{"id":4193,"date":"2017-04-19T01:22:36","date_gmt":"2017-04-19T01:22:36","guid":{"rendered":"http:\/\/www.hexacorn.com\/blog\/?p=4193"},"modified":"2017-05-19T08:32:59","modified_gmt":"2017-05-19T08:32:59","slug":"beyond-good-ol-run-key-part-62","status":"publish","type":"post","link":"https:\/\/www.hexacorn.com\/blog\/2017\/04\/19\/beyond-good-ol-run-key-part-62\/","title":{"rendered":"Beyond good ol\u2019 Run key, Part 62"},"content":{"rendered":"<p><strong>Update<\/strong><\/p>\n<p>This is not an RCE. If it was, I would not publish it on this blog \ud83d\ude42<\/p>\n<p>Turns out &#8220;Simpsons already did it&#8221; and as pointed out by <a href=\"https:\/\/twitter.com\/arekfurt\">@arekfurt<\/a> a <em>normal<\/em> template-based persistence is already implemented in <a href=\"https:\/\/github.com\/EmpireProject\/Empire\/blob\/master\/lib\/modules\/persistence\/userland\/normal.py\">EmpireProject<\/a> and is based on the <a href=\"https:\/\/enigma0x3.net\/2014\/01\/23\/maintaining-access-with-normal-dotm\/comment-page-1\/\">awesome work<\/a> of <a href=\"https:\/\/twitter.com\/enigma0x3\">@enigma0x3<\/a>. Interestingly, enabling macros is not needed to deliver the same functionality (as explained below).<\/p>\n<p>Dropping any macro sheet inside the XLSTART folder and opening it from there will not show the macro warning \ud83d\ude42<\/p>\n<p><strong>Old Post<\/strong><\/p>\n<p>Every once in a while we come across weird things that we not only discover accidentally, but also find hard to understand. 
Today I was playing around with Word macros and to my surprise I was able to accidentally run one, while my Macro Options were set to <em>Disable all macros with notification<\/em>.<\/p>\n<p><a href=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2017\/04\/macros1.png\"><img decoding=\"async\" loading=\"lazy\" class=\"aligncenter wp-image-4194 size-full\" src=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2017\/04\/macros1.png\" alt=\"\" width=\"459\" height=\"134\" srcset=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2017\/04\/macros1.png 459w, https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2017\/04\/macros1-300x88.png 300w\" sizes=\"(max-width: 459px) 100vw, 459px\" \/><\/a>Intrigued, I quickly realized that instead of adding it to a test Word document, I accidentally added it to the <em>normal<\/em> template file.<\/p>\n<p>Could it be&#8230; ?<\/p>\n<p>I rushed to add the <em>AutoOpen<\/em> macro to the <em>normal<\/em> template that will launch the Calculator anytime the template is used:<\/p>\n<p><a href=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2017\/04\/macros2.png\"><img decoding=\"async\" loading=\"lazy\" class=\"aligncenter wp-image-4195 size-full\" src=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2017\/04\/macros2.png\" alt=\"\" width=\"392\" height=\"112\" srcset=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2017\/04\/macros2.png 392w, https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2017\/04\/macros2-300x86.png 300w\" sizes=\"(max-width: 392px) 100vw, 392px\" \/><\/a>Now I only needed to open some Word document&#8230;<\/p>\n<p><a href=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2017\/04\/macros3.png\"><img decoding=\"async\" loading=\"lazy\" class=\"aligncenter wp-image-4196\" src=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2017\/04\/macros3-300x277.png\" alt=\"\" width=\"500\" height=\"461\" 
srcset=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2017\/04\/macros3-300x277.png 300w, https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2017\/04\/macros3.png 671w\" sizes=\"(max-width: 500px) 100vw, 500px\" \/><\/a>How nice!<\/p>\n<p>Interestingly, the Security Warning appears ONLY after I visit options while the document is open.<\/p>\n<p><a href=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2017\/04\/macros4.png\"><img decoding=\"async\" loading=\"lazy\" class=\"aligncenter wp-image-4197\" src=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2017\/04\/macros4-300x14.png\" alt=\"\" width=\"499\" height=\"23\" srcset=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2017\/04\/macros4-300x14.png 300w, https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2017\/04\/macros4.png 672w\" sizes=\"(max-width: 499px) 100vw, 499px\" \/><\/a>Swap calculator with anything else, and a new stealth persistence mechanism is born&#8230;<\/p>\n<p>Now, what about Excel?<\/p>\n<p>Excel doesn&#8217;t have the <em>Normal<\/em> template equivalent by default, but you can add one. 
To do so, you just need to record any macro named <em>Auto_Open<\/em> and store it inside a personal template (by choosing &#8216;Store macro in <em>Personal Macro Workbook<\/em>&#8216;):<\/p>\n<p><a href=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2017\/04\/macros5.png\"><img decoding=\"async\" loading=\"lazy\" class=\"aligncenter size-medium wp-image-4198\" src=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2017\/04\/macros5-300x246.png\" alt=\"\" width=\"300\" height=\"246\" srcset=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2017\/04\/macros5-300x246.png 300w, https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2017\/04\/macros5.png 358w\" sizes=\"(max-width: 300px) 100vw, 300px\" \/><\/a><\/p>\n<p>(alternatively, you can create a personal template directly on the system by placing a prepared XLSB file in the following location: <em>c:\\Users\\&lt;USER&gt;\\AppData\\Roaming\\Microsoft\\Excel\\XLSTART\\PERSONAL.XLSB<\/em>)<\/p>\n<p>Then switch to the macro editor, and write the code as below:<\/p>\n<p><a href=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2017\/04\/macros6.png\"><img decoding=\"async\" loading=\"lazy\" class=\"aligncenter wp-image-4199 size-full\" src=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2017\/04\/macros6.png\" alt=\"\" width=\"458\" height=\"109\" srcset=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2017\/04\/macros6.png 458w, https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2017\/04\/macros6-300x71.png 300w\" sizes=\"(max-width: 458px) 100vw, 458px\" \/><\/a><\/p>\n<p>This will ensure the Calculator will be executed anytime someone opens Excel, even if the macros are *cough* *cough* disabled&#8230;<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Update This is not an RCE. 
If it was, I would not publish it on this blog \ud83d\ude42 Turns out &#8220;Simpsons already did it&#8221; and as pointed out by @arekfurt a normal template-based persistence is already implemented in EmpireProject and &hellip; <a href=\"https:\/\/www.hexacorn.com\/blog\/2017\/04\/19\/beyond-good-ol-run-key-part-62\/\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[13,35,15,19,46,9],"tags":[],"_links":{"self":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/4193"}],"collection":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/comments?post=4193"}],"version-history":[{"count":8,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/4193\/revisions"}],"predecessor-version":[{"id":4230,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/4193\/revisions\/4230"}],"wp:attachment":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/media?parent=4193"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/categories?post=4193"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/tags?post=4193"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}