Solving BSides 2013 Challenge 1

The challenge was to get a password from an Excel document.

If you looked inside the macro in the Excel document you could see it was running shellcode.

So I edited the macro to write the shellcode to a file before it was run.


' The Declare statements for VirtualAlloc, WriteProcessMemory and CreateThread,
' the MEM_COMMIT / PAGE_EXECUTE_READWRITE constants and the ShellCode() function
' that returns the blob all live elsewhere in the macro and are not shown here.
Private Sub ExecuteShellCode()
    Dim lpMemory As Long
    Dim sShellCode As String
    Dim lResult As Long

    sShellCode = ShellCode()
    ' Added: dump the blob to disk before it is executed. Write # wraps the
    ' string in double quotes and appends CRLF, so strip those when reading it back.
    Open "C:\shellcode" For Output As #1
    Write #1, sShellCode
    Close #1
    ' Original loader: allocate RWX memory, copy the blob in, run it on a new thread.
    lpMemory = VirtualAlloc(0&, Len(sShellCode), MEM_COMMIT, PAGE_EXECUTE_READWRITE)
    lResult = WriteProcessMemory(-1&, lpMemory, sShellCode, Len(sShellCode), 0&)
    lResult = CreateThread(0&, 0&, lpMemory, 0&, 0&, 0&)
End Sub

Opening the file shows a short decoder stub followed by a base64-encoded exe; the stub decodes the exe and then runs it.

meh

So I just ran the shellcode using C. As the shellcode was super long, Windows didn't like it, so I used GCC.


#include <stdio.h>

/* The dumped blob: the base64 decoder stub as raw bytes, followed by the
 * base64 text it decodes. Adjacent string literals are concatenated by the
 * compiler, so the whole thing ends up in one char array. */
char shellcode[] = "\xeb\x3a\x31\xd2\x80\x3b\x2b\x75\x04\xb2\x3e\xeb\x26\x80\x3b\x2f\x75\x04\xb2\x3f\xeb\x1d\x80\x3b\x39\x77\x07\x8a\x13\x80\xea\xfc\xeb\x11\x80\x3b\x5a\x77\x07\x8a\x13\x80\xea\x41\xeb\x05\x8a\x13\x80\xea\x47\xc1\xe0\x06\x08\xd0\x43\xc3\xeb\x05\xe8\xf9\xff\xff\xff\x5b\x31\xc9\x80\xc1\x36\x01\xcb\x89\xd9\x31\xc0\x80\x3b\x3d\x74\x25\xe8\xab\xff\xff\xff\xe8\xa6\xff\xff\xff\xe8\xa1\xff\xff\xff\xe8\x9c\xff\xff\xff\x86\xc4\xc1\xc0\x10\x86\xc4\xc1\xc8\x08\x89\x01\x83\xc1\x03\xeb\xd4"

"6FoIAADDVYnlUVZXi00Mi3UQi30U/ +9999 lines of base64 encoded lines.

A=";

int main(int argc, char **argv)
{
    /* Treat the array as a function and jump into it. */
    int (*func)(void) = (int (*)(void)) shellcode;
    func();
    return 0;
}

I then loaded it into Olly and stepped through the program, keeping an eye on what characters were in the registers, until I saw "ExcelMagic" in ECX, where it was being compared to my input.
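The same string can be pulled out of the dump without ever executing the blob, which is the route to take when the sample is not a known CTF file. This is an added example, not part of the original writeup: it assumes the dump is the C:\shellcode file written by the macro (quotes and CRLF from Write # included), and the sample dump below is constructed here rather than the real payload. The decoder stub's checks for '+', '/', '0'-'9', 'A'-'Z' and '=' are the standard base64 alphabet, so a plain base64 decode of the text after the stub reproduces what the stub would have written into memory.

```python
import base64
import re

# Constructed stand-in for C:\shellcode: the first stub bytes as seen in the
# dump, then a base64 blob built here (not the challenge's real payload),
# all wrapped in the quotes and CRLF that VBA's Write # adds.
STUB = bytes.fromhex("eb3a31d2803b2b7504b23eeb26803b2f7504b23feb1d")
FAKE_PAYLOAD = (bytes.fromhex("e85a080000c3") + b"\x90" * 10
                + b"ExcelMagic\x00" + b"\xcc" * 40)
SAMPLE_DUMP = b'"' + STUB + base64.b64encode(FAKE_PAYLOAD) + b'"\r\n'

# A run of base64 characters long enough that stub bytes cannot match it.
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{32,}={0,2}")


def extract_base64_payload(dump: bytes) -> bytes:
    """Locate the longest base64 run in the dump and decode it."""
    runs = B64_RUN.findall(dump)
    if not runs:
        raise ValueError("no base64 run found in dump")
    blob = max(runs, key=len)
    blob += b"=" * (-len(blob) % 4)  # tolerate a missing '=' pad
    return base64.b64decode(blob)


def ascii_strings(data: bytes, min_len: int = 6):
    """Printable ASCII runs of at least min_len bytes, like `strings`."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode() for m in re.finditer(pattern, data)]


def find_candidates(dump: bytes):
    """Decode the embedded payload and list its strings (password candidates)."""
    payload = extract_base64_payload(dump)
    return payload, ascii_strings(payload)


if __name__ == "__main__":
    with open(r"C:\shellcode", "rb") as f:   # path the macro wrote to
        payload, strs = find_candidates(f.read())
    print(payload[:6].hex(), strs)
```

On the constructed sample the decoded payload starts with the same e8 5a 08 00 00 c3 bytes the real blob's first base64 chars decode to, and the only candidate string is ExcelMagic.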

gameover
