\x72\x89\xe2\x68\x90\x90\xed\x01\x59\xc1\xe9\x10\x51\x52\x6a\x0f\x58\x6a\x2a\xcd\x80\xb0\x01\xb3\x01\xcd\x80
Shellcode output to a .c file?(y or n)> y
Target .c file?> secret.c
[+] File saved as secret.c .
Exec
This module can create shellcode from a binary/executable file. Once it is selected, pressing tab twice will give you one option for selecting your 'file_to_execute'. Make sure you provide the right path to the file. You can also decide whether you want to encode the file or not.
chmod exec system
zsc/shellcode/generate/osx_x86> exec
zsc/shellcode/generate/osx_x86/exec> file_to_execute
file_to_execute> cdir
[+] file_to_execute set to "cdir"
[+] none
[+] enter encode type
zsc/shellcode/generate/osx_x86/exec/encode_type>
System
The System feature allows you to generate shellcode for system command calls, such as in this Shell-Storm example: http://shell-storm.org/shellcode/files/shellcode-692.php
With this feature you will be able to create your own system calls and executable terminal commands. Example:
zsc> shellcode
zsc/shellcode> generate
zsc/shellcode/generate> osx_x86
zsc/shellcode/generate/osx_x86> system
zsc/shellcode/generate/osx_x86/system> command_to_execute
command_to_execute> ls -l
[+] command_to_execute set to "ls -l"
[+] none
[+] enter encode type
zsc/shellcode/generate/osx_x86/system/encode_type> none
Output assembly code?(y or n)> y
push $0x6c909090
pop %ecx
shr $0x10,%ecx
shr $0x8,%ecx
push %ecx
push $0x2d20736c
mov %esp,%ecx
push $0x632d9090
pop %edx
shr $0x10,%edx
push %edx
mov %esp,%edx
push $0x68732f90
pop %ebx
shr $0x8,%ebx
push %ebx
push $0x6e69622f
mov %esp,%ebx
xor %eax,%eax
push %eax
push %ecx
push %edx
push %ebx
mov %esp,%ecx
xor %edx,%edx
push %edx
push %ecx
push %ebx
mov $0x3b,%al
push $0x2a
int $0x80
mov $0x1,%al
mov $0x1,%bl
int $0x80
Output shellcode to screen?(y or n)> y
[+] Generated shellcode is:
\x68\x90\x90\x90\x6c\x59\xc1\xe9\x10\xc1\xe9\x08\x51\x68\x6c\x73\x20\x2d\x89\xe1\x68\x90\x90\x2d\x63\x5a\xc1\xea\x10\x52\x89\xe2\x68\x90\x2f\x73\x68\x5b\xc1\xeb\x08\x53\x68\x2f\x62\x69\x6e\x89\xe3\x31\xc0\x50\x51\x52\x53\x89\xe1\x31\xd2\x52\x51\x53\xb0\x3b\x6a\x2a\xcd\x80\xb0\x01\xb3\x01\xcd\x80
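For analysts reading a listing like the one above, the following added example (not part of OWASP ZSC) interprets the assembly and recovers the first system call and its arguments, showing how the 0x90 padding is shifted out so the strings end up null-terminated without null bytes in the shellcode. The function name first_syscall is hypothetical, and it handles only the instructions that appear in this listing.

```python
import re

# Listing from the `system` session on this page, several instructions per line.
LISTING = """
push $0x6c909090; pop %ecx; shr $0x10,%ecx; shr $0x8,%ecx; push %ecx
push $0x2d20736c; mov %esp,%ecx
push $0x632d9090; pop %edx; shr $0x10,%edx; push %edx; mov %esp,%edx
push $0x68732f90; pop %ebx; shr $0x8,%ebx; push %ebx
push $0x6e69622f; mov %esp,%ebx
xor %eax,%eax; push %eax; push %ecx; push %edx; push %ebx; mov %esp,%ecx
xor %edx,%edx; push %edx; push %ecx; push %ebx
mov $0x3b,%al; push $0x2a; int $0x80
mov $0x1,%al; mov $0x1,%bl; int $0x80
"""

def first_syscall(listing, size=256):
    """Interpret the listing's instruction subset up to the first int $0x80."""
    mem = bytearray(size)                      # little-endian stack memory
    reg = {"eax": 0, "ebx": 0, "ecx": 0, "edx": 0, "esp": size}
    val = lambda op: int(op[1:], 16) if op[0] == "$" else reg[op[1:]]
    word = lambda a: int.from_bytes(mem[a:a + 4], "little")
    cstr = lambda a: mem[a:mem.index(0, a)].decode("ascii", "replace")
    for ins in filter(None, map(str.strip, re.split(r"[;\n]", listing))):
        op, *ops = re.split(r"[\s,]+", ins)
        dst = ops[-1][1:] if ops else ""       # destination name without '%'
        if op == "push":
            reg["esp"] -= 4
            mem[reg["esp"]:reg["esp"] + 4] = val(ops[0]).to_bytes(4, "little")
        elif op == "pop":
            reg[dst] = word(reg["esp"])
            reg["esp"] += 4
        elif op == "shr":                      # shifts the 0x90 padding out
            reg[dst] >>= val(ops[0])
        elif op == "xor" and ops[0] == ops[1]:
            reg[dst] = 0
        elif op == "mov" and dst in ("al", "bl"):   # 8-bit write
            full = "e" + dst[0] + "x"
            reg[full] = (reg[full] & ~0xFF) | val(ops[0])
        elif op == "mov":
            reg[dst] = val(ops[0])
        elif op == "int":
            # 32-bit OS X/BSD: number in eax, args on the stack above a filler word.
            argv, args = word(reg["esp"] + 8), []
            while word(argv):
                args.append(cstr(word(argv)))
                argv += 4
            return reg["eax"], cstr(word(reg["esp"] + 4)), args
        else:
            raise ValueError("unsupported instruction: " + ins)
```

Calling first_syscall(LISTING) returns the syscall number 0x3b (execve on OS X), the path "/bin/sh", and the argument vector, which ends in the "ls -l" command entered in the session.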