Reverse Shell Client

The reverse shell client is a Python based alternative for a netcat reverse shell listener (nc -lvp <port>).

The default reverse shell client (rsh-client.py) ships with many features such as uploading, downloading, executing and editing files on the (Unix-based) remote host you managed to get a shell on.

You can also download the standalone version (rsh-client-standalone.py), which is simply a smaller version without the custom commands. It is mostly useful for local privilege escalation when you want to get a shell as another process and netcat is not available on the system.

Usage

Minimal usage
Using the reverse shell client is simple: execute the script via the command line without any parameters. This makes the script listen on any interface address on your system, on a randomly selected port, for an inbound connection.

Example: python rsh-client.py

Viewing the help section
You can view the help page by executing the script with the --help or -h argument.

Example: python rsh-client.py --help

Listen on a specific port
You can specify what port to listen on with the --port <int> or -p <int> argument. This is useful if you're behind a firewall and have a specific port forwarded to you. It is recommended that you always use this argument to prevent errors when trying to create a reverse shell.

Example: python rsh-client.py --port 1337

Listen on a specific interface address
You can specify what interface address to listen on by executing the script with the --interface <string> or -i <string> argument. This can be used to limit inbound connections to a specific interface such as 127.0.0.1. By default the script listens on any interface address.

Example: python rsh-client.py --interface 127.0.0.1

Setting an inbound connection whitelist
You can specify a whitelist of addresses to accept connections from by using the -A <string> or --accept <string> argument. This limits the inbound connections to the script, which only supports one connection at a time. Support for multiple connections might be added in the future.

Example: python rsh-client.py --accept "127.0.0.1,192.168.0.21"
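The following is an added example of how an --accept style whitelist can be parsed and enforced on a listener; it is not code from rsh-client.py and the function names are assumptions. It goes slightly beyond the page by also accepting CIDR ranges and by unwrapping IPv4-mapped IPv6 peers, which a dual-stack socket reports as ::ffff:a.b.c.d.

```python
import ipaddress
from typing import List, Union

Net = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


def parse_accept_list(spec: str) -> List[Net]:
    """Parse a comma-separated whitelist such as "127.0.0.1,192.168.0.21".

    Single addresses become /32 (or /128) networks so that hosts and CIDR
    ranges can be mixed. Blank entries are ignored; an unparsable entry
    raises ValueError so a typo fails loudly instead of silently widening
    or narrowing the list.
    """
    nets: List[Net] = []
    for entry in spec.split(","):
        entry = entry.strip()
        if not entry:
            continue
        try:
            nets.append(ipaddress.ip_network(entry, strict=False))
        except ValueError as exc:
            raise ValueError(f"invalid whitelist entry {entry!r}") from exc
    return nets


def is_allowed(peer: str, nets: List[Net]) -> bool:
    """Return True if the peer address may keep its connection.

    An empty list means no restriction, mirroring the script's default of
    accepting from anywhere when --accept is not given. Anything that is
    not a valid IP address is rejected.
    """
    if not nets:
        return True
    try:
        addr = ipaddress.ip_address(peer)
    except ValueError:
        return False
    # A dual-stack listener reports IPv4 peers as ::ffff:a.b.c.d; compare
    # the embedded IPv4 address against IPv4 entries as well.
    candidates = [addr]
    if addr.version == 6 and addr.ipv4_mapped is not None:
        candidates.append(addr.ipv4_mapped)
    return any(c in net for c in candidates for net in nets)
```

In the accept loop the decision is `is_allowed(conn.getpeername()[0], nets)`; a rejected connection should be closed immediately and logged, since the listener only serves one session at a time.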

Persistent mode
Persistent mode prevents you from losing your shell when pressing ^C (CTRL + C), which normally stops any Python script. It is enabled with the -P or --persistent argument.

You can still exit your shell with the command rsh exit or by pressing ^Z (CTRL + Z). Using ^Z is not advised, as it might keep the connection alive or prevent Python from closing the port you were listening on. If you have no other choice but to ^Z the script, use the following bash command to kill all processes listening on the port you just used for the reverse shell client: kill -9 $(lsof -ti :<port>)

Example: python rsh-client.py --persistent

Debug mode
Debug mode is an experimental option mainly used to test features during development, which is why it is not listed in the help section. It can be enabled with the --debug argument. It is not advised to use this option unless you're modifying the script, or if your connection does not send any data back.

Example: python rsh-client.py --debug

The RSH shell

Minimal usage
The RSH shell is activated once the script receives an inbound connection. The command rsh ... is used to access special features such as uploading and downloading. If you wish to send the command itself to the remote host, prefix it with a backslash, like so: \rsh ... This prevents the command from being interpreted as a local method. The same applies to nano -> \nano and vim -> \vim, as these can cause your shell to freeze or disconnect. (The rsh command is used on some Linux distributions as a synonym for the ssh command.)

Exiting the shell
Exits the current shell by closing the socket. By default, rsh exit is executed when ^C (CTRL + C) is pressed. This behaviour can be disabled with the -P or --persistent argument when running the script.

Example: rsh exit

Uploading files
Uploading a file to the remote host is done by reading the local file and echoing its contents in blocks of 1024 bytes into the remote file, like so: /bin/echo -en '\x08\x03\x00..' >> /remote/file. The script first checks whether the shell has permission to write to the specified location and offers to upload to /tmp/.. instead if permission is denied. If no remote file is specified, the file is written to the current working directory, and if the file already exists you will be prompted before the remote file is overwritten.

Usage: rsh upload <localfile> [<remotefile>]
Example: rsh upload /root/shell.php /home/www/evil.php

Downloading files Warning: Experimental
Downloading a file from the remote host is done by checking whether the remote file is readable and then running cat <remotefile> to get its contents, which are then written to a file on your local system.

Usage: rsh download <remotefile> [<localfile>]
Example: rsh download /home/www/config.php /tmp/config.php

Executing files or scripts
Executing a file is done by automatically uploading it to the /tmp/.. directory on the remote host, executing it and then removing it so it doesn't leave a trail. Any parameters are appended to the file execution. See rsh help upload and rsh help download for more information about file transfers.

Usage: rsh execute <localfile> [<params>]
Example: rsh execute /root/somebinary -abc

Editing files on the remote host Warning: Unfinished
As nano or vim tend to break your shell, the rsh edit command downloads the file to your local machine, opens your default editor and then re-uploads the file to the remote host. The script first checks whether the shell has permission to read and write the file. If the local file has not changed after editing, nothing is re-uploaded; use the -f or --force parameter to force the script to re-upload the file.

Usage: rsh edit <remotefile> [-f | --force]
Example: rsh edit /home/www/index.php -f

Fingerprinting the remote host Warning: Unfinished
The fingerprinting command is a utility to find out more about the remote system and find possible ways to escalate local privileges.

Usage: rsh fingerprint

Specifications

Current version: 2.0.0
Language: Python
License: Creative Commons License

Downloads

File                      Version  Hash (sha1)
rsh-client-standalone.py  2.0.0    bb1de10f9738e55b12cf72f88b7c5953bead5880
rsh-client.py             2.0.0    5de045ed8b0e692b3ff6ffaddacd85284ccf0e06

Changelog

File: rsh-client-standalone.py
Version: 2.0.0
Summary: No release message


Disclaimer

By downloading software from this website the person in question agrees that they will use any of the software in question in an ethical (non-malicious) way and agrees that the developer(s) are NOT held responsible for any damage caused by the use and/or abuse of this software.

Misuse of any software from this website may result in criminal charges being brought against the person in question; depending on the country or state of residence, this can result in probation, fines of up to $100000 or prison sentences of up to 20 years in federal prison.

Please think twice before you run a script if you don't know what you're doing.