MacroShop
exeinvba.py doesn't (en|de)code properly
$ ls -al a.exe
-rw-r--r-- 1 <user> <group> 2821632 Aug 17 15:01 a.exe
$ shasum -a 256 a.exe
accabe050e818c6d1b69a4a0e07d86cea0ebacb2a0cae8c8d0e4a833ec4604ab a.exe
$ python exeinvba.py --exe a.exe --out a.vb --dest Environ\(\"TEMP\"\)\ \&\ \"\\a.exe\"
[+] Encoding 2821632 bytes
[+] Encoded data is 3762176 bytes
[+] Writing to a.vb
$
On the Windows system, not only will it not execute properly with the "Shell()" call, but when I try to manually run the dropped file, Windows says it's not a valid Win32 application. The size of the written file is less than the original and it also has a different hash. File size is 2,815,608 bytes and it has the hash cc7fab0055e568063eaf96226e6feac9bb99229dd0499237d6e0d5b589990ac9
Manually transferring the original exe to the windows host allows it to run successfully
Weird, what is the Windows system's OS? And does the location it is dropped in require UAC? Also, what is your exe payload?
Windows 7 32 bit. It's being dropped in %TEMP%, so no, it's not subject to UAC (I've dropped binaries there before without issue). It's a custom payload.
Hrmm, did you compile it with mingw32 gcc?
Nope. The payload shouldn't matter and, like I said, the same payload executes fine before being pushed into exeinvba.py. The same bytes in should result in the same bytes out, correct?
It should, but I just tried it multiple times with different executables and it is working for me. One using putty, the other using electrum's installer. I just know that I have had issues with compiling windows executables with gcc's base and was told to use mingw. Are you using word? Because as of right now the builder only supports Excel Macro Enabled Documents.
I was using Word but just tried it in Excel and got the same issue. What version of Office are you testing on? This is Professional Plus 2010 here.
I am using 2013 but have used 2010 with exeinvba. Can you post your VB output somewhere?
Built a new binary in the interest of not leaking the original.
https://gist.github.com/metac0rtex/ff38d146fcd7796272c5528d62a4e7af
Just tested on my box. Writing to file only fails if I use temp or the regex of temp you have; setting it to drop in C:\Users\Public\Downloads\a.exe writes and allows me to execute.
I'll look into the Environ VBA and see if there's an issue there.
UPDATE: So I was messing around with Environ as well and figured that it is just a syntax error.
outFile = Environ("temp") & "\a.exe" should work. Remove excess terminators such as " and it should work!
Cheers
My bad, I didn't clean it up as well as I should have :-/
Just did tons of testing.
So, I am not using Environ() and am defining it manually, and I'm still unable to get it to drop without manually going into the macro editor and manually running it. Once I manually run it, the file drops successfully. In order to get the correct binary to drop, I had to actually build the document in Windows. The hash mismatch appears to be an issue with building the document in OSX. Maybe differences in how the two compile it...? ¯\_(ツ)_/¯
Possibly. I do all of my testing in a Win7 64bit VM on my *nix box. This interests me, though, and I will probably have a look at how the document is built in OSX.
Still confused why I can't get it to auto drop without manually running it. Are you doing anything different than copying the VB from the script, pasting it into the macro editor, and saving everything?
Nope, I am doing exactly that (aside from the cleanup on syntax). I ran it in my test VM: a.exe seems to be placed and tries to run (a cmd prompt flies up and then dies), and it isn't seen in Task Manager.