Sweetening

rce_example.ps

Sep 9th, 2024
  1. # URL to check
  2. $url = "http://example.com"
  3.  
  4. # Made By Taylor Christian Newsome Remove This Line
  5.  
  6. # Path to your Chrome executable (update as needed)
  7. $chromePath = "C:\Program Files\Google\Chrome\Application\chrome.exe"
  8.  
  9. # Define a port for remote debugging
  10. $remoteDebuggingPort = 9222
  11.  
  12. # Download WebSocket4Net if not already installed
  13. $nugetUrl = "https://www.nuget.org/api/v2/package/WebSocket4Net/0.15.0"
  14. $webSocketLibPath = "$env:TEMP\WebSocket4Net"
  15.  
  16. if (-not (Test-Path $webSocketLibPath)) {
  17.     Write-Host "Downloading WebSocket4Net..."
  18.     Invoke-WebRequest -Uri $nugetUrl -OutFile "$env:TEMP\WebSocket4Net.zip"
  19.  
  20.     # Extract the DLL from the NuGet package
  21.     Add-Type -AssemblyName "System.IO.Compression.FileSystem"
  22.     [System.IO.Compression.ZipFile]::ExtractToDirectory("$env:TEMP\WebSocket4Net.zip", $webSocketLibPath)
  23. }
  24.  
  25. # Locate all DLLs inside the extracted WebSocket4Net directory
  26. $dllFiles = Get-ChildItem "$webSocketLibPath" -Recurse -Filter "*.dll"
  27.  
  28. # Load each DLL using reflection
  29. foreach ($dll in $dllFiles) {
  30.     try {
  31.         [System.Reflection.Assembly]::LoadFile($dll.FullName) | Out-Null
  32.         Write-Host "Loaded: $($dll.Name)"
  33.     } catch {
  34.         Write-Host "Failed to load: $($dll.FullName)"
  35.     }
  36. }
  37.  
  38. # Launch Chrome with remote debugging enabled
  39. Start-Process -FilePath $chromePath -ArgumentList "--new-window", "--incognito", "--remote-debugging-port=$remoteDebuggingPort", $url
  40.  
  41. # Wait for Chrome to start and load the page
  42. Start-Sleep -Seconds 10
  43.  
  44. # Prompt for JavaScript code to execute remotely
  45. $javascriptCode = Read-Host -Prompt "Enter the JavaScript code to execute remotely"
  46.  
  47. # Try to connect to Chrome DevTools Protocol
  48. try {
  49.     # Get the DevTools endpoint
  50.     $chromeEndpoint = Invoke-RestMethod -Uri "http://localhost:$remoteDebuggingPort/json" | Where-Object { $_.url -like "*$url*" }
  51.  
  52.     if ($chromeEndpoint) {
  53.         $webSocketDebuggerUrl = $chromeEndpoint.webSocketDebuggerUrl
  54.  
  55.         # Create a WebSocket connection
  56.         $ws = New-Object WebSocket4Net.WebSocket($webSocketDebuggerUrl)
  57.  
  58.         # Event handler for receiving messages
  59.         $receivedMessage = $null
  60.         $ws.OnMessage += {
  61.             param ($sender, $e)
  62.             $receivedMessage = $e.Message
  63.         }
  64.  
  65.         # Open the WebSocket connection
  66.         $ws.Open()
  67.         Start-Sleep -Seconds 5  # Allow time for the connection to be established
  68.  
  69.         # Prepare the command to evaluate the custom JavaScript
  70.         $jsonCommand = @{
  71.             "id" = 1;
  72.             "method" = "Runtime.evaluate";
  73.             "params" = @{
  74.                 "expression" = $javascriptCode;
  75.                 "returnByValue" = $true  # Ensure return values are included
  76.             }
  77.         } | ConvertTo-Json
  78.  
  79.         # Send the command to evaluate the custom JavaScript
  80.         $ws.Send($jsonCommand)
  81.         Start-Sleep -Seconds 5  # Allow time to receive the response
  82.  
  83.         # Close the WebSocket connection
  84.         $ws.Close()
  85.  
  86.         # Process the response
  87.         if ($receivedMessage) {
  88.             $response = $receivedMessage | ConvertFrom-Json
  89.             if ($response.result) {
  90.                 $resultValue = $response.result.value
  91.                 Write-Host "Execution Result: $resultValue"
  92.             } else {
  93.                 Write-Host "No result or error in execution."
  94.             }
  95.         } else {
  96.             Write-Host "No response received from Chrome."
  97.         }
  98.     } else {
  99.         Write-Host "Chrome process for the specified URL not found."
  100.     }
  101. } catch {
  102.     Write-Host "Error: Could not connect to Chrome's DevTools Protocol."
  103. }
  104.  