Open shrek3n opened 2 years ago
Tylous
commented
2 years ago This looks to be a syntax issue with Powerpoint's Struct. If you update line 35 obj to objOffice, it should work. Can you confirm this worked for you before I push the fix.
shrek3n
commented
2 years ago I can confirm that fixes that piece, but it doesn't change the Access VBOM value to 1 so it doesn't execute the shellcode
Tylous
commented
2 years ago Look at the picture you have up, it should.
shrek3n
commented
2 years ago Yes, I understand, but it isn't actually changing the value as I am watching ProcMon and validating in regedit.
Tylous
commented
2 years ago Your right, it looks like this is something to do with PowerPoint has changed. Test with Excel with no issues.
Tylous
commented
2 years ago Can you confirm Word and Excel are working fine?
shrek3n
commented
2 years ago @Tylous Yes, I have no issues with the other two
.\Ivy.exe -Ix86 .\ItWorks.bin -Ix64 .\ItWorks.bin -stageless -debug -product PowerPoint -P Local -O test3.js[DEBUG] Reading payload file .\ItWorks.bin [DEBUG] Reading payload file .\ItWorks.bin [*] Generating Implant [DEBUG] JAVA CODE SNIPPET COMPLETED [!] Stageless Shellcode Selected [*] Local Mode Selected [DEBUG] LOCAL SPAWNING CODE SNIPPET COMPLETED [*] Implant Encrypted [*] Generating Loader [DEBUG] DECODER STARTER SNIPPET COMPLETED [DEBUG] DECODER FUNCTION SNIPPET COMPLETED [DEBUG] LAUCHER SNIPPET COMPLETED [+] Loader File Generated: test3.js [*] Remember the systems targeted need to have Office installed in order to workThe version variable value shows, which in this case it isn't taking the ActiveXObject above and placing it like the other instances i've created. So far I've only noticed with doing a local with PowerPoint.