trustedsec / unicorn

Unicorn is a simple tool for using a PowerShell downgrade attack and inject shellcode straight into memory. Based on Matthew Graeber's powershell attacks and the powershell bypass technique presented by David Kennedy (TrustedSec) and Josh Kelly at Defcon 18.
https://www.trustedsec.com

Macro compatibility #158

Closed ghost closed 3 years ago

ghost commented 3 years ago

Hi @trustedsec Which version of Office did you use to create the payload? Office 2003, 2007, 2010, 2013... which one? I am certain that a macro created in a newer version (2016, 2019...) may not run well on an older version (2007, 2010...).

And what's the environment of your MS Office? Is it x86 Office or x64 Office?

I said that because there is an incompatibility between x86 Office and x64 Office: some VBA scripts for x86 cannot run well on x64 Office, like those invoking some Win32 APIs. And that is why Microsoft recommended that we should use x86 Office for fewer errors. That is, if unicorn is written for x86 Office, it is possible that the code generated by unicorn may cause an error on x64 Office.

I hope that I could hear your suggestion about the "best" version of Office to create the payload!!!

Thank you~

ghost commented 3 years ago

This is what Microsoft said: https://support.microsoft.com/en-us/office/choose-between-the-64-bit-or-32-bit-version-of-office-2dee7807-8f95-4d0c-b5fe-6c6f49b8d261

And it is hard to know whether our pentesting target is running x64 or x86 Office, so unicorn must be compatible with them all😃

ghost commented 3 years ago

I have done some research. Using x86 Office 2010 to create the macro payload is the best way. There are a few reasons below:

1. Office 2010 was designed for Win7 (I used VirtualBox on Win10), where you can paste the payload without seeing the annoying Windows Defender prompt window.
2. The payload that 2010 created can run well on 2003 (they are all 32-bit and need an extension installed from the Microsoft site) and 2007. When it comes to 2013, 2016 and 2019, there is a compatibility mode in them to view 2010's files.
3. It seemed that security in 2013 and higher was levelled up; you might need more steps to create a macro and create your phishing files (maybe Microsoft doesn't want people to abuse their product to create viruses). However, everything is simple in 2010.
4. The fake "broken file" message may be persuasive for the target. You can say it is old and any error in the file that 2010 created is possible......

That is what I want to say. How about your opinions? Do you have the same idea?