PolyShell: a polyglot suitable for Bash, Batch, and PowerShell

PolyShell: a polyglot suitable for Bash, Batch, and PowerShell

Tool introduction

PolyShell is a powerful polyglot script, which can be applied to Bash, Windows Bash and PowerShell at the same time.

This feature makes PolyShell a very useful template in penetration testing, because it can be executed in most target systems without the need for a target-specific payload. In addition, PolyShell can also use devices like USB Rubby Ducky and MalDuino to pass and send through input injection.

Tool download

Researchers can use the following commands to clone the source code of the project to the local:

git clone https://github.com/llamasoft/polyshell.git

how to use

Use as a stand-alone script:

1. Copy/rename the script and configure the correct file extension, such as .sh, .bat or .ps1; 2. Run the script as a batch file or PowerShell file;

Use the script using command injection:

1. Open a terminal window on the target device; 2. Run Payload; 3. Press Ctrl-C, and then run the "exit" command;

There are some differences between using the script in the way of output injection and direct execution of the script. When running as a separate script, once a language has been processed, the payload will immediately exit execution. If it is run by input injection, Payload will run in a read loop. If it is not run in a loop, Payload will close the current terminal window and continue to enter and execute in an unknown window. The key combination Ctrl-C can make the script exit the reading loop and ensure that no accidents will occur during the execution.

In addition, if you paste the script code directly into the terminal to run it, it may fail to run. When the script reaches the reading loop, some terminals will treat the remaining pasted text as the input data of the reading loop, which is very good, but some terminals may continue to execute when the reading loop exits Script, this is inappropriate.

Script working mechanism

When we try to run a command in the specified code language, the tool will try to parse the command. The analysis factors include parameter references, redirections, comments, and so on. You can refer to the following line of code:

echo/" <<'BATCH_SCRIPT' >/dev/null ">NUL "\"/`" <#"

Each language can recognize the echo command, but different languages ​​will parse subsequent commands in different ways. For example:

echo/" <<'BATCH_SCRIPT' >/dev/null ">NUL "\"/`" <#"Bash [-----] [---]Batch [---------- -------------------] [-] [---]PS [-------------------- ---------] [-]

Tool running screenshot

project address

PolyShell: https://github.com/llamasoft/polyshell

*Reference source: llamasoft , compiled by FB editor Alpha_h4ck, please indicate that it is from FreeBuf.COM

Reference: https://cloud.tencent.com/developer/article/1613642 PolyShell: a polyglot suitable for Bash, Batch, and PowerShell-Cloud + Community-Tencent Cloud