This script is designed to download & execute a `MAS_AIO.cmd` file, which is part of the Microsoft Activation Scripts project. MAS is used to activate Microsoft products through unofficial methods.
1. TLS 1.2 Compatibility
- `[Net.ServicePointManager]::SecurityProtocol=[Net.SecurityProtocolType]::Tls12`
- This line sets the session to use TLS 1.2 for its HTTPS connections, so the download also works on older systems whose default protocol settings do not include TLS 1.2.
2. Download URLs
- The script defines two URLs (`$DownloadURL1` and `$DownloadURL2`) from which to download the `MAS_AIO.cmd` file. One from GitHub and one from Bitbucket, providing redundancy.
3. Random URL Selection
- `$RandomURL1 = Get-Random -InputObject $URLs`
- `$RandomURL2 = $URLs -ne $RandomURL1`
- The script randomly selects one URL to download the script. If the download fails from the first URL, it attempts to download from the second.
4. Error Handling
- The `try-catch` block handles potential download errors. If `Invoke-WebRequest` fails for the first URL, it tries the second URL.
5. File Path Determination
- `$isAdmin = [bool]([Security.Principal.WindowsIdentity]::GetCurrent().Groups -match 'S-1-5-32-544')`
- `$FilePath = if ($isAdmin) { "$env:SystemRoot\Temp\MAS_$rand.cmd" } else { "$env:TEMP\MAS_$rand.cmd" }`
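- The script checks whether the current user has administrative privileges by looking for the built-in Administrators group SID (`S-1-5-32-544`) among the groups of the current identity. If it is present, the downloaded script is saved to the `C:\Windows\Temp` directory; otherwise, it is saved to the user's temporary directory (`$env:TEMP`).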
6. Script Execution
- `Start-Process $FilePath $ScriptArgs -Wait`
- This line executes the downloaded `MAS_AIO.cmd` script.
- The `-Wait` parameter ensures the script waits for `MAS_AIO.cmd` to finish before proceeding.
7. Cleanup
- `$FilePaths = @("$env:TEMP\MAS*.cmd", "$env:SystemRoot\Temp\MAS*.cmd")`
- `foreach ($FilePath in $FilePaths) { Get-Item $FilePath | Remove-Item }`
- The script cleans up temporary files created during the process, deleting any `MAS*.cmd` files from both the user's temp directory and the system's temp directory.

Security Analysis
1. Risk of Downloading from Untrusted Sources
- The script downloads and executes a `.cmd` file from a remote source, which poses a risk if the source is compromised or malicious.
- While the script uses HTTPS, it's crucial to trust the integrity of `massgrave.dev` and the linked raw content on GitHub/Bitbucket.
2. Execution of Arbitrary Code
- By downloading and executing a `.cmd` file, the script is essentially running arbitrary code on the system, which could be harmful if the downloaded script is malicious.
3. Administrative Privileges
- The script checks for administrative privileges and saves the downloaded file to a different location based on these privileges.
- Running `.cmd` scripts with administrative privileges can lead to system-wide changes, making it critical to trust the source.
4. No Integrity Check
- The script does not perform any integrity checks (e.g., hashing) on the downloaded `.cmd` file to ensure it hasn't been tampered with during transit.
5. Reliance on External Resources
- The script depends on external resources (GitHub, Bitbucket) which can be subject to downtime or tampering.
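
The integrity check that item 4 says is missing could look like the following. This is an added example, not code from the analysed script or from the MAS project: the function name `Invoke-VerifiedDownload` and its parameters are hypothetical, and the URLs and SHA-256 value passed to it are placeholders the caller must obtain from a channel they trust.

```powershell
# Added example: refuse to run a downloaded file unless it matches a pinned SHA-256.
# Invoke-VerifiedDownload, $Url and $ExpectedSha256 are hypothetical names/placeholders.
function Invoke-VerifiedDownload {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string[]]$Url,   # mirrors, tried in order
        [Parameter(Mandatory)][ValidatePattern('^[0-9A-Fa-f]{64}$')][string]$ExpectedSha256,
        [string[]]$ScriptArgs = @()
    )

    [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

    # Unpredictable file name in the per-user temp directory
    $path = Join-Path $env:TEMP ("dl_{0}.cmd" -f [Guid]::NewGuid().ToString('N'))

    try {
        $downloaded = $false
        foreach ($u in $Url) {
            try {
                Invoke-WebRequest -Uri $u -OutFile $path -UseBasicParsing -ErrorAction Stop
                $downloaded = $true
                break
            } catch {
                Write-Warning "Download failed from ${u}: $($_.Exception.Message)"
            }
        }
        if (-not $downloaded) { throw 'All download sources failed.' }

        # Compare against the pinned value before anything is executed.
        # -ne on strings is case-insensitive, so hex case does not matter.
        $actual = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        if ($actual -ne $ExpectedSha256) {
            throw "Hash mismatch: expected $ExpectedSha256, got $actual. File not executed."
        }

        # Start-Process rejects an empty -ArgumentList, so only pass it when set
        if ($ScriptArgs.Count -gt 0) {
            Start-Process -FilePath $path -ArgumentList $ScriptArgs -Wait
        } else {
            Start-Process -FilePath $path -Wait
        }
    }
    finally {
        # Remove only the file this run created, not a wildcard match
        if (Test-Path -LiteralPath $path) { Remove-Item -LiteralPath $path -Force }
    }
}
```

A pinned hash only helps if it comes from somewhere other than the download mirrors themselves; a hash published next to the file on the same host changes together with a tampered file.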