[Code-Crunchers] 69 byte shellcode to add root user 'r00t'

Kris Katterjohn kjak at ispwest.com
Fri Nov 17 11:22:38 CST 2006


Luciano Miguel Ferreira Rocha wrote:
> On Fri, Nov 17, 2006 at 10:59:58AM -0600, Mike Tremoulet wrote:
>> Great stuff.  Sorry, a bit new to the game here, but this line:
>> * ; open("/etc//passwd", O_WRONLY | O_APPEND)
>>
>> Should it be //etc//passwd, /etc/passwd, or is the mix of single and
>> double slash correct?
> 
> Unix collapses a sequence of /s to a single /. It could even be /////.
> 
> But in this case, by using this form, the string "/etc//passwd" is a
> multiple of 4 bytes and can be constructed using normal int32 values.
> \0 must be excluded to not terminate the shell code string.
> 

Grr.. as I was typing a response :) You said it better anyway.

-Kris
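
The point made in the quoted reply, as an added example that is not part of the original thread: the 12-byte form "/etc//passwd" fills three 32-bit words with no zero byte, the 11-byte form "/etc/passwd" leaves a NUL in its last word, and both resolve to the same file once repeated slashes are collapsed, so path-based detection should normalise before matching. The helper names `collapse_slashes`, `pack_words` and `count_nul_words` are hypothetical, and little-endian (x86) word layout is assumed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Collapse runs of '/' into one, as Unix path resolution does, so a rule
 * written for "/etc/passwd" also matches "/etc//passwd".
 * Returns the normalised length, or -1 if out is too small. */
int collapse_slashes(const char *in, char *out, size_t outsz)
{
    size_t n = 0;
    if (outsz == 0) return -1;
    for (size_t i = 0; in[i] != '\0'; i++) {
        if (in[i] == '/' && n > 0 && out[n - 1] == '/') continue;
        if (n + 1 >= outsz) return -1;
        out[n++] = in[i];
    }
    out[n] = '\0';
    return (int)n;
}

/* Split s into little-endian 32-bit words (assumed x86 layout). A partial
 * final word is zero-padded, which is exactly where a NUL byte appears.
 * Returns the word count, or -1 if words[] is too small. */
int pack_words(const char *s, uint32_t *words, size_t max_words)
{
    size_t len = strlen(s), nwords = (len + 3) / 4;
    if (nwords > max_words) return -1;
    for (size_t i = 0; i < nwords; i++) {
        words[i] = 0;
        for (size_t b = 0; b < 4 && 4 * i + b < len; b++)
            words[i] |= (uint32_t)(unsigned char)s[4 * i + b] << (8 * b);
    }
    return (int)nwords;
}

/* Count words containing at least one zero byte (classic has-zero-byte test). */
int count_nul_words(const uint32_t *words, size_t n)
{
    int hits = 0;
    for (size_t i = 0; i < n; i++)
        if ((words[i] - 0x01010101u) & ~words[i] & 0x80808080u) hits++;
    return hits;
}

int main(void)
{
    const char *forms[] = { "/etc/passwd", "/etc//passwd" }; /* constructed samples */
    uint32_t w[4];
    for (size_t i = 0; i < 2; i++) {
        int n = pack_words(forms[i], w, 4);
        printf("%-13s len=%zu words=%d words_with_nul=%d\n", forms[i],
               strlen(forms[i]), n, count_nul_words(w, (size_t)n));
    }
    return 0;
}
```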

