I modified the source code of ReactOS' cmd and regedit for the following trick:
Let me summarize how I did this, as this is the combined result of several techniques I blogged about before.
- The Excel spreadsheet contains macros that use VirtualAlloc, WriteProcessMemory and CreateThread to “inject” shellcode (stored inside macros) into the Excel process itself. Details here and source code here.
- The shellcode loads a DLL from memory into memory.
- I modified source code from ReactOS to transform cmd.exe into cmd.dll and regedit into a dll.
You can download regedit.dll here and the new version of cmd.dll with the DLL command here. The DLL command I added allows you to load a DLL with LoadLibrary or directly into memory (/m option). When loaded with LoadLibrary, the library will be unloaded with FreeLibrary unless you use option /k to keep it loaded.
The DLL command assumes that your DLLs execute via the DllMain entry-point when they get loaded.
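As an added defensive illustration (not code from this post or from ReactOS), here is a small Python check that flags a VBA module declaring the VirtualAlloc/WriteProcessMemory/CreateThread trio the macro above relies on. It resolves `Alias` names so that renaming the VBA-side function does not hide which kernel32 export is imported; the two sample modules are constructed, with parameter lists elided.

```python
from __future__ import annotations
import re

# The three Win32 APIs the post's macro combines to run code inside Excel itself.
INJECTION_APIS = {"VirtualAlloc", "WriteProcessMemory", "CreateThread"}

# Matches: [Private] Declare [PtrSafe] Function|Sub <name> Lib "<dll>" [Alias "<export>"]
DECLARE_RE = re.compile(
    r'Declare\s+(?:PtrSafe\s+)?(?:Function|Sub)\s+(\w+)\s+Lib\s+"([^"]+)"'
    r'(?:\s+Alias\s+"([^"]+)")?',
    re.IGNORECASE,
)


def declared_apis(vba_source: str) -> set[str]:
    """Return the Win32 export names a VBA module imports via Declare.

    When an Alias is present it names the real export, so the alias wins
    over whatever name the macro author chose on the VBA side."""
    found: set[str] = set()
    for name, _lib, alias in DECLARE_RE.findall(vba_source):
        found.add(alias or name)
    return found


def injection_score(vba_source: str) -> tuple[int, set[str]]:
    """Score 0..3: how many of the alloc/write/thread trio the module declares.
    A full score of 3 is the pattern described in the post."""
    hits = declared_apis(vba_source) & INJECTION_APIS
    return len(hits), hits


# Constructed sample: the second declaration is renamed on the VBA side but
# still resolves to WriteProcessMemory through its Alias.
SUSPICIOUS_MODULE = '''
Private Declare PtrSafe Function VirtualAlloc Lib "kernel32" (...) As LongPtr
Private Declare PtrSafe Function WPM Lib "kernel32" Alias "WriteProcessMemory" (...) As Long
Private Declare PtrSafe Function CreateThread Lib "kernel32" (...) As LongPtr
'''

# Constructed sample: an ordinary module that only declares Sleep.
BENIGN_MODULE = '''
Private Declare PtrSafe Sub Sleep Lib "kernel32" (ByVal dwMilliseconds As Long)
'''

if __name__ == "__main__":
    for label, src in (("suspicious", SUSPICIOUS_MODULE), ("benign", BENIGN_MODULE)):
        score, hits = injection_score(src)
        print(f"{label}: score={score} hits={sorted(hits)}")
```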
[...] Excel with cmd.dll & regedit.dll – didierstevens.com Stevens modified source code from ReactOS to transform cmd.exe into cmd.dll and regedit into a dll. [...]
Pingback by Week 6 in Review – 2010 | Infosec Events — Monday 15 February 2010 @ 6:04
[...] My Software, Shellcode — Didier Stevens @ 0:40 The DLL-loading shellcode I used in my cmd.xls spreadsheet was generated with a method I worked out to generate WIN32 shellcode with a C-compiler. You can [...]
Pingback by MemoryLoadLibrary: From C Program to Shellcode « Didier Stevens — Tuesday 16 February 2010 @ 0:41
That is pretty neat – an attacker can hide processes. Can you launch programs with admin privileges?
Comment by Tom — Thursday 18 February 2010 @ 13:33
Assuming you run under a LUA? No, you need to exploit an elevation vulnerability to achieve this.
Comment by Didier Stevens — Thursday 18 February 2010 @ 16:55
[...] a DLL and embedded it with my memory loading shellcode into Excel macros (the same technique as I developed for cmd.dll and regedit.dll). I imagine that a simple game like Solitaire in Excel can go viral inside a company, when you know [...]
Pingback by Frisky Solitaire – Another Info Stealer « Didier Stevens — Tuesday 9 March 2010 @ 0:01
Cool stuff. Is the regedit in godmode (admin)?
Comment by sgt Pepper — Friday 19 March 2010 @ 16:17
@sgt Pepper Regedit.dll and cmd.dll run inside the Excel process with new threads. Provided Excel runs under the (elevated) Admin account, regedit will too.
Comment by Didier Stevens — Friday 19 March 2010 @ 16:36
[...] and wscript.exe? It's also worth mentioning that even after you have done the above, it is still very easy to bypass these restrictions via process injection. I reckon a student could easily do this if they [...]
Pingback by Prevent Files With These Extensions Running From These Locations... — Sunday 11 July 2010 @ 10:20