No-Value

[shrek3n]

.\Ivy.exe -Ix86 .\ItWorks.bin -Ix64 .\ItWorks.bin -stageless -debug -product PowerPoint -P Local -O test3.js

[DEBUG] Reading payload file .\ItWorks.bin [DEBUG] Reading payload file .\ItWorks.bin [*] Generating Implant [DEBUG] JAVA CODE SNIPPET COMPLETED [!] Stageless Shellcode Selected [*] Local Mode Selected [DEBUG] LOCAL SPAWNING CODE SNIPPET COMPLETED [*] Implant Encrypted [*] Generating Loader [DEBUG] DECODER STARTER SNIPPET COMPLETED [DEBUG] DECODER FUNCTION SNIPPET COMPLETED [DEBUG] LAUCHER SNIPPET COMPLETED [+] Loader File Generated: test3.js [*] Remember the systems targeted need to have Office installed in order to work

The version variable value shows , which in this case it isn't taking the ActiveXObject above and placing it like the other instances i've created. So far I've only noticed with doing a local with PowerPoint.

[Tylous]

This looks to be a syntax issue with Powerpoint's Struct. If you update line 35 obj to objOffice, it should work. Can you confirm this worked for you before I push the fix.

[shrek3n]

I can confirm that fixes that piece, but it doesn't change the Access VBOM value to 1 so it doesn't execute the shellcode

[Tylous]

Look at the picture you have up, it should.

[shrek3n]

Yes, I understand, but it isn't actually changing the value as I am watching ProcMon and validating in regedit.

[Tylous]

Your right, it looks like this is something to do with PowerPoint has changed. Test with Excel with no issues.

[Tylous]

Can you confirm Word and Excel are working fine?

[shrek3n]

@Tylous Yes, I have no issues with the other two