When writing the SET interactive shell for the Social-Engineer Toolkit, I had to ponder what the best route was for creating a flexible reverse shell. This backdoor had to be in a programming language familiar to me and be modular so I could add new things onto it. Python, being my strongest language, posed some significant challenges as it is not a compiled language. Fortunately, there is a way to compile Python into a binary by wrapping the interpreter and the necessary modules into an executable. As you can imagine, this can be somewhat large.

A backdoor written in C/C++ can be extremely small; when byte-compiled in Python, it is around 1.4 megs packed. In SET I decided to take the route of leveraging Python and byte compiling for the SET interactive shell, but I did it in a multi-staged approach: the initial downloader is written in native C, and it then downloads and executes the Python-based compiled backdoor in the background. This allowed quick execution and redirection without the victim (if on a slow connection) downloading a large backdoor. What was also interesting is that it integrates the Python interpreter in place. Here is a small example of how to create a very small backdoor in Python, compile it, and evade all 43 anti-virus vendors in 13 lines. I'm sure this could be slimmed down, but I left some expanded definitions to make it clear to the reader. This was just a small PoC for fun. For the listener you can just run nc -lvp 443. The cool thing is that it is platform independent, so you can compile it for OSX, *nix, or Windows.


Be sure to change the IP address and PORT above. To compile this, download PyInstaller. On Windows, for example (or *nix), save the above code as shell.py, create a file called compile.bat, and put the following in it:

This will create a compiled executable under shell/dist. Simply run shell.exe with netcat listening. Surprisingly, upload it to virustotal.com and you get 0/43 detected. Obviously this is a custom reverse shell, so A/V really shouldn't be triggering on it.
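From the defender's side, the interesting property of the approach described above is not the 13-line shell but the packaging: a PyInstaller bundle carries the whole interpreter plus an archive of the script's modules appended to a small bootloader stub, which is why the result is around 1.4 megs and why signature-based A/V has nothing specific to match. That packaging leaves a recognisable artifact, though. The following is an added example (not code from the original post or from SET) of a heuristic scanner that flags PyInstaller-bundled executables by looking for the CArchive cookie magic and a few bootloader strings. The magic bytes, cookie layout and strings are assumptions taken from the public PyInstaller source; the two sample blobs are constructed inline and are not real binaries.

```python
"""Heuristic detector for PyInstaller-bundled executables (added example).

Assumptions (from the public PyInstaller bootloader/packer source, not from
the post): the archive appended to the stub ends with a "cookie" whose first
8 bytes are a fixed magic, followed by package length, TOC offset, TOC length
and the Python version as big-endian integers.
"""
import struct

# 8-byte magic PyInstaller writes at the start of its CArchive cookie.
PYINSTALLER_MAGIC = b"MEI\x0c\x0b\x0a\x0b\x0e"

# Legacy cookie layout: magic, package length, TOC offset, TOC length, pyversion.
COOKIE_FORMAT = "!8sIIii"
COOKIE_SIZE = struct.calcsize(COOKIE_FORMAT)  # 24 bytes

# Weaker, secondary indicators: strings present in the bootloader or bundle.
PYINSTALLER_STRINGS = (b"_MEIPASS2", b"pyi-runtime-tmpdir", b"PYZ-00.pyz")


def scan_bytes(data: bytes) -> dict:
    """Return the PyInstaller indicators found in `data` plus a verdict."""
    off = data.rfind(PYINSTALLER_MAGIC)  # cookie sits at the end of the archive
    strings = [s.decode() for s in PYINSTALLER_STRINGS if s in data]
    info = {
        "size_bytes": len(data),
        "magic_found": off != -1,
        "magic_offset": off,
        "strings": strings,
        "python_version": None,
    }
    if off != -1 and off + COOKIE_SIZE <= len(data):
        _, pkg_len, _toc_off, _toc_len, pyver = struct.unpack(
            COOKIE_FORMAT, data[off:off + COOKIE_SIZE]
        )
        info["python_version"] = pyver  # e.g. 27 for a Python 2.7 bundle
        info["package_length"] = pkg_len
    # The cookie magic alone is a strong indicator; strings alone are weak.
    if info["magic_found"]:
        info["verdict"] = "pyinstaller_bundle"
    elif strings:
        info["verdict"] = "possible_pyinstaller"
    else:
        info["verdict"] = "not_pyinstaller"
    return info


def scan_file(path: str) -> dict:
    """Scan a file on disk (reads it whole; fine for bundles of a few MB)."""
    with open(path, "rb") as fh:
        return scan_bytes(fh.read())


# Constructed samples, not real binaries: a fake stub with a cookie appended
# (as a one-file bundle would have) and a benign stub with no indicators.
SAMPLE_BUNDLE = (
    b"MZ" + b"\x00" * 510
    + struct.pack(COOKIE_FORMAT, PYINSTALLER_MAGIC, 1400000, 64, 4096, 27)
)
SAMPLE_BENIGN = b"MZ" + b"\x00" * 510 + b"hello world"

if __name__ == "__main__":
    import sys

    if sys.argv[1:]:
        for path in sys.argv[1:]:
            print(path, scan_file(path))
    else:
        print("bundle:", scan_bytes(SAMPLE_BUNDLE))
        print("benign:", scan_bytes(SAMPLE_BENIGN))
```

Run it with one or more file paths to triage downloads or quarantined samples; with no arguments it scans the two constructed blobs. A hit only says "this is a frozen Python program", so pair it with context (unsigned binary, dropped by a tiny native downloader as the post describes, outbound connection to an unexpected host on 443) before treating it as hostile; plenty of legitimate software ships as PyInstaller bundles, and the strings heuristic can be stripped, which is why the cookie check carries the verdict.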


You can create your own custom listener as well:

Update: You can also use exploit/multi/handler with set PAYLOAD linux/shell_reverse_tcp, windows/shell_reverse_tcp, etc. as a payload option in Metasploit to handle everything and take advantage of post-exploitation modules if desired. Thanks Egypt!