RobustPentestMacro

This is a feature-rich Visual Basic macro for use during Penetration Testing assignments, implementing several post-exploitation techniques such as sandbox evasion, WMI persistence and page substitution. It is intended to run on both Windows and Mac OS X Office platforms by means of platform-detection logic.

Created so that one can simply paste the payload, then copy and paste the entire macro into the phishing document.

For a list of example macro generation and usage scenarios, see the author's gist:

Various-Macro-Based-RCEs.md


SYNOPSIS:

This is skeleton code for a malicious macro that could be used during Penetration Testing assignments (or for educational purposes), to be embedded within phishing documents as a Microsoft Office macro.

The following features are implemented:

  • Platform detection logic (Windows/Mac OS X) - all the penetration tester has to do is generate both the Windows and the Mac OS X commands and put them into the appropriate macro functions: WindowsMalware() and MacMalware()
  • Sandbox detection (Windows) - allowing the macro to exit when it is being scanned
  • WMI Subscription persistence (Windows) - allowing the payload to survive a system restart
  • Social engineering trick by shape removal - hiding the fake "Enable Content" warning once the macro runs
  • Support for both MS Word and Excel startup routines

One should definitely feed this script through some kind of Visual Basic obfuscator, like the author's own: VisualBasicObfuscator

The macro's code has been built up from other authors' building blocks:


CONFIGURATION

The most essential configuration step is filling in the functions MalwareWindows() and MalwareMac(). One can, for instance, leverage Empire's stager functionality and obtain two payloads, for:

  • windows/macro
  • osx/macro

The macros generated this way then go into the aforementioned Malware*() functions. The penetration tester can also use the built-in primitives:

  • ExecuteCommand(command)
  • ExecuteCommandAndPersist command, startupTaskName

For instance, such modifications to the script could look like:

Private Sub WindowsMalware()
    [...]
    str = "powershell -noP -sta -w 1 -enc  ABCDEFGHIJKLMNOPQ"
    str = str + "ABCDEFGHIJKLMNOPQRSTUWXYZ0123456789"
    ' Rest of the powershell command cut for brevity
    ' [...]
    str = str + "ABCDEFGHIJKLMNOPQRSTUWXYZ0123456789"

    ExecuteCommandAndPersist str, ""
End Sub

Private Sub MacMalware()
    [...]
    cmd = "abcdefghijlmnopqrstuxwyz012345678990"
    cmd = cmd + "abcdefghijlmnopqrstuxwyz012345678990"
    ' Rest of bash command cut for brevity
    ' [...]
    cmd = cmd + "abcdefghijlmnopqrstuxwyz012345678990"

    Dim fullCommand As String
    fullCommand = "echo ""import sys,base64;exec(base64.b64decode(\"" " & cmd & " \""));"" | python &"

    ExecuteCommandAndPersist fullCommand, ""
End Sub

There are also Const options, documented within the code's CONFIGURATION section, that are self-explanatory and left for the user to review.
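ExecuteCommandAndPersist registers the command as a WMI event subscription (the persistence feature listed above), which leaves three objects in root\subscription: a filter, a consumer and a binding. The triage below is an added defender-side example and not code from RobustPentestMacro; it assumes those objects were exported from the host (for instance with Get-CimInstance -Namespace root/subscription) and loaded as plain dicts, and the records it ships with are constructed.

```python
"""Hunt for WMI event-subscription persistence in an exported root\\subscription dump.
Added defender-side example, not part of RobustPentestMacro; input objects are plain dicts."""

# Consumer classes that execute an arbitrary command line or script when fired.
EXECUTING_CONSUMERS = {"CommandLineEventConsumer", "ActiveScriptEventConsumer"}

def name_from_path(path: str) -> str:
    """Name key of a WMI object path: '__EventFilter.Name="x"' -> 'x'."""
    start = path.find('Name="')
    if start == -1:
        return ""
    start += 6  # len('Name="')
    return path[start:path.find('"', start)]

def find_executing_subscriptions(filters: list[dict], consumers: list[dict],
                                 bindings: list[dict]) -> list[dict]:
    """Join binding -> filter -> consumer and report every complete chain whose
    consumer runs a command or script: the shape a persisted payload takes."""
    filters_by_name = {f["Name"]: f for f in filters}
    consumers_by_name = {c["Name"]: c for c in consumers}
    findings = []
    for b in bindings:
        flt = filters_by_name.get(name_from_path(b["Filter"]))
        con = consumers_by_name.get(name_from_path(b["Consumer"]))
        if flt is None or con is None:
            continue  # dangling binding: cannot fire (still worth a look)
        if con["__CLASS"] in EXECUTING_CONSUMERS:
            findings.append({
                "filter": flt["Name"], "query": flt["Query"],
                "consumer": con["Name"], "consumer_class": con["__CLASS"],
                "payload": con.get("CommandLineTemplate") or con.get("ScriptText", ""),
            })
    return findings

# Constructed sample export: the stock SCM event-log pair plus one suspicious chain.
SAMPLE_FILTERS = [
    {"Name": "SCM Event Log Filter", "Query": "select * from MSFT_SCMEventLogEvent"},
    {"Name": "Updater", "Query": "SELECT * FROM __InstanceModificationEvent WITHIN 60 "
     "WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System'"},
]
SAMPLE_CONSUMERS = [
    {"Name": "SCM Event Log Consumer", "__CLASS": "NTEventLogEventConsumer"},
    {"Name": "Updater", "__CLASS": "CommandLineEventConsumer",
     "CommandLineTemplate": "powershell -noP -w 1 -enc <PLACEHOLDER>"},
]
SAMPLE_BINDINGS = [
    {"Filter": '__EventFilter.Name="SCM Event Log Filter"',
     "Consumer": 'NTEventLogEventConsumer.Name="SCM Event Log Consumer"'},
    {"Filter": '__EventFilter.Name="Updater"', "Consumer": 'CommandLineEventConsumer.Name="Updater"'},
]
```

The stock SCM pair is reported as benign because its consumer only writes an event-log entry, while the constructed "Updater" chain is flagged together with the command line it would run.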


SOCIAL ENGINEERING SHAPE REMOVAL:

In order to leverage this feature, one has to prepare a fake "Enable Content" warning message (for instance about Microsoft Office compatibility issues, an AV-scanned flag or something imaginary), and then create a shape consisting of a TextBox (via INSERT -> Shapes... -> TextBox). Then cover the document with this shape. Having that, one has to rename the shape using the path:

(Ribbon -> HOME -> Editing -> Select... -> Selection Pane -> give it a name, like "warning-div")

After that, the shape can be further modified to float and cover the entire document:

Right-click on the shape -> Move selected shape -> then set Position and Size to 100%, Left-Top aligned.

Among the various social engineering shapes that could be used, two have been attached to this repository:

Example shape
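The lure described above leaves two artifacts in the file itself: a VBA project part and a floating, named drawing that covers the page. The triage function below is an added defender-side example and not code from RobustPentestMacro; it assumes a .docm/.xlsm (an OOXML zip), only inspects Word and Excel DrawingML shape names, and the sample document it builds is constructed.

```python
"""Triage an Office Open XML (.docm/.xlsm) file for the macro + covering-shape lure.
Added defender-side example, not part of RobustPentestMacro; the sample document
built below is constructed, and only Word/Excel DrawingML shape names are checked."""
import io
import re
import zipfile

MACRO_PARTS = ("word/vbaProject.bin", "xl/vbaProject.bin")
# The name shown in the Selection Pane lives in wp:docPr (Word) or xdr:cNvPr (Excel).
SHAPE_NAME = re.compile(rb'<(?:wp:docPr|xdr:cNvPr)\b[^>]*\bname="([^"]*)"')
# wp:anchor marks a floating drawing; an inline one (wp:inline) cannot cover the page.
FLOATING = re.compile(rb"<wp:anchor\b")

def triage_document(doc) -> dict:
    """doc is a path or file-like object; returns the indicators a reviewer wants."""
    with zipfile.ZipFile(doc) as z:
        parts = set(z.namelist())
        has_macro = any(p in parts for p in MACRO_PARTS)
        shape_names, floating = [], 0
        for part in sorted(parts):
            if part.endswith(".xml") and part.split("/")[0] in ("word", "xl"):
                xml = z.read(part)
                shape_names += [n.decode() for n in SHAPE_NAME.findall(xml)]
                floating += len(FLOATING.findall(xml))
    return {
        "has_macro": has_macro,
        "shape_names": shape_names,
        "floating_shapes": floating,
        # A macro-enabled file whose body carries a floating shape matches the lure pattern.
        "lure_pattern": has_macro and floating > 0,
    }

def build_sample_docm() -> io.BytesIO:
    """Constructed minimal .docm: one floating text box named as in the README, plus a dummy VBA part."""
    body = (b'<w:document><w:body><w:p><w:r><w:drawing><wp:anchor behindDoc="0">'
            b'<wp:docPr id="1" name="warning-div"/></wp:anchor></w:drawing></w:r></w:p>'
            b'</w:body></w:document>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", body)
        z.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0 dummy OLE header")
    buf.seek(0)
    return buf

if __name__ == "__main__":
    print(triage_document(build_sample_docm()))
```

On a real sample the shape names and the floating count are the quick tell: a macro-enabled file with a single page-sized floating text box is worth opening in a sandbox before anyone clicks "Enable Content".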


TODO:

  • Add OpenOffice platform detection and autorun logic (OnOpen), then modify the OS-detection ifs to support the getGUItype method offered by OpenOffice.
  • Add document layout switching functionality, like the original page substitute function did.
  • Implement host reconnaissance and situation exfil functionality
  • Refactor the code to make it a bit less detectable by AVs
  • Add architecture bitness detection logic and specific payload usage
  • Add macOS related functions for platform independence
  • Add macOS X persistence functionality (MacPersistence()) in the form of, for instance, per-user LaunchAgents PLISTs
  • Prepare builder-script customizing script's backbone as needed by user and offering instant obfuscation
  • Add more Sandbox evasion and avoidance techniques, as documented in pafishmacro, here, here and here

KNOWN BUGS:

  • The DeleteWarningShape routine doesn't support Excel sheets at the moment (ActiveWorkbook)

DISCLAIMER:

The author of this code does not take any responsibility for any illegal usage of it. The code has been created solely for Penetration Testing purposes.


☕ Show Support ☕

This and other projects are the outcome of sleepless nights and plenty of hard work. If you like what I do and appreciate that I always give back to the community, consider buying me a coffee (or better a beer) just to say thank you! 💪


Author

   Mariusz Banach / mgeeky, '17
   <mb [at] binary-offensive.com>
   (https://github.com/mgeeky)