[Code-Crunchers] 69 byte shellcode to add root user 'r00t'

Luciano Miguel Ferreira Rocha strange at nsk.no-ip.org
Fri Nov 17 11:11:06 CST 2006


On Fri, Nov 17, 2006 at 10:59:58AM -0600, Mike Tremoulet wrote:
> Great stuff.  Sorry, a bit new to the game here, but this line:
> * ; open("/etc//passwd", O_WRONLY | O_APPEND)
> 
> Should it be //etc//passwd, /etc/passwd, or is the mix of single and
> double slash correct?

Unix collapses a sequence of /s to a single /. It could even be /////.

But in this case, by using this form, the string "/etc//passwd" is a
multiple of 4 bytes and can be constructed using normal int32 values.
\0 must be excluded to not terminate the shell code string.

-- 
lfr
0/0
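
The reply's two points, checked in code as an added example (not part of the original message or of the shellcode under discussion): the 12-byte form packs into three 32-bit words with no zero byte while the 11-byte form needs one byte of padding, and a file-access rule that matches on the path string has to collapse repeated slashes first. The function names are hypothetical and little-endian x86 byte order is assumed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* 32-bit little-endian word `idx` of `s` as it would sit in memory on x86;
   bytes past the end of the string are the zero padding a packer must add. */
static uint32_t packed_word(const char *s, size_t idx)
{
    size_t len = strlen(s);
    uint32_t v = 0;
    for (size_t b = 0; b < 4; b++) {
        size_t i = idx * 4 + b;
        uint32_t c = i < len ? (unsigned char)s[i] : 0;
        v |= c << (8 * b);
    }
    return v;
}

/* Number of zero bytes in the packed form of `s`. */
static size_t zero_bytes_when_packed(const char *s)
{
    size_t words = (strlen(s) + 3) / 4, zeros = 0;
    for (size_t w = 0; w < words; w++)
        for (int b = 0; b < 4; b++)
            if (((packed_word(s, w) >> (8 * b)) & 0xff) == 0) zeros++;
    return zeros;
}

/* 1 if `path` equals `target` (already in collapsed form) once runs of '/'
   in `path` are collapsed, which is how path resolution treats them. */
static int same_after_collapsing(const char *path, const char *target)
{
    char prev = 0;
    for (; *path; prev = *path++) {
        if (*path == '/' && prev == '/') continue;
        if (*path != *target++) return 0;
    }
    return *target == '\0';
}

int main(void)
{
    const char *paths[] = { "/etc/passwd", "/etc//passwd" };  /* both from the thread */
    for (int p = 0; p < 2; p++)
        printf("%-13s len=%zu zero_bytes=%zu last_word=0x%08x same_file=%d\n",
               paths[p], strlen(paths[p]), zero_bytes_when_packed(paths[p]),
               (unsigned)packed_word(paths[p], 2), same_after_collapsing(paths[p], "/etc/passwd"));
    return 0;
}
```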