Monday, January 19, 2015

Enigma0x3's Generate Macro Powershell Script

Quick post/notes on Enigma0x3's Generate Macro payload since it got hot on twitter and reddit last week.

code is here:

https://github.com/enigma0x3/Generate-Macro


The screenshot above walks through the process

run it, pass in the URL to Invode-Shellcode.ps1, enter metasploit listener IP and port, and the name of the xls you want created.

You then pick a persistence method:

     -Logon Persistence

"Meterpreter Shell with Logon Persistence: This attack delivers a meterpreter shell and then persists in the registry by creating a hidden .vbs file in C:\Users\Public and then creates a registry key in HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\Load that executes the .vbs file on login."

     -Powershell Profile Persistence

"Meterpreter Shell with Powershell Profile Persistence: This attack requires the target user to have admin right but is quite creative. It will deliver you a shell and then drop a malicious .vbs file in C:\Users\Default\AppData\Roaming\Microsoft\Windows\Cookies\cookie.vbs. Once dropped, it creates an infected Powershell Profile file in C:\Windows\SysNative\WindowsPowerShell\v1.0\ and then creates a registry key in  HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\Load that executes Powershell.exe on startup. Since the Powershell profile loads automatically when  Powershell.exe is invoked, your code is executed automatically."

more info: https://enigma0x3.wordpress.com/2014/06/16/abusing-powershell-profiles/

     -Microsoft Outlook Email Persistence

"Meterpreter Shell with Microsoft Outlook Email Persistence: This attack will give you a shell and then download a malicious Powershell script in this location: C:\Users\Public\. Once downloaded, it will insert your defined IP address, Port, Email address and Trigger word.
It will then create a malicious .vbs file and drop it in C:\Users\Default\AppData\Roaming\Microsoft\Windows\Cookies\. Once dropped, it creates a registry key that executes it on login. When the Powershell script is executed, it monitors the user's Outlook Inbox for an email containing  the email address you specified as well as the subject. When it sees the email, it will delete it and send you a shell."

more info https://enigma0x3.wordpress.com/2014/10/14/persistence-using-microsoft-outlook/

Then pick Meterpreter shell you want HTTP or HTTPS


Once complete you'll have a blank XLS in office2k-2k3 version.


I did confirm you can add your excel content, save and repopen the xls and it works (you will have to remove the persistence method or you'll get an error).

If you peak inside, you'll see its relatively straightforward to see whats going on.


No comments:

Post a Comment