cedowens / EvilOSX_MacroGenerator

Python3 script to generate Office macros for the EvilOSX framework. Author: Cedric Owens
BSD 3-Clause "New" or "Revised" License

Launched Encrypted Payload, but no connection #1

Open YulkyTulky opened 4 years ago

YulkyTulky commented 4 years ago

I installed the macro into a document, setup an EvilOSX listener, and opened the document (with macros enabled ofc). I was instantly notified by the listener that it launched a new encrypted payload, but the bot counter remained at 0. I have not been able to remedy this issue.

cedowens commented 4 years ago

Thanks for reporting. I did some re-testing by generating EvilOSX payloads a couple different ways and then trying the macros. I saw the exact same behavior you saw when using the EvilOSX GUI to generate a payload (i.e., python start.py and then generate the payload from that GUI). However, when I generate a payload using the "python start.py --builder" EvilOSX command the callback works fine and I can interact with the callback. Which method are you using for payload generation?

YulkyTulky commented 4 years ago

That's really odd because I'm using the command-line interface for payload generation. Also, wouldn't the payload file be the exact same regardless of whether it was generated by the CLI or GUI?

cedowens commented 4 years ago

Yeah, I think EvilOSX itself might have a glitch in how the GUI generates the payload versus the CLI generation...I even tried just running the python scripts from each manually, and the one from the GUI errored out while the CLI-generated payload worked.

YulkyTulky commented 4 years ago

Still weird that the CLI build is not working for me. I'll try it again and get back to you.

YulkyTulky commented 4 years ago

UPDATE: I've now tested the macro generator on a freshly made EvilOSX payload (through CLI), using base64, hex, and Mac firewall on/off. Nothing worked. Each time, EvilOSX notified me that it created a new encrypted payload, yet no bot connected and nothing was installed on the victim machine.

cedowens commented 4 years ago

Strange...I am not able to reproduce this behavior when generating the payload via CLI. I will have some colleagues independently try to follow the steps and see if they encounter the same problem you are seeing. If so, I will update here.

Spl01ter commented 3 years ago

You might have to make the payload executable.

IC3-CR3AM commented 3 years ago

I got the same problem. Actually, I found the macro will generate a payload in ~/Library/Containers/com.microsoft.Word/Data/Library/Containers/.