How does an attacker send the search request to access internal file shares via Exchange ActiveSync?

The attacker sends an HTTP POST request to the EAS endpoint with a `Cmd=Search` parameter and a WBXML (WAP Binary XML) body. The WBXML encodes an XML document that specifies the UNC path to query (e.g., `\\myserver\myshare`). The tool PEAS handles the WBXML conversion automatically, but understanding the protocol—as detailed in the article on Application Techniques of Troubleshooting Platform in Penetration Testing—is crucial for custom exploit development.