InsomniaShell is a tool for use during penetration tests, when you have ability to upload or create an arbitrary .aspx page. This .aspx page is an example of using native calls through pinvoke to provide either an ASP.NET reverse shell or a bind shell.

InsomniaShell – ASP.NET Reverse Shell Or Bind Shell

If the provider page is running on a server with a local SQL Server instance, the shell includes functionality for a named pipe impersonation attack. This requires knowledge of the sa password, and results in the theft of the token that the SQL server is executing under.

Devel is an easy level machine based on Windows, the initial approach is focused on FTP server that allow us to upload an ASP webshell. The privilege escalation stage is pretty easy with a few metasploit modules to help us.

This method, different from the metasploit, consists of a different ASPX webshell to get the reverse shell.The webshell that will be used is located at /usr/share/webshells/aspx/cmdasp.aspx and will be uploaded through FTP:

In this method the whole process is manual, without any metasploit help.To begin with, we need to download a modified version of the exploit based on the vulnerability MS11-046 that I made. I removed a small section from the original code and added a Powershell payload to our reverse shell connection:

After that we set up the netcat on listening mode, on the first reverse shell session that we got from manual ASPX webshell the compiled exploit will be executed, resulting in a second reverse shell with NT AUTHORITY\SYSTEM privileges :)

\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n"condition:1 of them}rule webshell_asp_cmd meta:description = "Web Shell - file cmd.asp"author = "Florian Roth"date = "2014/01/28"score = 70hash = "895ca846858c315a3ff8daa7c55b3119"strings:$s0 = "" fullword$s1 = "Set oFileSys = Server.CreateObject(\"Scripting.FileSystemObject\")" fullword$s3 = "Call oScript.Run (\"cmd.exe /c \" & szCMD & \" > \" & szTempFile, 0, True)" fullwordcondition:1 of themrule webshell_php_sh_server meta:description = "Web Shell - file server.php"author = "Florian Roth"date = "2014/01/28"score = 50hash = "d87b019e74064aa90e2bb143e5e16cfa"strings:$s0 = "eval(getenv('HTTP_CODE'));" fullwordcondition:all of themrule webshell_PH_Vayv_PH_Vayv meta:description = "Web Shell - file PH Vayv.php"author = "Florian Roth"date = "2014/01/28"score = 70hash = "35fb37f3c806718545d97c6559abd262"strings:$s0 = "style=\"BACKGROUND-COLOR: #eae9e9; BORDER-BOTTOM: #000000 1px in"$s4 = "SHOPEN

This Is The Server Information"$s20 = "ob_end_clean();" fullwordcondition:3 of themrule WebShell_php_webshells_MyShell meta:description = "PHP Webshells Github Archive - file MyShell.php"author = "Florian Roth"hash = "42e283c594c4d061f80a18f5ade0717d3fb2f76d"strings:$s3 = "MyShell error - Access Denied" fullword$s4 = "$adminEmail = \"youremail@yourserver.com\";" fullword$s5 = "//A workdir has been asked for - we chdir to that dir." fullword$s6 = "system($command . \" 1> /tmp/output.txt 2>&1; cat /tmp/output.txt; rm /tmp/o"$s13 = "#$autoErrorTrap Enable automatic error traping if command returns error." fullword$s14 = "/* No work_dir - we chdir to $DOCUMENT_ROOT */" fullword$s19 = "#every command you excecute." fullword$s20 = "" fullwordcondition:3 of themrule WebShell_php_webshells_pws {meta:description = "PHP Webshells Github Archive - file pws.php"author = "Florian Roth"hash = "7a405f1c179a84ff8ac09a42177a2bcd8a1a481b"strings:$s6 = "if ($_POST['cmd']){" fullword$s7 = "$cmd = $_POST['cmd'];" fullword$s10 = "echo \"FILE UPLOADED TO $dez\";" fullword$s11 = "if (file_exists($uploaded)) " fullword$s12 = "copy($uploaded, $dez);" fullword$s17 = "passthru($cmd);" fullwordcondition:4 of themrule WebShell_reader_asp_php {meta:description = "PHP Webshells Github Archive - file reader.asp.php.txt"author = "Florian Roth"hash = "70656f3495e2b3ad391a77d5208eec0fb9e2d931"strings:$s5 = "ster\" name=submit> \" METHOD=GET >execute command: 2ff7e9595c