Break On
$nul=SetOption("WrapAtEOL","On")
$nul=SetOption("Explicit","On")
DIM $wksta,$Pass,$Index,$OSV,$OS,$KBFile,$KBpath,$KBBatPath,$KBBatFile
DIM $Win32Admin,$AdminAccount,$CheckAdmin,$grouptoadd1,$grouptoadd2,$group
$wksta = 'computer to run against'
$Pass = 'pass1','pass2','pass3','pass4' ; etc... array of known passwords
$Win32Admin = createobject("Win32Admin")
$AdminAccount = $Win32Admin.GetAdminAccount("$wksta");
$CheckAdmin = RemoteAdmin($wksta)
$KBBatPath='\\SERVER\SHARE\KB823980.bat'
; Contents of batch is:
; KB823980.exe /q /f
$KBBatFile='KB823980.bat'
SELECT
CASE $CheckAdmin
? 'You have admin rights on '+$wksta
$OSV = OSVer($wksta)
SELECT
CASE $OSV = '4.0'
$KBpath='\\SERVER\SHARE\Q823980i.EXE'
$KBFile='Q823980i.EXE'
CASE $OSV = '5.0'
$KBpath='\\SERVER\SHARE\Windows2000-KB823980-x86-ENU.exe'
$KBFile='Windows2000-KB823980-x86-ENU.exe'
CASE $OSV = '5.1'
$KBpath='\\SERVER\SHARE\WindowsXP-KB823980-x86-ENU.exe'
$KBFile='WindowsXP-KB823980-x86-ENU.exe'
CASE 1
EXIT @ERROR
ENDSELECT
USE P: '\\'+$wksta+'\Admin$$'
COPY $KBpath 'P:\SYSTEM32\KB823980.exe'
COPY $KBBatPath 'P:\SYSTEM32'
$grouptoadd1="Domain Admins"
$grouptoadd2="Desktop Support"
$group = getobject("WinNT://$wksta/administrators")
$group.add("WinNT://Domain/$grouptoadd1")
? 'Adding group '+$grouptoadd1+ 'error was: '+@error+' : '+@serror
$group.add("WinNT://Domain/$grouptoadd2")
? 'Adding group '+$grouptoadd2+ 'error was: '+@error+' : '+@serror
$group=0
RemoteExec($KBBatFile,$wksta)
? 'Remote Execute error was: '+@error+' : '+@serror
USE 'P:' /DEL
CASE NOT $CheckAdmin
Do
USE P: '\\'+$wksta+'\Admin$$' /user:$wksta+'\'+$AdminAccount /password:$Pass[$Index]
? 'Mapping with password "'+$Pass[$Index]+'" was: '+@ERROR+' - '+@SERROR
$Index = $Index + 1
Until @ERROR = 0 or $Index = Ubound($Pass)+1
IF @ERROR = 0
? 'You successfully mapped the Admin$ share as an admin - with password "'+$Pass[$Index-1]+'"'
$OSV = OSVer($wksta)
SELECT
CASE $OSV = '4.0'
$KBpath='\\SERVER\SHARE\Q823980i.EXE'
$KBFile='Q823980i.EXE'
CASE $OSV = '5.0'
$KBpath='\\SERVER\SHARE\Windows2000-KB823980-x86-ENU.exe'
$KBFile='Windows2000-KB823980-x86-ENU.exe'
CASE $OSV = '5.1'
$KBpath='\\SERVER\SHARE\WindowsXP-KB823980-x86-ENU.exe'
$KBFile='WindowsXP-KB823980-x86-ENU.exe'
CASE 1
EXIT @ERROR
ENDSELECT
COPY $KBpath 'P:\SYSTEM32\KB823980.exe'
COPY $KBBatPath 'P:\SYSTEM32'
$grouptoadd1="Domain Admins"
$grouptoadd2="Desktop Support"
$group = getobject("WinNT://$wksta/administrators")
$group.add("WinNT://Domain/$grouptoadd1")
? 'Adding group '+$grouptoadd1+ 'error was: '+@error+' : '+@serror
$group.add("WinNT://Domain/$grouptoadd2")
? 'Adding group '+$grouptoadd2+ 'error was: '+@error+' : '+@serror
$group=0
RemoteExec($KBBatFile,$wksta)
? 'Remote Execute error was: '+@error+' : '+@serror
USE 'P:' /DEL
Else
? 'Tried all known passwords - Unable to map as an Administrator'
EndIf
CASE 1
ENDSELECT
$Win32Admin = 0
EXIT @ERROR
Function RemoteAdmin($wksta)
dim $dir,$err
$dir=dir('\\'+$wksta+'\admin$$')
$err=@error
$RemoteAdmin=iif(not $err,1,0)
exit $err
endfunction
Function OSVer(Optional $wksta)
If $wksta = ""
$OSVer = @DOS
Exit @ERROR
Else
If Left($wksta,2) <> "\\" $wksta = "\\" + $wksta EndIf
If Right($wksta,1) <> "\" $wksta = $wksta + "\" EndIf
$OSVer = ReadValue($wksta + "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion", "CurrentVersion")
Exit @ERROR
EndIf
EndFunction
FUNCTION RemoteExec($command, optional $computer)
dim $Connect, $Process
if not $computer $computer='.' endif
if instr($computer,'\')
$computer=substr($computer,instrrev($computer,'\')+1)
endif
$Connect = GetObject('winmgmts:{impersonationLevel=impersonate}!\\'+$computer+'/root/cimv2:Win32_Process')
$Process = $Connect.Create($Command)
? 'Processed the remote command '+@error+' : '+@serror
exit @error
ENDFUNCTION
|
