BITS 32
;-----------------------------------------------------------------------
; Minimal 32-bit Linux ELF executable (NASM, Intel syntax).
;
; The ELF header and program header are emitted by hand instead of
; letting the assembler/linker produce them; this keeps the file as
; small as possible (no section headers, no padding).  The idea of
; hand-writing the header comes from
; http://www.muppetlabs.com/~breadbox/software/tiny/teensy.html
;
; Behaviour (see _start below):
;   1. setuid(500)                      - switch the process to UID 500
;   2. execve("/bin//sh", argv, envp)   - replace the process with a shell
;
; Assumptions this file silently depends on:
;   * It is run as a raw ELF entry point (no libc, no crt0); the kernel
;     jumps straight to _start.
;   * The 16-bit register writes below (mov bx / mov ax) only produce the
;     intended 32-bit values because the upper halves of ebx/eax are
;     already zero.  At the entry point that holds because Linux clears
;     the general-purpose registers on exec (TODO confirm for the target
;     kernel); after setuid it holds only when the call returned 0.
;   * Everything lives in one PT_LOAD segment that is mapped read+exec,
;     so code and header bytes share the same page.
;-----------------------------------------------------------------------

org 0x08048000                          ; conventional i386 load base; all
                                        ; addresses below are absolute

;-----------------------------------------------------------------------
; Elf32_Ehdr - 52 bytes, no section header table (e_shoff/e_shnum = 0).
; Tools that insist on section headers may refuse to parse this file;
; the kernel loader only needs the program header.
;-----------------------------------------------------------------------
ehdr:                                   ; Elf32_Ehdr
        db 0x7F, "ELF", 1, 1, 1         ; e_ident: magic, ELFCLASS32,
                                        ; ELFDATA2LSB, EV_CURRENT
times 9 db 0                            ; e_ident padding (OS/ABI = SYSV)
        dw 2                            ; e_type      = ET_EXEC
        dw 3                            ; e_machine   = EM_386
        dd 1                            ; e_version   = EV_CURRENT
        dd _start                       ; e_entry     = first instruction
        dd phdr - $$                    ; e_phoff     = program header offset
        dd 0                            ; e_shoff     = no section headers
        dd 0                            ; e_flags
        dw ehdrsize                     ; e_ehsize    = sizeof(Elf32_Ehdr)
        dw phdrsize                     ; e_phentsize = sizeof(Elf32_Phdr)
        dw 1                            ; e_phnum     = one program header
        dw 0                            ; e_shentsize
        dw 0                            ; e_shnum
        dw 0                            ; e_shstrndx
ehdrsize equ $ - ehdr

;-----------------------------------------------------------------------
; Elf32_Phdr - a single PT_LOAD segment covering the whole file,
; mapped at the org address with read+execute permissions.
;-----------------------------------------------------------------------
phdr:                                   ; Elf32_Phdr
        dd 1                            ; p_type   = PT_LOAD
        dd 0                            ; p_offset = start of file
        dd $$                           ; p_vaddr  = load base (org)
        dd $$                           ; p_paddr  = same as p_vaddr
        dd filesize                     ; p_filesz = whole file, header included
        dd filesize                     ; p_memsz  = no extra zero-filled memory
        dd 5                            ; p_flags  = PF_R | PF_X (no write)
        dd 0x1000                       ; p_align  = page size
phdrsize equ $ - phdr
;End ELF Header

;-----------------------------------------------------------------------
; _start - process entry point.
; Register roles:
;   eax = syscall number / syscall return value
;   ebx = arg1 (uid, then path pointer)
;   ecx = arg2 (scratch zero, then argv pointer)
;   edx = arg3 (envp pointer)
; No stack frame is set up; the kernel-provided stack is used directly.
;-----------------------------------------------------------------------
_start:
        mov bx,0x01f4                   ; ebx = 500 (UID 500); 16-bit write,
                                        ; relies on upper half already 0
        mov ax,0x17                     ; eax = 23 = __NR_setuid (i386)
        int 0x80                        ; setuid(500); eax = 0 or -errno

        ; Build "/bin//sh\0" on the stack.  The doubled slash pads the
        ; string to 8 bytes so it fits two 4-byte pushes; "/bin//sh" is
        ; the same path as "/bin/sh".  This is smaller than keeping the
        ; string in a data area.
        xor ecx,ecx                     ; ecx = 0, reused as the NUL / NULL value
        push ecx                        ; string terminator (4 zero bytes)
        push 0x68732f2f                 ; "//sh" (little-endian)
        push 0x6e69622f                 ; "/bin"
        mov ebx,esp                     ; ebx -> "/bin//sh\0" (execve arg1)

        ; Build argv = { path, NULL } on the stack.
        push ecx                        ; argv[1] = NULL
        push ebx                        ; argv[0] = path
        mov ecx,esp                     ; ecx -> argv (execve arg2)

        ; envp: cdq sign-extends eax into edx.  eax still holds the
        ; setuid return value, so edx = 0 (envp = NULL) only when setuid
        ; succeeded; on failure eax is -errno and edx becomes -1.
        cdq                             ; edx = (eax < 0) ? -1 : 0

        ; Same partial-write dependency as above: this only yields 11 in
        ; eax when the upper 16 bits are zero, i.e. when setuid returned 0.
        ; If setuid failed, the syscall number is wrong and execve is
        ; never reached; the process will not be replaced by a shell.
        mov ax,0x0B                     ; eax = 11 = __NR_execve (i386)
        int 0x80                        ; execve("/bin//sh", argv, NULL)
        ; No exit path: if execve returns (failure), execution runs off
        ; the end of the file image into whatever follows in the page.

filesize equ $-$$                       ; total file length, used by the
                                        ; program header above