XLSinjector


I have just written a new script that injects a Meterpreter shell into an Excel file.

This will speed up the pentesting process of embedding malicious VBA scripts in Excel files.

For this script to work, you will need Windows, Microsoft Excel, Perl and the Perl module Win32::OLE.

To install the Perl module Win32::OLE (take note that it's case sensitive):
C:\> cpan
cpan> install Win32::OLE

You can find my project at http://code.google.com/p/xlsinjector/

To run the script, simply type:

[If you want it to download an Excel file from the web]
C:\> perl xlsinjector.pl -u http://website/excel.xls -o 1234.xls

[If you want it to use a local Excel file. Put the Excel file in the same folder as the script]
C:\> perl xlsinjector.pl -i excel.xls -o 1234.xls

The -o argument is optional.

You can also view my demonstration video at securitytube.net
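
The script's output is an ordinary .xls with a VBA project added, so a defender can triage such files by listing the OLE2 directory entries and flagging VBA storages. The sketch below is an added example, not part of xlsinjector or the original post; the function names, the set of storage names checked and the constructed sample file are assumptions of the example.

```python
import struct

CFB_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")
ENDOFCHAIN, FREESECT = 0xFFFFFFFE, 0xFFFFFFFF
# Storage/stream names that hold a VBA project (Excel 97-2003 uses _VBA_PROJECT_CUR).
VBA_NAMES = {"_VBA_PROJECT_CUR", "VBA", "_VBA_PROJECT"}

def directory_names(data):
    """List the directory entry names of an OLE2 compound file (.xls, .doc)."""
    if data[:8] != CFB_MAGIC or len(data) < 512:
        raise ValueError("not an OLE2 compound file")
    size = 1 << struct.unpack_from("<H", data, 30)[0]   # sector size, 512 for v3
    def sector(n):
        chunk = data[(n + 1) * size:(n + 2) * size]
        if len(chunk) != size:
            raise ValueError("truncated file")
        return chunk
    fat = []                                   # simplification: header DIFAT only
    for n in struct.unpack_from("<109I", data, 76):
        if n < 0xFFFFFFFA:                     # skip FREESECT and other markers
            fat.extend(struct.unpack("<%dI" % (size // 4), sector(n)))
    names, seen = [], set()
    cur = struct.unpack_from("<I", data, 48)[0]          # first directory sector
    while cur < len(fat) and cur not in seen:            # stops on ENDOFCHAIN or a loop
        seen.add(cur)
        block = sector(cur)
        for off in range(0, size, 128):                  # 128-byte directory entries
            name_len, obj_type = struct.unpack_from("<HB", block, off + 64)
            if obj_type in (1, 2, 5) and 2 <= name_len <= 64:
                names.append(block[off:off + name_len - 2].decode("utf-16-le", "replace"))
        cur = fat[cur]
    return names

def has_vba_project(data):
    return any(name in VBA_NAMES for name in directory_names(data))

def build_sample(entries):
    """Constructed input: minimal v3 file with one FAT and one directory sector."""
    header = bytearray(CFB_MAGIC + bytes(504))
    struct.pack_into("<HHHHH", header, 24, 0x3E, 3, 0xFFFE, 9, 6)
    struct.pack_into("<II", header, 44, 1, 1)            # 1 FAT sector; directory at sector 1
    struct.pack_into("<109I", header, 76, 0, *[FREESECT] * 108)
    fat = struct.pack("<128I", 0xFFFFFFFD, ENDOFCHAIN, *[FREESECT] * 126)
    directory = bytearray(512)
    for i, (name, obj_type) in enumerate(entries[:4]):
        raw = name.encode("utf-16-le") + b"\0\0"
        directory[i * 128:i * 128 + len(raw)] = raw
        struct.pack_into("<HB", directory, i * 128 + 64, len(raw), obj_type)
    return bytes(header + fat + directory)
```

Only the FAT sectors listed in the header are read, so very large files need DIFAT-chain support; for production triage a maintained parser such as olevba from oletools is the usual choice.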


  1. CG
    October 23, 2009 at 6:28 am

    Is this any different than just using msfpayload to output the VBA code and pasting the macro in yourself?

    • October 23, 2009 at 6:43 am

      The only difference is automation. I’m thinking of whether to add in the feature of scanning network drives and appending the VBA code to all Excel files that it can find. That is the reason why I wrote this code. Not sure if anyone would want this though.

  2. Pols
    December 7, 2009 at 10:50 am

    Hi Milo,

    I am trying to run the script, but I got this error:

    [*] Mail bug reports and suggestions to
    Can’t call method “VBComponents” on an undefined value at xlsinjector.pl line 62

    I installed the required module Win32::OLE:
    Going to write C:\Perl\cpan\Metadata
    Win32::OLE is up to date (0.1709).
