Macrome 0.4.1 - Enhanced Payload Embedding Edition
A number of users have had issues using Macrome to embed larger payloads such as Cobalt Strike stageless beacons. This release of Macrome adds a new MacroPattern (check out MacroPatterns.cs
) which (ab)uses the CryptStringToBinary
API to write a base64 string directly into memory. Because we're encoding the shellcode as base64 it doesn't matter if the payload contains null bytes or not - so no more using msfvenom to wrap payloads.
Additionally, once payloads exceeded a certain size Macrome would take too long to execute (Excel isn't the fastest at executing 100 of thousands of copies between cells). By embedding the payload directly into the document the time from clicking "Enable Macros" to shellcode execution is VASTLY improved. The old mechanism would be able to copy ~20-40kb / sec. I've seen the new mechanism load a shellcodified Go binary over 5MB large in under 2 seconds. For folks looking to turn their binaries into shellcode I highly recommend Amber.
This new payload encoding + macro pattern can be accessed by using adding the --payload-method Base64
command to your Macrome invocation. For example:
dotnet Macrome.dll b --decoy-document decoy_document.xls --payload popcalc.bin --payload64-bit popcalc64.bin --method AntiAnalysisCharSubroutine --payload-method base64 --password VelvetSweatshop --output-file-name base64payload.xls
I've tested this with stageless CS payloads (which make roughly a 1MB XLS file if you include x86 and x64 shellcode), Go binaries, and some other custom shellcode and it works shockingly well. I strongly recommend folks who have had issues with payload embedding in the past to try this out.