The SECRET to Embedding Metasploit Payloads in VBA Macros
15:30


HackerSploit 12.02.2025 7,363 views 345 likes


Video description
In this episode of the Offensive VBA series, we explore how to integrate PowerShell payloads and stagers into custom VBA macros for initial access. Specifically, we'll demonstrate how to repurpose and format PowerShell stagers generated by Msfvenom and PowerShell-Empire to execute a reverse shell. This video will teach you how to format and embed HTA-based PowerShell payloads inside a VBA macro.

// Adversary Emulation Labs
New to CYBER RANGES? Register here: https://bit.ly/40dRMsb
CYBER RANGES Adversary Emulation Labs (Free): https://bit.ly/4amBPEU

🎥 Have an idea for a video? Make your submission here: https://forms.gle/VDwwMsuudzQfT9VM6

// MORE RESOURCES
HACKERSPLOIT BLOG ►► https://bit.ly/3qjvSjK
HACKERSPLOIT FORUM ►► https://bit.ly/39r2kcY
HACKERSPLOIT ACADEMY ►► https://bit.ly/39CuORr
CYBER RANGES (LABS) ►► https://app.cyberranges.com

// SOCIAL NETWORKS
TWITTER ►► https://bit.ly/3sNKXfq
INSTAGRAM ►► https://bit.ly/3sP1Syh
LINKEDIN ►► https://bit.ly/360qwlN
PATREON ►► https://bit.ly/365iDLK
MERCHANDISE ►► https://bit.ly/3c2jDEn

// MY BOOKS
Privilege Escalation Techniques ►► https://amzn.to/3ylCl33
Docker Security Essentials (FREE) ►► https://bit.ly/3pDcFuA

// SUPPORT THE CHANNEL
NordVPN Affiliate Link (73% Off) ►► https://bit.ly/3DEPbu5
Get $100 In Free Linode Credit ►► https://bit.ly/3yagvix

// CYBERTALK PODCAST
Spotify ►► https://spoti.fi/3lP65jv
Apple Podcasts ►► https://apple.co/3GsIPQo

// WE VALUE YOUR FEEDBACK
We hope you enjoyed the video and found value in the content. We value your feedback; if you have any questions or suggestions, feel free to post them in the comments section or contact us directly via our social platforms.

// THANK YOU!
Thanks for watching!

#pentesting #cybersecurity #hacker

Table of contents (4 segments)

Segment 1 (00:00 - 05:00)

Hey guys, HackerSploit here, back again with another video. Welcome back to the Offensive VBA series, and I apologize if this has been dragging on for quite a bit, but don't worry, this is going to be the last video that's solely focused on, let's say, Word macros before we return to emulating FIN6 and the adversary emulation series, and we've got quite a few things lined up as well. So in this video, what I'm going to be showing you really quickly is how you can leverage or utilize various types of payloads that can be generated with Msfvenom, but sort of using parts of them, or the payloads within them, if that makes sense, or the payloads generated through Msfvenom, and including them in your own macros. So you don't want to develop your own macro, or you don't want to use any automated solutions, but you'd like to, for example, get a Meterpreter session, and you're really focused on the Meterpreter payload, if you will, and not the actual executable or anything like this. This is very useful, for instance, if you want to utilize techniques like HTAs, or HTML Applications, with mshta for execution, and you're not too sure as to how you can utilize some of these HTA payloads that, again, can be generated by any C2 framework, or in this case Msfvenom, for use in Metasploit. And so what I'm going to be walking you through in this video is exactly how you can take something, or a payload that's generated, again, not a macro or anything like that, just take a payload generated with Msfvenom, and this could be any, could be a PowerShell Empire HTA payload, doesn't really matter, and include that in your macro, and I'm going to show you how to properly format all of this stuff. So with that being said, apologies for the long intro, let's get started.

So I'm currently on a Windows VM and I have RDP access to my Kali Linux system. I thought it's better than switching back and forth, and what we're going to get started with firstly is, let's go ahead and create our macro, or macro-enabled document. So I'll open up Word and I will save this document on my desktop here, and we'll just call it HTA, right, very simple, and I'll save it as .docm, so a macro-enabled document. Save it there, going into Developer, Macros, specify this document, and I'll just call it MyMacro, for example, right. Create that there, and I'm going to create the AutoOpen subroutine, so Sub AutoOpen, and, sorry, Document_Open, to ensure that the macro is executed, the one we specify, which in this case will be anything within the subroutine called MyMacro. I've already explained this, so if you're new to this series, take a look at the other videos in the Offensive VBA series. So we'll just now specify, we're not calling, we just want to specify what macro we want executed, so in this case it's going to be the subroutine MyMacro, and then in here we can go ahead and put in whatever. So that's what we're going to take a look at shortly, is what do we put in here.

So now that we have that running, I'm going to open up my Kali VM here, just going to resize it so you can see it there, and I'm going to open up a terminal. I'll just increase the font size so you can see that a little bit better, and we'll utilize Msfvenom, and payload, in this case we can go for a non-staged payload, again just to stick to the objective here. So we'll not use Meterpreter, because I know a lot of you guys are sort of averse to that, so we'll use a reverse TCP, so shell_reverse_tcp, which means we can use netcat, or set up a netcat listener. Then we'll specify my Kali Linux IP. Let me just check my IP just so I'm sure, 24, okay. So then we'll put in LPORT, we'll just use 1337, and then the format, in this case we're going to use hta-psh. So this is what I was referring to, so let's say you wanted to use this particular payload and include it in your macro, how would you do that? And again, it can be any payload for initial access or command execution, it really doesn't matter. What I'm showing you, or giving you, are the other skills required to, again, format things correctly so that it actually fits into the macro that you're developing. So I'll then save it. Am I currently on my desktop? Never mind, we'll switch

Segment 2 (05:00 - 10:00)

there shortly. I'll say Desktop, why is that? That's weird, the output is home. We'll just save it here, so I'll just say shell.hta, and I'll hit enter, and then I'll move it to my desktop so we can work there. So there we are, so move shell.hta to Desktop. Yeah, there we are, much better. All right, so on the desktop we have shell.hta as well as some of the other stuff we had developed in previous episodes of Offensive VBA, but this is what we're interested in. So if I open up shell.hta, right over here we have, yeah, I'll use a text editor so that you can see it properly. So I'll open up shell.hta, and this is what it looks like. So you can see, again, this is a very basic boilerplate HTML Application that uses VBScript, not to be confused with VBA, but what we want is this right over here, so the PowerShell command that's been obfuscated multiple times. And in essence it utilizes HTA, or, in this particular case, it's not utilizing HTA, but the HTA file itself would execute this particular PowerShell code and will give us our reverse shell. But it's been obfuscated and encoded multiple times over, and of course we can always copy this and utilize something like, let's say, CyberChef to decode this. And I'll sort of explain why I'm using CyberChef, because you can see this is pretty much Base64, right, and if you want to learn about how Metasploit encodes things and obfuscates things, this is a great place to learn that. So over here you can see it's a little bit confusing, and that's because we have a lot of null characters. So right over here, let me get rid of powershell here. There we are, so you can see, you can sort of make out a couple of things, like we have an environment variable, windir, concatenation, SysWOW64, WindowsPowerShell. We can get rid of the null bytes by adding them in here, and now you can see sort of what it does. But you can also see that there's additional Base64 encoding of specific commands, so this is all, you know, great to avoid, not avoid detection, but to make it harder for, let's say, guys in the blue team or digital forensic analysts to break down or decipher what this does exactly. But you can see that there's a few variables being set, like b, we can see, is equal to powershell.exe, and then there's also some logical statements here, so if/else, so else check for, using the environment variable, the location of powershell.exe, so very good checks there. And then s.Arguments is equal to, you know, no profile, and then over here we have hidden, etc. You get the idea. So we're not really focused on this at the moment, just wanted to show you exactly what's being done.

So the question is, can we just straight up copy this and slap it into our VBA macro? Well, the answer to that is, not really, no. And what this means is that we need to do a few interesting things. Well, one thing that we're going to need to do is reformat that into a format that actually makes it usable, or makes it more suitable to be included in the macro. And in order to accomplish this, we are going to utilize, or develop, a Python script that'll do the concatenation for us and format things correctly, and essentially break it down into multiple lines, if you will. So I will create a script on my desktop called concatenate, or just conc, so conc.py, and in here we'll just create a variable called string_value that's going to be equal to, this is where we put in the PowerShell code, so powershell.exe, pretty much everything.

Segment 3 (10:00 - 15:00)

Going to copy that in here, and just going to paste that in there, and I'm just going to edit it in a text editor so you can see exactly what's going on. So yeah, we're just going to copy it, like so, and then what we're going to do now is we're going to say n is going to be equal to the number of iterations, in this case let's set it at 50. We're then going to utilize a for loop, so for i, that's going to be our counter, for i in the range, I'm going to say start from zero, sorry, length, which is going to be just the string value, so the length of the string value, so it essentially ensures that it iterates right to the end, and then we're going to say n. And then what are we doing in here? We're just going to print it to the screen, we can obviously save it, but to format it well, the variable we'll be using in the macro is just going to be called Str, so we're going to say Str is equal to Str plus, so we're concatenating, or adding, pretty much, yeah, just concatenating, and then we're going to say plus, and then string_value, in this case it's going to be i plus n, and we're then going to also ensure that it has the correct formatting here. And now if we write, sorry, I thought I was in Vim, let's save this. Now if we run it, there we are, so you can see it formats it for us correctly, or appropriately, and now we can essentially take this into our macro. So I'm just going to copy it, sorry, not everything, my bad, forgot using RDP is super slow. Let me just copy it here, so just this, you can obviously encode powershell.exe if you so wish, but we just want this.

And now we'll go back into our macro here on the Windows system, and in here we're not yet ready to go, we still need to work on our macro here. So we are going to say, we'll create the variable, which we already pretty much defined, it's just going to be called Str, so Str As String, and then we're going to utilize, we'll create an object, I'll sort of take a shortcut here and we'll use WScript.Shell, and then Run Str, the value, like so. And then in here we can just paste in what we copied, like so, and this is the correct way to format these larger payloads, and then we're pretty much good to go here. So we can save this now. Let me set up the netcat listener on the Kali Linux system so you can see this, and I'll just say nc -nvlp 1337, I believe was what we had set, and I'll now minimize this. So I've saved the macro, saved the document. Let me just resize this so you can see it a little bit better if we do indeed get the shell. Let me clear that out, so something like this, okay. And now let's close this up and we'll open up HTA.docm, Enable Content, we probably want to hide that PowerShell window, but there we are, we get it, and we get the reverse shell. I can say whoami, it's pretty much the system we're working on, but you get the idea.

Anyway, that was sort of a very short final demo, or PoC, that I wanted to give you before we proceed with the Active Directory section of the FIN6 adversary emulation series, or sub-series I should say. And again, just to recap this section of the Offensive VBA series, the objective here, or the reason why I started this series, was because a lot of you asked me questions as to why we were utilizing the automated Metasploit module to generate a Word macro for initial access during the FIN6 initial access video, and I sort of explained that, but a lot of you wanted to maybe learn more about how this can be done manually, and how VBA macros work, how they can be weaponized for initial access. So there you go. Now, as I said, this does not spell the end of the Offensive VBA series, we'll definitely be working, or we

Segment 4 (15:00 - 15:00)

you know, we'll be taking a look at a few more examples, more advanced stuff like leveraging the Windows API and stuff like this. But with that being said, that's going to be it for this video. If you have any comments, questions or feedback, leave it in the comment section. If you found value in this video or you enjoyed it, leave a like down below, and with that being said, that's going to be it for me and I'll be seeing you guys in the next video.
