DEV Community

python7427 ython
python7427 ython

Posted on

Building a Custom Netcat in Python: Achieving RCE and Remote File Uploads on Android πŸ“±πŸ’»

Introduction
Understanding how malicious actors gain Remote Code Execution (RCE) or exfiltrate data requires a solid grasp of low-level networking tools. While standard tools like netcat are readily available, rewriting them from scratch is one of the best ways to master socket programming and threat concepts.

In this project, I built a custom Python implementation of Netcat (netcat.py). Using nothing but my Android device running Termux, I successfully bound the script to the local wildcard address (0.0.0.0), simulated an RCE payload execution, and remotely pushed a file to the system. Here is how the tool works and how I tested it in a mobile lab environment.
How the Script Works
Instead of breaking down the code line by line, let’s look at the architectural design of this tool.
The core of the netcat.py script relies on Python’s standard socket, threading, and subprocess modules. It is built as a multi-functional networking utility governed by command-line arguments handled via argparse. The tool operates in two fundamental modes:
Client Mode (send): Connects directly to a targeted remote IP and port to transmit a data buffer or initiate an interactive session. Server Mode (listen): Binds to a local interface (like 0.0.0.0 to listen on all available network interfaces) and waits for incoming connections. To keep the server responsive, each incoming client connection is offloaded to a separate worker thread
Once a connection is established in server mode, the script executes one of three core workflows based on user flags:

Command Execution (-e): Runs a specific system command via the host OS shell using subprocess and returns the output to the client.
File Upload (-u): Continuous packets are read directly from the socket stream and compiled into a file buffer, which is then written locally to the target's disk. Interactive Shell (-c): Spawns a lightweight loop acting as a remote command shell, passing received strings directly to the underlying terminal execution environment and feeding the results back across the socket.
The Android Lab Setup & Proof of Concept
Testing offensive scripts on an unrooted Android device provides a highly contained sandbox environment. Here is how I validated the application's core functionality.

  1. Simulating the Target Environment (Listener) First, I set up the script inside Termux to act as the target server. By binding it to 0.0.0.0, the script listens on all available interfaces, allowing connections locally or from the local network.

To simulate a scenario where we want to remotely drop a file onto the device, I initiated the listener with the upload flag:
python netcat.py -t 0.0.0.0 -p 5555 -l -u=dropped_file.txt

  1. Executing the Remote File Upload (Client) From a separate terminal instance (or a separate device on the same local network), I acted as the operator. By piping the contents of a local file into our custom client, the network socket cleanly transferred the data payload: echo "This file was transferred via custom Python Netcat!" | python netcat.py -t 127.0.0.1 -p 5555 Upon receiving the stream, the listener on the Android environment successfully terminated the connection, closed the buffer, and saved dropped_file.txt to the file system exactly as intended. Using the shell execution (-c or -e) flags, this same architecture effortlessly grants standard Remote Code Execution (RCE) to issue commands within the application's user permissions. Takeaways & Defensive Considerations Replicating these utilities reinforces a few crucial security paradigms:

Permissions Matter: Even without root access on Android, a userland environment like Termux can host network services capable of executing arbitrary commands within its application sandbox.
Ingress Monitoring: Security systems must heavily monitor internal networks for unexpected listeners binding to wildcard addresses (0.0.0.0).
Building tools like this completely reframes how you look at network protocols. If you are interested in trying this out or studying the implementation further, the full source code is available in my repository!
If you are interested in trying this out, the full source code is available in my GitHub Repository!

Top comments (0)