RedSiege/EXCELntDonut

64Bit Macro Crashing Excel

rvrsh3ll opened this issue · 5 comments

This payload works in an x86 Microsoft Excel document. It crashes in x64 Excel, while it works if compiled as a .NET binary instead. Just checking if you've had any issues with x64 Office macros or if I'm doing something wrong here. FWIW, it crashes before it pulls the shellcode.

https://gist.github.com/rvrsh3ll/ece9cb8160b161c908b53f4a52511517

Having the same issues. .NET runs fine (x86 and x64). Macro runs in x86 excel.exe, not x64.
https://gist.github.com/kafkaesqu3/8a5043cf1a608d563d9534db5c894f3e
I tried changing the x64 encoder; xor_dynamic seems to be the only one capable of removing the null bytes.

Thanks for posting. Just so you guys know, @joeleonjr is looking into this. Thanks for the sample POCs too, which you guys can share as not working so it's easier for us to re-create.

I've also run into the same issue while using @rasta-mouse's Covenant GruntInjector (https://gist.githubusercontent.com/rasta-mouse/3f73f1787e6ab1ceead636ca632a50bf/raw/362ce3736c6bd0a73b40e8a6831cc0446c10d584/gistfile1.txt).

I truthfully (and unhelpfully) cannot tell if this is an issue with the macros that were generated or the fact that, like @rvrsh3ll, I'm attempting to do process injection.

EDIT: I decided to debug the macro a bit more by stepping through it; when the incrementing counter in D1 hits 570 it breaks out of the A13 - A18 loop and runs A19 =CThread(0,0,A10,0,0,0). It then moves to A20 and hits the HALT() which is when the crash happens.

Apologies for the delay. Still working on this issue. Seems like 64-bit versions were working with some of our internal process injection templates as well as the msg.cs template included in the repo, but failed when we tried running the process injection files you all shared. Will update everyone as soon as we get the 64-bit version more stable.

Ok. This took a while. Our apologies. But thank you to @dru1d-foofus @kafkaesqu3 and @rvrsh3ll for bringing this issue to our attention. I ripped out Donut for x64 shellcode generation and plugged in CLRvoyance (created by Accenture's security team). I also added a process injection template in the /templates folder. We tested the new build with that template with a cobalt strike payload and received beacons back when executing in both 32-bit and 64-bit versions of Excel. When you all get a chance, please let us know if this fixes it for you. I'm gonna close this out for now, but feel free to re-open it if it's still not working 100% for you. Thank you!