This is a rich-featured Visual Basic macro code for use during Penetration Testing assignments, implementing various advanced post-exploitation techniques.
This is a rich-featured Visual Basic macro code for use during Penetration Testing assignments, implementing various advanced post-exploitation techniques like sandbox evasion, WMI persistence and page substitution. Intended to be able to infect both Windows and Mac OS X Office platforms by implementing platform-detection logic.
Created to make it possibly to simply Paste Payload then Copy & Paste entire macro into phished document.
For list of example Macro generation and usage scenarios one can check out author's gist here:
This is a skeleton code for the malicious Macro that could be used during Penetration Testing assignments (or for education purposes), in order to embed it within Phishing documents as a Microsoft Office macro.
There are following features implemented:
WindowsMalware()
and MacMalware()
One should definitely feed this script into some kind of Visual Basic obfuscator, like the author's one: VisualBasicObfuscator
The macro's code has been built up from other author's building blocks:
The most essential configuration here is filling up functions like MalwareWindows()
and MalwareMac()
.
One can for instance leverage Empire stager's functionality and obtain two payloads - for:
windows/macro
osx/macro
Then one have to put this way generated macros into aforementioned Malware*()
functions. The penetration tester also can use buil-in primitives like:
ExecuteCommand(command)
ExecuteCommandAndPersist command, startupTaskName
For instance, such modifications to the script could look like:
Private Sub WindowsMalware()
[...]
str = "powershell -noP -sta -w 1 -enc ABCDEFGHIJKLMNOPQ"
str = str + "ABCDEFGHIJKLMNOPQRSTUWXYZ0123456789"
' Rest of the powershell command cut for brevity
' [...]
str = str + "ABCDEFGHIJKLMNOPQRSTUWXYZ0123456789"
ExecuteCommandAndPersist str, ""
End Sub
Private Sub MacMalware()
[...]
cmd = "abcdefghijlmnopqrstuxwyz012345678990"
cmd = cmd + "abcdefghijlmnopqrstuxwyz012345678990"
' Rest of bash command cut for brevity
' [...]
cmd = cmd + "abcdefghijlmnopqrstuxwyz012345678990"
Dim fullCommand As String
fullCommand = "echo ""import sys,base64;exec(base64.b64decode(\"" " & cmd & " \""));"" | python &"
ExecuteCommandAndPersist fullCommand, ""
Also, there are Const
options documented within code's CONFIGURATION section that are self-explanatory and left to be reviewed by the user.
In order to leverage this feature, one has to prepare a fake "Enable Content" warning message like for instance Microsoft Office compatibility issues, AV scanned flag or something imaginary, and then to create a shape consisting of TextBox (via INSERT -> Shapes... -> TextBox). Then cover the document with this shape. Having that, one has to rename that shape using the path:
(Ribbon -> HOME -> Editing -> Select... -> Selection Pane -> give it a name, like "**warning-div**")
After that, the shape can be further modified to be floating and cover up entire document by clicking:
Right click on shape -> Move selected shape -> then setting up Position and Size to 100%, Left-Top aligned.
Among various Social Engineering shapes that could be used - two of them had been attached to this repository:
OnOpen
), then modify OS detection if's to support getGUItype
method offered by OpenOffice.MacPersistence()
) in form of for instance per-user LaunchAgents PLISTDeleteWarningShape
doesn't support Excel sheets at the moment (ActiveWorkbook
)The author of this code is not taking any responsibilities of any illegal usage of it. The code had been created solely for Penetration Testing purposes.
This and other projects are outcome of sleepless nights and plenty of hard work. If you like what I do and appreciate that I always give back to the community, Consider buying me a coffee (or better a beer) just to say thank you! 💪
Mariusz Banach / mgeeky, '17
<mb [at] binary-offensive.com>
(https://github.com/mgeeky)