Macro compatibility #158

Closed
ghost opened this issue Oct 14, 2021 · 2 comments
ghost commented Oct 14, 2021

Hi @trustedsec
Which version of Office did you use to create the payload?
Office 2003, 2007, 2010, 2013... which one?
I am certain that a macro created in a newer version (2016, 2019...) may not run well on an older version (2007, 2010...).

And what's the environment of your MS Office?
Is it x86 Office or x64 Office?

I said that because there is an incompatibility between x86 Office and x64 Office; some VBA scripts for x86 cannot run well on x64 Office, like invoking some Win32 APIs.
And that is why Microsoft recommended that we should use x86 Office for fewer errors.
That is, if unicorn is written for x86 Office, it is possible that the code generated by unicorn may cause an error on x64 Office.

I hope that I could hear your suggestion about the "best" version of Office to create the payload!

Thank you~

ghost commented Oct 14, 2021

This is what Microsoft said:
https://support.microsoft.com/en-us/office/choose-between-the-64-bit-or-32-bit-version-of-office-2dee7807-8f95-4d0c-b5fe-6c6f49b8d261

And it is hard to know whether our pentesting goal is running on x64 or x86 Office, so unicorn must be compatible with them all 😃

ghost commented Oct 14, 2021

I have done some research.
Using x86 Office 2010 to create the macro payload is the best way.
There are a few reasons below:
1. Office 2010 was designed for Win7 (I used VirtualBox on Win10), where you can paste the payload without seeing the annoying Windows Defender prompt window.
2. The payload that 2010 created can run well on 2003 (they are all 32-bit and need to install an extension on the Microsoft site) and 2007. When it comes to 2013, 2016, 2019, there is a compatibility mode in them to view 2010's files.
3. It seemed that security in 2013 and higher was leveled up; you might need to do more steps to create a macro and create your phishing files (maybe Microsoft doesn't want people to abuse their product to create viruses). However, everything is simple in 2010.
4. The fake "broken file" message may be persuasive for the target. You can say it is old and any error in the file that 2010 created is possible......

That is what I want to say.
What are your opinions?
Do you have the same idea?
