search

Exploiting Microsoft Office

hashtag
Leveraging Microsoft Word Macros for Reverse Shells

hashtag
Overview

Microsoft Word macros, written in Visual Basic for Applications (VBA), can automate tasks and serve as a powerful client-side attack vector when maliciously crafted. This guide outlines the creation of a macro to launch a reverse shell using PowerShell.

hashtag
Key Points

hashtag
1. Macro Basics

  • What are Macros?

    • Macros are written in VBA, offering full access to ActiveX objects and the Windows Script Host.

    • .doc or .docm formats are required to embed macros. Macros in .docx are not persistent.

hashtag
2. Macro Setup

Steps:

  1. Save a Word document as .doc.

  2. Access the macro menu via View > Macros > Create.

  3. Develop the macro in the Visual Basic for Applications editor.

Default Macro Skeleton:

hashtag
3. Executing Commands with ActiveX

Example Macro to Open PowerShell:

hashtag
4. Auto-Execution

Use AutoOpen and Document_Open to ensure macros execute when the document opens:

hashtag
5. Creating a Reverse Shell

PowerShell Download Cradle:

  • Base64-encode the command to avoid issues with special characters.

hashtag
6. Embedding Encoded Commands

Split the base64-encoded string into chunks to bypass VBA's 255-character limit:

hashtag
7. Testing

  1. Start a Python web server to host powercat.ps1.

  2. Use a Netcat listener to catch the reverse shell.

  3. Open the Word document and enable macros.

hashtag
Summary

  • Objective: Exploit Word macros for initial footholds in enterprise networks.

  • Outcome: A reverse shell is achieved using a malicious macro that downloads and executes PowerCat via PowerShell.

  • Challenges:

    • Victim must enable macros.

    • Increased awareness and security controls make delivery harder.

Macros remain effective but increasingly challenging to deliver, necessitating alternative or supplementary attack vectors.

PreviousWindows Library FilesNextThick Client Pentest

Last updated