BruCON 0x05 has ended
This schedule is subject to change, check back regularly.
Registrations start at 8h30!
Workshop rooms in the location Novotel are 5 minutes walking from the main venue.
Workshop seats are limited to max 30 persons in rooms Orval, Chimay & La Trappe Seats will be on a first come first serve basis, please be there in time
back to BruCON web site.
TIP: to see as grid: click on the "Schedule button"  
Back To Schedule
Thursday, September 26 • 4:30pm - 6:30pm
Advanced Excel Hacking (Didier Stevens)

Sign up or log in to save this to your schedule, view media, leave feedback and see who's attending!

This is a workshop on hacking Excel on Windows without exploits.

Visual Basic for Applications (VBA) is a powerful programming language, more powerful than VBScript, because it has access to the Windows API. What I teach in this workshop is applicable to all applications with VBA support (Word, Powerpoint, AutoCAD, ...), but I choose Excel because of its prevalence and its tabular GUI that is particularly suited for inputting and outputting data.

I illustrate 2 major hacking techniques on Excel: pure VBA and VBA mixed with with special shellcode and DLLs.

The advantage of hacking without exploits, is that this will always work, regardless of the patching level. As long as Excel and macros are allowed to run, arbitrary code can be executed.

These techniques are interesting to hackers and pentesters, because they allow one to execute arbitrary code in a restricted environment, without creating new processes or writing DLLs to disk. Even in a whitelisted environment, where EXEs and DLLs have to be whitelisted, these techniques work as long as Excel is allowed to run and macros are not disabled.

For the pure VBA technique, I show examples of:

  • a Windows taskmanager that can kill, pause and resume Windows processes, as well as inject shellcode into these processes. This spreadsheet is also useful to clean infected PCs were malware prevents taskmanager from running.

  • network utilities: ping, resolve, ...

  • installed programs list

For the mixed VBA technique, I show examples of:

  • a spreadsheet with embedded cmd.exe and regedit.exe. These two programs are taken from ReactOS (the opensource project aiming to build a Windows XP binary compatible OS), transformed into DLLs, and then injected into Excel's memory from memory with specially designed shellcode. This spreadsheet allows one to run an undetectable command line interpreter and registry editor in environments were such tools are restricted. This is not only usable on corporate PCs or kiosks, but (for example) also on infected PCs were malware prohibits cmd.exe and regedit.exe to run.

  • a spreadsheet with the opensource code of putty.exe transformed into a DLL.

  • a spreadsheet with a port forwarder, allowing the restricted machine to be used as a proxy.

  • ...

I will not only explain these techniques and demo these spreadheets, but I will also explain and release the tools I designed to create these spreadsheets.

Attendees have to bring a Windows machine (physical or virtual) with Microsoft Excel (2003, 2007, 2010 or 2013, 32-bit or 64-bit). 32-bit Excel is preferred, as some examples only work on 32-bit (at the time of writing, ReactOS is 32-bit only).

A Python interpreter is also needed for attendees that want to use my tools to transform a DLL into VBA code.

avatar for Didier Stevens

Didier Stevens

Didier Stevens (Microsoft MVP Consumer Security, CISSP, GSSP-C, MCSD .NET, MCSE/Security, MCITP Windows Server 2008, RHCT, CCNP Security, OSWP) is an IT Security Consultant currently working at a large Belgian financial corporation. In 2012, Didier founded his own company Didier... Read More →

Thursday September 26, 2013 4:30pm - 6:30pm CEST
2 Westmalle Aula Ghent