Run-time error '70': Permission denied

Question

Run-time error '70': Permission denied

leesoh opened this issue 8 years ago · 8 comments

When generating an Empire payload, I'm running into the above error when enabling macros. Tested on a Windows 7 machine w/ Excel 2013 in the lab and it works fine, but on a Windows 10 box with Excel 2016 I'm running into the error. A basic "calc.exe" shell payload works just fine.

Edit: Super cool tool by the way. I love where you're going with it!

Answer 1 · 2016-12-08T23:53:40.000Z

Thanks! Hoping to get Word support in the next version. =)

You get "Permission Denied" when clicking "Enable Content" in Excel for an Empire payload, is that right? I'm assuming the Empire payload is the standard launcher text (e.g. powershell.exe -nop -enc, etc). Almost sounds like a security issue with powershell. A few things to try:

Open a standard cmd prompt on your win10 box, try the empire payload. Does it work?
Copy the payload xls to your Win7 box and try it there. Does it work?

Answer 2 · 2016-12-09T00:05:24.000Z

I suspect the same. Something along the lines of macros running calc are OK while macros that launch reverse shells are questionable. Payloads always work on my Win7 box.

Empire payload works just fine manually launching.

Answer 3 · 2016-12-09T02:48:42.000Z

Curious. Is it all shell commands or just powershell based ones? Have you tried embedding a powershell script (payload type 2) and firing that? I'm coming up short on ways to help as it seems like a config on your win10 box. Do you have GPOs governing powershell/macros/office on your win10 box?

Answer 4 · 2016-12-09T16:53:26.000Z

Yeah - at this point I think it's likely something on the W10 box causing problems. I opened the issue in case it was something you'd seen before (failing to escape something in the decoded command, etc.) but we can close this for now. I'll reopen if I find anything that can't be explained by some sort of endpoint hardening. Cheers!

Answer 5 · 2016-12-09T16:55:20.000Z

Cool. By all means, post back if you find out what the issue is! Thanks.

Answer 6 · 2016-12-09T20:12:53.000Z

@curi0usJack Confirmed AV. Kaspersky caught the Empire payload. I tried just embedding a Start-Process calc.exe and it blocked that too. Same XLS files on a stock install with Excel 2016 have no problems!

Answer 7 · 2016-12-09T20:26:58.000Z

Thanks for responding back!

As far as Kaspersky goes, are you using the heuristics filter? If so, you might be SOL with empire (would recommend pupy with ebowla encryption). If you're not using heuristics, try the luckystrike metadata attack, then have look at this tweet. ;-)

https://twitter.com/curi0usJack/status/778616567034765313

Good luck!

Answer 8 · 2016-12-09T21:03:53.000Z

Will do & thanks!