Closed ankushgoel27 closed 8 years ago
Thanks for opening issues & posting screenshots. It goes a long way.
At this point, there's a few things I need to know as this just doesn't seem to be working at all for you:
1) What version of Windows are you running this on?
2) 32 or 64 bit?
3) What version of Excel are you using?
4) Are you running in a 32 or 64bit powershell process?
5) You said in another issue that you upgraded to Powershell v5. What version did you upgrade from? Did you install WMF4 before WMF5?
6) Can you try running from an administrative prompt? That error code could indicate access denied on setting a registry key.
Sorry for all the questions; you just seem to be having a really hard time getting this to work and I'm searching for clues.
Hi,
I am running Windows 7 Professional SP1 64bit. I am using Excel 2010. I didn't install WMF4 before WMF5. I tried running from an admin prompt but the error code still persists. No worries. I want your tool to work flawlessly :)
Hi @curi0usJack This seems to be the same error I was having earlier. I was running 64 admin powershell with Unrestricted Policies on Windows 10 64bit.
Although he has some more errors than me, the first one about wdAlertsNone is exactly the same.
@ankushgoel27 also try installing it with this: iex (new-object net.webclient).downloadstring('https://raw.githubusercontent.com/Shellntel/luckystrike/master/install.ps1')
You may have to: Set-ExecutionPolicy -ExecutionPolicy Unrestricted
@ankushgoel27 @c0mrad - Curious, are either of you running as an administrative user, or just in an administrative prompt? I'm seeing some articles online that are suggesting a permissions issue. If you haven't already, try running as a user with admin rights.
fyi - just tested - this is what the installation routine looks like for me. I'm running as a lowpriv user but in an administrative prompt. Win7 64bit.
I did set the execution policy to unrestricted. I am running as a local admin in an admin prompt. My machine is Win7 64 bit with 64 bit powershell running Excel 2013. The routine doesn't look like yours.
Did you remove PsGet? What happens when you run "Get-Help Install-Module"?
fyi - http://superuser.com/questions/996417/what-is-install-module-command-in-powershell
So I think the issue is with the Install-Module cmdlet. This cmdlet is not present in my powershell if I remove the PsGet module. I am researching to fix it.
v1.1.2 pushed. Will auto Import-Module on execution.
Just tested & confirmed that 1.1.2 works with a low priv account (all the way through generating a new xls). For reference, I'm testing with Excel 2013 (64bit)
So I reinstalled powershell and the Install-Module is now present. I reinstalled the luckystrike script. It got installed flawlessly but I am getting the same error as above in the image when I try to create a new xls sheet.
Still smacks of a permissions issue to me. Can you comment out the following lines please & try again (1117-1119):
$Excel01.DisplayAlerts = $false
$Excel01.DisplayAlerts = "wdAlertsNone"
$Excel01.Visible = $false
actually - hang on. Just comment out $Excel01.DisplayAlerts = "wdAlertsNone".
Working fine now, thank you guys for this amazing project. Hack the planet.
I really appreciate you helping me install this. I did what you asked but I still get the error. Later on, I am going to try a different Windows machine to see if it could be an issue with my current machine.
Thanks a lot
I installed using the method found here http://www.shellntel.com/blog/2016/9/13/luckystrike-a-database-backed-evil-macro-generator as well as the one posted above in this issue. I am able to get Lucky Strike to run, but when I try to generate the macro code xls file I run into the two exceptions below.
I was doing some testing and it looks like on line 1114 it attempts to set the $Excel01.DisplayAlerts = "wdAlertsNone".
It looks like the Excel Application Com Object DisplayAlerts property only accepts a boolean value. Confirmed here https://msdn.microsoft.com/en-us/library/office/ff839782.aspx
After commenting out line 1114 I was able to narrow it down to the one exception on line 1123.
I ran it through the debugger again and set a breakpoint on line 1122. It looks like $Workbook01.VBProject is null. After some research and debugging I found that the Trust access to the VBA project object model setting was unchecked in Excel.
This is found by going to File > Options > Trust Center > Trust Center Settings > Macro Settings
Check the box for Trust access to the VBA project object model, or create a registry key under HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office\15.0\Excel\Security, where the 15.0 represents your version of Office / Excel.
Name: AccessVBOM Type: DWORD 32 Value: 1
After enabling this setting I was able to generate a new xls file with my test macro successfully.
Trust access to the VBA project object model is enabled. I couldn't find the registry key - security. All I see is document inspectors and installroot folders under excel.
I will try on a different machine and get back.
@Mushnar - thanks for troubleshooting. Are you using Excel 2010?
No problem! I'm using Excel 2013 - specifically the 365 version of it.
k - that trashes my theory. I'm using Excel 2013 as well and having no problems. That said, I'm working on a fix branch and will publish some changes there.
@Mushnar - So, I already have that regkey being added (lines 1114 & 1115), except I'm using HKCU instead of HKLM. Can you confirm the following keys are set correctly during a debug session? Everything works fine for me on multiple vms, so I'm struggling to repro at this point.
New-ItemProperty -Path "HKCU:\Software\Microsoft\Office\$ExcelVersion\Excel\Security" -Name AccessVBOM -PropertyType DWORD -Value 1 -Force | Out-Null
New-ItemProperty -Path "HKCU:\Software\Microsoft\Office\$ExcelVersion\Excel\Security" -Name VBAWarnings -PropertyType DWORD -Value 1 -Force | Out-Null
@curi0usJack I just checked the script and took out the | Out-Null on those registry key creation lines, they completed successfully. I double checked the registry and those keys exist, however the creation of the xls file fails without the Trust access key I added.
Not sure why it works, just that it does :)
Ok, I have a hunch, though it's a long shot. When luckystrike was erroring before, it was leaving a copy of the excel.exe process in memory after the script had errored. You both encountered two errors - the first regarding wdAlertsNone (which I commented), and the second one regarding the regkeys. Can one of you try this please:
1) Download latest version of luckystrike: 1.1.3.
2) Either reboot or open Task Manager & kill all open instances of Excel.
3) Try again and see if you get an error.
Let me know how it goes.
I verified that I had no Excel processes running and downloaded the new 1.1.3 version of luckystrike. After running through the process of selecting my calc payload, backing out, choosing 3 for file options, then 1 to generate new xls, I received the following.
[] - Generating macro code.
[] - Fatal error occurred during an Excel operation. You cannot call a method on a null-valued expression.
I double checked and I do have the reg keys in HKCU\Software\Microsoft\Office\15.0\Excel\Security AccessVBOM = 1 and VBAWarnings = 1
After the exception is caught and the script exits on line 1139 - my Microsoft Excel process was still open in task manager so I manually killed it after each time I ran it.
It works just fine as soon as I add the regkey in HKLM\Software\WOW6432Node\Microsoft\Office\15.0\Excel\Security AccessVBOM = 1
Not sure why it won't replicate the error on your virtual machines. I wonder if it has something to do with a difference between the true licensed key version Office 2013 and the subscription based Office 365?
Hope that helps!
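An added example (not part of this thread or of luckystrike's code): a read-only PowerShell audit of the AccessVBOM and VBAWarnings values in the three locations compared above (HKCU, HKLM and HKLM Wow6432Node), for finding hosts where these macro trust settings were left enabled. The function name Get-ExcelMacroTrustSetting is hypothetical.

```powershell
# Added example: read-only audit, not luckystrike code.
# Lists AccessVBOM / VBAWarnings for every Office version found under the
# per-user hive and the 64-bit and 32-bit (Wow6432Node) machine hives.
function Get-ExcelMacroTrustSetting {
    [CmdletBinding()]
    param()

    $roots = @(
        'HKCU:\Software\Microsoft\Office',
        'HKLM:\SOFTWARE\Microsoft\Office',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Office'
    )

    foreach ($root in $roots) {
        if (-not (Test-Path -Path $root)) { continue }

        # Version subkeys are named like 14.0, 15.0, 16.0
        $versions = Get-ChildItem -Path $root -ErrorAction SilentlyContinue |
            Where-Object { $_.PSChildName -match '^\d+\.\d+$' }

        foreach ($version in $versions) {
            $key = "$root\$($version.PSChildName)\Excel\Security"
            if (-not (Test-Path -Path $key)) { continue }

            $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
            if ($null -eq $props) { continue }   # key exists but holds no values

            foreach ($name in 'AccessVBOM', 'VBAWarnings') {
                $prop = $props.PSObject.Properties[$name]
                if ($null -eq $prop) { continue }
                [pscustomobject]@{
                    Key      = $key
                    Name     = $name
                    Value    = $prop.Value
                    # AccessVBOM 1 = VBA object model access trusted;
                    # VBAWarnings 1 = all macros enabled without prompting
                    Weakened = ($prop.Value -eq 1)
                }
            }
        }
    }
}

Get-ExcelMacroTrustSetting | Sort-Object Key, Name | Format-Table -AutoSize
```

Rows with Weakened = True on a machine that is not a dedicated test box are worth resetting, since both values remain set after the script that wrote them exits.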
It does. Thanks for sticking with me. Mind running this & sending me the output please?
https://gist.github.com/curi0usJack/2878be90d0f2f45d728b8e8f22bb56fd
EXCEL VERSION: 15.0
OFFICE BITNESS: x86
OFFICE REGKEY: HKLM:\SOFTWARE\Wow6432Node\Microsoft\Office\15.0\Outlook
WINDOWS VERSION: 10.0.10586.0
WINDOWS BITNESS: 64-bit
ISADMIN: True
Ok, I pushed 1.1.5 which I think will take care of this. Pull it down & give it a shot.
Just confirmed, it works without me having to create the registry key AccessVBOM = 1 ahead of time in HKLM. Good work!
awesome! Thanks for hanging in there with me. enjoy!
Option 1 is not creating the new file and is throwing an error. Please see the image for the error.
It is not recognizing the xls file in option 2.