two06/PyCel.py

## PyCel.py
#!/usr/bin/python3
import requests
import sys
import uuid
from requests.packages.urllib3.exceptions import InsecureRequestWarning

#Disable annoying warnings about using burp proxy.
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)

http_proxy  = "http://127.0.0.1:8080"
https_proxy = "http://127.0.0.1:8080"

proxies = {
              "http"  : http_proxy,
              "https" : https_proxy
            }

bearer_token = "Bearer <REDACTED>"
session_id = str(uuid.uuid4())
correlation_ID = str(uuid.uuid4())

headers = {
    "Connection": "Keep-Alive",
    "Content-Type": "application/json",
    "Authorization": bearer_token,
    "User-Agent": "Microsoft Office/16.0 (Windows NT 10.0; Microsoft Excel 16.0.16818; Pro)",
    "SessionId": session_id,
    "X-Correlation-ID": correlation_ID
  }

headersFileSend = {
    "Connection": "Keep-Alive",
    "Authorization": bearer_token,
    "User-Agent": "Microsoft Office/16.0 (Windows NT 10.0; Microsoft Excel 16.0.16818; Pro)",
    "SessionId": session_id,
    "X-Correlation-ID": correlation_ID
  }

def send_initial_request():
    url = "https://service-preview.officepy.microsoftusercontent.com/"

    response = requests.post(url, headers=headers, proxies=proxies, verify=False)
    if response.status_code == 201:
        try:
            jsonResponse = response.json()
            return jsonResponse["url"]
        except Exception as err:
            print(f"[!] Exception occured: {err}")
            return
    else:
        print("[!] Error status code: " + str(response.status_code) )

def send_stage_2_request(url):
    json_data = {"zone":0,"zoneId":""+ str(uuid.uuid4()) +"","definitionId":"00000000-0000-0000-0000-000000000000","connectionId":""+str(uuid.uuid4())+""}

    rUrl = url + "/api/environments"

    response = requests.post(rUrl, headers=headers, json=json_data, allow_redirects=False, proxies=proxies, verify=False)
    if response.status_code == 201:
        try:
            jsonResponse = response.json()
            return jsonResponse["id"]
        except Exception as err:
            print(f"[!] Exception occured: {err}")
            return
    else:
        print("[!] Error status code: " + str(response.status_code) )

def send_stage_3_request(url, id):
    rUrl = url + "/proxy/api/environments/" + str(id) + "/runtimes"
    response = requests.post(rUrl, headers=headers, allow_redirects=False, proxies=proxies, verify=False)

    if response.status_code == 201:
        try:
            jsonResponse = response.json()
            return jsonResponse["id"]
        except Exception as err:
            print(f"[!] Exception occured: {err}")
            return
    else:
        print("[!] Error status code: " + str(response.status_code) )

def send_setup_code_request(url, environmentID, runtimeID):
    rUrl = url + "/proxy/api/environments/" + environmentID + "/runtimes/" + runtimeID + "/execute2?flags=0"

    fileName = "code.txt"

    fileContent = """
for __var__ in list(globals().keys()):
    if not __var__.startswith('__') and not __var__.startswith('_'):
	    del globals()[__var__]
    del __var__
    import numpy as np
    import pandas as pd
    import matplotlib.pyplot as plt
    import seaborn as sns
    import statsmodels as sm
    import excel
    import warnings
    warnings.simplefilter('ignore')
    from excel import client_timezone, client_locale
    excel.set_xl_scalar_conversion(excel.convert_to_scalar)
    excel.set_xl_array_conversion(excel.convert_to_dataframe)
"""

    files = {'code': ('code.txt', fileContent)}
    #do multipart post here
    response = requests.post(rUrl, headers=headersFileSend, files=files, proxies=proxies, verify=False)

    if response.status_code == 200:
        return True
    else:
        print("[!] Error status code: " + str(response.status_code) )
        return False

def run_code(url, environmentID, runtimeID, code, data, precode):
    rUrl = url + "/proxy/api/environments/" + environmentID + "/runtimes/" + runtimeID + "/executelongoperation2?flags=2&timeout=30"

    dataFileName = "data.json"
    precodeFileName = "precode.txt"
    codeFileName = "code.txt"

    files = {
        'data': ('data.json', data),
        'precode': ('precode.txt', precode),
        'code': ('code.txt', code)
        }
    #do multipart post here
    response = requests.post(rUrl, headers=headersFileSend, files=files, proxies=proxies, verify=False)

    if response.status_code == 200:
        return response.content
    else:
        print("[!] Error status code: " + str(response.status_code) )
        return ""


if __name__ == "__main__":
    print("PyCel - Excel Python interface by @two06")
    print("")
    print("[+] Making initial request...")
    url = send_initial_request()
    print("[+] Fetching environmentID ...")
    environmentID = send_stage_2_request(url)
    print("[+] Fetching resource ID...")
    id = send_stage_3_request(url, environmentID)
    #send our intitial setup file
    print("[+] Performing setup request...")
    res = send_setup_code_request(url, environmentID, id)
    if res == False:
        print("[!] sending setup file data")
        sys.exit()

    #send our code to run
    data = '{"B1":"foobar"}'
    precode = """
from excel import xl_ref as xl
import excel
_ref_context = excel.get_ref_context()
_ref_context.clear()
_ref_context["B1"] = excel.get_ref_context_data("B1")
    """
    code = """
X = 1
Y = 2
print(xl("B1"))
X + Y
    """
    print("[*] Running code...")
    res = run_code(url, environmentID, id, code, data, precode)
    print(res)
	#!/usr/bin/python3
	import requests
	import sys
	import uuid
	from requests.packages.urllib3.exceptions import InsecureRequestWarning

	#Disable annoying warnings about using burp proxy.
	requests.packages.urllib3.disable_warnings(InsecureRequestWarning)

	http_proxy = "http://127.0.0.1:8080"
	https_proxy = "http://127.0.0.1:8080"

	proxies = {
	"http" : http_proxy,
	"https" : https_proxy
	}

	bearer_token = "Bearer <REDACTED>"
	session_id = str(uuid.uuid4())
	correlation_ID = str(uuid.uuid4())

	headers = {
	"Connection": "Keep-Alive",
	"Content-Type": "application/json",
	"Authorization": bearer_token,
	"User-Agent": "Microsoft Office/16.0 (Windows NT 10.0; Microsoft Excel 16.0.16818; Pro)",
	"SessionId": session_id,
	"X-Correlation-ID": correlation_ID
	}

	headersFileSend = {
	"Connection": "Keep-Alive",
	"Authorization": bearer_token,
	"User-Agent": "Microsoft Office/16.0 (Windows NT 10.0; Microsoft Excel 16.0.16818; Pro)",
	"SessionId": session_id,
	"X-Correlation-ID": correlation_ID
	}

	def send_initial_request():
	url = "https://service-preview.officepy.microsoftusercontent.com/"

	response = requests.post(url, headers=headers, proxies=proxies, verify=False)
	if response.status_code == 201:
	try:
	jsonResponse = response.json()
	return jsonResponse["url"]
	except Exception as err:
	print(f"[!] Exception occured: {err}")
	return
	else:
	print("[!] Error status code: " + str(response.status_code) )

	def send_stage_2_request(url):
	json_data = {"zone":0,"zoneId":""+ str(uuid.uuid4()) +"","definitionId":"00000000-0000-0000-0000-000000000000","connectionId":""+str(uuid.uuid4())+""}

	rUrl = url + "/api/environments"

	response = requests.post(rUrl, headers=headers, json=json_data, allow_redirects=False, proxies=proxies, verify=False)
	if response.status_code == 201:
	try:
	jsonResponse = response.json()
	return jsonResponse["id"]
	except Exception as err:
	print(f"[!] Exception occured: {err}")
	return
	else:
	print("[!] Error status code: " + str(response.status_code) )

	def send_stage_3_request(url, id):
	rUrl = url + "/proxy/api/environments/" + str(id) + "/runtimes"
	response = requests.post(rUrl, headers=headers, allow_redirects=False, proxies=proxies, verify=False)

	if response.status_code == 201:
	try:
	jsonResponse = response.json()
	return jsonResponse["id"]
	except Exception as err:
	print(f"[!] Exception occured: {err}")
	return
	else:
	print("[!] Error status code: " + str(response.status_code) )

	def send_setup_code_request(url, environmentID, runtimeID):
	rUrl = url + "/proxy/api/environments/" + environmentID + "/runtimes/" + runtimeID + "/execute2?flags=0"

	fileName = "code.txt"

	fileContent = """
	for __var__ in list(globals().keys()):
	if not __var__.startswith('__') and not __var__.startswith('_'):
	del globals()[__var__]
	del __var__
	import numpy as np
	import pandas as pd
	import matplotlib.pyplot as plt
	import seaborn as sns
	import statsmodels as sm
	import excel
	import warnings
	warnings.simplefilter('ignore')
	from excel import client_timezone, client_locale
	excel.set_xl_scalar_conversion(excel.convert_to_scalar)
	excel.set_xl_array_conversion(excel.convert_to_dataframe)
	"""

	files = {'code': ('code.txt', fileContent)}
	#do multipart post here
	response = requests.post(rUrl, headers=headersFileSend, files=files, proxies=proxies, verify=False)

	if response.status_code == 200:
	return True
	else:
	print("[!] Error status code: " + str(response.status_code) )
	return False

	def run_code(url, environmentID, runtimeID, code, data, precode):
	rUrl = url + "/proxy/api/environments/" + environmentID + "/runtimes/" + runtimeID + "/executelongoperation2?flags=2&timeout=30"

	dataFileName = "data.json"
	precodeFileName = "precode.txt"
	codeFileName = "code.txt"

	files = {
	'data': ('data.json', data),
	'precode': ('precode.txt', precode),
	'code': ('code.txt', code)
	}
	#do multipart post here
	response = requests.post(rUrl, headers=headersFileSend, files=files, proxies=proxies, verify=False)

	if response.status_code == 200:
	return response.content
	else:
	print("[!] Error status code: " + str(response.status_code) )
	return ""


	if __name__ == "__main__":
	print("PyCel - Excel Python interface by @two06")
	print("")
	print("[+] Making initial request...")
	url = send_initial_request()
	print("[+] Fetching environmentID ...")
	environmentID = send_stage_2_request(url)
	print("[+] Fetching resource ID...")
	id = send_stage_3_request(url, environmentID)
	#send our intitial setup file
	print("[+] Performing setup request...")
	res = send_setup_code_request(url, environmentID, id)
	if res == False:
	print("[!] sending setup file data")
	sys.exit()

	#send our code to run
	data = '{"B1":"foobar"}'
	precode = """
	from excel import xl_ref as xl
	import excel
	_ref_context = excel.get_ref_context()
	_ref_context.clear()
	_ref_context["B1"] = excel.get_ref_context_data("B1")
	"""
	code = """
	X = 1
	Y = 2
	print(xl("B1"))
	X + Y
	"""
	print("[*] Running code...")
	res = run_code(url, environmentID, id, code, data, precode)
	print(res)