Comments (10)
Sorry, I am a bit confused. The Excel loader doesn't create a binary. Are you referring to the xll loader not working, or that you get a pop-up message that prevents execution?
from scarecrow.
Sorry for the confusion.
I used ScareCrow like:
./ScareCrow -I msf.bin -Loader excel -domain google.com -O abc.js
On the target where Excel is installed, I executed the abc.js file like:
cscript abc.js
This opens Excel with a dialogue saying the extension is unsafe and asking if I want to continue. When I click yes, Excel tries to load an xll file from
C:\Users\%USERNAME%\AppData\Local\Temp
At this stage, the initial shellcode I wanted to execute did not execute.
So I tried to copy the xll file (created by abc.js in AppData\Local\Temp) and to execute this specific xll file in a different way, via the techniques described in:
https://gist.github.com/ryhanson/227229866af52e2d963cf941af135a52
But none of the techniques were successful at executing the xll created by abc.js.
The payloads used to generate shellcode were all stageless.
So, I assume the xll file creation of ScareCrow is not working properly?
Or maybe I am missing something here?
from scarecrow.
What version of golang are you using?
from scarecrow.
I've tested with Office 365. Can you provide an image of the error message?
from scarecrow.
Sure, sorry for the long response time.
The Linux I used ScareCrow on:
Linux kali 5.10.0-kali3-amd64 #1 SMP Debian 5.10.13-1kali1 (2021-02-08) x86_64 GNU/Linux
Used golang version:
go version go1.15.8 linux/amd64
I have tested on an Office ISO installation (licensed), but not O365:
Office Professional Plus 2019
Version 2102
Screenshot of the error message after executing abc.js via cscript:
After clicking "yes" on the above error, Excel opens like this:
It is notable that the xll got created under temp:
After copying the created xll from temp to Desktop and trying to execute it via PowerShell, it won't work either:
from scarecrow.
I am unable to recreate this issue unless this is something specific to Office 2019. I am in the process of getting a copy to test on to rule it out. However, the above PowerShell leads me to believe that your DLL/XLL actually has the issue in it. Given the corrupt message from Excel, I wonder if it has to do with your bind shell? Have you tried a reverse shell?
from scarecrow.
Is the default version of Office running as a 64-bit process or a 32-bit process?
from scarecrow.
That is a good question.
Any idea how I can find that out in my VM I am testing this on?
from scarecrow.
You were perfectly right!!
Looked at my Excel install at the about section.
I run a 32-bit Excel in my VM and I had not noticed it or known about it.
Thought Excel would be 64-bit by default.
Thank you very much for your great support on this topic and the tool and excuse this time taker.
Feel free to close this one.
from scarecrow.
No problem, I am glad I was able to figure this out. I know that the Office 365 version comes as 64-bit by default; other versions, such as Office Professional Plus 2019, I believe have the ability to install 64-bit, but the default is 32-bit. Take care.
from scarecrow.